Samsung escapes obligation to keep old phones patched
Dutch court rules orphan kit doesn't endanger users
The Dutch Consumers Association has lost a court case trying to force Samsung to ship security updates for older phones.
The case could have had far-reaching impacts, since there's little point in writing software for only one market. The Consumentenbond wanted the court to force the smartphone giant to provide security updates for four years after a product was launched, and/or two years after a product was sold.
It also wanted Samsung to deliver security patches to owners within three months of the patch becoming available to it.
The association's director, Bart Combée, said Samsung argued it was too hard to support the multiplicity of models it would market over a four-year period. Combée countered that car-makers don't see that as a stretch.
While Google handles bug patches in the first instance, the association noted, Samsung chooses which patches its users receive.
“An automobile manufacturer must also ensure that all its models are safe and reliable and remain [so]. Samsung has the same obligation. With this statement, consumers remain dependent on the goodwill of the manufacturer,” Combée said.
The court at The Hague didn't agree. In a decision announced yesterday, it said the Consumers' Association's claims were inadmissible because they “relate to the future actions of Samsung,” and those future actions and the company's circumstances were “still unknown”.
As a result, “nothing can be decided on the nature and severity of any future security risks and the future actions of Samsung.”
The court did, however, agree that consumers should be protected against security vulnerabilities, something it said “is of great social importance”.
The Consumers' Association also lost on a second complaint, that Samsung provides insufficient information about its security upgrades to consumers. However, the association noted that Samsung's website now carries a banner about update policy, rather than leaving the consumer to hunt for it (this presumably applies to the Netherlands, since it wasn't in evidence at the company's Australian site).
The full judgement is here. ®