Smartphones with custom versions of Android offered by large mobile operators in the U.S. are not getting security updates as regularly as phones from Google, or smartphones from other vendors like Microsoft, according to a complaint by the American Civil Liberties Union to the Federal Trade Commission.
"Android smartphones that do not receive regular, prompt security updates are defective and unreasonably dangerous," ACLU said in the complaint on Tuesday.
The complaint against AT&T, Verizon Wireless, Sprint Nextel and T-Mobile USA states that "all of the major wireless carriers have failed to deliver regular, prompt updates to Android phones which they have sold to their customers," citing results from a survey in December last year by technology news site Ars Technica.
The sale of mobile computing devices such as smartphones and the software updates to the devices are not part of common carrier activities, and are hence subject to FTC authority, according to the complaint, a copy of which is on the ACLU website.
"We are known for our rigorous testing protocols which lead the wireless industry, and we thoroughly test every update before delivering it to customers," Verizon said in a statement. "We work closely with [device makers] and provide mandatory updates to devices as quickly as possible, giving attention and priority to ensuring a good and secure customer experience," it added.
Sprint spokesman John B. Taylor said in an email that the company "follows industry-standard best practices designed to protect its customers."
T-Mobile and AT&T did not immediately respond.
Most Android devices offered by operators are customized by handset makers and wireless operators to support specific hardware, proprietary user interfaces and software application and services, with the result that they are "in effect, unique operating systems which only these companies have the ability to update," according to the complaint.
ACLU distinguishes between "Google-managed Nexus devices", which are sold and managed directly by Google, and run the standard version of Android, and "Non-Google-managed Nexus devices." While the Google managed devices receive regular software updates from Google, the others "do not -- and, in fact, cannot -- receive operating system updates without the participation and approval of the wireless carrier."
Device manufacturers can take time to produce a device-specific update incorporating a vulnerability fix, if there are proprietary modifications to the device's software, according to a 2012 report by the U.S. Government Accountability Office, also cited by ACLU. Carriers can be delayed in providing the updates from the manufacturer because they need time to test whether they interfere with other aspects of the device or the software installed on it, it added.
The browsers on the smartphones are also outdated and pose security risks, according to the complaint, which has asked the FTC to require the operators to allow users to exchange their Android smartphones that are less than 2 years old for one that receives regular security updates, or return the phone for a full refund of the purchase price, if they have not been receiving regular and prompt security updates.
ACLU also asked the FTC to compel the operators to allow customers using carrier-supplied Android smartphones to cancel contracts without any early termination fees. The operators should also be compelled to warn all subscribers using carrier-supplied Android smartphones with known, unpatched security vulnerabilities.
In a similar case, the FTC filed suit last year against hospitality company Wyndham Worldwide and three of its subsidiaries for alleged data security failures leading to three data breaches at Wyndham hotels in less than two years. The FTC said it was part of its ongoing effort to make sure companies live up to their promises on security and data privacy.