No, Samsung doesn't have to keep patching old smartphones, court rules

Samsung beats consumer advocates in case over smartphone security updates.
Written by David Meyer, Contributor

The fight for better smartphone security has suffered a setback in the Netherlands, where a court has rebuffed an attempt by consumer advocates to force changes on Samsung.

The Dutch Consumers' Association, or Consumentenbond, sued Samsung back in November 2016, arguing that the phone maker was obliged to keep customers' smartphones safe by providing timely Android updates for at least two years after purchase, or for four years after the phones' launch.

However, on Wednesday The Hague administrative court ruled that Consumentenbond's case was inadmissible, because the organization was trying to influence Samsung's future activities.

"The specific (technical) circumstances are still unknown. Therefore, nothing can be decided regarding the nature and severity of any future security risks and Samsung's future actions," the court said.

The consumer group said it was disappointed, arguing that the court did not deal with the issue of whether Samsung's behavior constituted an unfair commercial practice.

Consumentenbond's attorney, Christiaan Alberdingk Thijm, said it was unfeasible and unnecessary to prove there are security risks when Samsung does not issue timely updates to its users, as the court demanded the group do.

"Google classifies the severity of each leak they discover and the possible consequences. The Consumentenbond does not have to also do that," said Thijm in a statement.

Android security varies so widely because, while Google regularly issues patches for Android manufacturers to apply to their devices, it's up to the manufacturers to choose if and when to incorporate those fixes.

It sometimes takes longer for this patching to happen when the manufacturers offer heavily-skinned versions of Android, as is the case with Samsung.

Samsung, which did not respond to a request for comment on the Dutch ruling, issues monthly and quarterly security updates for a range of its products.

It insists that it tries to "respond as quickly as possible" to all known security issues, and it offers monthly security updates for its enterprise customers for "at least three years from general availability".

However, Samsung also sometimes continues selling phones that it has stopped updating. Earlier this year it dropped all updates for the Galaxy S6 range, even though the phones stayed on shelves.

The Consumentenbond also tried to get the court to force Samsung to give customers better information about its security practices. Again, it failed, but the organization's director, Bart Combée, noted that Samsung has recently started doing that anyway.

"We set the market in motion with this lawsuit, as a result of which consumers are in any case better informed," Combée said in the statement.

Last year, a German consumer-protection agency tackled a similar issue by suing a branch of the electronic retail giant Media Markt over its stocking of insecure Android phones.

The Verbraucherzentrale NRW agency was irked by the sale of Mobistel's cheap Cynus T6 phone, which -- the group established with the assistance of federal information security regulators -- was riddled with vulnerabilities.
