When it comes to telling customers about security weaknesses, there's a fine line between alerting customers and inviting attacks. With T-Mobile G1, the first phone to run Google's Android operating system, I think the companies are erring on the side of inadequate disclosure.
I've been testing a review model of the G1, and an update arrived first on November 1 and then a second a week later. Only by dint of much pestering and more than a week of waiting did I find out from Google what was in those two Android patches.
And T-Mobile has been pretty quiet, too. (I'm waiting for comment from the company about its choices.)
I'm not the type to blithely ignore patches. Sure, I'm not convinced the security patches I download for Adobe Reader, Microsoft Windows, and Firefox are flawless, but I think the odds are good enough they'll be an improvement that I install them.
But with the Android phone, I couldn't even tell if the patches were security related, much less how important they are, much less what they actually do. The closest I could come was figuring out what operating system build I had installed, then using that nugget of information to snoop around the T-Mobile forums, the Android bug-reporting system, and assorted Web sites to see if I could piece together what was going on.
In short, even if companies are generally looking out for their customers' best interests, I think it behooves them to keep the customers better informed. It prevents us from feeling like disempowered pawns. It helps us make intelligent choices with our products. And it can even make us happy, when pesky bugs are stamped out or useful features are added.
Even Microsoft, which hardly has a reputation for coddling its users, does a better job of keeping people in the loop. It gives a heads up a few days in advance about what's coming on its next monthly "patch Tuesday" upgrades.
In a pickle
Google writes the patches but relies on T-Mobile to disseminate them to its customers and to communicate with its customers, said Rich Cannings of Google's Android security team.
"We won't disclose the issue until all our users have been at least asked to update their phone," Cannings said.
T-Mobile's site says delivering over-the-air updates to G1 customers takes several days, with users selected in random order. Given the philosophy of not disclosing details until everybody has a chance to update, it would be impractical to include update details along with the update itself. Early recipients could simply publish details online.
Microsoft takes a different approach, though, publicly releasing details even before all computers have been patched.
Those who dig around T-Mobile's forums can find posts from a T-Mobile administrator named Will. "The first rule of updates is: you do not talk about updates," he joked in one post confirming that T-Mobile had begun sending out the TC30 patch, then only offered a hint about what was in the patch. He was more forthcoming in an earlier post, though.
Cannings said Google will release all the gory details about Android vulnerabilities eventually; the security announcements are automatically sent to the Bugtraq and Full Disclosure security mailing lists, for example, he said.
But that process doesn't take place on the same schedule as the patches T-Mobile distributes. It's been 11 days since I received the RC29 patch, and there's still no word published on the Android Security Announcements group. The only note is an August 18 introductory note with this advice: "If you would like to receive security patch announcements for Android, please join the android-security-announce Google Group."
The security fixes also take place behind closed doors, despite Android's open-source nature. After the report of the root-console bug that would cause a G1 phone to reboot if a user simply typed "reboot", Google's Dan Morrill added a note, "Marking as security problem, which will hide this issue until the fix is public," though it wasn't actually hidden.
Google has taken the same approach of hiding security issues with its Chrome browser, and updates are installed automatically with no option for users to approve the process. Again, it takes the approach that Google knows best, and users are best to trust the company to do the right thing.
Should I lighten up?
But here's the question: am I wrong to bridle at this somewhat paternalistic attitude? Given that the future no doubt holds updates for car engine firmware, home wireless network routers, universal remote control, and Internet-enabled stuffed animals, we'll all have to get more used to them. After all, security is a grave matter, and vulnerabilities lead directly to spam-sending botnets and other serious issues. Should I just relax and go with the flow?
Vote in the poll and share your thoughts in the comments below.