September 28, 2016 | By Elliot Harmon

Don't Hide DRM in a Security Update

HP Promises to Restore Printers’ Functionality, But Questions Remain


Over 10,000 of you have joined EFF in calling on HP to make amends for its self-destructing printers in the past few days. Looks like we got the company’s attention: today, HP posted a response on its blog. Apparently recognizing that its customers are more likely to see an update that limits interoperability as a bug than as a feature, HP says that it will issue an optional firmware update rolling back the changes that it had made. We’re very glad to see HP taking this step.

But a number of questions remain.

First, we’d like to know what HP’s plans are for informing users about the optional firmware update. Right now, the vast majority of people who use the affected printers likely do not know why their printers lost functionality, nor do they know that it’s possible to restore it. All of those customers should be able to use their printers free of artificial restrictions, not just the relatively few who have been closely following this story.

Second, we’re still asking HP to promise that it will never again use a security update to roll back features on which its customers rely. Customers should be able to buy an HP printer without fear that the company will later place artificial limits on the printer’s use. It would be a security nightmare for customers to avoid installing security updates for fear of unwanted and unannounced feature changes. Even people who don’t use Officejet printers should still be troubled by the possibility of thousands of printers running without security updates installed, leaving known vulnerabilities open to attack.

Third, HP should promise that it will never use Section 1201 of the Digital Millennium Copyright Act to sue or threaten security researchers for bypassing its digital locks in the course of their work. We’ve already seen how legal protections for DRM have dissuaded researchers from disclosing vulnerabilities. For the sake of its customers’ safety, HP should commit to immunizing security researchers from legal threats under DMCA 1201.

Taking these steps can help fix HP’s mistake. But we remain troubled by the trend of companies using digital locks to break their own products’ functionality, and then representing those locks as security features. These anti-features endanger Internet security while making our products less useful. We hope that other companies learn from HP’s mistakes.

Take Action: Tell HP: Say No to DRM.

