By: Tatiana G. King
According to a press release by the FTC, HTC, the company that just last week debuted the HTC One, has settled FTC charges that the “company failed to take reasonable steps to secure the software it developed for their smartphones”.
The charges stemmed from the Carrier IQ debacle back in 2011, when many carriers such as Sprint & AT&T, and hardware makers themselves, were found to be using the Carrier IQ diagnostic program. While innocuous on the surface, Carrier IQ collected loads of sensitive data about users through their actions on their smartphones. HTC's Carrier IQ interface, used on its Android smartphones, was found to be full of security holes that allowed this same sensitive data to be intercepted and possibly exploited by any third-party application. Sensitive information collected by Carrier IQ included “GPS-based location information; web browsing and media viewing history; the content of incoming text messages, etc.” The FTC has suggested that had HTC taken precise action to plug these holes and released fixes in a timely manner, HTC may have prevented some huge security vulnerabilities in the customized software on its phones. The FTC has also contended that HTC was engaging in deceptive practices with consumers. One of them was that the user of an HTC Android-based mobile device would be notified when a third-party app required access to the user's personal data in order to function, when in fact HTC’s software wouldn’t alert the user at all.
Basically, the FTC has stressed that HTC did not do enough to protect its users and therefore should be put on blast. While the settlement does not mention any financial dues owed, the FTC has stated that the settlement requires HTC to develop and release software patches to fix security vulnerabilities in the millions of devices running its software (no word on which devices or which version(s) of Android fall under this settlement). HTC must also establish a security program and “undergo independent security assessments every other year, for 20 years”.
While nowhere near a death sentence, it speaks volumes that the FTC is fairly serious about taking to task hardware makers that allow security issues to fester. According to the FTC’s Twitter account, this is their first case against a mobile device maker and, perhaps, sets a precedent for how they treat future mobile device manufacturers that turn into offenders.