Why Don’t Huge Privacy Flaws Result In Recalled Smartphones?

Image courtesy of 吉姆 Jim Hofman

When a car has a major flaw, like a potentially lethal airbag, it gets recalled. Same for a coffeemaker, or a surfboard, or a prescription drug. But when that major flaw is in a product’s software — like a huge exploit that puts literally a billion consumers’ privacy and personal data at risk — there’s no universal process out there for remedying the situation. Do we need one? And if so, how can we get one?

That’s something a Consumerist reader e-mailed to ask us.

“I don’t understand,” the reader wrote. “If the government can scare Fiat into recalling 1.4 million Jeeps in a week to fix a security bug, why can’t the government force Google, Verizon, and all the other phone makers into a recall to fix an Android bug?”

The TL;DR version of the answer is, as with many things, “because bureaucracy.”

The longer answer is that no government agency really has software oversight. That’s because the always-on, always-connected, mobile and digital era — with the possibility for harms to something other than physical safety — has sprung up a lot faster than the law has been able to keep up.

What Recalls Can Do

Image courtesy of me and the sysop

The web of recalls can be sprawling and confusing, but it all centers around one main theme: physical safety related to physical goods.

There are four agencies that handle recalls in the United States. Each of them works a little bit differently and has different levels of authority, but the thing all four share in common is a focus on health and safety. These agencies are concerned with things that will hurt or kill people, through design, malfunction, or defect.

MORE: HOW RECALLS DO AND DON’T WORK — AND WHY THEY’RE ALL SO DIFFERENT

In general, the four agencies split up the entire realm of goods like so:

  • USDA: Any food involving meat, poultry, or eggs.
  • FDA: All the other food there is. Also drugs; pet food — basically everything ingested really; and medical devices.
  • NHTSA: Anything you can drive, and safety items (tires, child car seats) you put in/on those vehicles.
  • CPSC: More or less literally every physical thing you do not eat or drive.

Those four agencies each draw their authority from a different network of laws and regulations passed over time, so each has a different mandate and set of boundaries.

The agency that pressured Fiat Chrysler to recall 1.4 million scarily hackable Jeeps is NHTSA, the National Highway Traffic Safety Administration.

Fiat Chrysler did, on its own, quickly and voluntarily issue a patch for their cars after Wired’s attention-grabbing news report hit the internet. But the patch didn’t really have any force behind it. The cars can’t be updated over the air, so Chrysler — through press releases — said that owners could either download the update from a website or go to a dealer.

A recall, on the other hand, encourages users to go back to the dealer and requires that the work be performed at no cost. It also emphasizes how severe a flaw is. When consumers hear “recall,” they’re more likely to listen than when they hear “optional software update.”

NHTSA had authority to act in the case of the Jeeps because the software that controls cars can be a physical safety issue. If a chip sends the wrong signals to the accelerator, the brakes, the transmission, or the airbags — among other systems — a car could not only crash but also have the safety systems intended to prevent lives in the event of that crash malfunction. In other words, maintaining the accuracy and security of the software that runs cars is a literal life-or-death situation.

NHTSA also had strong motivation to act quickly when reports made it clear that the wireless Jeep hack could be a safety hazard. The agency has faced a significant amount of criticism in recent months for a decade of missed issues that led to the protracted GM recall, as well as the Takata airbag recall.

Similarly, the CPSC has also been involved in recalls where bad or exploitable code can affect consumers’ physical safety.

In 2014, Nest smoke detectors had a glitch in the code that would prevent them from actually detecting smoke. Since that’s basically the function of a smoke detector — a lifesaving device — the product was recalled.

That was a bug, not a hack. But if an item like a smoke detector was vulnerable to a hack that had the same effect, putting consumer safety at risk, the CPSC could act there, too.

That’s why some products have been and can continue to be recalled. But what of items that put you at risk without literally killing you?

How Do We Fix The Future?

Image courtesy of Great Beyond

Given all this, the questions we are left with are: who, if anyone, could be the right regulators for this sort of stuff in the future? And are any agencies currently working on a solution to this problem?

Privacy and security issues don’t really fall under the auspices of food, agriculture, or consumables, so the FDA and USDA are right out. NHTSA is specifically related to car safety, and they’re already on that. So as far as our existing set of agencies goes, that leaves the CPSC.

We checked in with the CPSC, to see if they would ever envision or consider expanding their recall scope in the future.

They, in turn, quickly reminded us that the CPSC’s authority comes from Congress, and the mandate Congress gave them is very clearly “addressing unreasonable and substantial risks of physical harm from consumer products.”

In other words, for the CPSC ever to get involved, Congress would have to alter and expand the agency’s mandate significantly. And in the current political environment, any plan that involves Congress expanding regulation of anything is a non-starter. So no, the CPSC is not ever likely to have that authority.

But we do have a regulatory agency already tasked with protecting consumers when it comes to privacy and data: the FTC.

The FTC handles the whole world of privacy and identity issues as well as the internet of things. Those areas of coverage include hacks, scams, and the entire world of big data.

Although the FTC may at first seem like a strange place to find this particular branch of consumer protection, the evolution of it makes sense. After all, the agency has been in charge of “unfair or deceptive practices that affect consumers” for years.

That includes honesty in advertising, as well as oversight about just how consumer data can be used and collected, and how much businesses collecting, buying, selling, trading, and otherwise sharing that information have to tell you about what they’re doing. Because doing all that without disclosing it can easily lead to unfair behavior that disadvantages consumers.

The FTC even makes it really easy to file a complaint about the way a company handles your personal data.

The FTC even makes it really easy to file a complaint about the way a company handles your personal data.

Among the many issues about which the FTC lets consumers lodge complaints online are problems with mobile plans, devices and service; software or app concerns; any online services or websites; viruses, spyware, and malware; and data breaches, among many others. The complaint site even actively points out how consumers can report concerns about the way in which a company is handling personal information.

So we’ve found the right agency — but in the face of an issue like Stagefright, what can the FTC actually do?

The answer here, is “not much,” but that, too, goes directly back to Congress. Aside from a few narrow exceptions relating to credit reporting and childrens’ privacy (and health/medical data, which doesn’t fall under FTC jurisdiction), there are no federal laws protecting consumer privacy.

In short: no agency or commission can enforce rules that do not actually exist.

The FTC’s authority is derived from a whole pile of rules and laws passed over time, but the overarching rule is the FTC Act (PDF), which was written deliberately to be broad and adaptable. That allows the FTC to be involved in privacy in a general sense, but does not specifically provide the kind of recall or enforcement authority that other agencies may have.

The FTC has recommended several times that Congress take action to enact some kind of privacy law. After releasing a major report on consumer privacy in 2012, the commission joined the White House in urging Congress to adopt a basic set of privacy principles. The Obama administration renewed its efforts to make that happen this year, but so far there’s still been no meaningful action in either the House or the Senate on that legislation — nor is there likely to be.

In the end…

Government agencies can only protect consumers’ interests when there are laws on the books allowing them to do so. For now, we’re still all at the mercy of businesses that respond to bad PR as fast and as thoroughly as they can… which is often still not enough.

Without legislation or lawmakers acting to protect consumers’ privacy and data, we’re pretty much stuck. In order for any change to happen, consumers will have to tell Congress what they think.