The fight to get better phone security seems to be a losing battle, quite literally, with a Dutch court ruling that Samsung isn’t obliged to patch its older phones.
While Google dishes out software updates for Android on a regular basis, it passes them on to the phone manufacturers for distribution to users. Samsung – like most other manufacturers – chooses if and when it wants to roll out those patches.
The South Korean electronics giant was taken to court by Dutch consumer rights group Consumentenbond, which argued that the company should update its phones for at least four years after they go on sale, or for at least two years after they are sold. It even wanted the company to provide the patches within three months of them becoming available.
Losing (court) battle
Consumentenbond alleged that Samsung was leaving users unprotected from security risks by not providing patches for its phones in a “timely” fashion, with some of its older models not receiving any updates at all.
The Hague administrative court, however, disagreed with Consumentenbond and ruled that the case was inadmissible because it relates to the company’s future activities. According to the court ruling, “nothing can be decided regarding the nature and severity of any future security risks and Samsung's future actions” as it’s hard to determine “specific circumstance” today.
That means that if a risk is discovered in future, Samsung could choose to distribute updates to all its phones, or may not patch the software at all, depending on the nature of the bug and the limitations of the phone hardware.
Most phone manufacturers support their handsets for two full years after launch, with some companies, including Google, adding another year to the support cycle for security updates. Samsung says that its two-year support tenure and update frequency are “reasonable” enough. After all, phones have a two-year warranty in many countries, including the EU, and one year everywhere else.
While this may not sound very reassuring from a consumer perspective, it must be noted that security patches aren’t feature updates (i.e. an OS overhaul), so companies aren’t necessarily legally obliged to distribute them, especially given that those security exploits don’t arrive with the phone at launch.
From a business perspective, patching old devices isn’t a particularly profitable practice — unless the company can show that not doing so affects sales. And so far, neglecting old devices doesn’t seem to have hurt anyone’s bottom line.
We’re not saying that Samsung, or the court ruling for that matter, is in the right, but extending the support cycle sounds reasonable enough when Android is a highly targeted operating system.