No duty to notify customers of Android’s security gaps

A vendor who was selling Android smart phones without disclosing to customers that the smart phones’ software has security gaps and that the provision of updates is no longer guaranteed did not breach its duties of inspection and notification, according to the Higher Regional Court of Cologne in a Judgment of 30 October 2019, Case No. 6 U 100/19.

The plaintiff, a consumer advocacy group, had previously conducted test purchases and arranged to have the smart phones tested by the Federal Office for Information Security (BSI). One of the smart phones showed only one of the 28 security gaps it was tested for, but another had 15. BSI classified that as a blatant security risk and referred the matter to the manufacturer, but without success. The group then filed suit against the electronics store seeking an order requiring the store to refrain from selling smart phones without a notice to this effect.

According to the Judgment issued by the Higher Regional Court of Cologne, no such claim exists because the electronics store did not breach its duties as the vendor. The court found that, while it had been established that the security gaps pose a threat to buyers’ privacy, since the security gaps can be exploited to gain unauthorized access to customers’ data and abuse this data for fraudulent purposes, this circumstance can only be ascertained by running tests to determine whether the software of each individual smart phone has a security gap. After all, security gaps arise from the combination of the operating system used and the specific cell phone model, so that different smart phone models with the same operating system may have different security gaps. As a result, the vendor would have to test each smart phone model individually in order to discover the security gap. The court found that this would represent an unreasonable demand for the vendor.

The court reached a similar conclusion with respect to software updates. It noted that the vendor typically does not have information about updates at the time of sale and that providing updates is essentially the manufacturer’s responsibility. Moreover, it pointed out that vendors cannot obtain information about software updates without unreasonable expense, since even the manufacturer does not know whether and when a software update will be provided.

The court left open the question as to whether information about security gaps would have to be obtained by the vendor from the manufacturer under certain circumstances.

Also unclear is the extent to which vendors are required to disclose security gaps of which they are already aware. The Judgment also makes no statements concerning the vendor’s duties in product liability and product safety law with respect to market surveillance. The court’s argument that manufacturers do not know whether and when they will publish an update and that the relevant information and plans can change daily is unconvincing. The court has declined to allow an appeal on points of law, so that the Judgment is final and binding.
