The "nonpology" is a corporate standard: a company does something terrible, and then it tells you it's sorry that you found its behaviour upsetting. But HP's October 2016 public statement on its secret, aftermarket attack on its customers' property has made important advances in the field of nonpologyology.
Last March, HP printer owners got an automated "security update." After running this update, HP customers would not have detected any outward changes in their printers' behavior. But inside, the affected HP printers were secretly counting down to September, when the printers suddenly began rejecting ink cartridges with third-party "security chips" -- if you had opted to save 90% or more on your printer ink by buying unofficial cartridges, you were left in possession of a bunch of useless plastic and ink. In some cases, HP customers assumed their printers had packed in and threw them away.
After thousands of customers for third-party cartridges complained online, the story began to come into focus, and it became obvious that HP had deliberately installed time-delayed self-destruct code on its customers' property to punish them for failing to order their affairs in the way that was most profitable to HP. I wrote an open letter to HP CEO Dion Weisler on behalf of the Electronic Frontier Foundation and more than 10,000 people signed on (the number is now 15,000).
(I'm a special consultant to EFF, which is a charitable nonprofit that stands up for privacy, security, fairness and free speech in technology)
The ensuing press-storm prompted HP to issue its nonpology, a misleading document whose absurdity I will now discuss, with some assistance from various former HP employees -- including one 18-year HP printer division veteran -- who contacted me on condition of anonymity in order to help me translate the document from HP-ese to English.
HP starts by saying that it only blocked cartridges with "cloned third-party chips" but that "third party cartridges with original HP security chips continue to function properly." HP's "security chips" are on-board computers with many functions, including recording the ink-level in your cartridges. When a cartridge is empty, the chip registers this fact, and even if you refill the cartridge, it will not work, unless you find a used chip from someone else's cartridge and swap it in. In theory, you could also swap in one of HP's original chips, but HP doesn't sell those. So in practice, most refilled and third-party cartridges have "cloned chips" in them, from massive printer supply companies like Apex and Static Control, while others buy used chips of unknown quality from recyclers.
In reality, what HP is saying is, "We block all third-party cartridges, and unless you know the trick, we also block original HP cartridges if you refill them."
HP has a patent on these chips, but HP has lost a judgment against a Dutch company called 123inkt.nl when it tried to use that patent to shut out 123inkt's cartridges. HP's printers know which region they're in (that's how UK HP printers are able to refuse to use ink bought in the USA) and the company could have chosen to patch only printers in territories where its patents were enforceable, but as far as anyone can tell, they revoked third-party ink for every HP printer in the world.
Further down in the nonpology, HP promises to make things right for its affected customers (the ones who didn't throw out their printers, anyway) with "an optional firmware update that removes the dynamic security feature." People who want to decide for themselves whose ink they'll use have to visit HP's support site, find the correct download, download it to their PCs, and install it.
My ex-HP sources tell me that updates pushed out via the automated method -- like the sneaky one HP sent out last March -- have a 95% or better installation rate. But optional patches, like the one that puts things back the way they were before HP's shenanigans, are installed by fewer than 1% of HP customers. HP disputes these figures: they claim that only two thirds of their users run automated updates, and that they have no figures at all on manual updates because they are so rarely used.
If you're in the minority that can figure out how to run the update -- if you're a GNU/Linux user, you'll need to install a Windows emulator, and then buy and install a copy of Windows first -- don't get cocky. HP also notes that it "will continue to use security features to protect the quality of our customer experience, maintain the integrity of our printing systems, and protect our IP including authentication methods that may prevent some third-party supplies from working" but commits "to improving our communication."
Translation: the next update could take away your ability to print with third-party ink, but you'll be notified when the update arrives.
You could opt to refuse all future updates to your HP printer, assuming you're willing to leave out future security updates. Given that previous attacks on HP printers have allowed attackers to intercept copies of everything you print, search printed documents for credit-card numbers, and use hacked printers as a staging point for hacking all the other computers on your network, being shut out of future security updates is a very high price to pay for using ink of your choosing.
Even if you're not an HP customer, you're affected by this. There are hundreds of millions of HP products in the field, and the owners of those printers have been shown that HP will hide anti-features in their security updates, so running those updates may result in your printer being rendered less useful, or altogether useless. That means that all of us are now more vulnerable, because unpatched devices get hijacked into unimaginably large botnets that can be used to take down websites with the kinds of attacks formerly reserved to major governments.
HP is already facing two class action lawsuits (so far), and a favorable outcome for HP's customers will do some good at scaring off future manufacturers from trying this tactic on their own smart devices -- but it could also hasten the day when every device sold in the USA comes with a binding arbitration agreement forcing purchasers to waive their right to sue for these sorts of shenanigans.
Printing is in decline, thanks to mobile phones that make paper boarding passes, grocery lists, and family snapshots a thing of the past. HP's actions are the thrashings of a desperate company in a dying industry.