The Federal Trade Commission announced a proposed settlement with mobile device manufacturer HTC America over its smartphone and mobile devices. The FTC had charged that HTC “failed to take reasonable steps to secure the software it developed for its smartphones and tablet computers, introducing security flaws that placed sensitive information about millions of consumers at risk.” The public can comment on the settlement (see below). The FTC said:
The settlement requires HTC America to develop and release software patches to fix vulnerabilities found in millions of HTC devices. In addition, the settlement requires HTC America to establish a comprehensive security program designed to address security risks during the development of HTC devices and to undergo independent security assessments every other year for the next 20 years.
HTC America, Inc., a leading mobile device manufacturer in the United States, develops and manufactures mobile devices based on the Android, Windows Mobile, and Windows Phone operating systems. […]
Among other things, the [FTC] complaint alleged that HTC America failed to provide its engineering staff with adequate security training, failed to review or test the software on its mobile devices for potential security vulnerabilities, failed to follow well-known and commonly accepted secure coding practices, and failed to establish a process for receiving and addressing vulnerability reports from third parties. […]
Due to these vulnerabilities, the FTC charged, millions of HTC devices compromised sensitive device functionality, potentially permitting malicious applications to send text messages, record audio, and even install additional malware onto a consumer’s device, all without the user’s knowledge or consent. The FTC alleged that malware placed on consumers’ devices without their permission could be used to record and transmit information entered into or stored on the device, including, for example, financial account numbers and related access codes or medical information such as text messages received from healthcare providers and calendar entries concerning doctor’s appointments. In addition, malicious applications could exploit the vulnerabilities on HTC devices to gain unauthorized access to a variety of other sensitive information, such as the user’s geolocation information and the contents of the user’s text messages. […]
The settlement not only requires the establishment of a comprehensive security program, but also prohibits HTC America from making any false or misleading statements about the security and privacy of consumers’ data on HTC devices. HTC America and its network operator partners are also in the process of deploying the security patches required by the settlement to consumers’ devices.
Note that the FTC will allow the public to comment on the proposed settlement (pdf) through March 22, 2013. “Interested parties can submit comments electronically or in paper form by following the instructions in the ‘Invitation To Comment’ part of the ‘Supplementary Information’ section. Comments in paper form should be mailed or delivered to: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex D), 600 Pennsylvania Avenue, N.W., Washington, DC 20580.”