ACLU Asks FTC to Enforce Android Updates
Any smart user knows that keeping his or her Android smartphone up to date is the simplest way to prevent the lion's share of security breaches.
This strategy promptly falls apart when the mobile carrier refuses to provide those critical updates.
According to the American Civil Liberties Union, mobile service providers rarely provide critical security updates for Android smartphones, especially as the devices begin to age.
In an attempt to protect consumer rights, the ACLU has filed a request for investigation with the Federal Trade Commission. AT&T, Verizon Wireless, Sprint and T-Mobile all come under fire, as the ACLU accuses them of failing to comply with both consumer safety protocols and government recommendations.
The ACLU's 16-page request details how mobile carriers often overlay their own software over the "stock" Android operating system that comes directly from Google. Anyone who has bought a phone and found it pre-loaded with undeletable junk apps should be intimately familiar with this practice.
"Although they share a single brand name, there are two different categories of [Android] devices — those sold and managed directly by Google that run the stock version of Android … and those sold by handset manufacturers and the wireless carriers which run a customized version of Android," wrote the ACLU.
"Most Android smartphones do not receive operating system updates directly from Google nor in many cases, do they receive regular security updates at all." [See also: Why You Should Get Your Android Phone from Google]
The system updates that Android users periodically install do much more than tweak the user interface or allow new apps to run. The ACLU points out that Android phones control more than half of the American market, and more than 70 percent of the global one. Because of the multitude of Android devices, establishing universal security protocols is difficult.
This confluence of factors makes Android an unusually ripe target for hacks and exploits. Google's periodic updates patch a number of critical vulnerabilities, which range from bank hacks (which could bankrupt a user) to location service exploits (which could open up a user to stalking).
Google generally provides 18 months' worth of security updates for any given phone, but the ACLU found that carriers do not typically follow Google's lead.
In addition to pushing out updates much later than Google, carriers will often eschew updates as phones age and they begin to push newer devices on consumers. This means that many phones currently on two-year contracts will cease updates well before the contract expires.
Verizon Wireless, at least, believes it is already doing enough to look out for consumer interests.
"We are known for our rigorous testing protocols which lead the wireless industry, and we thoroughly test every update before delivering it to consumers," it said in a statement. "[We] provide mandatory updates to devices as quickly as possible, giving attention and priority to ensuring a good and secure customer experience."
These words likely offer little comfort to Verizon Wireless customers who had to wait more than a month for the Android OS 4.2.2 update.
The ACLU request reminds readers that even President Obama has urged Americans to keep their devices up to date in order to be secure. In that respect, the ACLU is doing important work. Expect the phone companies to push back, though: Keeping older phones up-to-date offers less incentive for customers to buy new ones.