No duty to notify customers of Android's security gaps

Category: cybersecurity, product liability
Industry: consumer goods
Author: Philipp Reusch
Year: 2019

A vendor that sold Android smartphones without disclosing to customers that the devices' software had security gaps and that the provision of updates was no longer guaranteed did not breach its duties of inspection and notification, according to the Higher Regional Court of Cologne in a Judgment of 30 October 2019, Case No. 6 U 100/19.

The plaintiff, a consumer advocacy group, had previously conducted test purchases and arranged to have the smartphones tested by the Federal Office for Information Security (BSI). One of the smartphones exhibited only one of the 28 security gaps it was tested for, but another had 15. The BSI classified that as a blatant security risk and referred the matter to the manufacturer, without success. The group then filed suit against the electronics store, seeking an order requiring the store to refrain from selling the smartphones without a notice to this effect.

According to the Judgment issued by the Higher Regional Court of Cologne, no such claim exists because the electronics store did not breach its duties as the vendor. The court found that, while it had been established that the security gaps pose a threat to buyers' privacy, since they can be exploited to gain unauthorized access to customers' data and abuse this data for fraudulent purposes, this circumstance can only be ascertained by running tests to determine whether the software of each individual smartphone has a security gap. Security gaps arise from the combination of the operating system used and the specific phone model, so different smartphone models running the same operating system may have different security gaps. As a result, the vendor would have to test each smartphone model individually in order to discover a security gap. The court found that this would represent an unreasonable demand on the vendor.

The court reached a similar conclusion with respect to software updates. It noted that the vendor typically does not have information about updates at the time of sale and that providing updates is essentially the manufacturer's responsibility. Moreover, it pointed out that vendors cannot obtain information about software updates without unreasonable expense, since even the manufacturer does not know whether and when a software update will be provided.

The court left open the question as to whether information about security gaps would have to be obtained by the vendor from the manufacturer under certain circumstances.

Also unclear is the extent to which vendors are required to disclose security gaps of which they are already aware. The Judgment also makes no statements concerning the vendor's duties under product liability and product safety law with respect to market surveillance. The court's argument that manufacturers do not know whether and when they will publish an update, and that the relevant information and plans can change daily, is unconvincing. The court declined to allow an appeal on points of law, so the Judgment is final and binding.

[November 2019]