Mobile device makers and telecom service providers need to make significant privacy protection improvements for their customers, according to a recent report from the U.S. Federal Trade Commission. The report could become the basis for agency enforcement actions — not only for smartphones, but also for other mobile devices.
“The report is a clear signal to the industry to focus on this issue,” said Gerard Stegmaier, a partner at Reed Smith.
“Consumers use their mobile devices for a wide range of activities and want to have confidence that when they use them they will be secure,” said Tom Pahl, acting director of the commission’s Bureau of Consumer Protection.
“Our report found, however, significant differences in how the industry deploys security updates and that more needs to be done to make it easier for consumers to ensure their devices are secure,” he added.
The FTC report, “Mobile Security Updates: Understanding the Issues,” is based on FTC research as well as on the responses to an agency request for information sent to eight mobile device providers: Apple, BlackBerry, Google, HTC America, LG Electronics USA, Microsoft, Motorola Mobility, and Samsung Electronics America.
The February 2018 report concentrates on two major deficiencies in mobile communication protection: the security patching process and proper notification for consumers.
Variety Presents Security Challenge
The “complexity of the mobile ecosystem means that the security update process for patching operating system software on some mobile devices is intricate and time-consuming,” the FTC report says. While providers have taken steps to streamline the process, improvements are needed for updates to be sent more quickly.
Among key findings in the FTC report:
- The wide array of devices and systems stymies security. Adding to the complexity issue is the manufacturer practice of customizing third-party operating systems at the device level, with the result that “a single operating system update may require dozens or hundreds of different device-level modifications,” causing security updates to take weeks, months, or even years to be completed.
- Consumer notification is spotty. Some providers make security update information available before purchase. Many others either do not do so, or do not provide such information for all of their devices. Few providers or carriers explain that apparently identical devices may receive different levels of support based on different service choices. Generally, providers notify consumers when a security update is available, but most never tell users when support will terminate.
In addition, many manufacturers do not maintain regular records about update support and other security-related decisions, the FTC found, and telecom carrier involvement in the security update process can provide stability, but it may also lead to delays.
The FTC proposed several recommendations for improvement:
- Designing for security. Industry should build security into the support culture and further embed security support considerations into product design, consistent with the costs and benefits of doing so. To that end, industry should ensure that devices receive security updates for a period of time consistent with consumers’ expectations.
- Updates can’t wait. Companies should continue streamlining the security update process. In particular, manufacturers should consider issuing security-only updates instead of bundling security patches with general software updates.
- Better record keeping. Manufacturers should consider keeping better records about update decisions, support length, update frequency, and update acceptance so that they can learn from their past practices.
- Disclosed support periods. Providers should consider adopting and disclosing minimum guaranteed support periods for their devices and notifying consumers when support is about to end, the FTC said.
A Regulatory Caution Flag
Providers of mobility devices and services across the board might find the report provides useful guidance to avoid enforcement actions by the FTC.
Typically, the FTC uses reports and workshops to highlight an area of concern and then follows up with an enforcement case, said Reed Smith’s Stegmaier.
“It’s a process of ‘legislation by consent decree,’” he told the E-Commerce Times, “which the agency uses in preference to a limited ability for rulemaking.”
The report puts the industry on notice that adoption of the FTC’s recommendations is important, suggests a commentary Stegmaier coauthored with law firm colleagues. It provides guidance on “reasonable expectations” for mobile device security.
The FTC “may be offering a not-so-subtle hint that failure to meet its recommendations could constitute unfair practices” under the FTC Act, according to Stegmaier et al.
The FTC has been cautious about getting into prescriptive regulation of specific products, Stegmaier said. Still, the guidance in the report could be applied to a broad range of mobile operations, including certain automobile technologies, wearables, and even emerging Internet of Things devices and applications.
“I think this report probably marks the beginning of the FTC regulating security updates through consent agreements and other guidance, rather than formal rules,” said Christopher Ford, a member of the cybersecurity and privacy group at Debevoise & Plimpton.
Based on the outcome of a recent FTC privacy case, “companies should be paying attention to everything the FTC says for indications of how they might approach enforcement in the future,” he told the E-Commerce Times.
The mobility report “is no exception,” Ford remarked.
“The FTC’s findings and recommendations in this report can easily be generalized to apply to any Internet-connected device, and it would certainly be reasonable for IoT device manufacturers to expect that the FTC could apply the guidance and expectations contained in this report to their products in the future,” Ford said.
The FTC report “puts the onus on companies to monitor how consumers respond to their security updates — meaning that just releasing a security update may not be enough,” cautions a Debevoise & Plimpton commentary directed to providers.
The FTC’s interest in mobile security updates and notification procedures could be more of an evolutionary development rather than a fresh enforcement initiative, given the agency’s long interest in mobile privacy issues, said Catlin Meade, an associate at Covington & Burling.
FTC reports “can be helpful in setting a baseline for how to think about compliance and understanding which issues may be foremost in the FTC’s mind,” she told the E-Commerce Times.
However, “sometimes these reports merely are the result of information collected by the agency and are not indicators of areas of likely enforcement activity,” Meade noted.
Ultimately, the FTC evaluates conduct against the standards of the FTC Act, and “it always is possible that companies whose practices do not align with the FTC’s thinking may be subject to an inquiry and potentially an enforcement action,” she said.
Telecom providers also need to recognize the results of the FTC report, which mentioned the sector even though much of the report concerned device makers.
“The FTC is limited in its ability to bring enforcement actions against telecommunications carriers because of the ‘common carrier’ exemption in the FTC Act,” noted Yaron Dori, a partner at Covington & Burling.
A federal appeals court recently ruled that this exemption does not extend to the non-common carrier activities of telecom providers, he told the E-Commerce Times. “As a result, the FTC’s authority may be broader today than some previously argued when it comes to the telecommunications sector.”