Providing Security Updates to Automobile Software

Auto manufacturers are just starting to realize the problems of supporting the software in older models:

Today’s phones are able to receive updates six to eight years after their purchase date. Samsung and Google provide Android OS updates and security updates for seven years. Apple halts servicing products seven years after they stop selling them.

That might not cut it in the auto world, where the average age of cars on US roads is only going up. A recent report found that cars and trucks just reached a new record average age of 12.6 years, up two months from 2023. That means the car software hitting the road today needs to work­—and maybe even improve—­beyond 2036. The average length of smartphone ownership is just 2.8 years.

I wrote about this in 2018, in Click Here to Kill Everything, talking about patching as a security mechanism:

This won’t work with more durable goods. We might buy a new DVR every 5 or 10 years, and a refrigerator every 25 years. We drive a car we buy today for a decade, sell it to someone else who drives it for another decade, and that person sells it to someone who ships it to a Third World country, where it’s resold yet again and driven for yet another decade or two. Go try to boot up a 1978 Commodore PET computer, or try to run that year’s VisiCalc, and see what happens; we simply don’t know how to maintain 40-year-old [consumer] software.

Consider a car company. It might sell a dozen different types of cars with a dozen different software builds each year. Even assuming that the software gets updated only every two years and the company supports the cars for only two decades, the company needs to maintain the capability to update 20 to 30 different software versions. (For a company like Bosch that supplies automotive parts for many different manufacturers, the number would be more like 200.) The expense and warehouse size for the test vehicles and associated equipment would be enormous. Alternatively, imagine if car companies announced that they would no longer support vehicles older than five, or ten, years. There would be serious environmental consequences.

We really don’t have a good solution here. Agile updates is how we maintain security in a world where new vulnerabilities arise all the time, and we don’t have the economic incentive to secure things properly from the start.

Tags: , , ,

Posted on July 30, 2024 at 7:07 AM33 Comments

Comments

wiredog July 30, 2024 8:00 AM

As far as security goes, if data connections are disabled that problem is solved. At least for remote access exploits. As always, if the Bad Guys have physical access they can do what they want. The data connection (an LTE connection on my car, and what happens when LTE goes away?) is used for navigation (I use my cell phone), the OnStar type services (ditto), and OTA software upgrades. The car runs fine if you pull the fuse for the LTE radio, though you do get error messages on some screens.

The easy thing for car manufacturers to do is get rid of the data connection and rely on the owner’s cell phone for any remote connectivity needed. The control bus (CANBUS, IIRC?) should be completely separated from the infotainment system, of course the two systems are getting more tightly integrated all the time.

I have a nasty feeling that this will all fly below the radar until either an update error, or cyberattack, bricks a bunch of cars. Bonus havoc if some of them are driving at freeway speeds when it happens with extra bonus wrongful death lawsuits.

Clive Robinson July 30, 2024 8:15 AM

@ Bruce, ALL,

Re : More than meets the eye.

“We really don’t have a good solution here. Agile updates is how we maintain security in a world where new vulnerabilities arise all the time, and we don’t have the economic incentive to secure things properly from the start.”

I think it’s fair to say that people now realise that “Code Signing” really is the “busted flush” identified on this blog way way more than a decade ago.

Also the latest bit of fun with CrowdStrike and Secure Boot in the past few days emphasize just how cracked and broken such “over the network updating is.

What has not been made clear but really should be is,

“What if the update completely borks the update process as part of the update problems?”

Yup 1ton bricks as far as the eye can see potentially blocking the roads and highways…

So the current way we do “agile updates” is really a bad idea, which we already know. Because high risk systems are not updated this way and in some cases is forbidden.

Imagine the flight system in your aircraft getting borked or worse bricked mid flight…

Why should any other vehicle be treated any less than “best practice” for vehicles.

But there is another issue which hides behind “we don’t have the economic incentive to secure things properly from the start”

Actually the opposite is the true state of things. The economic incentive is to get people to not own what they buy.

Hands up who remembers what Apple did to battery systems to get you to update faster?

How about HP Printers and the cartridges and the repeated unlawful scams they have pulled?

Then how about John Deere tractors?

And the now common in the car industry of making you rent what you have purchased like AirCon being built in but disabled unless you pay lots of money each month?

The best incentive is to make you pay over and over… But the lowest manufacturing cost is “pile it all in”. So all sorts of “security tricks” are being added to bleed you over and over…

Imagine the fun of you not wanting air-con any longer, so some low wage droid trying to make quoter accidently causes something else to be disabled like anti-lock breaks after all “one bit is the same as the next bit”.

Oh and the car manufacturers are without you permission selling as much data as they can to insurance companies and data brokers for less than a dollar per person…

So the new “Gypsies, Tramps, and Thieves” are not Standard Oil Execs, but the Execs in well known vehicle manufacturers. But we should know that after the “low emission scandal” by certain European Auto Manufactures.

Eriadilos July 30, 2024 8:18 AM

This is the problem with marketing & business driven features, and not engineer driven, or collegialy chosen ones in cars. To be fair engineers did quite a bit of funky things too : why would a Renault CLio need a V6 engine and 250 horsepower is beyond me.

Why do BMW’s need internet connectivity (that can communicate on the CAN bus to make things worse) ? To sell you subscription based add-ons such as heated seats ?

In my point of view the easiest security measure to put in place is reducing the attack surface, so “dumb cars” may be the future of secure cars. The question is : are consumers ready for the setback ?

We could also take an approach “à la Apple” : uniformisation. Updating a uniform automobile park of 2-5 software version each year for all manufaturers is a much simpler task, after all infotainement and connected features all work the same no mater the brand. This creates monopolies and has its own problems but hey, let’s have 3 manufacturers for the systems and not call it a monopoly !

Hannah S. July 30, 2024 8:52 AM

“Samsung and Google provide Android OS updates and security updates for seven years.”

May I ask if this is regionally different? I’ve got a Samsung Android phone bought in 2018 (6 years ago) that has stopped receiving OS updates for a few years (last update February 2022).

I agree that we need incentives/disincentives/rules about updates. Both for cars and for computing devices like phones. Of course specific enough to the needs of the respective class of products.

Quidnam July 30, 2024 9:06 AM

The best of the poor solutions to the problem would be to make car systems highly modular in terms of both hardware and software — telematics inputs and outputs should be somewhat standardized, and isolated in a secure network.

Of course, the industry seems to be going in exactly the opposite direction.

Snarki, child of Loki July 30, 2024 9:37 AM

Applies even moreso to aircraft, although the operation and maintenance is a lot more professional.

Stakes are higher, too.

Jimbo July 30, 2024 10:18 AM

In the aviation world, this has been a known (and solved) problem for decades. Any company that manufactures avionics (most especially safety-critical systems) are contractually required to support those units for FIFTY YEARS or more! That’s both software updates and physical repairs!

Making a new gizmo for a plane is not a trivial enterprise — the company has to predict how many they might possibly ever sell, then buy and warehouse enough spare parts for a fifty year support cycle. Source code has to be carefully archived along with all of the compilers and libraries needed to build it, possibly along with the workstations and operating systems needed to run them. If a unit can’t be repaired or updated for some reason, the company has to replace it with one that behaves identically to every input (and fits in the same hole and plugs into the same plugs).

Auto manufacturers could do the same. But your new entry-level sedan might cost $500,000.

Jim July 30, 2024 10:55 AM

A couple of decades of support won’t cut it. My car is only 27 years old and still going strong. My next one better last at least that long (or at least as long as I last).

Aaron July 30, 2024 11:29 AM

This is a solvable problem; it’s just a solution that automobile manufactures are to forward thinking to acknowledge… Stop making connected cars with sophisticated computer systems.

The industry, for +60 years, has sold grand visions of flying cars, self driving cars or networked cars; all which require complex computer systems which are vulnerable.

So they either suck it up and accept the challenges and complexities of the dreams they’ve pushed or they stop pushing dreams and stop making cars with computers.

Erdem Memisyazici July 30, 2024 11:34 AM

It’s possible to get your software checked as a public service but like you said we just don’t do that right now. What we do have is a game of find-the-needle-in-a-haystack and half the people don’t even know or expect a needle in their stack of hay.

If someone put anthrax in a shipment of celery we have a public inspection mechanism in place to prevent that from reaching every home that eats celery.

Someone puts a virus in your update, we leave that up to the good folks who own your phone (effectively that’s not you). Does the government not know? Not at all. We just don’t have a good national privacy law in the United States to scare anyone with. Well we do have the 4th as its spirit but that’s about it.

How much did X company who doesn’t give a damn about privacy end up having to have to pay Europe due to GDPR? Do the thieves break even or make money?

Policy and law is the only way forward here.

Bob July 30, 2024 12:37 PM

Auto manufacturers are just starting to realize the problems of supporting the software in older models

No. They’re just starting to acknowledge them. They’ve been made aware since the very beginning.

We saw the same thing with cigarettes and global warming. Corps will pretend not to know something, or to believe the opposite of reality, until they are forced to do otherwise.

Luz July 30, 2024 2:06 PM

try to run that year’s VisiCalc, and see what happens; we simply don’t know how to maintain 40-year-old [consumer] software.

We don’t know how, or we just don’t want to put the effort in? Tavis Ormandy ported “30[-year-old] abandonware” Lotus 1-2-3 to Linux in 2022—taking advantage of some debug data that’s usually not published, but with no source code available.

I kind Bruce is echoing a fairly defeatist and “software-exceptionalist” point of view here, which is all too common. If someone finds a non-software safety problem with a 14-year-old car, the manufacturer has to find some way to fix that (American law requires them to do it for free for vehicles under 15 years old). That means having to find and update 15-year-old plans, explaining to shops what needs to be done, then paying them to physically open up the cars and replace or repair the parts.

I think software’s really easy by comparison. Publish an update file and tell the shops “install this in the normal way”. Okay, maybe someone’s gotta figure out how to update and compile old stuff, but people regularly use and update decades-old software; we’re not talking about a COBOL “year 2000” level of difficulty here. With virtual machines now available, it’s almost trivial: boot up the 15-year-old system image in which you originally built the 15-year-old software. BSD is well-maintained 46-year-old consumer(-ish) software. Airbus is apparently still supporting A320 models dating back to 1989, famous for being software-controlled. Of course, by aircraft standards, that’s nothing; I regularly see hundred-year-old software-free bi-planes flying around.

We’re way too accepting of the view that software is somehow impossible to get right. As a programmer, I say that’s just laziness. People rarely treat software development as serious engineering, which results in frequent and spectacular failures. But we can create stuff easily and quickly, so people ask for things they wouldn’t ask of “real” engineers. How many software security problems in cars were caused by anything actually mandated to be there? (Don’t ask for or create features you don’t think will be supportable!) As far as I’m aware, the on-board diagnostics (OBD) port is the only required form of computer communication, and that’s not expected to be secure.

Maybe some exploit via the “infotainment” system can access the engine’s CAN bus and cause something terrible to happen, but connecting those two systems is nothing but a cost-saving measure. Trying to parse the 30 most popular types of audio and video files is a self-inflicted problem, too; most people would probably be happy if they could just connect their phones to a headphone jack (or USB equivalent) and not have to deal with whatever crap the car manufacturer shipped. Nobody requires cars to have wi-fi, cellular, or similar, though there’s been talk of mandating some form of “V2X” for the last decade (in which cases “data diodes” should be taken seriously, among other things).

XYZZY July 30, 2024 2:08 PM

This indicates that there is now (and always has been) an economic incentive to secure things properly from the start. However, the auto industry may not yet perceive this as economic. Taking a sail boat out for the day? There are incentives to secure things before you set sail. Every sailor knows this. Is there some way to incentivize todays MBA to at be aware of the issues? Does every manager know this? My experience is that management will take it under advisement and do nothing.

kiwano July 30, 2024 2:29 PM

That figure is for average age on the road, not average age on the tow truck to the scrapyard. With the (obviously false, but usefully simplifying) assumptions that all cars get scrapped at the same age, and are produced/scrapped at a uniform rate, the expected scrap date for a car rolling off the line now is more like 2050.

David Taylor July 30, 2024 3:28 PM

What if the automotive software was covered by a free software license or
even just an open software license?

Since the software would be available to everyone, there would be an
incentive to make it secure. And once the auto manufacturer stopped
supporting it, the community could potentially support it. At least
for security purposes.

David

Iustin Pop July 30, 2024 4:59 PM

I know people like to look down on Tesla – e.g. the article only mentions Tesla’s badly-named FSD – but, well, this is a long solved problem. Just that the rest of the industry is way behind Tesla.

And yes, just like new major OS updates bringing new functionality, Tesla does push new functionality a couple of times per year, aside from the usual bug and security updates.

Roberto July 30, 2024 6:00 PM

There is a simple solution, which is that, after maintaining it for the years during which the manufacturer wants to invest money in maintaining the versions, they can release it as open-source software and let the user community maintain it.

Daniel Popescu July 30, 2024 9:43 PM

Not a car owner, but it seems that some sort of global automotive software platforms standardization would help. Wishfull thinking?

Matt July 30, 2024 10:03 PM

The “good” solution requires legislation: Car software is escrowed for X years after release, and then is released to the public.

David Leppik July 30, 2024 10:54 PM

My mantra as a software engineer is: complexity is the enemy. In this case, simplicity truly is the solution.

You can write perfectly decent websites with HTML5 (circa 2008) and CSS (circa even earlier.) The original web page still renders about the same as it used to, though the Gopher links are broken. Frankly, I’m continuously shocked at how my knowledge of 20th century tech (Linux! SQL!) is still in high demand.

With some discipline and careful technology choices, car companies could choose to use evergreen technologies that will keep updates fairly well under control. (Though that flies in the face of enticing car buyers with new and shiny tech.)

Another advantage for car companies is that hardware requirements have plateaued for the most part. Car companies are going to want to add AI chips, but existing CPU and GPU technology is more than adequate to plaster the whole car with screens. Other than graphics, a modern vehicle’s needs can be taken care of by 20-year-old technology. (My VW ID.4’s shiny features involve arrays of colored LEDs that could be controlled by an Apple II.)

One of the big advantages of over-the-air updates is that you can keep older cars on the latest software, thereby reducing the number of versions of software you need. The Tesla Model S is now 14 years old, so this is hardly a new problem.

What it comes down to is that there is a strong disincentive to upgrade computer hardware between model years. Car companies already try to extend the life of their models for as long as possible, with minor (often superficial) changes between model years.

Unlike a smart phone, when you buy a car you’re mainly buying the non-computer components, and it’s reasonable to keep the computer platform more-or-less the same for up to a decade. So it’s not necessary to support 200 versions of software, though there may be hundreds of combinations of various software components. Which is nothing compared to the millions of supported combinations of Linux software out there.

ResearcherZero July 30, 2024 11:27 PM

@Iustin Pop

Industry doesn’t spend millions on lobbyists so that people can fix things themselves.

BP and the IEA imply that plastics demand will be the largest driver of oil demand growth.

‘https://carbontracker.org/oil-industry-betting-future-on-shaky-plastics-as-world-battles-waste/

“Lobbyists are appearing on country delegations and are gaining privileged access to Member State-only sessions, where sensitive discussions unfold behind closed doors.”
https://www.independent.co.uk/climate-change/news/global-plastics-treaty-fossil-fuel-lobby-b2535330.html

ResearcherZero July 30, 2024 11:38 PM

Good legislation and recommendations are not implemented due to lobbying by industry.

Bob prevented the closure of loopholes in FARA…

‘https://www.justsecurity.org/97840/menendez-guilty-felony-convictions/

Lobbying firms are reportedly rushing to drop clients from China
https://www.voanews.com/a/us-lobbyists-drop-chinese-clients-amid-tightened-scrutiny-/7513459.html

“At the time Menendez blocked it, senators said it was a huge missed opportunity.”

‘https://www.nbcnews.com/news/us-news/menendez-singlehandedly-blocked-bipartisan-effort-strengthen-law-regul-rcna117624

Manafort proposed a strategy plan as early as June 2005 for the Putin government.
https://www.pbs.org/newshour/politics/former-trump-campaign-chair-manafort-secretly-worked-advance-russian-interests-10-years-ago

For example, the term “lobbyist” was not in widespread use in 1937 and does not appear in the original statue.

‘https://theconversation.com/it-started-with-nazis-concerns-over-foreign-agents-not-just-a-trump-era-phenomenon-109025

Lobbying firm opened loophole for fossil fuel in 2019 with DOJ help.
https://www.citizensforethics.org/reports-investigations/crew-investigations/loophole-saudi-aramco-lobbyists-fara/

● “The absence of a national database of state-level lobbyists has likewise shielded non-fossil fuel companies and organizations from being held accountable for hiring lobbyists who work for the fossil fuel industry.”

‘https://globalenergymonitor.org/wp-content/uploads/2022/11/Fossil-Fuel-Lobbyist-List-Nov.-2022-FINAL.pdf

Consistently among the biggest donors to political parties.
https://www.crikey.com.au/2024/07/30/australia-oil-gas-industry-climate-change-1970s/

Clive Robinson July 30, 2024 11:51 PM

@ Roberto, Matt, ALL,

Re : Open Source can not be done.

“There is a simple solution, … they can release it as open-source software and let the user community maintain it.”

No they can not, that would be not just bad practice but illegal in several jurisdictions.

I could go through the long list of reasons but I will give you just one to think about.

Currently the only way we deliver patches or updates in “what is alleged” to be a secure way is by “code signing”.

To make it available so the “user community maintain it” would involve “handing over the signing keys”.

As the past few pages on this blog show that would be a very bad idea.

And there are a whole load more reasons.

For some reason I don’t understand very very few people in the software industry understand the differences between,

1, Physical Objects
2, Information Objects

Especially when it comes to security. Especially as I doubt there is still a software practitioner who was practicing before “Malware” became publicly known as a security issue back in the 1960’s.

Enrico July 31, 2024 6:53 AM

There are solutions. A simple one that comes to mind is mandatory open sourcing, and opening the boot loader of all hardware devices when the manufacturer drops support.

Uthor July 31, 2024 9:43 AM

@Hannah S

The length of updates have increased in the last couple of years. My Pixel 4a got 3 years of software updates. My 7a is promised 3 years of OS updates and 5 years of security updates. The Pixel 8 is promising 7 years of major updates.

JonKnowsNothing July 31, 2024 10:37 AM

@Clive

re: The economic incentive is to get people to not own what they buy

A recent MSM article about a major mouse mfg described how the company planned to make “Mouse as a Service” work for them, by having a subscription fee to “pay for updates”. However, the important part was actually missing because this “mouse subscription model” has been in place for some time, along with “keyboards as subscription” model for those who play high-end eSports video games, where every nano second delay gives the other team time to score points.

For many years, maybe decades or centuries, the manufacturing model used by nearly every country has had a serious flaw (more than one for sure), in how the business accounting systems handle End of Service or End of Use for physical and non-physical items.

In short,

  • once you sell it or lease it, the problem belongs to the buyer-lessee

In most lease contracts there are provisions that the lessee maintains the items in a satisfactory way. There are AI programs designed to analyze every scratch, dent, blemish, tire wear, and under carriage chip in 360 view of a car, any of which will reduce your “residual value”.

  • You don’t own it but you paid for it anyway

What we do, is transfer the End of Life problem through a series of brokers, and after a long trail it ends up in the landfill. Sometimes we tack-on a fee for “disposal” but the accounting for this is Not Adequate. There have been attempts to build accounting Cradle-to-Grave systems but they don’t really work very well.

Every step along the pathway is “someone’s profit”, however slim, someone makes a living from it. Eventually the item(s) end up in the landfill or forming battery acid lakes and the initial manufacturer has no responsibility. Modern accounting allows them to shuffle off that aspect to someone else.

When trying to sort out End of Service issues and why “40yr old code” is not maintained, you need to include the Off The Books Unrealized Costs currently ignored in the calculations.

Consider:

  • Why is 40yr code NOT considered an Asset?

JonKnowsNothing July 31, 2024 10:55 AM

@Roberto

re: after maintaining it for the years during which the manufacturer wants to invest money in maintaining the versions, they can release it as open-source software and let the user community maintain it

This is pretty much a non-starter for cars, there is too much liability (see legal suits) if anything goes wrong. There is plenty of liability for the original manufacturer which they offset by purchasing liability insurances. There would be a legal path back to the manufacturer if anything went wrong because someone decided to “pretty print” the code base.

  • Tabs v Spaces

Things do end up in Open Source, however getting a highly complex volatile high risk code system into Open Source with no residual back pathway liability would be a difficult challenge.

USA

Everything in the USA has to have a “profit” motive. Car manufacturers do not “maintain code” out of the goodness of their hearts, they do it because they can make a profit. They are not going to give away any profit unless-until the costs of business exceed the income from the objects.

JonKnowsNothing July 31, 2024 10:44 PM

@Clive, All

re: Footing the bill for End of Service End of Life Items

A MSM report (1) about the US Consumer Product Safety Commission (CPSC) ordering Amazon sales platform to take full responsibility for recalling and disposing of all faulty and dangerous products sold on their platform and to ensure these products are removed from consumer households. Telling people to “trash” the items is not sufficient.

  • 400,000 hazardous items were purchased off the Amazon platform

    There are at least 2 basic issues that are TBD

  • Does Amazon have any US Legal Liability for hazardous items sold under their banner?
  • Does Amazon have a “duty of care” to recall, retrieve, dispose of hazardous items now in the custody of consumers?

This is not unlike dealing with flawed software or faulty car control software or faulty airplane controller software, except it covers a much wider swath of items sold to consumers.

One important aspect is called

  • Deep Pockets

Who can pay for it, who can pay for the damages, who can pay restitution?

====

1)
ht tps://w ww.theregister.com/2024/07/30/amazon_ordered_to_handle_recall/

Clive Robinson August 1, 2024 12:28 AM

@ JonKnowsNothing, ALL,

Re : Buyer takes all risk was the way.

“For many years, maybe decades or centuries, the manufacturing model used by nearly every country has had a serious flaw (more than one for sure), in how the business accounting systems handle End of Service or End of Use for physical and non-physical items.”

The model was based around,

“Buyer beware”

From a time when most people could see and understand what they were buying and from who.

The flip side of this was

“Seller take care”

Of “reputation” because back then nearly all retailers were critically dependent on “repeat trade”, not just occasionally but weekly or even daily.

Thus the seller had reason not to “pass off dodgy goods” because they could not “externalise the risk” as you can one a,

“One and done and ride away”

Of the “Snake Oil salesman”.

We are coming toward legislation for “End of Life” in a kind of backwards way.

The EU introduced waste disposal legislation that much to many peoples surprise has been taken up by many countries the WEEE Directive of 2012 being one of note in this respect,

https://www.sciencedirect.com/science/article/abs/pii/S0956053X20305870

The problem is it’s tail legislation not head legislation.

We need to have legislation that enforces “design changes” such that recycling is preferable to stockpiling or landfill.

The sad reality is if I design for longevity I’m almost always designing against recycling / reuse in some way.

Take plastics for instance they break down quite quickly due to UV light (just as we do). The solution is to add certain chemicals to the plastics… These chemicals are “problematic” in many ways thus recycling is in a lot of cases not viable currently and may never be.

It’s a complex subject and changes quite rapidly. Having worked in both Hi-Rel and FMCE electronics I have a fund of “hair whitening” stories involving things like dioxin and worse combined with micro-particulates caused by mechanical wear.

A fun one is the 1980’s “soda test” for home electronics. As we know many humans are consumers of sweet acidic gased liquids that fizz out of a plastic lined pressure container. There are stories about what they do to your teeth and metal corrosion including acting as “rust remover”…

Well have you ever thought about what happens when soda goes through openings in cases for the likes of keys, connectors, and ventilation?

Lets just say “it’s chemically active”. But have you thought about what “bubbles out” and what might happen to you if you consume it?

My advice, don’t think about it if you want to sleep at night…

We need to radically rethink how we design, manufacture, supply, and reverse the process such that things are “sustainable”.

Chopping up old vehicle tyres to be used as surfacing for childrens playgrounds may sound good… But what about the Tetra Ethyl Lead and diesel micro/nano particulates that have become embedded in the “rubber” that are now going into children and grand children etc?

Wim Ton August 20, 2024 5:25 PM

When I worked for a large smart meter manufacturer, we factored in the longevity of our devices (20ish years).
The firmware contained 2 root keys to verify the updates: a working key, and a spare key in case the private working key got lost (in the sense of becoming unavailable). Every product category has its own PKI so we could sell it to another company without giving access to the remaining products.
The only thing that was missing was a quantum-resistant signing algorithm. Smart meters are restricted devices, and keys of 1 MB are not feasible.

Clive Robinson August 28, 2024 11:24 PM

@ dosch, Bruce,

Re : Not just about…

You make the valid point,

“This problem is not just about cars aging. It is also about companies going bankrupt…”

But as everyone should realise and complain to their legislators it’s even “planed obsolescence” forcing you to spend over and over on new product because you have no control over what you have purchased as tangible indivisible –by user– objects[1].

But first I should note HP Printer Cartridges is an example of this as is certain electronics by Amazon.

And the behaviour is at best “unlawful” if not thoroughly “illegal” due to legislation / regulations for “Waste Electrical and Electronic Equipment”(WEEE).

It also in many cases robs the end user of “second sale” value, because the physical objects can not be sold on as “second hand” etc.

The result is a very nasty “environmental disaster” that is “in the making”.

We need legislation to stop manufacturers making the function of products they produce dependent on services they control.

As noted on another thread with regards home “White Goods” (televisions) manufacturers are now making their products functionality not optional to the user, but dependent on the manufacturer via the Internet such that the manufacturer can surveil users and exploit them in any number of unsavoury and often unlawfully ways.

There is usually legislation already in place to stop this, but authorities will not use it, thus the unlawful behaviour not just continues it gets worse with time.

[1] The “indivisibility” of purchased objects by users is an idea that legislators have so far avoided like it’s a contagion of dire proportions. Because with Personal Computers it is possible for a user to not just pick and chose application software but Operating Systems as well thus the physical object does not become “non operable” (though this is being changed with “Smart Devices” like mobile phones). The problem is that there is no safety or similar requirement needed for the software operating on a personal computer, but the same is not true for nearly every other physical object that have software based functionality (think cars and electronic brakes / anti-skid etc). So manufacturers quite deliberately design products in ways that enable them to exploit this to their advantage and the consumer disadvantage. Not just core functionality but the ability to fully control the device should be available at any time to the purchaser not just in a short period of time defined by the manufacturer but indefinitely.

Leave a comment

Blog moderation policy

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.