A court in the Netherlands has made an interesting ruling that pontentially affects all smartphone users. Consumer rights group Consumentenbond said Samsung was creating a security problem for users by not promising to release patches for handsets beyond the two years the company already commits to. The group says this leaves users exposed to previously unknown vulnerabilities.
Consumentenbond wanted updates delivered for four years. And while Google does patch Android for more than two years, it's up to device makers like Samsung to deploy these patches more broadly. Samsung noted to the court that testing the patches released by Google takes some time as the company needs to ensure it works with their custom software.
Part of the court's ruling was a disagreement with Consumentenbond’s contention that users needed to bear protected against future risks. But it ruled that those risks weren't quantifiable. It also ruled that Samsung was letting users know about the two year window for updates.
It's interesting that the courts ruled that Samsung was acting reasonably. I'm not saying Samsung is doing the wrong thing. But we know handset sales have been stagnant over the last year and that people are holding onto their smartphones for a little longer. So, extending the policy to ensure users don't suffer a breach or some other security issue makes sense. The reputational damage to Samsung for not patching a known vulnerability could be significant.