On February 28, 2018, the Federal Trade Commission (“FTC”) issued a report discussing security updates for mobile devices.  The report stems from information the FTC collected from eight mobile device manufacturers — Apple, Blackberry, Google, HTC, LG, Microsoft, Motorola, and Samsung — and from information the Federal Communications Commission (“FCC”) collected from mobile carriers in May 2016. 

The FTC found, among other things, that:

  • The security update process is complex and time consuming, largely due to the customization of third-party operating system software at the device level. This increases the time and cost to develop, test, and deploy updates.
  • Efforts have been made to streamline the security update process, but adoption of these efforts is uneven.
  • Ongoing support and update schedules are variable. Most manufacturers do not provide formal support policies, relying instead on informal assessments of the device’s age, cost to support, vulnerability severity, and other factors.  These manufacturers point to unpredictable variables, such as device popularity, as the reason they are unable to commit to update support schedules.  However, the FTC noted that manufacturers who develop their own operating systems tend to commit to longer support periods because there is less customization of the system for their devices.
  • Several manufacturers do not provide specific information about their support periods and updates to consumers.
  • Manufacturers tend to prioritize new products for update support, specifically more expensive and more popular products.
  • Many manufacturers do not maintain regular records about update support and other security-related decisions.
  • Carrier involvement in the security update process can provide stability, but may also lead to delays.

In response to these findings, the FTC recommends that:

  • Government, industry, and advocacy work together to educate consumers about the update process.
  • Industry “start with security” by embedding security into design and support culture, including: ensuring that mobile devices receive security updates for a period of time consistent with consumers’ reasonable expectations; considering security updates during the product design process; considering whether to document security update support practices in a formal security policy and provide training to personnel involved in the process.
  • Industry consider keeping more consistent records about security support topics, analyzing the data from those records to improve device security, and sharing data with industry partners.
  • Industry continue to streamline the security update process, specifically with respect to bundling, testing, and deployment.
  • Device manufacturers consider providing consumers with more information about their security update support practices, including adopting minimum guaranteed support periods for devices.  The FTC reminds manufacturers that any information provided to consumers about security update support should be truthful, non-misleading, and supported by a reasonable basis so as not to violate Section 5 of the FTC Act.
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Yaron Dori Yaron Dori

Yaron Dori has over 25 years of experience advising technology, telecommunications, media, life sciences, and other types of companies on their most pressing business challenges. He is a former chair of the firm’s technology, communications and media practices and currently serves on the…

Yaron Dori has over 25 years of experience advising technology, telecommunications, media, life sciences, and other types of companies on their most pressing business challenges. He is a former chair of the firm’s technology, communications and media practices and currently serves on the firm’s eight-person Management Committee.

Yaron’s practice advises clients on strategic planning, policy development, transactions, investigations and enforcement, and regulatory compliance.

Early in his career, Yaron advised telecommunications companies and investors on regulatory policy and frameworks that led to the development of broadband networks. When those networks became bidirectional and enabled companies to collect consumer data, he advised those companies on their data privacy and consumer protection obligations. Today, as new technologies such as Artificial Intelligence (AI) are being used to enhance the applications and services offered by such companies, he advises them on associated legal and regulatory obligations and risks. It is this varied background – which tracks the evolution of the technology industry – that enables Yaron to provide clients with a holistic, 360-degree view of technology policy, regulation, compliance, and enforcement.

Yaron represents clients before federal regulatory agencies—including the Federal Communications Commission (FCC), the Federal Trade Commission (FTC), and the Department of Commerce (DOC)—and the U.S. Congress in connection with a range of issues under the Communications Act, the Federal Trade Commission Act, and similar statutes. He also represents clients on state regulatory and enforcement matters, including those that pertain to telecommunications, data privacy, and consumer protection regulation. His deep experience in each of these areas enables him to advise clients on a wide range of technology regulations and key business issues in which these areas intersect.

With respect to technology and telecommunications matters, Yaron advises clients on a broad range of business, policy and consumer-facing issues, including:

  • Artificial Intelligence and the Internet of Things;
  • Broadband deployment and regulation;
  • IP-enabled applications, services and content;
  • Section 230 and digital safety considerations;
  • Equipment and device authorization procedures;
  • The Communications Assistance for Law Enforcement Act (CALEA);
  • Customer Proprietary Network Information (CPNI) requirements;
  • The Cable Privacy Act
  • Net Neutrality; and
  • Local competition, universal service, and intercarrier compensation.

Yaron also has extensive experience in structuring transactions and securing regulatory approvals at both the federal and state levels for mergers, asset acquisitions and similar transactions involving large and small FCC and state communication licensees.

With respect to privacy and consumer protection matters, Yaron advises clients on a range of business, strategic, policy and compliance issues, including those that pertain to:

  • The FTC Act and related agency guidance and regulations;
  • State privacy laws, such as the California Consumer Privacy Act (CCPA) and California Privacy Rights Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Virginia Consumer Data Protection Act, and the Utah Consumer Privacy Act;
  • The Electronic Communications Privacy Act (ECPA);
  • Location-based services that use WiFi, beacons or similar technologies;
  • Digital advertising practices, including native advertising and endorsements and testimonials; and
  • The application of federal and state telemarketing, commercial fax, and other consumer protection laws, such as the Telephone Consumer Protection Act (TCPA), to voice, text, and video transmissions.

Yaron also has experience advising companies on congressional, FCC, FTC and state attorney general investigations into various consumer protection and communications matters, including those pertaining to social media influencers, digital disclosures, product discontinuance, and advertising claims.