The American Civil Liberties Union has filed a complaint with the US Federal Trade Commission (FTC) concerning how AT&T, Verizon, Sprint and T-Mobile, despite having sold millions of smartphones, fail to update their customised versions of Android to fix security vulnerabilities. "Android smartphones that do not receive regular, prompt security updates are defective and unreasonably dangerous", says the ACLU. It notes that there is widely distributed malware which takes advantage of vulnerabilities for which Google has fixes available, but those fixes have not made it to the "vast majority of consumer devices". Those consumers are also typically on postpaid contracts of two years and are locked into the devices which are not getting the updates they need.

The problem is that, although Google delivers security fixes, the customised versions of Android created by the carriers appear not to be updated and the carriers appear to be unable to send out updates to users. Even where they are able to upgrade the devices' operating system, it is often just not done. Beyond operating system flaws, the ACLU notes that the stock browser on Android is not updated regularly and Google's Chrome for Android is only available for Android 4.0 and later. Many users cannot make use of Chrome, as around 44 per cent of Android users are still on 2011's Android 2.3.

Given this, the ACLU alleges that the mobile carriers are actually engaging in deceptive practices by not revealing the issues with these smartphones to consumers, not attempting to remedy those problems and keeping the user locked in to a contract. The ACLU asks the FTC to bring in requirements that the users of carrier-supplied phones with known vulnerabilities be warned by the carriers and that those customers be able to terminate their contract without penalty if they do not receive prompt security updates. The complaint also asks that carriers who have not been updating their phones either offer consumers an exchange for a regularly updated phone or give refunds for the original purchase price of the device. With such a requirement hanging over carriers, it would be much more likely that they would opt to deliver prompt security updates instead.

(djwm)