The FTC has just settled with smartphone and tablet maker HTC over millions of devices that had been insecurely logging customer data, opening up consumers to all kinds of malware and privacy breaches.
With this settlement, HTC must immediately stop making false promises about how it respects its customers’ privacy. It must also fire up new security measures.
The logging software involved is Carrier IQ and HTC Loggers. Carrier IQ, as you may recall, was embroiled in a public relations/privacy debacle last year over how it logs smartphone user data. However, the FTC wasn’t upset over the software itself; rather, HTC’s lousy implementation was what started the complaint and eventually led to the settlement.
“The FTC’s complaint details several vulnerabilities found on HTC’s devices … as well as programming flaws that would allow third-party applications to bypass Android’s permission-based security model,” reads the FTC’s official statement on the news.
“Due to these vulnerabilities, the FTC charged, millions of HTC devices compromised sensitive device functionality, potentially permitting malicious applications to send text messages, record audio, and even install additional malware onto a consumer’s device, all without the user’s knowledge or consent.”
Carrier IQ’s software monitors how hundreds of millions of consumers use their mobile devices via shortcodes. The software then sends reports related to app performance, signal strength, and battery life back to carriers and manufacturers. As a Carrier IQ rep confirmed to VentureBeat in a previous interview, “The diagnostic data that we capture is mostly historical and won’t reveal where somebody is and what they are doing on a real-time basis.” Presumably, HTC Loggers does approximately the same.
However, the vulnerabilities in HTC’s implementations of these tools were the main cause for concern. Security patches are being rolled out to affected consumers now, the FTC said. FTC employees answered questions about the issues at hand via Twitter today from noon until 1 p.m. Eastern Time; interested parties can follow the hashtag #FTCpriv.