Security Updates as Hostage Takers

January 6, 2023

This article was originally published by Security Boulevard (https://securityboulevard.com/2023/01/security-updates-as-hostage-takers/).

Software updates are an essential part of modern technology, as they provide necessary fixes, improvements and new features to devices and software. While some software updates are designed to improve or enhance functionality, many updates are designed to protect the privacy or security of the user or the community. For that reason, companies often urge users to ensure that they have installed and are using the most recent version of their software. Otherwise, there might be bugs or vulnerabilities that could be exploited.

However, software updates have a hidden and more nefarious advantage for companies: Such updates can also be used by companies as a way to get consumers to agree to new terms of service, which can sometimes include changes that are not in the best interests of the consumer.

Companies use software updates to get consumers to agree to new terms of service by making the update mandatory for the user to continue using the device or software. This can be done by making the update necessary for security reasons or by disabling certain features until the update is installed. This puts pressure on the consumer to agree to the new terms of service, as they may feel they have no choice but to accept them in order to continue using the device or software. This is particularly nefarious where the consumer has paid for a license for the software or service, and the “mandatory” update substantially changes the terms of the agreement. Pray I do not alter it again.

The consumer, who has already paid for the service, is left with the Hobson’s choice: Either accept the update (and the new terms) or abandon the already-paid-for service. Now, this is fine if the changes to the terms of service relate to the changes in the software. If the product has new functionality, that functionality may require changes to the terms of service.

But that’s not what is happening. Companies use software updates to get consumers to agree to new terms of service by making the terms of service more favorable to the company. This can include changes such as giving the company more control over user data or increasing the amount of personal information the company can collect and use. Companies can get consumers to agree to changes in privacy and data use policies, compel arbitration of disputes, waive the right to class action litigation or even disclaim liability altogether simply by having the consumer click “I agree” on the software update pushed out. Sure, there is likely to be language somewhere saying “by clicking ‘I agree’ and using the service, you have agreed to the terms of our End User License Agreement,” but in reality, the consumer thinks that they are merely installing a software patch. These changes may not be clearly explained to the user and they may feel like they have no choice but to accept them to continue using the device or software.

One specific example of a company using a software update to get consumers to agree to new terms of service is the case of WhatsApp. In January 2021, WhatsApp updated its terms of service to require users to agree to share their data with Facebook, its parent company. The update made it mandatory for users to accept the new terms of service to continue using the app, and it received widespread criticism from users and privacy advocates. The update also sparked a backlash, with many users switching to alternative messaging apps that offered greater privacy protections.

Another example is Apple’s iOS 14 update, which introduced a new feature called App Tracking Transparency. This feature required app developers to ask for the user’s permission before tracking their data and activity across other apps and websites. However, Facebook and other companies have criticized the feature, arguing that it will negatively impact their ability to target ads and generate revenue. In response, Facebook has launched a campaign to encourage users to opt in to tracking, which includes pop-up notifications and ads within its apps.

Similarly, AT&T, in response to attacks by SIM swappers on its network, changed its terms of service to indicate that its customers now agree that AT&T is not responsible for its own services and that it makes no promises about the privacy or security of the AT&T accounts it controls. The customer also agrees that the phone giant “has no control over the acts and conduct of third parties” even when it, in fact, does have such control, either by contract or otherwise, and that the phone company has no liability when you use AT&T (like SMS or other means) “as a source of authentication or verification in connection with any social media, email, financial, cryptocurrency or other account.” This is true even when AT&T acts willfully and intentionally, at least according to the language. All of these changes can be forced on a customer through a software update or carrier update, or even just by having people continue to use a service for which they already have a contract. Remember all those promises we made about privacy and security? Yeah, well, not so much anymore.

These examples demonstrate how companies can use software updates to get consumers to agree to new terms of service, and the potential security and privacy implications of these updates. In the case of WhatsApp, the update allowed Facebook to access and use user data in ways that may not have been explicitly agreed upon by the user. This raised concerns about the security and privacy of user data, as it was not clear how Facebook would use this information or how it would be protected.

The iOS 14 update, on the other hand, sought to increase the privacy and security of user data by requiring app developers to seek explicit permission before tracking user activity. This represents a shift toward greater user control over their data and how it is used, which is generally seen as a positive development for privacy and security.

Any time you click “I agree,” you might be agreeing to give up more than you thought. But not clicking “I agree” may mean that you don’t get the benefit of secure software. Damned if you do, damned if you don’t. This is no way to improve security.
