HTC Settles with FTC Over Software Security Complaints
The FTC said HTC America reached a tentative settlement over charges that the company’s failure, until at least November 2011, to take “reasonable steps” to secure the software used on its smartphones and tablets constituted “unfair or deceptive acts or practices” (http://1.usa.gov/YHPOtt). The agency accused the maker of consumer electronics of not using “well-known and commonly-accepted secure programming practices ... which would have ensured that applications only had access to users’ information with their consent."
HTC didn’t adequately assess or prepare for potential security vulnerabilities in its products and didn’t institute a process for collecting security vulnerability reports, the FTC said (http://1.usa.gov/ZnAdjA). The FTC decided to pursue the case based on the “risk of substantial harm to consumers” because of the types of information and device functionality involved, said Nithan Sannappa and Jonathan Zimmerman, attorneys in the commission’s Privacy and Identity Protection division, during a Friday news conference on Twitter (http://bit.ly/VUYlwY). The case is the first to deal with software security as an unfair or deceptive practice, they said (http://bit.ly/WfJg3R).
HTC’s efforts at customizing software for its products introduced “permission re-delegation” vulnerabilities that allowed one application that has permission to access sensitive information to provide that information to other applications that do not seek that permission, the FTC said. Those vulnerabilities “undermined the Android operating system’s permission-based security model,” the commission said. HTC could have prevented those vulnerabilities by including well-known “permission check” code in its software, the FTC said. Without that code, applications could exploit those vulnerabilities and gain access to sensitive information or enable device functions like the microphone or geolocation information, the commission said. One of those applications, Carrier IQ, was a source of controversy in 2011 when consumer advocates raised concerns about how the software was collecting and transmitting sensitive data (CD Dec 5/11 p12). The FTC also claimed HTC’s user manuals contained deceptive security representations.
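The re-delegation pattern the FTC describes, as an added illustration that is not from the consent order or from HTC’s software: a hypothetical pre-installed Android service that holds the location permission and is exported to other apps, shown without and with the “permission check” code the commission refers to. The class, transaction code and message text are invented; only standard Android framework APIs are used.

```java
// Added example (hypothetical, not HTC code). The hosting app declares
// ACCESS_FINE_LOCATION in its own manifest, so the framework lets it read location;
// the re-delegation question is whether the *calling* app is also checked.
import android.Manifest;
import android.app.Service;
import android.content.Intent;
import android.location.Location;
import android.location.LocationManager;
import android.os.Binder;
import android.os.IBinder;
import android.os.Parcel;
import android.os.RemoteException;

public class LocationProxyService extends Service {
    static final int TRANSACTION_LAST_LOCATION = IBinder.FIRST_CALL_TRANSACTION;

    // Vulnerable form: any app that can bind to this exported service receives a
    // location fix even if it never requested ACCESS_FINE_LOCATION. Android only
    // checks the permission of the process calling LocationManager, i.e. this one.
    Location lastLocationUnchecked() {
        LocationManager lm = (LocationManager) getSystemService(LOCATION_SERVICE);
        return lm.getLastKnownLocation(LocationManager.GPS_PROVIDER);
    }

    // Hardened form: re-check the permission against the remote caller's identity
    // before acting on its behalf. enforceCallingPermission() throws
    // SecurityException when the caller's UID lacks the permission.
    Location lastLocationChecked() {
        enforceCallingPermission(Manifest.permission.ACCESS_FINE_LOCATION,
                "caller must hold ACCESS_FINE_LOCATION");
        LocationManager lm = (LocationManager) getSystemService(LOCATION_SERVICE);
        return lm.getLastKnownLocation(LocationManager.GPS_PROVIDER);
    }

    // Equivalent declarative fix in the manifest, so the framework refuses the bind:
    //   <service android:name=".LocationProxyService" android:exported="true"
    //            android:permission="android.permission.ACCESS_FINE_LOCATION" />
    @Override
    public IBinder onBind(Intent intent) {
        return new Binder() {
            @Override
            protected boolean onTransact(int code, Parcel data, Parcel reply, int flags)
                    throws RemoteException {
                if (code != TRANSACTION_LAST_LOCATION) {
                    return super.onTransact(code, data, reply, flags);
                }
                // Inside onTransact, Binder.getCallingUid() is the remote app, so the
                // check in lastLocationChecked() applies to the right identity.
                reply.writeParcelable(lastLocationChecked(), 0);
                return true;
            }
        };
    }
}
```

Replacing lastLocationChecked() with lastLocationUnchecked() in onTransact reproduces the gap the FTC describes: the permission-based model is bypassed because the check is performed on the wrong process.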
HTC has already begun to create and distribute security patches that will fix the vulnerabilities, as part of the settlement, the FTC said in its proposed consent order. Many consumers have already received the security patch, and the commission said it encouraged customers who have not installed the patch to do so “as soon as possible.” HTC did not publicly acknowledge whether the FTC’s allegations were true. The company is “committed to improving practices that help safeguard our customers’ devices and data,” HTC said in a written statement that was separate from the proposed settlement. The company said it’s worked with carriers to fix the vulnerabilities on a “majority” of devices released after December 2010. “We're working to rollout the remaining software updates now and recommend customers download them once available,” HTC said. The company will also need to establish a “comprehensive” program to address security risks during the development of its devices, and must undergo independent security assessments every other year for the next 20 years, the FTC said. HTC will also be prohibited from making “false or misleading” statements about the security or privacy of consumers’ data, the commission said (http://1.usa.gov/ZnAao3).
HTC’s settlement is evidence that consumer privacy will remain a “top priority” for the FTC during 2013, Sannappa and Zimmerman said (http://bit.ly/VBFswq). The commission released a business guide earlier this month to encourage app developers to “aim for reasonable data security” (http://1.usa.gov/WHnV5W). The FTC said it will also host a public forum on malware and other mobile security threats June 4 (http://1.usa.gov/UQEDAW).
The settlement “sent a strong signal to the mobile marketplace that consumers’ sensitive information must be safeguarded,” said Rep. Ed Markey, D-Mass., in a statement. “Consumers should know and have the ability to say ‘No’ to software on their mobile devices that is surreptitiously sending their personal data.” Markey said he plans to reintroduce the Mobile Device Privacy Act this Congress. He and Rep. Diana DeGette, D-Colo., originally introduced the bill in September (CD Sept 13/12 p3). It would “provide greater transparency into the sending of consumers’ personal information and empower consumers to prevent such transfer,” Markey said in his statement.
Commissioners Julie Brill, Edith Ramirez and Joshua Wright voted to accept the settlement with HTC. Chairman Jon Leibowitz didn’t participate in the vote, while Commissioner Maureen Ohlhausen recused herself. Comments on the proposed consent order are due March 22, after which the FTC will decide whether to approve it.