A consumer advocacy group in Germany has filed a law suit against a retailer in Cologne that sold an inexpensive smartphone made by Mobistel. The Mobistel model Cynus T6 was sold in Media Market stores for just 99 euros. Sounds like a great deal, right? Not so much. You see, the phone’s software came with 15 critical and known security vulnerabilities which were not disclosed to the consumer at the time of purchase.Instead, these security flaws were later identified by investigators from the Federal Office for Information Security (BSI). Unfortunately for Mobistel and Media Market, consumer advocacy groups tend to fight back when manufacturers and retailers sell products to consumers without disclosing “essential information” such as known security defects in a smartphone.
Although the complaint is at an early stage, it points to the possibility that companies manufacturing software applications could be held liable for selling defective products to consumers — in exactly the same way that auto makers have long been held liable.
The concept of software liability has long been debated. Although the internet of everything is upon us and software is eating the world -- we live our lives with license agreements that make software vendors immune to liability for damage or losses due to defects.
As Bruce Schneier observed more than a decade ago: there are no real consequences for having bad security, or having low-quality software of any kind. Even worse, the market often rewards low quality. More precisely, it rewards additional features and timely release dates, even if they come at the expense of quality.
Maybe things are changing? Let's watch and see what happens in a court room in Cologne.
Also, let's remember that courts are not the only arbiters of software liability. As highlighted in this year's State of the Software Supply Chain Report, organizations that promulgate defective software applications upon unsuspecting members of the public are being held liable by various regulatory entities. Just a month ago, Britain’s Information Commissioner's Office (ICO) -- the country’s data regulator, fined the Gloucester City Council £100,000 after a hacker exploited a well-known open source security flaw on a Gloucester City website months after the vulnerability had been publicly disclosed and fixes made available.