Are Walmart, Amazon and eBay liable for selling vulnerable devices?
In our recent research, we discovered that affordable Chinese-made routers sold by Amazon, Walmart, and eBay had critical vulnerabilities that could allow user data to be stolen. These affected routers include devices made by Wavlink, which was listed as an Amazon Choice, and Jetstream, which is “exclusive” to Walmart.
A major question has come up in light of that research: how liable are these companies for the faulty products they sell? eBay is an auction site, Amazon is a retailer/marketplace, and Walmart is a brick-and-mortar retailer with an online presence. With these different business models, how possible is it to determine fault?
This discussion would have to be based on existing laws, precedents, and proof of damages. We spoke with various legal and business professionals to understand the scope of these retailers’ liability and any actions they should take in order to best protect their customers from potential damage.
“Ascertaining liability for a defective product such as an unsecured piece of technology equipment is often complicated and difficult,” David Reischer, Esq., Business Law Attorney at LegalAdvice.com told CyberNews. He noted that a major difficulty lies in determining when a product has become defective: “A defect may occur at the design or production stage, or perhaps the piece of equipment was damaged and made defective in transit.”
Electronic devices like routers normally have a long production chain before they make it to Walmart, Amazon or eBay. While all evidence points to the conclusion that, specifically, Wavlink’s outdated firmware is the cause of the routers’ weaknesses, it can be harder to present that as fact without complete knowledge and investigation of the chain.
In the case of Wavlink, which is still listed on Amazon’s website as its Choice Router, the company is reachable and ascertaining where in the chain the fault lies is merely a matter of time and resources.
However, for Walmart’s “exclusive” Jetstream routers, this is much more difficult: there is no information related to Jetstream as a router maker anywhere online. While our research found evidence that it is most likely a sister company to Wavlink, both owned by a Shenzhen-based company known as Winstars Technology Ltd., this isn’t yet concrete fact. Therefore, getting in touch with any responsible party on Jetstream’s side will prove difficult if not impossible.
In that case, where do the Jetstream-related liabilities lie?
Retailers still liable
While a lot of that discussion revolves around the manufacturers or device makers themselves, the retailers Walmart and Amazon aren’t necessarily free from blame. Andrew Taylor, Director of Net Lawman, told CyberNews, “Retailers need to do their homework, and even if they unknowingly sell products that are not vetted (assuming that manufacturers are doing so), then they can come under fire and be subject to a class-action lawsuit for providing the public with such unsecure devices.”
Even then, Taylor believes that this is more a breach of warranty than anything else, and in most cases can be settled and refunded smoothly.
“A store like Amazon or Walmart should immediately discontinue selling a defective product or they may face legal liability for breach of contract, breach of covenant of good faith and any consequential injuries that flow from the defective product and attendant security breach.”David Reischer, Business Law Attorney
“When a store like Walmart or Amazon sells a defective piece of technology equipment,” Reishcer told CyberNews, “it is important to assess legal liability by determining if the store owner or manager or other high ranking employee knew or should have known that the items were substandard or if the defect became known after a customer reported a technology breach.”
In his opinion, once Walmart, Amazon or eBay are made aware of the defect, and they continue selling the products, they become liable. “A store like Amazon or Walmart should immediately discontinue selling a defective product or they may face legal liability for breach of contract, breach of covenant of good faith and any consequential injuries that flow from the defective product and attendant security breach.”
There does seem to be some precedent for this line of thought. Certainly, Walmart has faced its fair share of liability lawsuits, especially since it was founded as a brick-and-mortar retailer. Given that, strict liability applied in instances, for example, when portable plastic gas cans that it sold had safety defects that injured or killed customers. It fielded at least 80 separate lawsuits over the exploding gas cans, and agreed to pay $25 million in settlements.
With Amazon, it’s a lot less clear. It has no genesis as a brick-and-mortar retailer, and it has largely ducked multiple lawsuits over defective products – exploding blow dryers, vape pens, hoverboards, and even a faulty ladder – by claiming that it is simply a platform or marketplace. This positions it as an “intermediary” rather than a retailer, and for the most part courts have been satisfied with this positioning.
However, recent rulings have begun to challenge that. In the Bolger case in California, which involved an exploding laptop battery, a judge found that Amazon is similar to a physical retailer in that it is part of the distribution chain. The McMillan case in Texas found something similar, when a 19-month-old girl swallowed a small battery from a fake Apple TV remote. The judge there ruled that Amazon could be held liable for that item because it placed it “into the stream of commerce.”
But again, this liability is hard to prove, especially when considering such retail giants. “Product liability laws do protect consumers, but they do vary from state to state, country to country,” Taylor said, “and individuals are faced with quite a bit of a journey when up against retail giants such as Walmart and Amazon.”
One thing to consider, which is likely the biggest hurdle, is actually proving damages, especially considering the nature of the defect in vulnerable routers. Liability is based on some proof of damage, and it is a stretch to state that a vulnerable router, which may be added to a Mirai botnet, or could allow sensitive user data to be stolen, or possibly lead to a user’s other connected devices to be compromised, caused a person any real, practical damage.
All of the cases in which Amazon or Walmart have settled or were found liable involved bodily harm or property damage. Stolen data is neither of that, and a laptop exploding because it was hacked is usually a plot reserved for Hollywood movies.
Based on precedent, state or national laws, and proof of damage, there simply doesn’t seem to be much chance that Amazon, Walmart, eBay or any major retailer would be held liable for selling vulnerable, non-exploding routers.
Nonetheless, there is a pretty large area between legal liability and corporate action.
Alice Thwaite, founder of the London-based technology ethics firm Hattusia, believes it all boils down to responsibility.
“Responsibility is a big word,” Thwate told CyberNews. “Many businesses think of ‘responsibility’ as being the same as being ‘compliant’ – are we breaking any rules or laws? However, in today’s age, with raised awareness of climate breakdown and social injustice, responsibility has to encompass so much more. In this case, our democracies and personal freedoms are under attack from design surveillance and control of our personal devices.”