ACLU: Carriers leave consumers exposed by withholding Android updates

The mobile industry’s practice of slowly parceling out Android smartphone updates has earned the ire of the American Civil Liberties Union. On Tuesday, the ACLU filed a complaint asking the Federal Trade Commission to investigate the major U.S. carriers for not updating their customers’ phones whenever new security patches are available and for not warning consumers of the dangers that exposes them to.

In the ACLU’s blog, Principal Technologist and Senior Policy Analyst Chris Soghoian wrote:

“Google’s Android operating system now has more than 75% of the smartphone market, yet the majority of these devices are running software that is out of date, often with known, exploitable security vulnerabilities that have not been patched. For consumers running these devices, there is no legitimate software upgrade path. The problem isn’t that consumers aren’t installing updates, but rather, that updates simply aren’t available. Although Google’s engineers regularly fix software flaws in the Android operating system, these fixes aren’t packaged up and pushed to consumers by the wireless carriers and their handset manufacturer partners.”

As the ACLU hints in that last sentence, carriers aren’t the only culprit here. Before they can send out an Android update, carriers have to wait until handset makers tweak Google’s code for their own purposes since no one – save Google – is running a generic version of Android on their devices. Recently, Android device makers have gotten faster at releasing updates for their phones, but it’s by no means instantaneous.

Still, carriers are definitely a large part of the bottleneck, often asking for Android features to be removed from a build for competitive reasons. A case in point is Verizon’s disabling of Google Wallet on its NFC-capable phones. The fragmentation and politics of the Android ecosystem have led my colleague Kevin Tofel to call for Google to take back control of Android’s distribution from carriers and device makers.

Getting timely updates for services and features is one thing, but the ACLU is saying that critical security fixes are getting lost in the shuffle. Carrier industry group CTIA didn’t comment directly on the ACLU’s accusations, but it did imply that the threat of security vulnerabilities in the U.S. was overblown. In a statement, CTIA VP of Cybersecurity and Technology John Marinho said:

“Based on recent reports, U.S. wireless networks are among the most secure in the world because the carriers and the overall mobile industry are vigilant in preventing and protecting against malicious attacks. In addition, most U.S. wireless users shop at trusted application stores, which is why we have an app infection rate of less than 2 percent. Meanwhile, many other countries have app infection rates that are more than 10 times greater, and in the case of Russia, the app infection rate is reported at more than 90 percent.”
