A few days ago, the ACLU filed a complaint with the Federal Trade Commission against the four major US carriers. In that complaint, the ACLU claims that Sprint, T-Mobile, Verizon, and AT&T are guilty of two major faux pas: not updating your Android device in a timely fashion, and not educating you properly about the security risks associated with the lagging updates.
A bold move, but not out of character for the ACLU. They’ve made a habit of exposing perceived slights and blatant wrongdoing, but is this one of them? Sure, not getting updates right away is annoying… but is it a civil liberties matter?
The 16-page complaint is fairly comprehensive, and hits on just about every topic relating to updates, malware, and general carrier malfeasance we can think of. In a nutshell, the complaint stresses that our contracts are binding us to an antiquated level of service, and this, in turn, affects our mobile security. The ACLU makes it very clear that contracts are the real issue here, as the complaint is focused squarely on carriers and the subsidized phone model.
The filing opens up some very poignant issues, ones that go far beyond simple mobile security. It would be simple to focus on timely updates for our phones, but that’s not really the entire issue. In point 15 of the complaint, the ACLU claims “The major wireless service providers exert significant control over the market for mobile devices. The carriers are able to dictate the features included by manufacturers in phones, including the factory pre-installation of carrier specific apps, as well as the removal of features that threaten the carriers’ revenue stream, such as the ability to share the Internet connection of the phone with other devices (“tethering”) without paying an additional fee to the wireless carrier.”
Why this matters
This places blame where it belongs, which is squarely on the carriers. If we take the largest carrier in the US as an example, Verizon is notoriously slow to update their devices. This is, in part, due to a lack of oversight. Nobody is policing them to update the devices in a timely manner, and they often cite security as a reason for slow updates.
They also act in the interest of profit, rather than subscriber happiness. Why block Google Wallet? They have their own mobile payment system. Why not let Google’s Android system take care of the security on a device? They have their own method, which they feel is better… and they may be wrong.
Each carrier is to blame for this, but then again… so are we. As consumers sign contracts for cellular devices with carriers, we’re effectively signing over control. While under contract, carriers often dictate to you just what can and can’t be done with a device. If you doubt that, flash a new ROM and take your subsidized device in for service. You will probably be turned away flatly, even if you simply flashed the newest, stock version of Android.
The inability to manage our devices as we see fit is another part of the complaint. Point 28 notes “The slow rate of adoption of the most recent versions of Android does not reflect a failure by consumers to seek out and install operating system updates. Instead, it reflects the fact that for most Android smartphones in use, updates to the most recent version of the operating system simply have not been made available for consumers to install.”
Does that mean we should stop signing contracts? Not necessarily. Going unsubsidized and contract-free has advantages, but many of us either can’t afford to do that, or simply don’t want to. This filing is meant to protect those who are hindered by carriers and their agenda, which the ACLU claims is widely based on malaise.
Carriers are burdened by the environment they create. We, as consumers, are guilty of subscribing to much more than a wireless plan. We subscribe to false hope. Our assumptions are that the carrier will support the device we purchase, and will do their best to make sure we’ve got what we perceive are necessary updates to our device.
The reality is carriers do support devices… just not as we’d like them to. We all love the new Android stuff that comes with each update, but how many of us are complaining about our devices being insecure because of it? Photospheres don’t help with malware.
We may not be excited to be left behind by carriers, but it doesn’t affect our security. The hard truth is that by signing a contract, you’ve agreed to be bound by their rules… one of which is to do as little as possible to make sure you have the latest and greatest. If that 12-month-old security update hasn’t become insecure, what is the carrier motivation to do more? You’re under contract, and under their thumb.
Let’s start with point 34 of the complaint, which quotes a 2012 report from the US Government Accountability Office, and take it from there. It reads “It can take weeks to months before security updates are provided to consumers’ devices. Depending on the nature of the vulnerability, the patching process may be complex and involve many parties. For example, Google develops updates to fix security vulnerabilities in the Android OS, but it is up to device manufacturers to produce a device-specific update incorporating the vulnerability fix, which can take time if there are proprietary modifications to the device’s software. Once a manufacturer produces an update, it is up to each carrier to test it and transmit the updates to consumers’ devices. However, carriers can be delayed in providing the updates because they need time to test whether they interfere with other aspects of the device or the software installed on it.”
This, more than anything else in the complaint, succinctly identifies the issue. The process is cumbersome, dragging out through multiple stops. First Google, then (possibly) a manufacturer, and finally a carrier. This problem of security is debatable, as malware affects a very small percentage of Android apps, and is usually found via sources other than the Play Store.
There is also the issue of how much malware is actually written for Android. A small percentage, sure, but growing daily. It’s also important to keep in mind that the issue is not only apps, but the browser. The ACLU takes browser updates to task several times, and mentions the issue with considering Chrome as an alternative: “Because Chrome for Android can be updated through the Play Store, Google is able to distribute regular security updates to Chrome users. However, Chrome for Android is only compatible with devices running Android 4.0 and above. As such, only 40% of the Android devices worldwide can install Chrome.”
The ACLU’s agenda is not to dictate how to change the process, it’s to change carrier responsibility. In doing so, the process naturally changes. If carriers are bound by a set of expectations, they become more involved with what many of us want, and that’s the latest software. While those new iterations of Android are inherently cooler, they’re also more secure. That is where everyone concerned may find the gift, as well as the curse.
Carrier responsibility sounds lovely, but it may end up biting everyone in the backside. Carriers are good at getting the latest devices, but not at supporting them. If they’re made to support devices more, there is a reasonable expectation they will carry fewer devices. This affects our variety, and perhaps strains our relationship with the carrier.
It may, however, expose consumers to unsubsidized devices, and the possible benefits of prepaid plans. That’s great for us, but is it good for carriers? Recent comments by carriers suggest it may be fine with them, and perhaps even preferable. T-Mobile has gone away from the locked-down subsidized model, and their subscribership increased for the first time in years.
A middle ground can be settled on, but it takes carrier compromise. They’ll have to find a better way to accomplish the same goals, which is probably necessary anyway. The duality of signing consumers to a two-year contract, not supporting the devices as best they could be, then constantly rotating new devices is only good for the newest customers. For many of us, by the time the contract is up, our device is long gone from the store, much less the spotlight.
We can’t have it all, all the time. We can either upgrade to a new device, or suffer our old ones and the updates that never come. That’s our current methodology, or rather that of the carriers, but the ACLU wants that changed. This complaint serves to put carriers on notice, letting them know that their practices haven’t gone unnoticed.
The reaction from carriers will be crucial. We hope they swallow some pride, and acknowledge the system needs tweaking. We can all accept culpability for this situation, and we should. Carriers are trying to keep their offerings fresh, and we’re trying to keep our old device refreshed. We could have gone unsubsidized, but we didn’t. We wanted a lower up-front cost, and we bought into the system. We didn’t understand the whole picture.
Now we do, and hopefully so do carriers. If the problem persists after this complaint is recognized, and carriers have had some time to adjust their practices, consumers would be wise to pursue other avenues en masse. Nexus devices have an opportunity to change this game. Buying a low-cost, high-end phone and going prepaid throws a wrench into the system.
As much as we feel helpless, we’re actually in charge. Vote with your wallet to effect change. Carriers may not listen when you’re on the line with them, complaining about not having Jelly Bean… but they will pay attention when it comes to their bottom line.