Regulators Probe Google, Apple, Carriers on Mobile Security

The Internet Law Resource Center™ is the complete information solution for practitioners in cyberlaw. Follow the latest developments on ICANN’s gTLD program, keyword advertising, online privacy,...

May 9 — The Federal Communications Commission and Federal Trade Commission have launched coordinated inquiries into how Google Inc., Apple Inc., and other mobile device manufacturers and wireless carriers deal with security updates intended to address known device vulnerabilities.

The FTC is requiring eight mobile device makers — Google, Apple, Samsung Electronics America Inc., Microsoft Corp., Blackberry Corp., Motorola Mobility LLC, HTC America Inc. and LG Electronics USA Inc. — to supply information on their security updates. The agency wants companies to report, among other information, which factors lead them to decide whether to patch a vulnerability; what vulnerabilities have been found on all devices sold since August 2013; and whether those vulnerabilities were patched.

The FCC is asking wireless carriers about their role in the deployment of security updates. FCC spokesman Neil Grace told Bloomberg BNA that the agency sent inquiry letters, which included a questionnaire on company knowledge and practices involving security updates, to AT&T Inc., Verizon Communications Inc., T-Mobile US Inc., Sprint Corp., U.S. Cellular Corp. and TracFone Wireless Inc.

Officials from both agencies told Bloomberg BNA that the inquiries are information-gathering exercises; there are no immediate plans to use company responses to drive further actions, such as enforcement or drafting new rules. The two agencies will be cooperating and collaborating throughout their inquiries and will share information, officials said.

A sample FCC questionnaire included 20 questions on issues such as whether carriers face hurdles in releasing security updates; if they know whether a subscriber has installed an update; whether unpatched devices can harm a network; and how long it takes to release security updates after learning of a vulnerability.

Four of the sample FCC questions deal specifically with Stagefright, the collective term for a set of bugs discovered last year in Google's Android operating system. Stagefright allows hackers to remotely execute code on a targeted Android phone, potentially taking control of device elements such as the camera, microphone and display. The FCC wants to know when and how carriers became aware of Stagefright; how many device models on each carrier's network were affected; and how many models are still vulnerable.

Companies will have 45 days from the date of an inquiry to respond to both agencies.

John Marinho, vice president of technology and cybersecurity at CTIA — The Wireless Association, a wireless industry trade group, said in a statement there is a “very strong partnership” already in place among carriers, device makers and operating system providers regarding security. CTIA spokeswoman Amy Storey told Bloomberg BNA the organization is concerned the inquiries may be overbroad and could lead to a “one size fits all” regime with adverse consequences for the mobile sector.

To contact the reporter on this story: Kyle Daly in Washington at

To contact the editor responsible for this story: Keith Perine at

For More Information

Sample text of the FTC's order to device makers is available at:

Sample text of the FCC letter wireless carriers is available at:

A sample FCC questionnaire sent to wireless carriers is available at: