ACLU to FTC: Mobile carriers fail to provide good Android security

The America Civil Liberties Union filed a complaint with the Federal Trade Commission today asking the agency to investigate the four major mobile carriers' security practices in regards to smartphones.

The civil liberties group claims that AT&T, Verizon, T-Mobile, and Sprint are not doing enough to protect users' private and personal data -- specifically on Android devices. The gist of the complaint (PDF) is that these carriers aren't providing users with timely security updates, which the ACLU says is akin to "deceptive and unfair business practice."

"The major wireless carriers have sold millions of Android smartphones to consumers," the ACLU wrote in its complaint. "The vast majority of these devices rarely receive software security updates."

The ACLU claims that while Google has published updates to fix exploitable security vulnerabilities, these fixes have not been sent out to consumers.

"Android smartphones that do not receive regular, prompt security updates are defective and unreasonably dangerous," the ACLU wrote. "As the FTC has acknowledged, security vulnerabilities on consumers' mobile devices may be used 'to record and transmit information entered into or stored on the device ... to target spear-phishing campaigns, physically track or stalk individuals, and perpetrate fraud, resulting in costly bills to the consumer... [and to misuse] sensitive device functionality such as the device's audio recording feature... to capture private details of an individual's life.'"

Android devices are notorious for attracting malware and some of it is quite sophisticated. Some types of malware can embed themselves on smartphones and steal information from users, while others act as spyware and take over components of the device. Last October, the FBI warned users to be aware of such mobile malware because it is especially lured to Android's operating system.

Mindful of these dangers, Google has been working to beef up its OS security over the past several iterations of Android. With Jelly Bean's design, Google has aimed to defend against hacks that install viruses, along with other malware.

While the ACLU is alleging that the mobile carriers disregard user security, several of the carriers have worked to make Android devices on their networks safer. In September, Verizon debuted a security app to battle malware on Android devices; and in October, T-Mobile partnered with a mobile security company to preload free malware- and virus-protection software on select Android devices.

CNET contacted the mobile providers listed in the ACLU's complaint. Sprint Spokesman John Taylor said, "Sprint follows industry-standard best practices designed to protect its customers." T-Mobile spokesman Glenn Zaccara told CNET, "T-Mobile takes security very seriously, and regularly provides security updates to our customers, including those using the Android operating system. Additionally, we are continuously improving ways to help our customers safeguard their devices and data, such as enabling device security features by default. Customers can also take advantage of a wide array of mobile security and malware protection applications, and many are free of charge."

A Verizon representative told CNET, "Verizon Wireless is focused on ensuring our customers have good experiences with their smartphones and tablets. We are known for our rigorous testing protocols, which lead the wireless industry, and we thoroughly test every update before delivering it to customers. We work closely with our OEM partners and provide mandatory updates to devices as quickly as possible, giving attention and priority to ensuring a good and secure customer experience. We will review the complaint when it is filed with the FTC." CNET did not hear back from AT&T.

CNET also contacted the CTIA Wireless Association for comment. "Based on recent reports, U.S. wireless networks are among the most secure in the world because the carriers and the overall mobile industry are vigilant in preventing and protecting against malicious attacks," said John Marinho, the CTIA's vice president of cybersecurity and technology. "In addition, most U.S. wireless users shop at trusted application stores, which is why we have an app infection rate of less than 2 percent. Meanwhile, many other countries have app infection rates that are more than 10 times greater, and in the case of Russia, the app infection rate is reported at more than 90 percent."

It's unclear if the ACLU's complaint will gain any traction with the feds.

Correction, April 17 at 12:39 p.m. PT: The FTC does, in fact, have processes that allow it to file lawsuits, despite what this story originally reported.

Update, April 17 at 2:35 p.m. PT: Adds comments from Verizon, T-Mobile, and the CTIA Wireless Association.