Don't Hide DRM in a Security Update
HP Promises to Restore Printers’ Functionality, But Questions Remain
Over 10,000 of you have joined EFF in calling on HP to make amends for its self-destructing printers in the past few days. Looks like we got the company’s attention: today, HP posted a response on its blog. Apparently recognizing that its customers are more likely to see an update that limits interoperability as a bug than as a feature, HP says that it will issue an optional firmware update rolling back the changes that it had made. We’re very glad to see HP taking this step.
But a number of questions remain.
First, we’d like to know what HP’s plans are for informing users about the optional firmware update. Right now, the vast majority of people who use the affected printers likely do not know why their printers lost functionality, nor do they know that it’s possible to restore it. All of those customers should be able to use their printers free of artificial restrictions, not just the relatively few who have been closely following this story.
Second, we’re still asking HP to promise that it will never again use a security update to roll back features on which its customers rely. Customers should be able to buy an HP printer without fear that the company will later place artificial limits on the printer’s use. It would be a security nightmare for customers to avoid installing security updates for fear of unwanted and unannounced feature changes. Even people who don’t use Officejet printers should still be troubled by the possibility of thousands of printers running without security updates installed, leaving known vulnerabilities open to attack.
Third, HP should promise that it will never use Section 1201 of the Digital Millennium Copyright Act to sue or threaten security researchers for bypassing its digital locks in the course of their work. We’ve already seen how legal protections for DRM have dissuaded researchers from disclosing vulnerabilities. For the sake of its customers’ safety, HP should commit to immunizing security researchers from legal threats under DMCA 1201.
Taking these steps can help fix HP’s mistake. But we remain troubled by the trend of companies using digital locks to break their own products’ functionality, and then representing those locks as security features. These anti-features endanger Internet security while making our products less useful. We hope that other companies learn from HP’s mistakes.