[ale] ACLU Files Complaint With FTC Over Android Security Updates

Jay Lozier jslozier at gmail.com
Mon Apr 22 10:01:36 EDT 2013


On 04/22/2013 07:54 AM, Neal Rhodes wrote:
> I have been on both ends of the spectrum - HTC phones which I have 
> left completely alone, and let the carrier handle it, and a Viewsonic 
> GTab, which pretty much required immediate replacement of the OS for 
> any useful functionality.
>
> I've also rebuilt three engines in my lifetime.  And I took my Asko 
> dishwasher apart before I gave up and replaced it.   Just because I 
> CAN, doesn't mean it's worth my time to do it.   I consider certain 
> things appliances which should "just work".
>
> The contrast between the HTC phones, on which everything "just works", 
> and the Viewsonic Gtab, which I've pretty much given up on, and bought 
> a Samsung Galaxy 2 is rather stark.    Maybe the developer community 
> for the Viewsonic isn't as robust.   Or maybe since they're not 
> getting paid they don't care if the microphone doesn't work, or if the 
> Wifi drops in and out.    But on the Galaxy everything just works 
> again.   There really is a tangible value to a manufacturer actually 
> testing stuff with their hardware.
>
> I will state a general opinion, which is that a carrier should be 
> obligated to continue providing security updates to phones for X years 
> after they sell them.  I think a reasonable value for X is between 2 
> and 4, because the darn battery will crap out after 2 years.    We are 
> now reaching that spot where the processing power in Android phones is 
> equal to the needs of 99% of the users, so there is no reason not to 
> keep these things for 5-6 years.
>
> Neal Rhodes
>
>
>
>
> On Mon, 2013-04-22 at 01:02 -0400, Jay Lozier wrote:
>> On 04/21/2013 09:29 PM, James Taylor wrote:
>> > I have had a half dozen android phones so far, and not a single one has run the carrier software for longer than it has taken me to root it and load a developer rom.
>> > In my household, I currently have an HTC One S, two Galaxy Vibrants and an LG Optimus, all running the latest Jelly Bean builds for the roms they have loaded.
>> > By the way, I've never had a problem with a warranty return. I either load the original build or send it as is if dead. Not a peep from the vendor.
>> > I can understand most consumers not wanting to deal with this, but most consumers don't want to mess with technology in general.  They just want to use what's handed to them.
>> > Anyone on this list should be able to root a phone and load a rom, maybe with a little help.
>> > Why complain about your provider not updating your phone when you have access to do it yourself?
>> > -jt
>> IMHO the problem is that most people (not people on the list) are afraid
>> of "ruining" their phone if they root the OS, etc. I remember an
>> observation about most users not switching to Linux - it is they are
>> afraid to install any OS on any device (Windows, iOS, Android, etc) and
>> stay with the originally installed OS as updated by the vendor. The
>> issue is then will the vendor take responsibility to protect their
>> mostly technically illiterate customers. That appears to be what the
>> ACLU is complaining about; an implied breach of contract. Whether this
>> has merit probably depends on the contract terms.
>>
>> It is not that installing an OS is particularly hard if you take your time.
>> It can be very tedious depending on what you must do to actually install
>> it (try Windows 7 upgrade from Windows XP).
>> >
>> > >>> Neal Rhodes <neal at mnopltd.com> 4/21/2013 08:23 PM >>>
>> > Yes. The ACLU taking this up seems odd.
>> >
>> > However, I've seen a graph somewhere showing that essentially all
>> > iPhones ever made can be updated to the current versions of iOS.
>> >
>> > But Android phones are a totally different story.   Once the carrier
>> > stops selling them, they get abandoned and rarely get security
>> > upgrades.
>> >
>> > I'm not an Apple fan, but the difference was quite striking.
>> >
>> > Neal Rhodes
>> >
The parallel to providing support is on computers: Apple, Micro$oft, and 
Linux distros have published support cycles for their OS releases. I 
should know before buying/installing what the support period is; it's 
not hidden. Also, an update path from one release to another is stated 
even if it is a PITA (Windows XP direct to Windows 7 sucks).

What I do not know is if the carriers have stated a support cycle for 
the OS versions and update paths to newer OS versions - I do not have an 
Android.

Jay
>> >
>> > On Sat, 2013-04-20 at 22:41 -0400, James Taylor wrote:
>> >
>> >> This seems relevant, considering recent conversations...
>> >> -jt
>> >>
>> >>  From the latest Security Alerts Network Newsbites newsletter.
>> >>
>> >> "--ACLU Files Complaint With FTC Over Android Security Updates
>> >> (April 17, 2013)
>> >> The American Civil Liberties Union (ACLU) has filed a complaint with the
>> >> US Federal Trade Commission (FTC) asking that the agency investigate
>> >> major wireless phone service carriers for failing to deliver updates for
>> >> known security issues in the Android operating system. The complaint
>> >> alleges unfair and deceptive business practices for failing to
>> >> distribute the patches and failing to inform customers that their
>> >> devices are vulnerable to attacks. While Google has issued updates for
>> >> the flaws, the carriers have not pushed them out in a timely manner.
>> >> Apple issues its own updates for its phones, but individual carriers
>> >> bear the responsibility of pushing out Android fixes.
>> >> http://www.wired.com/threatlevel/2013/04/aclu-android-security-issue/
>> >> http://www.h-online.com/security/news/item/ACLU-calls-for-FTC-investigation-into-carrier-Android-1844175.html
>> >> http://arstechnica.com/security/2013/04/wireless-carriers-deceptive-and-unfair/
>> >> http://www.washingtonpost.com/business/technology/2013/04/16/1d7364fc-a6c9-11e2-a8e2-5b98cb59187f_story.html
>> >> Text of Complaint:
>> >> http://www.aclu.org/files/assets/aclu_-_android_ftc_complaint_-_final.pdf
>> >> [Editor's Note (Pescatore): I think "Politics makes for strange
>> >> bedfellows" comes from Shakespeare, but it sure applies here: the ACLU
>> >> filing complaints about security issues? But I like their angle: if the
>> >> carriers don't push out security patches to the phones, they are not
>> >> honoring their side of the contracts they lock people into and thus the
>> >> contracts should be invalidated. Nice incentive for the carriers to more
>> >> regularly update Android phones. But this also points out the security
>> >> advantages of the Apple and Blackberry model, where the hardware and
>> >> software come from one vendor who does push out updates regularly, vs.
>> >> the Android (and Windows PC) model where the user is on their own.
>> >> (Northcutt):  Kudos to our story collector, Kathy Bradford! This is a
>> >> big story and everyone dealing with BYOD and MDM (Bring your own device
>> >> and mobile device management) has skin in the game.
>> >> (Shpantzer): Google could learn from Apple's closed ecosystem and
>> >> enforce discipline in the Android Telco/OEM ranks.  Fragmentation is
>> >> theoretically good for security against mass malware (not a monoculture,
>> >> hard to test on infinite number of hw/sw permutations), but old and
>> >> terminally vulnerable versions of Android persist for months or even
>> >> years, whereas new Apple iOS versions have 90% penetration in a matter
>> >> of days or weeks.]"
>> >>
>> >>
>> >>
>> >>
>> >> _______________________________________________
>> >> Ale mailing list
>> >> Ale at ale.org
>> >> http://mail.ale.org/mailman/listinfo/ale
>> >> See JOBS, ANNOUNCE and SCHOOLS lists at
>> >> http://mail.ale.org/mailman/listinfo


-- 
Jay Lozier
jslozier at gmail.com
