President and CEO
1501 Page Mill Road
Palo Alto, CA 94304
September 26, 2016
Dear Mr. Weisler,
I write to you today on behalf of the Electronic Frontier Foundation, a nonprofit devoted to defending technological freedom, human rights and privacy in courtrooms, legislatures, and online. Like many others, we are alarmed by reports that HP has activated a dormant feature in Officejet Pro printers (and possibly other models), so that the printers now automatically verify whether their ink cartridges are official HP ink and not competitors' products or even refilled HP cartridges. If these printers detect third-party ink, printing stops. This activation was disguised as a security update.
You must be aware that this decision has shocked and angered your customers. Below, I have set out our concerns and the steps HP must take to begin to repair the damage it has done to its reputation and the public's trust.
HP deprived its customers of a useful, legitimate feature
HP customers should be able to use the ink of their choosing in their printers for the same reason that Cuisinart customers should be able to choose whose bread goes in their toasters. The practice of "tying" is rightly decried by economists and competition regulators as an invitation to monopoly pricing and reduced competition and innovation. HP customers should choose HP ink because it is the best, not because their printer won't work with a competitor's brand.
HP abused its security update mechanism to trick its customers
HP printers, like most other networked computers, have suffered well-documented, catastrophic security vulnerabilities that exposed customers' whole networks to attacks. Because security is a process, not a product, vulnerabilities will continue to surface in your products throughout their lifecycles. Customers need to feel confident that they can accept security updates without compromising basic functionality.
By co-opting the security update mechanism to deliver an anti-feature—that is, something that works against your customers' interests—you have introduced doubt into the patch process. Earlier proof-of-concept malicious software targeting your products screened print jobs for Social Security Numbers and credit card details and sent them to attackers, or scanned customers' networks and hijacked their connected computers. By giving tens of millions of your customers a reason to mistrust your updates, you've put them at risk of future infections that could compromise their business and home networks, their sensitive data, and the gadgets that share their network with their printers, from baby monitors to thermostats.
HP's time-delayed anti-feature is a bait-and-switch
The software update that prevented the use of third-party ink was reportedly distributed in March, but this anti-feature itself wasn't activated until September. That means that HP knew, for at least six months, that some of your customers were buying your products because they believed they were compatible with any manufacturer's ink, while you had already planted a countdown timer in their property that would take this feature away. Your customers will have replaced their existing printers, or made purchasing recommendations to friends who trusted them on this basis. They are now left with a less useful printer—and possibly a stockpile of useless third-party ink cartridges.
HP has posted a "keep out" sign for security researchers
In using a technical countermeasure to exclude third-party cartridges, HP is signalling that it may invoke Section 1201 of the 1998 Digital Millennium Copyright Act, which makes it illegal (in most circumstances), and potentially a crime, to bypass measures that control access to copyrighted works. Another printer manufacturer tried to invoke this law in similar circumstances, forcing its competitor to litigate the issue for years.
Security researchers rightly fear that disclosures of defects in products covered by Section 1201 could lead to severe punishments. Many respected researchers came forward at the Copyright Office's triennial 1201 exemptions hearing in 2015 to say that they'd been chilled from disclosing vulnerabilities in 1201-covered systems, from voting machines to tractors to insulin pumps. This means that bad guys are free to exploit vulnerabilities in these products, while good guys are scared off from warning the people who depend on them about the dangers lurking in them. Given the history of attacks on printers, and the widespread distribution of your products, this is the last thing you should want.
For all these reasons, we call on HP to take the following five steps, immediately:
- Apologize to your customers, and restore the original functionality of their printers with a firmware update that rolls back the self-destruct sequence;
- Publicly commit that you will never again use your software update process to distribute anti-features that work against your customers' interests;
- Publicly commit that the effects of any software updates will be fully disclosed;
- Prominently disclose any capability or plan to remove features from devices in your sales literature, so customers know what they're getting before they buy;
- Promise to never invoke Section 1201 of the DMCA against security researchers or competitors who make legitimate aftermarket products.
I would be happy to discuss these measures with you at your convenience, and I look forward to hearing from you.
Apollo 1201 Project
Electronic Frontier Foundation