Security vulnerabilities in smartphones

Electronics retailer not required to disclose security vulnerabilities and missing updates of the Android operating system

An electronics retailer is not required to inform buyers about security vulnerabilities in, or missing updates for, the operating system of the smartphones it sells. This was decided by the 6th Civil Senate of the Higher Regional Court of Cologne, confirming a decision by the Regional Court of Cologne to dismiss the action.

The plaintiff consumer association had conducted test purchases at the defendant electronics retailer and had the acquired smartphones examined for security vulnerabilities by experts from the Federal Office for Information Security (BSI). One of the devices exhibited 15 out of 28 tested security vulnerabilities, while another had only one, even though both devices nominally had the same older version of the Android operating system pre-installed at the factory. The background is that the operating system is adapted by the respective manufacturer for each specific smartphone model, and new versions of the operating system can only be used once they have been adapted for the particular smartphone model.

The BSI concluded that the device with 15 security vulnerabilities posed a significant security risk to users. After the BSI had unsuccessfully contacted the manufacturer, the plaintiff demanded that the operator of the electronics retailer cease selling the devices without disclosing the security vulnerabilities.

The subsequent action for injunctive relief was dismissed by both the Regional Court and the Higher Regional Court of Cologne. In dismissing the appeal, the 6th Civil Senate of the Higher Regional Court essentially stated that the conditions for an injunctive claim were not met. It would represent an unreasonable burden for the defendant to obtain information about security vulnerabilities for every single smartphone model it offers.

While information regarding the existence of security vulnerabilities is of great importance to consumers, since such vulnerabilities could lead to violations of consumer privacy and the misuse of acquired data for fraudulent purposes, it must also be considered that the defendant could only identify security vulnerabilities through tests specific to each smartphone type. Furthermore, it is not feasible to identify all existing security vulnerabilities. All operating system providers themselves continuously discover security vulnerabilities in their operating systems, sometimes only after attacks by third parties. Finally, the detectable security vulnerabilities could change at any time, which would require the defendant to repeat the tests at regular intervals.

The same applies to information regarding the provision of security updates. Whether security updates would still be provided for a specific model was generally unknown to the defendant at the time of sale. Furthermore, the defendant had no means of obtaining this information without the manufacturers' involvement. Only the manufacturer decides if and when to adapt a security update for the respective smartphone model. Here too, the relevant information could change daily, especially since the manufacturer itself may not know if and when a security update that it could then adapt will be released.

The Senate did not grant leave to appeal. The judgment will soon be published in its anonymized full text at www.nrwe.de.

Judgment of the Higher Regional Court of Cologne dated 30.10.2019 – Ref. No.: 6 U 100/19

Source: Press release from the Higher Regional Court of Cologne, Dr. Ingo Werner, Head of Press and Public Relations