The FTC announced that it has settled charges against mobile device manufacturer HTC America that the company placed sensitive consumer information at risk by failing to reasonably secure software applications for its mobile phones and tablets. Although the FTC has been concerned with pursuing what it regards as unreasonable data security practices as “unfair or deceptive acts” for years, this is the FTC’s first action against a mobile device manufacturer.  The settlement not only requires HTC to develop security enhancements for the software, but also to implement a comprehensive security program and “undergo independent security assessments every other year for the next 20 years.”

The FTC alleged that HTC failed to employ reasonable and appropriate security practices in at least five ways:

  1. failure to adequately assess the security of its products;
  2. failure to adequately train its engineering staff on privacy and security issues;
  3. failure to conduct assessments to identify potential security vulnerabilities;
  4. failure to follow well-known security practices that would have ensured that applications would only have access to consumer information with their consent; and
  5. failure to have a process to address reported privacy and security concerns.

More specifically, the complaint alleges that customized applications pre-installed by HTC to differentiate its products from other devices running Google’s Android operating system and Microsoft’s Windows Mobile and Windows Phone operating systems failed to include adequate “permission check code[] to protect th[e] pre-installed application from exploitation.”  For example, a third-party application could have commanded one of the pre-installed applications to download and install additional apps without the user’s knowledge or permission -- in other words, without the “permission check code” that the complaint alleges is “simple, well-documented software-code.”  Then these new applications could have accessed, among other information, financial account numbers, user names and passwords, text messages, photographs, and physical location information, as well as sensitive device functionality like the microphone.  FTC also noted a particular concern with malware that could have led to “text message toll fraud,” which occurs when text messages are sent to a premium number without the user’s consent in order to charge fees to the user.

As summarized in the complaint, “[i]n effect, this vulnerability undermines all protections provided by Android’s permission-based security model.”  The FTC alleged that HTC could have prevented these security issues, which were present in approximately 18.3 million devices, through implementation of “readily-available, low-cost measures.” 

In addition to charging that HTC’s failure to implement reasonable security practices was an unfair or deceptive act, the Commission also charged HTC with making at least two false or misleading representations in its user manual.  First, the complaint alleged that the manual’s representation that a user would be notified when a third-party application requested access to personal information was undermined by the vulnerabilities discussed above.  Second, the complaint alleged the user manual was false and misleading by representing that a user’s location data would not be sent to HTC along with an error report unless the user specifically checked a box marked “Add location data.” The complaint alleged that because of the security vulnerabilities discussed above, location data was sent to HTC even where the user did not check the box granting permission.

Shortly after announcing the settlement, the FTC hosted a Twitter chat to answer questions about the highly publicized settlement.  In response to a question about whether there was any evidence that consumer data had been lost, the FTC said that it brought the case because of the “risk” of substantial harm to consumers as well as HTC’s allegedly deceptive practices.  It also reiterated that “consumer privacy continues to be a top priority for FTC.”

This case illustrates the close connection between security practices and representations about privacy; promises about privacy rest in part upon a company’s ability to design, deliver, and support functionality with a privacy and security architecture that delivers upon those promises.  Put another way, design supports privacy.