ACLU Files FTC Complaint over Android Smartphone Security


Even the least sophisticated of us are becoming aware that our personal mobile devices, which have become one of life’s essentials, are not as secure as we’d like or hope they can be. In fact, the security of those devices – and I don’t mean if they are lost or stolen, but rather how well we are protected from bad guys when we are using them – is a hot topic to say the least.

It’s so hot that the American Civil Liberties Union (ACLU) has filed a complaint with the U.S. Federal Trade Commission (FTC) asking them to investigate the major wireless carriers—AT&T, Verizon, Sprint and T-Mobile—for failing to warn customers about un-patched security flaws in the software running on their phones.

The complaint says that the vast majority of customers using the millions of smartphones running versions of Google’s Android operating system “never receive critical software security updates, exposing consumers and their private data to significant cybersecurity-related risks.”

The 16-page complaint argues that the major wireless carriers have engaged in “unfair and deceptive business practices” by failing to warn their customers about known, un-patched security flaws in the mobile devices sold by the companies.

Given that Android has over 75 percent of the U.S. smartphone market, the ACLU says the majority of devices are running software that is out of date, often with known, exploitable security vulnerabilities that have not been patched.

The ACLU goes on to contend in blunt language that, “For consumers running these devices, there is no legitimate software upgrade path. The problem isn’t that consumers aren’t installing updates, but rather updates simply aren’t available. Although Google’s engineers regularly fix software flaws in the Android operating system, these fixes aren’t packaged up and pushed to consumers by the wireless carriers and their handset manufacturer partners.” They say this is in “sharp contrast to the norm on the desktop, where Mac and PCs both receive regular security updates directly from Apple and Microsoft.”

They also note that Apple provides regular security updates to mobile devices.

The ACLU says it feels obligated to file a complaint since the problem has been the subject of numerous articles in the press, yet the industry has failed to act. This continued failure is why they believe regulators must step in.

Again in rather blunt language, the ACLU notes that, “As we stated in our complaint, if the mobile carriers are not going to provide important security updates, the FTC should at a minimum force them to provide device refunds to consumers and allow consumers to terminate their contracts without penalty so that they can switch to a provider who will.”

A delicate balance of ensuring cyber security without violating civil liberties

For those who follow such matters, the ACLU’s interest here should come as no surprise. While they’ve spent much time and effort, including litigation, on warrantless searches, overall, as we store more and more of our personal information on our smart devices, the ACLU is looking at all aspects of making sure that data stays safe. They also believe that, “There are plenty of things the government can do to protect the computers and networks that consumers, businesses and government agencies depend upon without violating civil liberties. Investigating the wireless carriers and their role in smartphone security updates would be a great first step.”

Can we get some help here?

A few things to consider on this subject are the following:

Security experts acknowledge that un-patched handsets expose users to risks that would not be present if they were running the latest Android software. The risks include malicious apps exploiting vulnerabilities to escalate privileges, which allows the bad apps to access address books or other data that is supposedly safe.

According to Google data, only 2 percent of Android devices use the latest version of Android, which means most of us are clearly at risk of exploitation.

The only Android devices that can receive updates promptly are those managed directly by Google, such as the Nexus 4, because security updates come directly from Google rather than from wireless carriers.

While the ACLU filing asks for an FTC investigation regarding the carriers as to whether they are in compliance with U.S. law, the commission has no obligation to start an investigation. And even if it did, such matters can take years before remedies are implemented.

The last point is the most crucial. One would think, or hope, that the Android ecosystem, for competitive reasons (why give Apple a reason to boast) and for trust purposes, would have made remediating this problem a priority. The ACLU, by filing a complaint, may put resolution of this challenge on a much shorter fuse than otherwise might be the case, but it should not have had to come to this.

The carriers in particular have a lot riding on this in terms of sales and customer trust. Their responses, addressing not just the merits of the ACLU complaint but also what they individually or collectively decide to do about fixing this problem, will be a subject of intense interest.

Let’s see who jumps first and how fast. Sooner would be preferable to later.




Edited by Braden Becker