The Federal Trade Commission (FTC) “is seeking to compile data concerning policies, procedures, and practices for providing security updates to mobile devices offered by unnamed persons, partnerships, corporations, or others in the United States.” The May 6, 2016 FTC Order requested that “Apple, Inc.; Blackberry Corp.; Google, Inc.; HTC America, Inc.; LG Electronics USA, Inc.; Microsoft Corp.; Motorola Mobility, LLC; and Samsung Electronics America, Inc.” provide the following:
- the factors that they consider in deciding whether to patch a vulnerability on a particular mobile device;
- detailed data on the specific mobile devices they have offered for sale to consumers since August 2013;
- the vulnerabilities that have affected those devices; and
- whether and when the company patched such vulnerabilities.
Section 3i Security Update Processes in the Order also includes a requirement about software licensing including the following
i. Licensing terms or other contractual obligations that require the device manufacturer or any other entities to develop, test, or deploy security updates
ii. Communication of vulnerability information to device manufacturers or other entities involved in the development, testing, or deployment of security updates;
iii. Development support (e.g., software code, instructions, or other information or material) the Company provides for the development, testing, or deployment of security updates; and
iv. Any other assistance the Company provides to address security vulnerabilities in such device software.
After the FTC gets this information it will be interesting to see what happens next.