Cyber SecurityInternet

Samsung doesn’t have to offer updates for phones older than two years

Dutch consumer protection organization Consumentenbond took Samsung Netherlands to court, arguing that the company should provide updates and upgrades for their telephones “within one month after these become available, for a period of four years after the introduction to the market and/or two years after the time of the sale.”

Consumentenbond also asked the court to order Samsung to inform consumers “clearly and unambiguously” of its policy on updates and upgrades with regard to each model that Samsung has introduced or will introduce to the market.

But, alas, the court sided with Samsung.

Samsung claims to protect users

“The court in Den Haag was of the opinion that the Consumentenbond did not sufficiently demonstrate that there are actual security risks and that Samsung does too little to alleviate this issue,” the organization noted.

Attorney Christiaan Alberdingk Thijm, who assisted the Consumentenbond in this case, said that the court wants them to prove for all Samsung devices in all situations that there are security risks when Samsung does not provide consumers with any update, and that this requirement is unrealistic.

Hari Singh, an IT security professional from West London, agrees with the consumer protection group opinion that updates should be offered for a longer period.

“The court ruled in Samsung’s favor because it may happen in the future that Samsung can’t provide updates due to the nature of the bug and the limitations of older phone hardware. I understand the argument but if technical constraints appear in such a short period, then, in my opinion, some serious design flaws have been made,” he commented for Help Net Security.

“Imagine if PC manufacturers were to use the same argument and a company like Microsoft stopped offering security updates after just two years” The support period for Microsoft software usually runs into several years, regardless of which make or model of desktop/laptop one uses. Security updates for Windows XP were available for over 10 years. Of course, you have to draw the line somewhere, but designing phones that only accept updates for two years and not beyond seems ludicrous.

“My question to mobile manufacturers would be ‘What do you expect me to do with my phone after two years?’ If I pass my phone on to someone, it means they are now using a phone that is insecure. So, the right thing for me to do would be to destroy the phone? It seems they are discouraging re-use based recycling,” he adds.

“In the real world, a majority of people can’t afford new phones and will purchase a second hand model. This means that they are immediately at risk when they buy such a phone.”

Gert Jan ter Haar, head of technical product management at Samsung Netherlands, welcomed the court’s decision, and added that “Samsung has a robust and balanced system to protect users of Samsung phones against vulnerabilities.”

The company also noted that they guarantee that Samsung smartphone owners in the Netherlands would get software updates for two years after a handset first went on sale in the country.

There’s a benefit for users after all

Despite being disappointed with the court’s decision, Consumentenbond Director Bart Combée said that the lawsuit at least spurred Samsung to better inform users: they set up a banner on Samsung website’s home page that points to a page with the company’s update policy, which says clearly which devices obtain updates and how often.

“That used to be very different. Before, that information – if it was there – was hidden away on their site. Thus, we have brought some movement in the market with this case; as a result of which consumers are now, in any case, better informed,” he concluded.

As a side note: Google has recently announced that the company is working to make sure that all Android OEMs are delivering patches regularly to their devices, but did not say whether older devices will benefit from this push.

Leave a Reply

Your email address will not be published. Required fields are marked *