In wake of EPIC data breach - Samsung forcing users to accept T&Cs or risk their data
Users attempting to take sensible precautions after a recent spate of data breaches at Korean techmonger, Samsung, are being forced to accept updated terms and conditions in order to do so.
Samsung has fallen prey to two data breaches in 2022 to date. The first orchestrated by the notorious Lapsus$ group, saw 190GB of data exfiltrated from the company, and included algorithms for all biometric unlocking operations, source code for the bootloader for newer Samsung products, and all the source code behind the process of authorizing and authenticating Samsung accounts.
The second affected users directly and saw Samsung wait a month before notifying customers that a huge trove of personally identifying information was now in the hands of criminals.
While the understated press release from Samsung reassured customers that there was no need for panic, prudent users - perhaps alarmed at Samsung’s lack of alarm - immediately logged into their Samsung account to change their password.
Many users create a Samsung account when they buy their phones and then immediately forget about it. Some read the terms and conditions, and some don’t. You should always read the terms and conditions.
And if you created your account before September 2021, Samsung is under no obligation to notify you when those terms change - unless you attempt to log into your online account, that is.
Samsung’s terms and conditions were last updated on 30 September 2021, in a change that went largely unnoticed by everyone.
While it’s technically possible to request a password reset without logging in and accepting the updated terms and conditions, you do need to accept them in order to access other security features of your Samsung account.
Who’s been snooping in your Samsung account?
If Samsung’s catastrophes have you worried enough to change your password, it’s natural that you would want to know if anyone has successfully managed to log into your account.
As a security-conscious entity which recognizes that its customers are also security conscious, Samsung offers a variety of tools to reassure you that your data and devices are in safe hands.
These include a “find my device” feature - something you most definitely do not want accessed by ne’er-do-wells, and a “Recent account activity” section, which lists all the devices that have signed in to your account or changed your security settings in the last 12 months.
In verifying your Samsung account’s integrity, this is a section you definitely want to access. Guess what? You have to accept the updated terms first.
What do Samsung’s updated terms say?
While the old terms and conditions ran to a headache-inducing 4,894 words, the most recent version have slimmed down to a svelte 3,894. A loss of exactly 1,000 words.
Most of these missing words relate to dispute resolution - and while all aspects of the old terms were, “governed by the law of the State of New York”, the new terms are instead, “governed and construed in accordance with the laws of the jurisdiction where you are a resident.” This could be good or bad, depending on where you live.
They also remove the prohibition against class action lawsuits, and allow disputes to be settled in court instead of through arbitration. This is actually good news for litigation-minded Samsung customers - especially in light of certain recent data breaches and unnecessary delays in reporting them.
One new aspect which may scare Samsung customers is:
“We respect the intellectual property rights of others. We may suspend or delete an account or stop providing all or part of our Services to an account if we reasonably believe that such an account has repeatedly infringed intellectual property rights.”
The terms don’t say what constitutes reasonable belief.
Accept the updated terms or leave
Whether or not Samsung’s updated terms affect you, you’ll have to accept them in order to get the reassurance that no-one has logged into your Samsung account, and is currently monitoring your whereabouts using the “find my device” feature, checking out your frequent locations in “Places”, or using your profile pic to create fake accounts elsewhere. If you don’t want to accept terms and conditions foisted on you with the barest nod towards consent, well, that’s tough really.