Let’s Go Crazy: The FTC and FCC Launch “Parallel” Investigations Into Security Updates of Mobile Communications Industry
Earlier this week, the FTC and FCC announced “parallel” investigations into how carriers and mobile device makers release information on vulnerabilities, and how and when mobile security patches are distributed. The regulators, who have publicly jockeyed for position on privacy and cybersecurity matters in the past year, appear to have reached a truce of sorts, allowing each agency to examine industry players within its core jurisdiction.
The FTC’s investigative orders, focusing on the devices and underlying operating systems, target Apple Inc., Blackberry Corp., Google, Inc., HTC America, Inc., LG Electronics USA Inc., Microsoft Corp., Motorola Mobility LLC and Samsung Electronics America, Inc.
The FCC’s investigation will focus on carriers: AT&T, Verizon Communications, Inc., T-Mobile USA Inc., Sprint Corp., U.S. Cellular and Tracfone Wireless Inc. Both agencies requested responses within 45 days.
The FCC and the FTC are knocking on the door of the mobile communications industry to investigate a series of recent critical security flaws on mobile devices, including the so-called Stagefright vulnerability, which affected nearly a billion Android devices and was discovered last July. Although the Stagefright problem has since been patched, vulnerabilities remain on older devices and may never be patched, leaving them exposed to the Stagefright bug. The FCC noted that “to date, operating system providers, original equipment manufacturers, and mobile service providers have responded to address vulnerabilities as they arise,” rather than creating a more comprehensive and coordinated program to ensure security on older devices.
The FTC asserted that it was launching the investigation to “gain a better understanding of security in the mobile ecosystem.” The agency presented device makers with an extensive list of questions, including details on how each company addresses security vulnerabilities in device software, how software updates are developed, tested and deployed, and how each determines whether a specific device model will receive a security update to address a known vulnerability.
The FCC, for its part, sent carriers 20 questions related to any barriers or hurdles faced in releasing security updates, barriers or hurdles in getting consumers to install updates, and how carriers and device makers allocate responsibility for the security update process.
Despite the coordinated timing and subject matter of the FTC and FCC inquiries, signs of discord remain. While the FCC described its inquiry as part of a “longstanding partnership” with the FTC and vowed to “work cooperatively,” the FTC noted somewhat tersely that the FCC was conducting a “separate, parallel inquiry into common carriers’ policies.” It remains to be seen whether the two federal agencies can achieve the kind of coordinated response to cybersecurity issues that they are apparently seeking from the industries they regulate.
While it is perilous to predict whether this initiative will roar into a major government inquiry into the cybersecurity practices of yet another industry, or whether it will fizzle into regulatory obscurity, it is yet another clear indication that federal government agencies believe that they have a role to play in protecting consumers in privacy and cybersecurity matters, in this case users of mobile broadband and telecommunications services.