Samsung sued over failure to update
- Vanessa Henri
- Jan 25, 2016
- 4 min read

The Dutch Consumer Association has sued Samsung for "faulty software update policy" for Samsung's Android Smartphones. According to the organization, this amounts to an "unfair commercial practice".
Last year, the discovery of the Stagefright security bug, which affected over 1 billion Android devices worldwide, forced Samsung to implement a security update process that "fast tracks the security patches over the air when security vulnerabilities are uncovered (...)"
However, the watchdog also blames the Korean OEM Samsung for not being transparent regarding the critical security updates, like the update to fix Stagefright exploits, that are necessary to "protect [its] consumers from cyber criminals and the loss of their personal data."
The legal obligations of companies over data privacy are part of an emerging field of law which still needs to adapt to new realities, such as cloud computing and more.
Companies are constantly the targets of cyber attacks and spyware, but admitting so would be bad marketing.
That's even true of banks - they are constantly under attack, but they would not admit it. Would you still deposit your money if the banks told you that it's not secure at all? By analogy, would you deposit your money if thieves were constantly showing up with guns in the local bank? Probably not.
So basically, there is some sort of secret war going on, which has led people to affirm that, because of their choice to keep silent, businesses are making it easier for black-hat hackers.
The argument is based on the assumption that not revealing the said attacks to the police prevents the development of adequate countermeasures.
While this may be true, one must not forget that company administrators have legal obligations, among which is being in charge of making the best decisions for their stakeholders. So in the absence of a clear legal indication that they must report cyber attacks, administrators will be afraid of incurring personal liability by causing financial losses to stakeholders.

Of course, one must not forget that a few legal precedents have established that the role of companies within society is also a factor to be taken into consideration when making business decisions - but I highly doubt that this factor (among other factors) will be sufficient to convince companies to be open about problems with data protection.
Suing a company which has made it public that it is working on improvements in regards to data protection, and using that statement as a legal argument, illustrates quite convincingly the danger of going public about any security issue. The official statement of Samsung regarding the lawsuit refers to its previous public claims:
“At Samsung, we understand that our success depends on consumers’ trust in us, and the products and services that we provide. That is why we have made a number of commitments in recent months to better inform consumers about the status of security issues, and the measures we are taking to address those issues. Data security is a top priority and we work hard every day to ensure that the devices we sell and the information contained on those devices (sic) is safeguarded.”
Overall, companies don't know what their legal obligations are with regard to cyber security. Is it to try your best? Is it to be up to date with the standards of the market? If so, which market? Are these obligations proportional to capabilities? Do we expect more from successful and international firms?
It is worth mentioning that the Dutch Consumers Association is suing Samsung because it is the most popular distributor of Android phones in the country - not because they have a policy that's different from other suppliers. Just because it's the biggest company on the market in the Netherlands.

It's true that their policy is messed up. This was pointed out by Sam Mobile a few months ago, and by many other commentators.
I'm not saying their policy is right, but that we need to sit down and discuss which policies are acceptable in regard to legal standards and which ones are unacceptable. It should not be the practice of the market that dictates what's legal. And we should not put the matter on the shoulders of judges who know nothing of cyber security. It needs to be an informed decision, from governments and international organizations, on which practices constitute the minimum standard for the industry regarding software updates.
At the moment, businesses that operate in various countries have to conform to many different expectations.
And the law's choice of words (reasonable means?!) certainly adds to the confusion.
All of this explains why a cyber security law expert should be hired internally when companies have the financial means to do so.
But it goes further than this. How do we expect law enforcement to catch up with new forms of criminality if they don't get sufficient practice in doing so?
We can't expect the military to protect all of the IT structure in one country. Our national cyber security is as strong as its weakest element. And companies with international traffic are intrinsically a risk to national cyber security when they share data internationally.