Only three days after EFF's open letter to HP over the company's deployment of a stealth "security update" that caused its printers to reject third-party cartridges, the company issued an apology promising to let customers optionally install another update to unbreak their printers.
That's good for starters, but it's a long way from making up for one of the most egregious abuses of a security update in recent memory. With HP on the run, it's time to push for real, meaningful reassurances and remedies about this bad conduct -- not just to make sure HP does right by its customers, but also to put other companies on notice about the kind of drubbing they can expect if they follow HP's lead.
EFF's open letter has more than 10,000 signatures, and there's more flooding in as I type these words. If you haven't signed the letter, please do -- and then tell your friends. Even if you don't have an HP printer, we all share the same internet with tens of millions of these things, and the last thing we can afford is for HP to be giving its customers reasons not to run security updates, especially as these kinds of devices are being hijacked to perform unprecedented attacks on the net.
First: HP needs to promise never to use a security update to take away features again. There's hundreds of millions of inkjet printers out there, and they're vulnerable to malicious software that can conscript them into jaw-dropping internet attacks. Whether or not you own an HP printer, you have a stake in HPs' printers being swiftly updated when bugs are discovered in them. That means that HP must not give customers a reason to worry that the next "security update" is yet another self-destruct mechanism aimed at protecting the security of HP's cartridge division, rather than the security of our printers, to which we supply our credit card details, Social Security Numbers and personal photos.
Second: HP has to promise not to attack security researchers who disclose vulnerabilities in its printers. It's great to see HP underwriting tech-oriented podcasts and TV shows about security, but when they add digital locks to their inkjet cartridges, they're sending a legal signal that security researchers can hear clear across the net. That's because Section 1201 of the Digital Millennium Copyright Act -- which protects locks that control access to copyrighted works -- has been used to prosecute and harass security researchers who want to warn you about dangers lurking in the equipment you have put your trust in. When security researchers have to sue the federal government for the right to do their jobs, HP needs to tell us where they stand on this issue.
Third: HP needs to come clean. Which models does this affect? Have they put this in other models? How are they going to alert the customers whose printers they broke that there's an "optional" patch to unbreak them?
Tell HP: No to DRM [Petition/EFF]