Here’s a question raised on a US legal technology list that seems relevant to Canadian law too.
What's the duty of care of mobile devices as pertains to patches/updates provided by the vendor and/or provider?
I bought an Android phone in June 2012, which received an over-the-air OS upgrade in late July to Android 4.0.4. This release was provided to me well after the version was released to the public. Also, since that time, 2 other versions of Android (4.1 and 4.2) have been made available. There are known security vulnerabilities in the 4.0.4 release.
Yet I've certainly not received a further update of any sort. Moreover, it's actually common for devices to only receive 1 update after their release, with future updates abandoned.
Now, previously, people would jailbreak their phones and force-feed the updates manually. However, for new tablet owners, thanks to a bizarre ruling under the DMCA, this is no longer a *legal* option (it's still apparently ok for smartphones). This is especially interesting since mobile carriers do sell mobile-enabled tablets.
So… what obligation do vendors and service providers have to provide updates to mobile devices? Is there a commercially reasonable duty of care that must be provided? Are they meeting it? Or, are they (vendors/providers) unfairly pushing this responsibility onto customers?
And, do customers have adequate grounds for legal recourse if their devices become compromised because the vendor or provider have failed to push out an available update? What do you think?
Views? What would you do for your phone, or advise your clients to do with theirs? Would it be a breach of warranty, say of fitness for purpose, for the manufacturer or vendor to allow a machine one has sold to become vulnerable to attack in such a short time? Does not that type of warranty sometimes require the product to stay operational for a period, depending on the price etc? What is a reasonable expectation of the sort that might give content to such a warranty?