A vendor who was selling Android smart phones without disclosing to customers that the smart phones’ software has security gaps and that the provision of updates is no longer guaranteed did not breach its duties of inspection and notification, according to the Higher Regional Court of Cologne in a Judgment of 30 October 2019, Case No. 6 U 100/19.

The plaintiff, a consumer advocacy group, had previously conducted test purchases and arranged to have the smart phones tested by the Federal Office for Information Security (BSI). One of the smart phones showed only one of the 28 security gaps it was tested for, but another had 15. BSI classified that as a blatant security risk and referred the matter to the manufacturer, but without success. The group then filed suit against the electronics store seeking an order requiring the store to refrain from selling smart phones without a notice to this effect.

According to the Judgment issued by the Higher Regional Court of Cologne, no such claim exists because the electronics store did not breach its duties as the vendor. The court found that, while it had been established that the security gaps pose a threat to buyers’ privacy, since the security gaps can be exploited to gain unauthorized access to customers’ data and abuse this data for fraudulent purposes, this circumstance can only be ascertained by running tests to determine whether the software of each individual smart phone has a security gap. After all, security gaps arise from the combination of the operating system used and the specific cell phone model, so that different smart phone models with the same operating system may have different security gaps. As a result, the vendor would have to test each smart phone model individually in order to discover the security gap. The court found that this would represent an unreasonable demand for the vendor.

The court reached a similar conclusion with respect to software updates. It noted that the vendor typically does not have information about updates at the time of sale and that providing updates is essentially the manufacturer’s responsibility. Moreover, it pointed out that vendors cannot obtain information about software updates without unreasonable expense, since even the manufacturer does not know whether and when a software update will be provided.

The court left open the question as to whether information about security gaps would have to be obtained by the vendor from the manufacturer under certain circumstances.

Also unclear is the extent to which vendors are required to disclose security gaps which they are already aware of. The Judgment also makes no statements concerning the vendor’s duties in product liability and product safety law with respect to market surveillance. The court’s argument that manufacturers do not know whether and when they will publish an update and that the relevant information and plans can change daily is unconvincing. The court has declined to allow an appeal on points of law, so that the Judgment is final and binding.


