The final settlement between the Federal Trade Commission and HTC America was agreed upon this Tuesday, and it requires the smartphone manufacturer to implement various security measures. This comes after allegations that the company sold smartphones with bugs that posed a risk to consumers' privacy. The FTC announced the settlement last February, and it has just been finalized after the required public comment period.
As part of the agreement, HTC is required to establish a comprehensive security program that will be assessed by an independent body every year for the next twenty years. The company is also required to release software patches to correct the vulnerabilities in its millions of devices.
Aside from this, the company is also ordered not to make any false advertising claims or misleading statements regarding the security and privacy of consumers' data on HTC devices. Any violation of this order will incur a civil penalty of $16,000 per violation.
The FTC voted 3-0-1 in approving the final settlement orders.
The logging software in question is the diagnostic software CarrierIQ, which was installed on millions of HTC devices with certain code, meant to be used only in testing, left enabled. The FTC’s Bureau of Consumer Protection said that “Because of that mistake, all of the sensitive user data logged by Carrier IQ was also written to the device’s system log, which was accessible to any third-party app with permission to read it.”
CarrierIQ is also supposedly designed to record the user's keystrokes, which are accessible to third-party apps. This means that personal data such as phone numbers, call logs, messages and more can easily be gathered.
Some of the known data that can easily be gathered are:
- the list of user accounts, including email addresses and sync status for each
- last known network and GPS locations and a limited previous history of locations
- phone numbers from the phone log
- SMS data, including phone numbers and encoded text
- system logs