Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in Consumer Privacy, Cybersecurity & Data Breaches, Privacy & Security Litigation

A Duty to Patch? FTC Settles First Case Against a Mobile Device Manufacturer, Describes Company’s Obligation to Implement Software Security

In the first enforcement action by the FTC against a mobile device manufacturer, the FTC on February 22 announced that HTC America (HTC) had settled charges alleging that the company had engaged in unfair practices and falsely or misleadingly represented whether third-party and HTC applications could access users’ personal information.  In settling the FTC’s charges, HTC has agreed to address security vulnerabilities on its devices, implement a comprehensive security program, and undergo biannual security assessments over the next twenty years.  On the same day that it announced the HTC settlement, the FTC also announced that it will hold a public forum on June 4 to discuss threats to mobile devices. 

This case is a significant development, particularly for companies who manufacture software or who incorporate it into the products and systems they sell to the consumer market:   

  • Just as privacy policy statements are carefully reviewed before publication, security-related statements made by companies should regularly be evaluated for their consistency with actual practices.
  • Despite the challenge to its foundational authority posed in FTC v. Wyndham, the Commission remains confident in its ability to use its unfairness authority under section 5 of the FTC Act to pursue businesses that fail to implement “reasonable and appropriate security practices.”
  • The FTC Technologist’s blog on the HTC settlement, while not a formal statement of the Commission’s views, describes the applicability of the reasoning used in this case to the rapidly increasing number of systems reliant upon embedded software.

Our summary of the FTC’s complaint and proposed settlement follows.

HTC manufactures mobile devices running on the Android operating system.  To differentiate its products from others on the market, HTC installs customized applications (apps) on its smartphones and tablets.  The FTC alleged that that HTC “failed to employ reasonable and appropriate security in the design and customization” of its custom-made software.  According to the FTC, HTC’s security training, security testing, risk assessment procedures, and programming practices were inadequate.  This allegedly resulted in the introduction of security vulnerabilities into tens of millions of HTC devices and exposed HTC device users to financial and physical harm.  These vulnerabilities could have been avoided, the FTC claims, had HTC “implemented readily-available, low-cost measures.”  The FTC complaint does not, however, specify any particular harms suffered by individuals. 

As the FTC’s complaint notes, Google’s Android operating system uses permissions to secure sensitive information and device functions like geolocation, text messages, contact information, and microphones.  Third-party apps must declare whether they will access sensitive information or device functions.  Before a user installs a third-party app, the Android system lets the user know what sensitive information or device functions the app has declared that it will access.  And the user must permit the app access to the declared information or functions to complete the installation process.  The problem with the HTC devices, according to the FTC, was that third-party applications could access sensitive information and device functions even without declaring their intent to do so.  The FTC offered several illustrations of how this could happen, including permission redelegation, application installation vulnerability, insecure communications, and debug code issues:

  • Permission Redelegation:  This occurs when an app that is permitted to access sensitive information or functionality “bestows” its permissions on another app that does not have those permissions.  Unauthorized apps ask an authorized app to work on their behalf.  HTC allegedly installed a voice recorder app that did not check whether third-party apps calling on it had received user authorization to access the microphone.  This omission, the FTC claims, allowed third-party apps to record conversations without users’ knowledge.  And permission-redelegation vulnerabilities allegedly exposed location information and text messaging functions, allowing third-party apps to surreptitiously track users and send text messages to premium numbers that billed to users’ accounts.
  • Application Installation Vulnerability:  HTC allegedly pre-installed an app that could authorize the download and installation of apps without users’ knowledge.  This app did not check the permissions of other apps calling on it to download additional apps.  Any third-party app could therefore command the pre-installed app to download applications, including malicious software. 
  • Insecure Communications:  HTC installed logging applications on its devices to allow HTC and network operators to diagnose problems with the devices or wireless networks.  These apps allowed HTC and network operators to access the contents of text messages, location information, information about users’ contacts, browsing history, the keys pressed by users, and other information.  Because HTC allegedly used an insecure communications mechanism, any third-party app with access to the Internet could communicate with the logging apps and access all the information available to HTC and network operators.
  • Debug Code:  Developers sometimes use a “debug code” to test whether apps are functioning properly.  For one of the logging applications, HTC allegedly used a debug code to record the information sent by the logging app to HTC to the Android system log on the device.  This allowed HTC developers to review whether the logging app was sending all the required information.  The FTC claims that the company did not deactivate this debug code before shipping devices to users.  Therefore, all of the information sent to the logging app was recorded on the device and would have been available to any third-party app permitted to read the system log.  Users may have permitted apps to read the system log, not knowing how much information the log contained. 

These vulnerabilities, the FTC claims, exposed HTC users to financial and physical risks because third-party apps could surreptitiously to track HTC users, record phone conversations, send text messages to premium numbers, compile profiles of users to facilitate spear-phishing campaigns, and obtain users’ financial account numbers and related access codes. 

HTC was charged with engaging in unfair security practices due to its alleged failure to implement low-cost, readily-available measures to avoid the security vulnerabilities.  The FTC also claimed that HTC made false or misleading representations in its user manuals and an error reporting tool.  The user manuals represented that the Android system would notify users when apps requested access to sensitive information or device functions.  And the error report tool suggested that users had a choice of whether to provide HTC with geolocation information even though the alleged debug-code vulnerability made geolocation information available to HTC whenever the reporting tool was used. 

The HTC settlement is yet another indication that the FTC is paying keen attention to mobile issues.  This year, the Commission released guidance on mobile privacy disclosures, settled with a mobile app developer that allegedly deceived app users by collecting personal information without adequate notice, and settled its first FCRA suit involving mobile apps

Businesses with a stake in the mobile ecosystem – and indeed any consumer-facing business reliant upon embedded software — would be prudent to evaluate whether their security and privacy practices align with FTC expectations.  Along with the privacy disclosure guidance mentioned above, the FTC has released Mobile App Developers: Start with Security, which contains recommendations for app developers and is mentioned in the FTC’s release regarding the HTC settlement.  That guidance recommends that developers implement a “security-by-design” approach. 

 James Denvil, an associate in our Washington office, contributed to this entry.