/ Cory Doctorow / 4 am Tue, Jan 24 2017

    HP's Nonpology

    The "nonpology" is a corporate standard: a company does something terrible, and then it tells you it's sorry that you found its behaviour upsetting. But HP's October 2016 public statement on its secret, aftermarket attack on its customers' property has made important advances in the field of nonpologyology.

    Last March, HP printer owners got an automated "security update." After running this update, HP customers would not have detected any outward changes in their printers' behavior. But inside, the affected HP printers were secretly counting down to September, when the printers suddenly began rejecting ink cartridges with third-party "security chips" -- if you had opted to save 90% or more on your printer ink by buying unofficial cartridges, you were left in possession of a bunch of useless plastic and ink. In some cases, HP customers assumed their printers had packed in and threw them away.

    After thousands of customers for third-party cartridges complained online, the story began to come into focus, and it became obvious that HP had deliberately installed time-delayed self-destruct code on its customers' property to punish them for failing to order their affairs in the way that was most profitable to HP. I wrote an open letter to HP CEO Dion Weisler on behalf of the Electronic Frontier Foundation and more than 10,000 people signed on (the number is now 15,000).

    (I'm a special consultant to EFF, which is a charitable nonprofit that stands up for privacy, security, fairness and free speech in technology)

    The ensuing press-storm prompted HP to issue its nonpology, a misleading document whose absurdity I will now discuss, with some assistance from various former HP employees -- including one 18-year HP printer division veteran -- who contacted me on condition of anonymity in order to help me translate the document from HP-ese to English.

    HP starts by saying that it only blocked cartridges with "cloned third-party chips" but that "third party cartridges with original HP security chips continue to function properly." HP's "security chips" are on-board computers with many functions, including recording the ink level in your cartridges. When a cartridge is empty, the chip registers this fact, and even if you refill the cartridge, it will not work, unless you find a used chip from someone else's cartridge and swap it in. In theory, you could also swap in one of HP's original chips, but HP doesn't sell those. So in practice, most refilled and third-party cartridges have "cloned chips" in them, from massive printer supply companies like Apex and Static Control, while others buy used chips of unknown quality from recyclers.

    In reality, what HP is saying is, "We block all third-party cartridges, and unless you know the trick, we also block original HP cartridges if you refill them."

    HP has a patent on these chips, but HP has lost a judgment against a Dutch company called 123inkt.nl when it tried to use that patent to shut out 123inkt's cartridges. HP's printers know which region they're in (that's how UK HP printers are able to refuse to use ink bought in the USA) and the company could have chosen to patch only printers in territories where its patents were enforceable, but as far as anyone can tell, they revoked third-party ink for every HP printer in the world.

    Further down in the nonpology, HP promises to make things right for its affected customers (the ones who didn't throw out their printers, anyway) with "an optional firmware update that removes the dynamic security feature." People who want to decide for themselves whose ink they'll use have to visit HP's support site, find the correct download, download it to their PCs, and install it.

    My ex-HP sources tell me that updates pushed out via the automated method -- like the sneaky one HP sent out last March -- have a 95% or better installation rate. But optional patches, like the one that puts things back the way they were before HP's shenanigans, are installed by fewer than 1% of HP customers. HP disputes these figures: they claim that only two thirds of their users run automated updates, and that they have no figures at all on manual updates because they are so rarely used.

    If you're in the minority that can figure out how to run the update -- if you're a GNU/Linux user, you'll need to install a Windows emulator, and then buy and install a copy of Windows first -- don't get cocky. HP also notes that it "will continue to use security features to protect the quality of our customer experience, maintain the integrity of our printing systems, and protect our IP including authentication methods that may prevent some third-party supplies from working" but commits "to improving our communication."

    Translation: the next update could take away your ability to print with third-party ink, but you'll be notified when the update arrives.

    You could opt to refuse all future updates to your HP printer, assuming you're willing to leave out future security updates. Given that previous attacks on HP printers have allowed attackers to intercept copies of everything you print, search printed documents for credit-card numbers, and use hacked printers as a staging point for hacking all the other computers on your network, being shut out of future security updates is a very high price to pay for using ink of your choosing.

    Even if you're not an HP customer, you're affected by this. There are hundreds of millions of HP products in the field, and the owners of those printers have been shown that HP will hide anti-features in their security updates, so running those updates may result in your printer being rendered less useful, or altogether useless. That means that all of us are now more vulnerable, because unpatched devices get hijacked into unimaginably large botnets that can be used to take down websites with the kinds of attacks formerly reserved to major governments.

    HP is already facing two class action lawsuits (so far), and a favorable outcome for HP's customers will do some good at scaring off future manufacturers from trying this tactic on their own smart devices -- but it could also hasten the day when every device sold in the USA comes with a binding arbitration agreement forcing purchasers to waive their right to sue for these sorts of shenanigans.

    Printing is in decline, thanks to mobile phones that make paper boarding passes, grocery lists, and family snapshots a thing of the past. HP's actions are the thrashings of a desperate company in a dying industry.
