More expensive devices receive much stronger security protections.
This piece was originally posted on Global Voices Advocacy.
When it comes to smartphones, not all users are created equal. Low- and middle-income people around the world mostly rely on affordable Android devices to communicate and share information, but cheaper phones often leave users more vulnerable to online threats and hacking.
According to Strategy Analytics, devices running the Android operating system account for about 88 percent of the global market, with iPhones representing almost all of the remaining 12 percent. But not all Android devices are created equal, either: Models that are made and controlled directly by Google, like Nexus and Pixel smartphones, have significantly stronger protection against hacking than devices made by manufacturers like Samsung, Huawei, Sony, and Xiaomi. They are also much more expensive, about on par with iPhones.
As a result, wealthier users who can afford to purchase new high-end devices every few years are protected from many threats that the majority of users—who use cheaper or used models, and don’t replace them as often—are vulnerable to.
This means that the people who can least afford it are the most vulnerable to fraud, identity theft, predatory scams, cyberstalking and harassment, and other harms a person can suffer when their digital privacy is violated.
This is a serious but poorly understood inequality issue worldwide. New research from Ranking Digital Rights—a nonprofit research initiative that evaluates the world’s most powerful internet, mobile, and telecommunications companies’ practices affecting user rights—found that companies fail to communicate basic information about how their smartphones (and the software that powers them) affect users’ safety. (I work for Ranking Digital Rights, which is affiliated with the think tank New America; New America is a partner with Slate and Arizona State University in Future Tense.)
Everything we do on a mobile device creates digital traces that can then be used to paint a very revealing portrait of who we are, what we do, what we buy, and even what we think. This data is valuable to marketers but also to governments, criminals, and anyone else who might want to do us harm.
Researchers are always finding new technical flaws in mobile software that attackers (including state-sponsored actors) can exploit, allowing them to install spyware or even take over devices remotely, simply by sending their victim a text message. Global Voices has covered a number of these cases, targeting Iranian activists, Tibetan internet users, and others.
While some users receive security “patches,” or updates from the software manufacturer that fix the problem, others do not. And device manufacturers often don’t explain to users why the updates matter.
Many companies run “responsible disclosure” programs to encourage those who discover bugs or technical problems to report them, so the company can develop a fix and get it out to the devices running the software, usually by way of a software update. This works fairly well from the perspective of Apple and Google—the two companies that produce the software that powers 99.6 percent of the world’s smartphones. Last summer, a group of security researchers led by Bill Marczak, then a University of California–Berkeley graduate student, discovered that the government of the United Arab Emirates was using an extremely sophisticated, previously unknown method to attack human rights defenders, with the aim of turning their iPhones into bugs that recorded everything around them. Fortunately, Emirati dissident Ahmed Mansoor didn’t fall for the attack. Instead, he alerted Marczak and his colleagues, who in turn reported it to Apple. Apple engineers worked overtime to get a patch out to users in less than a month. The Android security team is just as diligent.
The trouble happens with other Android hardware manufacturers like Samsung, HTC, and Xiaomi.
For a variety of reasons, these manufacturers modify the Android open-source operating system software in ways that make it more difficult to deliver software updates. The code that Google releases has to be modified to match the changes that were made to the operating system itself. Cellphone companies can also make modifications on top of the ones made by the device maker, adding yet another step to the process and further delaying the delivery of software updates. Apple doesn’t allow such changes to iOS, and Google controls the update process for Nexus and Pixel handsets purchased from the Google Store.
As a result, at any given time there are millions of Android users whose devices are vulnerable to known exploits—attacks that are publicly known to the global IT-security community. It’s like locking your front door with a key that hundreds of people have copies of. And because these devices are significantly cheaper than Nexus and Pixel models or iPhones, people who are poor, socially marginalized, and less tech-savvy—the same people who are most likely to access the internet exclusively through smartphones—are the ones most likely to bear the greatest risk of attacks.
Recognizing this as a serious issue, the U.S. Federal Trade Commission and Federal Communications Commission launched a joint investigation in May 2016 specifically into the delivery of mobile security patches, though more than a year later, neither agency has published responses from companies. According to data published recently by Google, just half of all Android devices received a security patch in 2016, and only about 3 percent of devices worldwide are running the latest version of the operating system, “Nougat.”
Ranking Digital Rights’ 2017 Corporate Accountability Index compares publicly available disclosures and commitments affecting users’ human rights, including freedom of expression and privacy, for 22 global internet and telecommunications companies. It includes Samsung, which holds the largest share of Android devices worldwide, as well as 10 global telecommunications providers. None of the 11 companies involved in distributing Android software updates (other than Google) disclosed any information on the changes they make to the stock version of Android, or how those changes affect the delivery of security updates.
Moreover, of Google, Apple, and Samsung, only Google specified the date through which different device models were guaranteed to receive updates. Nexus and Pixel devices are guaranteed to receive software updates for at least two years from when the device became available on the Google Store, and to receive security patches for at least three years from when the device first became available or at least 18 months from when the Google Store last sold the device, whichever is longer.
It would be ideal if Google extended that time period further, but at least it clearly communicates this commitment to users, unlike Apple and Samsung. We depend on our smartphones for so much—and low-income people without broadband or computers at home depend on them the most. Rich or poor, we all deserve to know how long they will be safe to use, and what companies are doing to keep us safe.
Future Tense is a collaboration among Arizona State University, New America, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture. To read more, follow us on Twitter and sign up for our weekly newsletter.