HTC America, Inc.; Analysis of Proposed Consent Order To Aid Public Comment, 13673-13675 [2013-04606]
Federal Register / Vol. 78, No. 40 / Thursday, February 28, 2013 / Notices
FEDERAL TRADE COMMISSION
[File No. 122 3049]
HTC America, Inc.; Analysis of
Proposed Consent Order To Aid Public
Comment
AGENCY: Federal Trade Commission.
ACTION: Proposed Consent Agreement.
SUMMARY: The consent agreement in this
matter settles alleged violations of
federal law prohibiting unfair or
deceptive acts or practices or unfair
methods of competition. The attached
Analysis To Aid Public Comment
describes both the allegations in the
draft complaint and the terms of the
consent order—embodied in the consent
agreement—that would settle these
allegations.
DATES: Comments must be received on
or before March 22, 2013.
ADDRESSES: Interested parties may file a
comment at https://ftcpublic.commentworks.com/ftc/htcamericaconsent
online or on paper,
by following the instructions in the
Request for Comment part of the
SUPPLEMENTARY INFORMATION section
below. Write ‘‘HTC America, File No.
122 3049’’ on your comment and file
your comment online at
https://ftcpublic.commentworks.com/ftc/htcamericaconsent
by following the
instructions on the web-based form. If
you prefer to file your comment on
paper, mail or deliver your comment to
the following address: Federal Trade
Commission, Office of the Secretary,
Room H–113 (Annex D), 600
Pennsylvania Avenue NW., Washington,
DC 20580.
FOR FURTHER INFORMATION CONTACT:
Nithan Sannappa (202–326–2674) or
Jonathan E. Zimmerman (202–326–
2049), FTC, Bureau of Consumer
Protection, 600 Pennsylvania Avenue
NW., Washington, DC 20580.
SUPPLEMENTARY INFORMATION: Pursuant
to Section 6(f) of the Federal Trade
Commission Act, 15 U.S.C. 46(f), and
FTC Rule 2.34, 16 CFR 2.34, notice is
hereby given that the above-captioned
consent agreement containing a consent
order to cease and desist, having been
filed with and accepted, subject to final
approval, by the Commission, has been
placed on the public record for a period
of thirty (30) days. The following
Analysis To Aid Public Comment
describes the terms of the consent
agreement, and the allegations in the
complaint. An electronic copy of the
full text of the consent agreement
package can be obtained from the FTC
Home Page (for February 22, 2013), on
the World Wide Web, at
https://www.ftc.gov/os/actions.shtm. A paper
copy can be obtained from the FTC
Public Reference Room, Room 130–H,
600 Pennsylvania Avenue NW.,
Washington, DC 20580, either in person
or by calling (202) 326–2222.
You can file a comment online or on
paper. For the Commission to consider
your comment, we must receive it on or
before March 22, 2013. Write ‘‘HTC
America, File No. 122 3049’’ on your
comment. Your comment ‘‘including
your name and your state’’ will be
placed on the public record of this
proceeding, including, to the extent
practicable, on the public Commission
Web site, at https://www.ftc.gov/os/publiccomments.shtm.
As a matter of
discretion, the Commission tries to
remove individuals’ home contact
information from comments before
placing them on the Commission Web
site.
Because your comment will be made
public, you are solely responsible for
making sure that your comment does
not include any sensitive personal
information, like anyone’s Social
Security number, date of birth, driver’s
license number or other state
identification number or foreign country
equivalent, passport number, financial
account number, or credit or debit card
number. You are also solely responsible
for making sure that your comment does
not include any sensitive health
information, like medical records or
other individually identifiable health
information. In addition, do not include
any ‘‘[t]rade secret or any commercial or
financial information which * * * is
privileged or confidential,’’ as discussed
in Section 6(f) of the FTC Act, 15 U.S.C.
46(f), and FTC Rule 4.10(a)(2), 16 CFR
4.10(a)(2). In particular, do not include
competitively sensitive information
such as costs, sales statistics,
inventories, formulas, patterns, devices,
manufacturing processes, or customer
names.
If you want the Commission to give
your comment confidential treatment,
you must file it in paper form, with a
request for confidential treatment, and
you have to follow the procedure
explained in FTC Rule 4.9(c), 16 CFR
4.9(c).1 Your comment will be kept
confidential only if the FTC General
Counsel, in his or her sole discretion,
grants your request in accordance with
the law and the public interest.
Postal mail addressed to the
Commission is subject to delay due to
heightened security screening. As a
result, we encourage you to submit your
comments online. To make sure that the
Commission considers your online
comment, you must file it at
https://ftcpublic.commentworks.com/ftc/htcamericaconsent
by following the
instructions on the web-based form. If
this Notice appears at
https://www.regulations.gov/#!home, you also
may file a comment through that Web
site.
If you file your comment on paper,
write ‘‘HTC America, File No. 122
3049’’ on your comment and on the
envelope, and mail or deliver it to the
following address: Federal Trade
Commission, Office of the Secretary,
Room H–113 (Annex D), 600
Pennsylvania Avenue NW., Washington,
DC 20580. If possible, submit your
paper comment to the Commission by
courier or overnight service.
Visit the Commission Web site at
https://www.ftc.gov to read this Notice
and the news release describing it. The
FTC Act and other laws that the
Commission administers permit the
collection of public comments to
consider and use in this proceeding as
appropriate. The Commission will
consider all timely and responsive
public comments that it receives on or
before March 22, 2013. You can find
more information, including routine
uses permitted by the Privacy Act, in
the Commission’s privacy policy, at
https://www.ftc.gov/ftc/privacy.htm.
Analysis of Agreement Containing
Consent Order To Aid Public Comment
The Federal Trade Commission has
accepted, subject to final approval, a
consent order applicable to HTC
America, Inc. (‘‘HTC’’).
The proposed consent order has been
placed on the public record for thirty
(30) days for receipt of comments by
interested persons. Comments received
during this period will become part of
the public record. After thirty (30) days,
the Commission will again review the
agreement and the comments received,
and will decide whether it should
withdraw from the agreement and take
appropriate action or make final the
agreement’s proposed order.
1 In particular, the written request for confidential
treatment that accompanies the comment must
include the factual and legal basis for the request,
and must identify the specific portions of the
comment to be withheld from the public record. See
FTC Rule 4.9(c), 16 CFR 4.9(c).
HTC is a mobile device manufacturer
that develops and manufactures
smartphones and tablet computers using
Google Inc.’s Android operating system
and Microsoft Corporation’s Windows
Mobile and Windows Phone operating
systems. HTC has customized its
Android-based mobile devices by
adding or modifying various pre-installed applications and components
in order to differentiate its products
from those of competitors also
manufacturing Android-based mobile
devices. HTC has also customized both
its Android and Windows Mobile
devices in order to comply with the
requirements of certain network
operators. As the customized
applications and components are pre-installed on the device, consumers do
not choose to install the customized
applications and components, and the
device user interface does not provide
consumers with an option to uninstall
or remove the customized applications
and components from the device.
The Commission’s complaint alleges
that HTC engaged in a number of
practices that, taken together, failed to
provide reasonable and appropriate
security in the design and customization
of software on its mobile devices.
Among other things, HTC:
(1) Failed to implement an adequate
program to assess the security of
products it shipped to consumers;
(2) Failed to implement adequate
privacy and security guidance or
training for its engineering staff;
(3) Failed to conduct assessments,
audits, reviews, or tests to identify
potential security vulnerabilities in its
mobile devices;
(4) Failed to follow well-known and
commonly-accepted secure
programming practices, including
secure practices that were expressly
described in the operating system’s
guides for manufacturers and
developers, which would have ensured
that applications only had access to
users’ information with their consent;
(5) Failed to implement a process for
receiving and addressing security
vulnerability reports from third-party
researchers, academics or other
members of the public, thereby delaying
its opportunity to correct discovered
vulnerabilities or respond to reported
incidents.
The complaint further alleges that,
due to these failures, HTC introduced
numerous security vulnerabilities in the
process of customizing its mobile
devices. Once in place, HTC failed to
detect and mitigate these vulnerabilities,
which, if exploited, provide third-party
applications with unauthorized access
to sensitive information and sensitive
device functionality. The sensitive
device functionality potentially exposed
by the vulnerabilities includes the
ability to send text messages without
permission, the ability to record audio
with the device’s microphone without
permission, and the ability to install
other applications, including malware,
onto the device without the user’s
knowledge or consent. The complaint
alleges that malware placed on
consumers’ devices without their
permission could be used to record and
transmit information entered into or
stored on the device, including financial
account numbers and related access
codes or personal identification
numbers, and medical information. In
addition, other sensitive information
exposed by the vulnerabilities includes,
but is not limited to, location
information, the contents of text
messages, the user’s personal phone
number, phone numbers of contacts,
phone numbers of those who send text
messages to the user, and the user’s web
and media viewing history.
The proposed order contains
provisions designed to prevent HTC
from engaging in the future in practices
similar to those alleged in the
complaint.
Part I of the proposed order prohibits
HTC from misrepresenting the extent to
which HTC or its products or services—
including any covered device—use,
maintain and protect the security of
covered device functionality or the
security, privacy, confidentiality, or
integrity of covered information from or
about consumers. Part II of the proposed
order requires HTC to (1) address
security risks related to the
development and management of new
and existing covered devices, and (2)
protect the security, confidentiality, and
integrity of covered information,
whether collected by respondent or
input into, stored on, captured with,
accessed or transmitted through a
covered device. The security program
must contain administrative, technical,
and physical safeguards appropriate to
HTC’s size and complexity, nature and
scope of its activities, and the sensitivity
of the information collected from or
about consumers. Specifically, the
proposed order requires HTC to:
• Designate an employee or
employees to coordinate and be
accountable for the information security
program;
• Identify material internal and
external risks to the security of covered
devices that could result in
unauthorized access to or use of covered
device functionality, and assess the
sufficiency of any safeguards in place to
control these risks;
• Identify material internal and
external risks to the security,
confidentiality, and integrity of covered
information that could result in the
unauthorized disclosure, misuse, loss,
alteration, destruction, or other
compromise of such information,
whether such information is in HTC’s
possession or is input into, stored on,
captured with, accessed or transmitted
through a covered device, and assess the
sufficiency of any safeguards in place to
control these risks;
• Consider risks in each area of
relevant operation, including but not
limited to (1) employee training and
management; (2) product design,
development and research; (3) secure
software design and testing, including
secure engineering and defensive
programming; and (4) review,
assessment, and response to third-party
security vulnerability reports;
• Design and implement reasonable
safeguards to control the risks identified
through risk assessment, including
through reasonable and appropriate
software security testing techniques,
and regularly test or monitor the
effectiveness of the safeguards’ key
controls, systems, and procedures;
• Develop and use reasonable steps to
select and retain service providers
capable of maintaining security
practices consistent with the order, and
require service providers by contract to
implement and maintain appropriate
safeguards; and
• Evaluate and adjust its information
security program in light of the results
of testing and monitoring, any material
changes to HTC’s operations or business
arrangement, or any other circumstances
that it knows or has reason to know may
have a material impact on its security
program.
However, Part II does not require HTC
to identify and correct security
vulnerabilities in third parties’ software
on covered devices to the extent the
vulnerabilities are not the result of
respondent’s integration, modification,
or customization of the third party
software.
Part III of the proposed order requires
HTC to develop security patches to fix
the security vulnerabilities in each
affected covered device having an
operating system version released on or
after December 2010. Within thirty (30)
days of service of the order, HTC must
release the security patches either
directly to affected covered devices or to
the applicable network operator for
deployment to the affected covered
devices. HTC must provide users of the
affected covered devices with clear and
prominent notice regarding the
availability of the security patches and
instructions for installing the security
patches.
Part IV of the proposed order requires
HTC to obtain, within the first one
hundred eighty (180) days after service
of the order and on a biennial basis
thereafter for a period of twenty (20)
years, an assessment and report from a
qualified, objective, independent third-party professional, certifying, among
other things, that: (1) It has in place a
security program that provides
protections that meet or exceed the
protections required by Part II of the
proposed order; and (2) its security
program is operating with sufficient
effectiveness to provide reasonable
assurance that the security of covered
device functionality and the security,
confidentiality, and integrity of covered
information is protected.
Parts V through IX of the proposed
order are reporting and compliance
provisions. Part V requires HTC to
retain documents relating to its
compliance with the order. The order
requires that the documents be retained
for a three-year period. Part VI requires
dissemination of the order now and in
the future to all current and future
principals, officers, directors, and
managers, and to persons with
responsibilities relating to the subject
matter of the order. Part VII ensures
notification to the FTC of changes in
corporate status. Part VIII mandates that
HTC submit a compliance report to the
FTC within 60 days, and periodically
thereafter as requested. Part IX is a
provision ‘‘sunsetting’’ the order after
twenty (20) years, with certain
exceptions.
The purpose of this analysis is to
facilitate public comment on the
proposed order. It is not intended to
constitute an official interpretation of
the proposed complaint or order or to
modify the order’s terms in any way.
By direction of the Commission, Chairman
Leibowitz not participating and
Commissioner Ohlhausen recused.
Donald S. Clark
Secretary.
[FR Doc. 2013–04606 Filed 2–27–13; 8:45 am]
BILLING CODE 6750–01–P
[Federal Register Volume 78, Number 40 (Thursday, February 28, 2013)]
[Notices]
[Pages 13673-13675]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2013-04606]
=======================================================================
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
[File No. 122 3049]
HTC America, Inc.; Analysis of Proposed Consent Order To Aid
Public Comment
AGENCY: Federal Trade Commission.
ACTION: Proposed Consent Agreement.
-----------------------------------------------------------------------
SUMMARY: The consent agreement in this matter settles alleged
violations of federal law prohibiting unfair or deceptive acts or
practices or unfair methods of competition. The attached Analysis To
Aid Public Comment describes both the allegations in the draft
complaint and the terms of the consent order--embodied in the consent
agreement--that would settle these allegations.
DATES: Comments must be received on or before March 22, 2013.
ADDRESSES: Interested parties may file a comment at https://ftcpublic.commentworks.com/ftc/htcamericaconsent online or on paper, by
following the instructions in the Request for Comment part of the
SUPPLEMENTARY INFORMATION section below. Write ``HTC America, File No.
122 3049'' on your comment and file your comment online at https://ftcpublic.commentworks.com/ftc/htcamericaconsent by following the
instructions on the web-based form. If you prefer to file your comment
on paper, mail or deliver your comment to the following address:
Federal Trade Commission, Office of the Secretary, Room H-113 (Annex
D), 600 Pennsylvania Avenue NW., Washington, DC 20580.
FOR FURTHER INFORMATION CONTACT: Nithan Sannappa (202-326-2674) or
Jonathan E. Zimmerman (202-326-2049), FTC, Bureau of Consumer
Protection, 600 Pennsylvania Avenue NW., Washington, DC 20580.
SUPPLEMENTARY INFORMATION: Pursuant to Section 6(f) of the Federal
Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34,
notice is hereby given that the above-captioned consent agreement
containing a consent order to cease and desist, having been filed with
and accepted, subject to final approval, by the Commission, has been
placed on the public record for a period of thirty (30) days. The
following Analysis To Aid Public Comment describes the terms of the
consent agreement, and the allegations in the complaint. An electronic
copy of the full text of the consent agreement package can be obtained
from the FTC Home Page (for February 22, 2013), on the World Wide Web,
at https://www.ftc.gov/os/actions.shtm. A paper copy can be obtained
from the FTC Public Reference Room, Room 130-H, 600 Pennsylvania Avenue
NW., Washington, DC 20580, either in person or by calling (202) 326-
2222.
You can file a comment online or on paper. For the Commission to
consider your comment, we must receive it on or before March 22, 2013.
Write ``HTC America, File No. 122 3049'' on your comment. Your comment
``including your name and your state'' will be placed on the public
record of this proceeding, including, to the extent practicable, on the
public Commission Web site, at https://www.ftc.gov/os/publiccomments.shtm. As a matter of discretion, the Commission tries to
remove individuals' home contact information from comments before
placing them on the Commission Web site.
Because your comment will be made public, you are solely
responsible for making sure that your comment does not include any
sensitive personal information, like anyone's Social Security number,
date of birth, driver's license number or other state identification
number or foreign country equivalent, passport number, financial
account number, or credit or debit card number. You are also solely
responsible for making sure that your comment does not include any
sensitive health information, like medical records or other
individually identifiable health information. In addition, do not
include any ``[t]rade secret or any commercial or financial information
which * * * is privileged or confidential,'' as discussed in Section
6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR
4.10(a)(2). In particular, do not include competitively sensitive
information such as costs, sales statistics, inventories, formulas,
patterns, devices, manufacturing processes, or customer names.
If you want the Commission to give your comment confidential
treatment, you must file it in paper form, with a request for
confidential treatment, and you have to follow the procedure explained
in FTC Rule 4.9(c), 16 CFR
[[Page 13674]]
4.9(c).\1\ Your comment will be kept confidential only if the FTC
General Counsel, in his or her sole discretion, grants your request in
accordance with the law and the public interest.
---------------------------------------------------------------------------
\1\ In particular, the written request for confidential
treatment that accompanies the comment must include the factual and
legal basis for the request, and must identify the specific portions
of the comment to be withheld from the public record. See FTC Rule
4.9(c), 16 CFR 4.9(c).
---------------------------------------------------------------------------
Postal mail addressed to the Commission is subject to delay due to
heightened security screening. As a result, we encourage you to submit
your comments online. To make sure that the Commission considers your
online comment, you must file it at https://ftcpublic.commentworks.com/ftc/htcamericaconsent by following the instructions on the web-based
form. If this Notice appears at https://www.regulations.gov/#!home, you
also may file a comment through that Web site.
If you file your comment on paper, write ``HTC America, File No.
122 3049'' on your comment and on the envelope, and mail or deliver it
to the following address: Federal Trade Commission, Office of the
Secretary, Room H-113 (Annex D), 600 Pennsylvania Avenue NW.,
Washington, DC 20580. If possible, submit your paper comment to the
Commission by courier or overnight service.
Visit the Commission Web site at https://www.ftc.gov to read this
Notice and the news release describing it. The FTC Act and other laws
that the Commission administers permit the collection of public
comments to consider and use in this proceeding as appropriate. The
Commission will consider all timely and responsive public comments that
it receives on or before March 22, 2013. You can find more information,
including routine uses permitted by the Privacy Act, in the
Commission's privacy policy, at https://www.ftc.gov/ftc/privacy.htm.
Analysis of Agreement Containing Consent Order To Aid Public Comment
The Federal Trade Commission has accepted, subject to final
approval, a consent order applicable to HTC America, Inc. (``HTC'').
The proposed consent order has been placed on the public record for
thirty (30) days for receipt of comments by interested persons.
Comments received during this period will become part of the public
record. After thirty (30) days, the Commission will again review the
agreement and the comments received, and will decide whether it should
withdraw from the agreement and take appropriate action or make final
the agreement's proposed order.
HTC is a mobile device manufacturer that develops and manufactures
smartphones and tablet computers using Google Inc.'s Android operating
system and Microsoft Corporation's Windows Mobile and Windows Phone
operating systems. HTC has customized its Android-based mobile devices
by adding or modifying various pre-installed applications and
components in order to differentiate its products from those of
competitors also manufacturing Android-based mobile devices. HTC has
also customized both its Android and Windows Mobile devices in order to
comply with the requirements of certain network operators. As the
customized applications and components are pre-installed on the device,
consumers do not choose to install the customized applications and
components, and the device user interface does not provide consumers
with an option to uninstall or remove the customized applications and
components from the device.
The Commission's complaint alleges that HTC engaged in a number of
practices that, taken together, failed to provide reasonable and
appropriate security in the design and customization of software on its
mobile devices. Among other things, HTC:
(1) Failed to implement an adequate program to assess the security
of products it shipped to consumers;
(2) Failed to implement adequate privacy and security guidance or
training for its engineering staff;
(3) Failed to conduct assessments, audits, reviews, or tests to
identify potential security vulnerabilities in its mobile devices;
(4) Failed to follow well-known and commonly-accepted secure
programming practices, including secure practices that were expressly
described in the operating system's guides for manufacturers and
developers, which would have ensured that applications only had access
to users' information with their consent;
(5) Failed to implement a process for receiving and addressing
security vulnerability reports from third-party researchers, academics
or other members of the public, thereby delaying its opportunity to
correct discovered vulnerabilities or respond to reported incidents.
The complaint further alleges that, due to these failures, HTC
introduced numerous security vulnerabilities in the process of
customizing its mobile devices. Once in place, HTC failed to detect and
mitigate these vulnerabilities, which, if exploited, provide third-
party applications with unauthorized access to sensitive information
and sensitive device functionality. The sensitive device functionality
potentially exposed by the vulnerabilities includes the ability to send
text messages without permission, the ability to record audio with the
device's microphone without permission, and the ability to install
other applications, including malware, onto the device without the
user's knowledge or consent. The complaint alleges that malware placed
on consumers' devices without their permission could be used to record
and transmit information entered into or stored on the device,
including financial account numbers and related access codes or
personal identification numbers, and medical information. In addition,
other sensitive information exposed by the vulnerabilities includes,
but is not limited to, location information, the contents of text
messages, the user's personal phone number, phone numbers of contacts,
phone numbers of those who send text messages to the user, and the
user's web and media viewing history.
The proposed order contains provisions designed to prevent HTC from
engaging in the future in practices similar to those alleged in the
complaint.
Part I of the proposed order prohibits HTC from misrepresenting the
extent to which HTC or its products or services--including any covered
device--use, maintain and protect the security of covered device
functionality or the security, privacy, confidentiality, or integrity
of covered information from or about consumers. Part II of the proposed
order requires HTC to (1) address security risks related to the
development and management of new and existing covered devices, and (2)
protect the security, confidentiality, and integrity of covered
information, whether collected by respondent or input into, stored on,
captured with, accessed or transmitted through a covered device. The
security program must contain administrative, technical, and physical
safeguards appropriate to HTC's size and complexity, nature and scope
of its activities, and the sensitivity of the information collected
from or about consumers. Specifically, the proposed order requires HTC
to:
- Designate an employee or employees to coordinate and be
accountable for the information security program;
- Identify material internal and external risks to the
security of covered devices that could result in unauthorized access to
or use of covered device functionality, and assess the
sufficiency of any safeguards in place to control these risks;
- Identify material internal and external risks to the
security, confidentiality, and integrity of covered information that
could result in the unauthorized disclosure, misuse, loss, alteration,
destruction, or other compromise of such information, whether such
information is in HTC's possession or is input into, stored on,
captured with, accessed or transmitted through a covered device, and
assess the sufficiency of any safeguards in place to control these
risks;
- Consider risks in each area of relevant operation,
including but not limited to (1) employee training and management; (2)
product design, development and research; (3) secure software design
and testing, including secure engineering and defensive programming;
and (4) review, assessment, and response to third-party security
vulnerability reports;
- Design and implement reasonable safeguards to control the
risks identified through risk assessment, including through reasonable
and appropriate software security testing techniques, and regularly
test or monitor the effectiveness of the safeguards' key controls,
systems, and procedures;
- Develop and use reasonable steps to select and retain
service providers capable of maintaining security practices consistent
with the order, and require service providers by contract to implement
and maintain appropriate safeguards; and
- Evaluate and adjust its information security program in
light of the results of testing and monitoring, any material changes to
HTC's operations or business arrangement, or any other circumstances
that it knows or has reason to know may have a material impact on its
security program.
However, Part II does not require HTC to identify and correct
security vulnerabilities in third parties' software on covered devices
to the extent the vulnerabilities are not the result of respondent's
integration, modification, or customization of the third party
software.
Part III of the proposed order requires HTC to develop security
patches to fix the security vulnerabilities in each affected covered
device having an operating system version released on or after December
2010. Within thirty (30) days of service of the order, HTC must release
the security patches either directly to affected covered devices or to
the applicable network operator for deployment to the affected covered
devices. HTC must provide users of the affected covered devices with
clear and prominent notice regarding the availability of the security
patches and instructions for installing the security patches.
Part IV of the proposed order requires HTC to obtain, within the
first one hundred eighty (180) days after service of the order and on a
biennial basis thereafter for a period of twenty (20) years, an
assessment and report from a qualified, objective, independent third-
party professional, certifying, among other things, that: (1) It has in
place a security program that provides protections that meet or exceed
the protections required by Part II of the proposed order; and (2) its
security program is operating with sufficient effectiveness to provide
reasonable assurance that the security of covered device functionality
and the security, confidentiality, and integrity of covered information
is protected.
Parts V through IX of the proposed order are reporting and
compliance provisions. Part V requires HTC to retain documents relating
to its compliance with the order. The order requires that the documents
be retained for a three-year period. Part VI requires dissemination of
the order now and in the future to all current and future principals,
officers, directors, and managers, and to persons with responsibilities
relating to the subject matter of the order. Part VII ensures
notification to the FTC of changes in corporate status. Part VIII
mandates that HTC submit a compliance report to the FTC within 60 days,
and periodically thereafter as requested. Part IX is a provision
"sunsetting" the order after twenty (20) years, with certain
exceptions.
The purpose of this analysis is to facilitate public comment on the
proposed order. It is not intended to constitute an official
interpretation of the proposed complaint or order or to modify the
order's terms in any way.
By direction of the Commission, Chairman Leibowitz not
participating and Commissioner Ohlhausen recused.
Donald S. Clark
Secretary.
[FR Doc. 2013-04606 Filed 2-27-13; 8:45 am]
BILLING CODE 6750-01-P