back to article Samsung escapes obligation to keep old phones patched

The Dutch Consumers Association has lost a court case trying to force Samsung to ship security updates for older phones. The case could have had far-reaching impacts, since there's little point in writing software for only one market. The Consumentenbond wanted the court to force the smartphone giant to provide security …

  1. Phil Kingston

    Good to see someone else falling foul of car analogies.

    Cars ain't phones.

    1. Anonymous Coward
      Anonymous Coward

      I can see why you may say that and in a way you are right and another wrong.

      They used it to show that car manufactures (as are also white goods manufacturers ) are legally obliged to carry parts and ensure their devices are safe to use.

      The issue becomes more back and white when you look at it in another context, yes the car maker is obliged to make sure it's safe for "normal" use but outside that, they are not. If you are chucking your Nissan Micra at full belt around a race track for 30 minutes and the brakes fade and fail, that is not Nissan's faults. If the windscreen pops out when driving, that's Nissan's fault, if some scumbag lobs a paving slab through it, it isn't.

      As much as Android is a piss poorly designed OS when it comes to updates, in "normal" use it is pretty safe. Additionally, if you are getting security updates, but no "feature" updates, i.e. OS versions, they have no legal reason to upgrade you, the phone was never sold with that OS.

      So as many others will say, the best way to get ANY company to do something is not to buy their products unless they do.

      1. BinkyTheMagicPaperclip Silver badge

        In 'normal' use Android is not pretty safe if there's an exploit the manufacturer refuses to patch..

        Naturally consumers should not be entitled to feature updates, but personally I think security updates should be a given.

      2. Waseem Alkurdi

        So as many others will say, the best way to get ANY company to do something is not to buy their products unless they do.

        I beg to differ. The majority of buyers are the proletariat class of users. They have no idea what security updates mean, nor they can be bothered.

        And not to forget the kinds who drop their phone as soon as the next shiny-shiny appears.

    2. pleb

      One major difference I see is that, in the main, flaws that have come to light over the years in cars have been defects in the design and build which were present from the start, whereas with phones they are generally vulnerabilities to new exploits which did not pertain when the phone was launched.

      1. Alan Brown Silver badge

        "with phones they are generally vulnerabilities to new exploits which did not pertain when the phone was launched."

        Erm, the vulnerabilities were there all along. It was the exploit that uncovered them.

        I can't see Nissan or anyone else getting away with refusing a recall because someone recently discovered that if you drive down a potholed road in a particular pattern the pins holding your brake pads in place all pop out and the brakes fall off. "It was perfectly OK until you found that" simply wouldn't wash.

        1. Anonymous Coward
          Anonymous Coward

          Wanna bet? They'll pin the blame on the driver for driving it rough and MAKE it wash.

  2. Joe Montana

    Phone contracts

    A lot of phones are purchased on 2 year contracts, so at the very least the manufacturer should be required to support the phone for the duration of any such contracts.

    1. Oengus

      Re: Phone contracts

      The issue here is that the contract is taken out with the carrier/mobile phone provider. Seldom is the contract with the manufacturer. It should be the carrier/provider's responsibility for the updates. If people stopped buying a particular brand from the carriers because of the lack of support maybe the carriers would apply pressure on the manufacturers.

      1. Steve Evans

        Re: Phone contracts

        @Oengus - In the UK carriers like Orange used to customise the Nokia smartphones with their own fork of the OS.

        It was a guaranteed way to never get a single OS update.

        The geekier amongst us would flash their Orange'd Symbian phone back to a Euro model number, and then apply the OS images direct from Nokia.

        The N95 was actually pretty sorted once you got the Nokia updates. The Orange'd one was condemned to spend it's life as a permanent beta.

      2. Mark 85

        Re: Phone contracts

        If people stopped buying a particular brand from the carriers because of the lack of support maybe the carriers would apply pressure on the manufacturers

        Updates, etc. cost the carriers money (bandwidth and managing costs) and thus profit. I agree that they should at least do some pushing for the updates but if it doesn't affect the bottom line, they won't do it. And here in the States, in most places changing carriers isn't an option.

    2. G2

      Re: Phone contracts

      In those contracts the phone manufacturer is often an unrelated third party (from the point of view of the contract), without any obligation to the customer.

      When the phone services company purchases phones in bulk to re-sell, it often doesn't give a crap about support past the initial few months.

      This is because in China there's no minimum warranty period mandated by law... and it must be specified in the contract. If the contract says that the warranty is only 5 minutes long after they buy a batch of phones, then that's the legal warranty that the phone manufacturer will provide.

      If the contract doesn't mention warranty at all then tough luck... there's no warranty and your provider should pay for repairs/replacements out of their own pocket.. and they often don't.

      1. Lusty

        Re: Phone contracts

        Maybe warranty is the way to approach this. The EU has a minimum warranty of 2 years so within that period the manufacturer is responsible for any faults from manufacture. If a bug is present which means the phone isn’t secure return the phone if a patch isn’t available. A few thousand full refunds later and maybe they will learn a lesson.

        1. G2

          Re: Phone contracts

          if you as consumer don't buy directly from Europe then the minimum 2 years warranty does not apply.

          Also, that minimum warranty period does not apply to goods purchased by companies, it only applies to purchases by consumers.

          if Company X buys a batch of phones from China, with 1 month warranty - it's legal.

          if person Y willingly buys a phone from China, with 1 month warranty - it's legal. The sale happens in China as far as the manufacturer is concerned, the fact that the phone is then moved to Europe - that's not their problem.

          if person Y, in Europe, buys a phone from Company X, from Europe - then company X has to provide a minimum 2 year warranty.... but this warranty only covers the device "as is" at the time of the sale - it does not include any operating system updates. (unless explicitly included in the sale contract)

          This is why many phone manufacturers don't give a crap about OS updates a few months after product release, because it's not their problem from the point of view of warranty laws.

          1. Norman Nescio Silver badge

            Re: Phone contracts / Guarantees

            I misread your post, but as I had collected together what may be useful information and links, I've removed some of my reply, and leave what may be useful to others below.

            ++++++++++++++++++++

            If you, as a consumer, purchase a phone from a retailer in Europe, then the guarantee is provided by the retailer, not the manufacturer, even though retailers try to obscure this. This guarantee is for a minimum of 2 years. Details are here: Your Europe:Guarantees and Returns

            Free of charge, 2-year guarantee (legal guarantee) for all goods

            Under EU rules you always have the right to a minimum 2-year guarantee at no cost, regardless of whether you bought your goods online, in a shop or by mail order.

            This 2-year guarantee is your minimum right. National rules in your country may give you extra protection: however, any deviation from EU rules must always be in the consumer's best interest.

            If goods you bought anywhere in the EU turn out to be faulty or do not look or work as advertised, the seller must repair or replace them free of charge or give you a price reduction or a full refund.

            As a general rule, you will only be able to ask for a partial or full refund when it is not possible to repair or replace the goods.

            As a citizen of an EU member, those are your minimum rights: national legislation is allowed to improve on this, and the main UK legislation is the 2015 Consumer Rights Act. Unfortunately, this legislation did not replace earlier legislation, such as the 1977 Unfair Contract Terms Act, the 1979 Sale of Goods Act and other assorted consumer protection legislation, so the older acts have not been repealed, and all legislation is in force.

            Ironically, the EU have information on the situation pertaining to Consumer Guarantees in the UK here: Your Europe:Guarantees and returns – United Kingdom

            Legal guarantee

            How long is the legal guarantee for new and second-hand goods?

            The duration is 6 years in England, Wales and Northern Ireland and 5 years in Scotland. This applies to new and second-hand goods.

            If the product is defective, who is responsible for putting things right?

            The seller, including purchases made on an Internet platform. In addition to this, the consumers can make claims against credit card and finance companies if the product is paid for by credit card (directly to the trader) or by finance arranged for this particular purchase. This applies to purchases of the goods of value between GBP 100 and GBP 30 000.

            Both of the 'Your Europe' pages have more information than I have quoted, and are worth reading.

            So it is the person/organisation who sells you the goods who is responsible for the guarantee, not the manufacturer, unless you have bought directly from the manufacturer as a consumer.

            If you choose to buy from a seller outside of UK or EU jurisdiction, then I expect the consumer rights legislation applying to the location where the trade legally occurred would apply (although I am not a lawyer, so don't take this as gospel). The applicable consumer rights could well be worse than those applying to transaction in the UK or EU, and enforcement could be difficult. Caveat emptor!

            I hope that helps.

          2. Alan Brown Silver badge

            Re: Phone contracts

            "This is why many phone manufacturers don't give a crap about OS updates a few months after product release"

            That really depends on liability laws and contracts.

            Unless you're a fleet purchaser, you don't buy a car directly from Nissan or Ford or any other manufacturer, you buy it from a franchised reseller which is _always_(*) an independent company and that seller bears the responsibility for the warranty.

            With the argument you're advancing, automakers couldn't be compelled to issue recalls.

            (*) unless you're dealing with a very small niche maker such as Morgan, or a paradigm-breaker such as Tesla.

    3. Anonymous Coward
      Anonymous Coward

      Re: Phone contracts

      Why should a manufacturer be on the hook for the networks' rip-off HP contracts?

  3. Charlie Clark Silver badge

    Odd judgment

    Declaring that the suit cannot cover future actions seems a bit of sophistry and to fly in the face of other consumer protection legislation. Does anyone know whether it's possible to appeal against the decision? Otherwise I suspect an initiative to improve consumer protection legislation in the Netherlands is the way to go. This is going to happen sooner or later as software gets into more and more products. Giving manufacturers a get out of jail free card like this isn't going to wash forever.

    1. ExampleOne

      Re: Odd judgment

      Not really, the court is saying you can't sue someone for not doing something in the future. You have to wait until they have failed to do the thing you want to sue them for. This seems reasonable to me. All the judge has said is wait for a required update to not be provided, and then we can discuss suing companies or people.

      The other thing I think the court is saying, which is also I suspect is reasonable, is that security updates should be provided, but not "feature updates". Now, due to the way the ecosystem works, it may well be easier for a provider of updates to simply provide everything then it would be to separate the two, but that's not relevant to the legal principles.

      I'm also curious as to who, technically, is on the hook for the updates anyway. It's quite possible that Samsung have no contract with the end users so are an uninvolved third party as far as the law is concerned.

      1. Dan 55 Silver badge

        Re: Odd judgment

        We are in the future, nine years since the first Galaxy was launched. Isn't it obvious by now that Samsung don't keep their phones patched?

        1. ExampleOne

          Re: Odd judgment

          So sue for the missing patches, not for the patches that might or might not be missing if they are ever needed (which they obviously will be) in the future.

          Also, sue the entity your purchased the phone from, because that is where your contractual relationship lies, not with some Far Eastern third party. (Unless you purchased your phone direct from Samsung, in which case they can't run that dodge.)

      2. Alan Brown Silver badge

        Re: Odd judgment

        "All the judge has said is wait for a required update to not be provided, and then we can discuss suing companies or people."

        Which it must be noted is NOT how Samsung is painting it.

  4. JassMan

    Built in obsolescence

    Since the EU has rules against built in obsolescence, perhaps the association should have argued that a phone without sufficient security upgrades is obsolescent. Samsung should be given the choice to continue updates or be forced to release (open source) the hardware drivers so that FOSS groups such as UBPorts could create a working version of Touch and KDE to port Plasma thus ensuring that the still working hardware doesn't become landfill.

    1. Jedit Silver badge

      "Since the EU has rules against built in obsolescence"

      Failure to support with software isn't built in, though? It's the manufacturer's choice when and if to stop supporting its devices. But you won't find me arguing that they should have to provide support for reasonable life of the device - two years should be the bare minimum because that's the typical contract length, and preferably it should be four or five years.

      Non-removable batteries, on the other hand...

  5. pleb

    Two things

    1) All this scary noise about security updates for phones; OK, I get the basic idea (my phone *could* be vulnerable to exploit xyz), but I've simply never heard of anyone having it happen to them. Loads of headlines about the possibility, none about the fact.

    2) My front door lock *could* be picked - is Yale obligated to upgrade it so it is hardened against the latest developments in lockpicking techniques?

    1. mark l 2 Silver badge

      Re: Two things

      "is Yale obligated to upgrade it so it is hardened against the latest developments in lockpicking techniques?"

      In the EU technically you could return your Yale lock to the retailer for up to 2 years after it was purchased if there was found to be a flaw in the lock that meant it could be opened without the key, as goods have to be sold fit for purpose.

      If more people took the issue for no security updates with the retailer they bought it from then they in turn would put pressure on the phone manufactures to do something about it, especially if the retailers threatened to pull none compliant devices from their stores.

      I don't necessarily agree with everything in EU regulations though, having the same 2 year warranty period for new and used goods seems a little unfair on retailers selling used goods. Surely if your buying used your getting it cheaper than new because there is a higher risk that something could go wrong with it.

      Does the law also take in to consideration the age of the the used item when purchased? A used item that was only 6 months old you could reasonably expect to last for a while, yet one that was 10 years old maybe nearing the end of its life. Especially with electronic items or goods with moving parts.

      If businesses have to give you the same warranty on all used items as new ones his will probably just result in more used items going into the bin, As companies will see them as a liability that they have to support for 2 years.

      As a consumer would be happy with anywhere between 1 - 6 months warranty on used items, depending on the cost i paid for the item and their age.

    2. Anonymous Coward
      Anonymous Coward

      Re: Two things

      Analogies time again...

      If Yale sold you a lock that had a manufacturing fault in it then they would clearly be obligated to replace it if you reported the fault within the warranty period. However, design deficiencies are much trickier because you cannot expect any given lock to be resistant to all possible methods of entry anyway.

      Your average one-star rated cylinder lock can be opened in a few seconds with a bump key, and as a purchaser you should be expected to know that. If you want a lock that is resistant to today's most common picking methods then get a three star lock, but who knows what techniques might be invented tomorrow by some miscreant.

      @ mark l 2, as I've pointed out, locks are not and cannot be expected to be resistant to all unauthorised attempts to open them. When you buy a lock, the various standards that it conforms to (if any) should guide your purchasing decision with respect to the security it can offer. So for example a TS007:2014 one star lock should not be expected to be bump-resistant, and therefore its fitness for purpose is not negated by someone being able to bump it open in two seconds flat.

  6. This post has been deleted by its author

    1. js6898

      Re: So What Is the Law for Updates...

      I think a guarantee is related to the spec at the time of sale. So if 2 months down the line the phone won't turn on then you can claim. If an attack vector is found and a security update issued then not. The sales literature etc never said they would be.

      Analogy time again - you buy a DAB radio. All goes well until 6 months down the line someone finds a way to inject their own (eg advertising) message into the DAB signal so interrupting your listening. All new radios are thereafter build with a software fix that means this can no longer happen. Should this fix be retrofitted to all existing older DAB radios?

    2. BinkyTheMagicPaperclip Silver badge

      Re: So What Is the Law for Updates...

      To be slightly fair to the phone manufacturers, it's not entirely straightforward.

      ARM (most Android phones) is a horrid platform, poor documented, and infested with binary blobs.

      The manufacturer chooses the CPU and the support chipsets. Often the drivers and binary blobs for the support chipsets (graphics, camera, HDMI output, etc) are provided by the manufacturer.

      So, basically the guarantee to security updates needs to apply all the way down the chain.

      Alternatively, enforce free and full documentation so that new drivers can be written, but that's unlikely to happen.

      1. Anonymous Coward
        Anonymous Coward

        Re: So What Is the Law for Updates...

        Your argument would give a different guarantee for the engine, brakes, wheels etc and each being with the manufacturer of said component.

  7. Archivist

    Who cares?

    Most consumers don't care as long as it's big and shiny.

    The contract is with the retailer, but try finding one of those who cares enough about it's buyers to do anything. If anything they are beholden to the manufacturer so they get first batch of a new handset.

    As a previous poster said: exploits rarely happen in the field. However once everyone's bank branch is in their mobile, the bad guys will try more and harder.

    1. Alan Brown Silver badge

      Re: Who cares?

      "The contract is with the retailer, but try finding one of those who cares enough about it's buyers to do anything"

      The fact that most of this stuff is tied to GPL means there's a legal contract the retailers are tied to anyway.

      A few more actions by gpl-violations might start waking management up to the liabilities they've accrued by selling things without disclosing the opensource.

  8. BinkyTheMagicPaperclip Silver badge

    Consumers largely don't care as most contracts are 2 years.

    Phone manufacturers don't care as they want to sell new shiny

    Even if they did care, the chipset providers don't want to provide security updates for many years either, and also want to sell new shiny.

    If you run your banking app on an out of security support phone you're an idiot. We'd better hope the situation is better, once criminals really start to target two factor authentication.

    We don't accept this for operating systems (even OS X isn't quite that bad), we shouldn't accept it for phones.

    This will only worsen as people keep their phones for longer, now functionality improvements continue to plateau.

    1. robin thakur 1

      It needs to be law for it to be taken notice of

      Consumers don't know anything about IT but they all use these devices constantly in high risk situations. This has the potential to affect everybody else if these devices are commandeered into a botnet or otherwise spread malware or leak bank details due to flaws in Android which are left unpatched by manufacturers who have absolutely zero incentive to do so and they barely break even on some of these devices.

      This is one way in which the law needs to be updated globally to force manufacturers of devices containing firmware towards a minimum 2 year period to have a security warranty with longer options for things like Teslas. This might even help reverse plateauing if everybody knows that after 2 years your phone cannot necessarily be used securely To do otherwise is the height of irresponsibility. Apple users don't have this issue obviously, so maybe buy iPhones until Samsung wakes up and takes notice.

  9. Norman Nescio Silver badge

    Security updates vs. general updates

    I agree with Linus Torvalds' view on updates: there is no such thing as a security-only update, just updates in general, some of which patch flaws that might be exploitable: and you do not know beforehand which flaws are the exploitable ones.

    He has explained this many times on the Linux kernel mailing list - obviously, not everyone agrees with this approach, but if you look at the output of Greg Kroah-Hartman, who is the lead maintainer for many of the 'Long-Term Support' kernels, you will see that Greg argues strongly that, where the linux kernel is concerned, you should be applying all patches to remain up to date, as being selective about patches leads to a support nightmare.

    This means that your most reasonable, least effort approach, is to make sure you stay on the most recent mainline kernel, or, if choosing to stay on a 'Long-Term-Support' (LTS) kernel, you should stay up to date on its releases. The kernel developers take kernel API forward compatibility very seriously*, whereas the ABI is not stable. This is why manufacturers with 'binary blobs' like to stay on a particular kernel version, as the work needed to get kernel drivers working with the proprietary hardware will need to be repeated when the ABI changes. As a result, you tend to end up with hardware 'sticking' on particular Long-Term Support versions of the kernel. The ABI is less likely to break if you keep the LTS kernel and simply apply the available updates to that LTS kernel.

    This is a long-winded intro to saying that there is a reasonable argument for saying that there is no such thing as 'only' security updates - you should be applying all updates. In the case of Linux, the kernel developers work hard to provide stable, long-term supported kernels to help hardware manufacturers (especially of embedded devices), but for consumer-oriented hardware/software, you should really be looking to have a robust update mechanism in place for at least the expected lifetime of the product.

    How this would translate legally, I don't know. For example, I don't know if the fitness-for-purpose test applies solely at the instant of the sale, or for the period of the guarantee. It would be unreasonable to expect manufacturers to be responsible for devices to be immune to exploits that were not known about at the manufacturing date. If you want all the software and hardware to be developed and manufactured to 'High Assurance' requirements, including things like formal validation of the proper functioning of code, you will be looking at adding one, if not two zeroes to the cost of everything remotely 'smart'.

    I don't know what the solutions is: 'forcing' manufacturers to provide updates; or 'forcing' manufacturers to enable updates by you or third parties contracted by you. Neither approach is simple, and neither is likely to be cheaper than the current situation. As I understand it, the current situation, in the EU at least, is that the produce has to be fit-for-purpose when sold, and remain in the same workable condition for at least two years, able to pass the fitness-for-purpose test at the time of sale.

    I hope cleverer people than me are working on how to solve the issues.

    *As Linus says: "You do NOT break userland."

  10. Steve Evans

    I'm sure Samsung's logic goes like this...

    When a phone becomes end of line, consumer will buy a new Samsung phone.

    In fact I think they rely on this as these days a high-end phone from 2-3 years ago is quite capable of pretty much anything a new one can do. The camera might not be quite as good, and it'll be a little slower, but there really has been no "must have!" feature added in the last 3 years. In fact the old phone will still have a headphone jack! (Not so applicable to Samsung as they seem to be one of the few clinging on!).

    The only thing that got me to upgrade my ageing Nexus 6 was the battery giving up the ghost (and every replacement cell I found looked like a Chinesium fire risk!). Apart from that it worked perfectly.

    Consumers need to get a little smarter. Look at the support track record of a company before buying a phone. Only then will OEM's like Samsung/HTC etc etc take updates and after sales support seriously.

    (Yeah, I know, fat chance!).

    1. Charles 9

      "Consumers need to get a little smarter. Look at the support track record of a company before buying a phone. Only then will OEM's like Samsung/HTC etc etc take updates and after sales support seriously."

      But we CAN'T expect that. Thus Stupid Users. If you can't make the Stupid User smarter, what else can you do?

      1. Reginald Pérignon

        Stupid users?

        Across two handsets and about 5 maybe 6 years I've been lucky enough to get ONE android update from GB to ICS. Hell I put CM 12 on my gen 1 Note and that never got a followup stable release or 'security update' either. Does any 'droid handset manufacturer have anything even approaching a 'support track record' to even look at?

        1. Cavehomme_

          Re: Stupid users?

          Yes, Nokia have very regular updates.

          I understand that Xiaomi also provides updates to it’s MIU OS regularly and one recently applied to devices as old as 3-4 years.

          1. onefang

            Re: Stupid users?

            I already have had to major updates on my Moto Z. Would not surprise me if I get a third. It had Android 6 on it when I bought it, and now has Android 8, all OTA updates from Motorola.

  11. Anonymous Coward
    Anonymous Coward

    Back to the drawer for my Samsung

    Candy bar running Symbian, then.

  12. adam payne

    The court did, however, agree that consumers should be protected against security vulnerabilities, something it said “is of great social importance”.

    Phew, that certainly reassures me.

  13. dheath2000

    Windows?

    I'm not sure why Samsung should be singled out.

    Personally, I think when you are buying new, the manufacture should be forced to produce an update policy, not suggesting hundreds of words burried within T&C's, but simple statements such as "Full OS updates until Jan2019, extended support until Jan2020". This should be headline information.

    Hopefully this would also discourage bloatware, closer to a vanilla android experience, to make updating easier.

    The transition away from Windows XP would have been fine if when the hardware was purchased we were told support would finish April 2014.

    My UAE Samsung Note8 has been updated monthly. This would be a selling point expect, BUT I don't know what the competitors are doing so I cannot make a decision based on this information.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like