September 24, 2020

Volume X, Number 268

Let’s Go Crazy: The FTC and FCC Launch “Parallel” Investigations Into Security Updates of Mobile Communications Industry

Earlier this week, the FTC and FCC announced “parallel” investigations into how carriers and mobile device makers release information on vulnerabilities, and how and when mobile security patches are distributed. The regulators, who have publicly jockeyed for position on privacy and cybersecurity matters in the past year, appear to have reached a truce of sorts,  allowing each agency to examine industry players within its core jurisdiction.

The FTC’s investigative orders, which focus on devices and their underlying operating systems, target Apple Inc., Blackberry Corp., Google, Inc., HTC America, Inc., LG Electronics USA Inc., Microsoft Corp., Motorola Mobility LLC and Samsung Electronics America, Inc.

The FCC’s investigation will focus on carriers: AT&T, Verizon Communications, Inc., T-Mobile USA Inc., Sprint Corp., U.S. Cellular  and Tracfone Wireless Inc.  Both agencies  requested responses within 45 days.

The  FCC and the FTC are knocking on the door of the mobile communications industry to investigate a series of recent critical security flaws on mobile devices, including the so-called Stagefright vulnerability, which affected nearly a billion Android devices and was discovered last July.  Although the Stagefright problem has since been patched, vulnerabilities remain on older devices and may never be patched, leaving them exposed to the Stagefright bug.  The FCC noted that “to date, operating system providers, original equipment manufacturers, and mobile service providers have responded to address vulnerabilities as they arise,” rather than creating a more comprehensive and coordinated program to ensure security on older devices.

The FTC asserted that it was launching the investigation to “gain a better understanding of security in the mobile ecosystem.” The agency presented device makers with an extensive list of questions, including details on how each company addresses security vulnerabilities in device software, how software updates are developed, tested and deployed, and how each determines whether a specific device model will receive a security update to address a known vulnerability.

The FCC, for its part, sent carriers 20 questions related to any barriers or hurdles faced in releasing security updates,  barriers or hurdles in getting consumers to install updates, and how carriers and device makers allocate responsibility for the security update process.

Despite the coordinated timing and subject matter of the FTC and FCC inquiries, signs of discord remain.  While the FCC described its inquiry as part of a “longstanding  partnership”  with the FTC and vowed to “work cooperatively,”  the FTC noted somewhat tersely that the FCC was conducting a “separate, parallel inquiry into common carriers’ policies.”  It remains to be seen whether the two federal agencies can achieve the kind of coordinated response to cybersecurity issues that they are apparently seeking from the industries they regulate.

While it is perilous to predict whether this inquiry will roar into a major government initiative on the cybersecurity practices of yet another industry, or whether it will fizzle into regulatory obscurity, it is yet another clear indication that federal government agencies believe that they have a role to play in protecting consumers in privacy and cybersecurity matters, in this case users of mobile broadband and telecommunications services.

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume VI, Number 134


About this Author


Laura Jehl is a partner in the Business Trial Practice Group in the firm’s Washington, D.C. office. Ms. Jehl is a privacy and cybersecurity expert and serves as Co-Leader of the Privacy and Data Security Practice.

Ms. Jehl has more than two decades of in-house and private practice experience, and has represented clients on a wide range of business and legal matters, including privacy, data security, breach response, litigation and government investigations, crisis management, Internet, digital media, technology and First Amendment matters. Most...

Dave Thomas, Telecommunications Attorney, Sheppard Mullin, Law Firm

Mr. Thomas is a partner in the Business Trial Practice Group in the firm's Washington D.C. office.

Mr. Thomas has a national practice in the telecommunications and broadband communications industries. His practice focuses on the deployment of competitive networks and services, with a particular emphasis on representing broadband providers in matters involving local franchising, rights-of-way, pole attachments, and similar issues.