More than 10,000 people have signed onto EFF’s open letter to HP CEO Dion Weisler, taking the company to task for its dirty trick of using a security update to revoke its customers’ ability to print with third-party ink.
Now, less than a week after the story broke, HP has announced that it will push out an optional update that lets people restore the confiscated functionality. That’s good news, but there’s still plenty more HP needs to do to make amends for its egregious conduct.
10,000 signatures nudged HP in the right direction. The next 100,000 will nudge it further. Sign the open letter here.
First, we’d like to know what HP’s plans are for informing users about the optional firmware update. Right now, the vast majority of people who use the affected printers likely do not know why their printers lost functionality, nor do they know that it’s possible to restore it. All of those customers should be able to use their printers free of artificial restrictions, not just the relatively few who have been closely following this story.Second, we’re still asking HP to promise that it will never again use a security update to roll back features on which its customers rely. Customers should be able to buy an HP printer without fear that the company will later place artificial limits on the printer’s use. It would be a security nightmare for customers to avoid installing security updates for fear of unwanted and unannounced feature changes. Even people who don’t use Officejet printers should still be troubled by the possibility of thousands of printers running without security updates installed, leaving known vulnerabilities open to attack.
Third, HP should promise that it will never use Section 1201 of the Digital Millennium Copyright Act to sue or threaten security researchers for bypassing its digital locks in the course of their work. We’ve already seen how legal protections for DRM have dissuaded researchers for disclosing vulnerabilities. For the sake of its customers’ safety, HP should commit to immunizing security researchers from legal threats under DMCA 1201.
Don’t Hide DRM in a Security Update
[Elliot Harman/EFF]