A very interesting verdict for dealers of all kinds comes today from Cologne. The court's remarks can probably be carried over to most electronic devices and, of course, to online retailers.
The Higher Regional Court of Cologne has ruled that an electronics market does not have to point out security vulnerabilities and missing updates in the operating system of the smartphones it sells.
The plaintiff, a consumer association, had carried out test purchases at the defendant electronics market and had the purchased smartphones examined for security vulnerabilities by experts from the Federal Office for Information Security (BSI). One of the devices had 15 of the 28 vulnerabilities tested for, and another had only one vulnerability, although both devices nominally ran the same older version of the Android operating system. The background is that the operating system is adapted by the respective manufacturer to the respective smartphone model, and a new version of the operating system can only be used once it has been adapted for that model.
The BSI concluded that the device with the 15 security vulnerabilities posed a glaring security risk to users. After the BSI had unsuccessfully contacted the manufacturer, the plaintiff asked the operator of the electronics market not to continue selling the devices without pointing out the security gaps.
The subsequent action for an injunction was dismissed by the Landgericht and by the Higher Regional Court of Cologne. In dismissing the appeal, the 6th Civil Senate of the Higher Regional Court stated, in essence, that the conditions for an injunction were not met. It constitutes an unreasonable burden for the defendant to obtain information on security vulnerabilities for each individual smartphone model it offers.
It is true that information on the existence of security gaps is of great importance to consumers, since such gaps could lead to consumers' privacy being violated and the data obtained being misused for fraudulent purposes. However, it should also be borne in mind that the defendant can only identify the security gaps by means of tests, which must relate to the particular type of smartphone. Nor is it possible to identify all existing security vulnerabilities. All operating system vendors find security vulnerabilities in their operating systems again and again, some of them only as a result of attacks by third parties. Finally, the detectable security gaps could change at any time, so that the defendant would have to repeat the tests at regular intervals.
The same applies to information about the provision of security updates. The defendant is not usually aware, at the time of sale, of security updates for a specific model. Nor does it have any way of obtaining that information without the involvement of the manufacturers. The manufacturer alone decides whether and when to adapt a security update for the respective smartphone model. Here, too, the relevant information could change on a daily basis, especially since the manufacturer itself does not know whether and when a security update that it could adapt will be published.