Duty of Care of Mobile Phone Provider (Or User)?

Here’s a question raised on a US legal technology list that seems relevant to Canadian law too.

What’s the duty of care of mobile devices as pertains to patches/updates provided by the vendor and/or provider?


I bought an Android phone in June 2012, which received an over-the-air OS upgrade in late July to Android 4.0.4. This release was provided to me well after the version was released to the public. Also, since that time, 2 other versions of Android (4.1 and 4.2) have been made available. There are known security vulnerabilities in the 4.0.4 release.

Yet I’ve certainly not received a further update of any sort. Moreover, it’s actually common for devices to only receive 1 update after their release, with future updates abandoned.

Now, previously, people would jailbreak their phones and force-feed the updates manually. However, for new tablet owners, thanks to a bizarre ruling under the DMCA, this is no longer a *legal* option (it’s still apparently ok for smartphones). This is especially interesting since mobile carriers do sell mobile-enabled tablets.

So… what obligation do vendors and service providers have to provide updates to mobile devices? Is there a commercially reasonable duty of care that must be provided? Are they meeting it? Or, are they (vendors/providers) unfairly pushing this responsibility onto customers?

And, do customers have adequate grounds for legal recourse if their devices become compromised because the vendor or provider has failed to push out an available update? What do you think?

Views? What would you do for your phone, or advise your clients to do with theirs? Would it be a breach of warranty, say of fitness for purpose, for the manufacturer or vendor to allow a machine one has sold to become vulnerable to attack in such a short time? Does not that type of warranty sometimes require the product to stay operational for a period, depending on the price, etc.? What is a reasonable expectation of the sort that might give content to such a warranty?


  1. The first step would be to read the license.

    My cynical guess (based on years of reading these things) is that (a) they exclude any implied warranties such as fit for purpose and (b) they exclude any obligation to update the software.

    The enforceability of clickthrough licenses is another matter, but the license is certainly the starting place.

  2. Agreed that the licence is important. Most sales laws or consumer protection laws do not allow vendors to opt out of the warranty of merchantability for consumer sales. Whether the manufacturer (the supplier of patches) is liable when the sale contract is with a device store or a telecom company is a different issue.

    I know of no cases here or in the US holding a click-through contract unenforceable, and know of no reason why one should be unenforceable. (‘Browsewrap’ contracts relying on implied consent are a different, and rather smelly, kettle of fish.)