Privacy & Information Security Law Blog

On February 28, 2018, the Federal Trade Commission issued a report, titled Mobile Security Updates: Understanding the Issues (the “Report”), that analyzes the process by which mobile devices sold in the U.S. receive security updates and provides recommendations for improvement. The Report is based on information the FTC obtained from eight mobile device manufacturers, and from information the Federal Communications Commission collected from six wireless carriers.

The Report raises a number of issues concerning the frequency and length of time that mobile devices are patched for security vulnerabilities, including:

• The complexity of the mobile ecosystem leads to a lag time between discovery of vulnerabilities and the issuance of patches.
• Formal support periods and update schedules are rare, and vary widely in application.
• Many device manufacturers fail to maintain regular records about update support decisions, patch development time, carrier testing time, deployment time or uptake rate.
• Manufacturers provide little information to the public about support period, update frequency or end of update support.

While the Commission commends device manufacturers, carriers and operating system developers that have contributed to providing effective security updates, it also makes several recommendations to improve the security update process:

• Consumer Education: Government, industry and advocacy groups should work together to educate consumers about the significance of security update support and consumers’ role in the operating system update process.
• Length of Security Updates: Device manufacturers, operating system developers and wireless carriers should ensure that all mobile devices receive operating system security updates for a period of time that is consistent with consumers’ reasonable expectations.
• Keep and Share Support Data: Companies involved in the security update process should consider keeping and consulting records about support length, update frequency, customized patch development time, testing time and uptake rate; they also should consider sharing this information with partners to fashion appropriate policies and practices.
• Security-only Updates: Industry should continue to streamline the security update process, including by patching vulnerabilities through security-only updates, when the benefits of more immediate action outweigh the convenience of a bundled security-functionality update.
• Minimum Guaranteed Support Periods: Device manufacturers should consider adopting and disclosing minimum guaranteed security support periods (and update frequency) for their devices; they also should consider giving device owners prompt notice when security support is about to end (and when it has ended), so that consumers can make informed decisions about device replacement or post-support use.