ACLU Takes Carriers To Task For Slow Android Updates
April 18, 2013

ACLU Files Complaint Against Carriers Alleging Deceptive Android Update Practices

Michael Harper for — Your Universe Online

Earlier this week, security firm NQ Mobile released a report which found Android to be the mobile platform most targeted by hackers. Along with being the largest mobile platform — and therefore a large target for hackers — it also has a bad reputation for being a fragmented OS. Though Google frequently releases new updates to Android which generally include security updates, these patches often never reach the customer once they leave Google HQ.

The American Civil Liberties Union (ACLU) has taken notice and has now issued a complaint against America´s top four wireless carriers: AT&T, Sprint, T-Mobile and Verizon. The ACLU filed the complaint with the Federal Trade Commission (FTC) and is also asking the agency to investigate the carriers´ “deceptive” practices.

"All four of the major wireless carriers consistently fail to provide consumers with available security updates to repair known security vulnerabilities in the software operating on mobile devices," reads the complaint written by Christopher Soghoian, the principal technologist for the ACLU and former official for the FTC.

"The wireless carriers have failed to warn consumers that the smartphones sold to them are defective and that they are running vulnerable operating system and browser software. The delivery of software updates to consumers is not just an industry best practice, but is in fact a basic requirement for companies selling computing devices that they know will be used to store sensitive information, such as intimate photographs, e-mail, instant messages, and online banking credentials."

According to Google´s own numbers, one in four Android handsets is running some iteration of Android 4, the latest version of the movie operating system.

There are considerably more Android handsets (39.7 percent) running Android 2.3 through 2.3.7, a version which was released well over two years ago. The fragmentation of Google´s Android OS is most often blamed for the lack of apps or features. The ACLU, on the other hand, is complaining that not keeping these millions of phones up-to-date could result in an enormous amount of infected hardware and stolen identities.

As this week´s NQ Mobile study showed, hackers and cybercriminals are making a steady push towards mobile operating systems, specifically Android. Without these vital updates, Android users with an older version could not only be vulnerable to an attack that has been patched in newer versions, the carriers could even make them pay full price for an upgrade or even an early termination fee.

For example, one of the first Android phones, the Motorola Droid on Verizon, never received an update past Android 2. Any user still carrying this handset could be vulnerable to a host of attacks.

The ACLU is asking the carriers to allow customers with orphaned or outdated devices to upgrade to a new device or leave their contract without penalties.

Sprint and Verizon have given separate statements about this complaint. Sprint claims they adhere to “industry-standard best practices” while Verizon says they lead the industry in testing these updates. AT&T and T-Mobile have not yet issued public comments on the ACLU complaint.

As it stands, any customers looking for prompt updates to their devices can buy a Nexus smartphone or tablet. As Google ships these themselves, they are the first to receive critical updates.