Global Inequality in Your Pocket: How Cheap Smartphones and Lax Policies Leave Us Vulnerable to Hacking

Mobile phone shop in Lusaka, Zambia. Photo by Curious Lee via Flickr (CC BY-NC-SA 2.0)

Written by Nathalie Maréchal. Nathalie is a Senior Fellow with Ranking Digital Rights.

When it comes to smartphones, not all users are created equal. Low and middle-income people around the world mostly rely on affordable Android devices to communicate and share information, but cheaper phones often leave users more vulnerable to online threats and hacking.

Devices running the Android operating system account for 88% of the global market, with iPhones representing the remaining 12%. But not all Android devices are created equal either: models that are made and controlled directly by Google, like Nexus and Pixel smartphones, have significantly stronger protection against hacking than devices made by manufacturers like Samsung, Huawei, Sony and Xiaomi. They are also much more expensive, about on par with iPhones.

As a result, wealthier users who can afford to purchase new high-end devices every few years are protected from many threats that the majority of users — who use cheaper or used models, and don’t replace them as often — are vulnerable to.

This means that the people who can least afford it are the most vulnerable to fraud, identity theft, predatory scams, cyberstalking and harassment, and other harms a person can suffer when their digital privacy is violated.

This is a serious but poorly understood inequality issue worldwide.

New research from Ranking Digital Rights, a nonprofit research initiative that evaluates the world's most powerful internet, mobile and telecommunications companies’ practices affecting user rights, found that companies fail to communicate basic information about how their smartphones (and the software that powers them) affect users’ safety.

Everything we do on a mobile device creates digital traces that can then be used to paint a very revealing portrait of who we are, what we do, what we buy and even what we think. This data is valuable to marketers but also to governments, criminals, and anyone else who might want to do us harm.

An MTN vehicle in Uganda, November 28, 2005, CC 2.0.

Researchers are always finding new technical flaws in mobile software that attackers (including state-sponsored actors) can exploit, allowing them to install spyware or even take over devices remotely, simply by sending their victim a text message. Global Voices has covered a number of these cases, targeting Iranian activists, Tibetan internet users, and others.

While some users receive security “patches” or updates from the software manufacturer that fix the problem, others do not. And device manufacturers often don’t explain to users why the updates matter.

Many companies run “responsible disclosure” programs to encourage those who discover the bugs or technical problems to tell them about it, so they can then develop solutions and get them out to the devices running the software, usually by way of a software update.

This works fairly well from the perspective of Apple and Google — the two companies that produce the software that powers 99.6 percent of the world’s smartphones. Last summer, a group of security researchers led by Bill Marczak, then a Berkeley graduate student, discovered that the government of the UAE was using an extremely sophisticated, previously unknown method to attack human rights defenders, with the aim of turning their iPhones into bugs that recorded everything around them. Fortunately, Emirati dissident Ahmed Mansoor didn’t fall for the attack, and instead alerted Marczak and his colleagues, who in turn reported it to Apple. Apple engineers worked overtime to get a patch out to users in less than a month. The Android security team is just as diligent.

The trouble arises with other Android hardware manufacturers like Samsung, HTC, and Xiaomi.

For a variety of reasons, these manufacturers modify the Android open source operating system software in ways that make it more difficult to deliver software updates. The code that Google releases has to be modified to match the changes that were made to the operating system itself. Cell phone companies can also make modifications on top of the ones made by the device maker, adding yet another step to the process and further delaying the delivery of software updates. Apple doesn’t allow such changes to iOS, and Google controls the update process for Nexus and Pixel handsets purchased from the Google Store.

As a result, at any given time there are millions of Android users whose devices are vulnerable to known exploits — attacks that are publicly known to the global IT security community. It’s like locking your front door with a key that hundreds of people have copies of. And because these devices are significantly cheaper than Nexus and Pixel models or iPhones, people who are poor, socially marginalized, and less tech-savvy — the same people who are most likely to access the internet exclusively through smartphones — are the ones most likely to bear the greatest risk of attacks.

Ranking Digital Rights: 2017 Corporate Accountability Index

The 2017 Index ranks 22 companies on 35 indicators across three categories. The indicators measure if and how well companies disclose policies affecting users’ freedom of expression and privacy. The Index evaluates policies of the parent company, operating company and those of selected services (depending on company structure).

Read about the methodology, research process and how RDR scores each company on their website. Ranking Digital Rights was founded by Global Voices co-founder Rebecca MacKinnon.

According to new data published by Google, only half of all Android devices received a security patch in 2016, and only about 3% of devices worldwide are running the latest version of the operating system, “Nougat.” Recognizing this as a serious issue, the US Federal Trade Commission and Federal Communications Commission launched a joint investigation specifically into the delivery of mobile security patches, though more than a year later, neither agency has published responses from companies.

Ranking Digital Rights’ 2017 Corporate Accountability Index compares publicly available disclosures and commitments affecting users’ human rights, including freedom of expression and privacy, for 22 global internet and telecommunications companies. It includes Samsung, which holds the largest share of Android devices worldwide, as well as 10 global telecommunications providers. None of the 11 companies involved in distributing Android software updates (other than Google) disclosed any information on the changes they make to the stock version of Android, or on how those changes affect the delivery of security updates.

Moreover, of the three smartphone companies examined, only Google specified the date through which different device models were guaranteed to receive updates. Nexus and Pixel devices are guaranteed to receive software updates for at least two years from when the device became available on the Google Store, and to receive security patches for at least three years from when the device first became available, or at least 18 months from when the Google Store last sold the device, whichever is longer.
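The “whichever is longer” rule above is easy to misapply when checking whether a fleet of devices is still covered. The following is an added example, not code from the article or from Google, that turns the stated commitment into a check: OS updates for 24 months from first availability, and security patches until the later of 36 months from first availability or 18 months from the last sale. The device names and dates are constructed for illustration and do not describe any real product’s support window.

```python
from datetime import date
from typing import Optional
import calendar

def add_months(d: date, months: int) -> date:
    """Add calendar months to d, clamping the day to the target month's length
    (e.g. Jan 31 + 1 month -> Feb 28/29)."""
    total = d.month - 1 + months
    year = d.year + total // 12
    month = total % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)

def os_update_end(first_available: date) -> date:
    """Last day of the 'at least two years' OS update guarantee."""
    return add_months(first_available, 24)

def security_patch_end(first_available: date, last_sold: Optional[date]) -> date:
    """Last day of the security patch guarantee: the later of three years from
    first availability and 18 months from the last day the store sold it.
    While the device is still on sale the 18-month clock has not started, so
    only the three-year floor is known."""
    three_years = add_months(first_available, 36)
    if last_sold is None:
        return three_years
    return max(three_years, add_months(last_sold, 18))

def support_status(first_available: date, last_sold: Optional[date], today: date) -> str:
    """Classify a device as of 'today' for an inventory report."""
    if today <= os_update_end(first_available):
        return "os-updates-and-patches"
    if today <= security_patch_end(first_available, last_sold):
        return "patches-only"
    return "unsupported"

# Constructed sample inventory (hypothetical devices, not real products).
SAMPLE_DEVICES = {
    "device-A": (date(2015, 10, 20), date(2016, 10, 4)),   # short sales run: 3-year floor wins
    "device-B": (date(2016, 10, 20), date(2019, 3, 1)),    # long sales run: 18-month rule wins
    "device-C": (date(2017, 4, 1), None),                  # still on sale: floor only
}

def report(today: date) -> dict:
    """Return {name: (patch_end, status)} for every device in the sample inventory."""
    return {
        name: (security_patch_end(first, last), support_status(first, last, today))
        for name, (first, last) in SAMPLE_DEVICES.items()
    }

if __name__ == "__main__":
    for name, (end, status) in report(date(2018, 6, 1)).items():
        print(f"{name}: patches guaranteed until {end}, status {status}")
```

The two sample devices are chosen so that each branch of the rule decides once: device-A stopped selling soon after launch, so the three-year floor is the binding date, while device-B sold for long enough that the 18-month clock ends later.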

It would be ideal if Google extended that time period further, but at least it clearly communicates this commitment to users. (Neither Apple nor Samsung provides such a “best by” date.) We depend on our smartphones for so much — and low-income people without broadband or computers at home depend on them the most. Rich or poor, we all deserve to know how long they will be safe to use, and what companies are doing to keep us safe.

Nathalie Maréchal is a Senior Fellow with Ranking Digital Rights and a PhD Candidate at the Annenberg School for Communication and Journalism at the University of Southern California. Follow her at @marechalUSC.
