Would it be reasonable to you to get something like 2 years of monthly security/software updates included in your purchase of a phone and then pay a nominal (like $25) yearly fee to continue getting only security updates beyond the first 2 years?
If not, then how would you suggest funding the people who perform the software/security update process for your phone?
The problem is: you and ten other persons might genuinely pay for that after three years (also considering the specs of this thing). In Silicon Valley, I suspect devs can't open up their env for that money and still put food on the table in the evening after paying for their morning outdoor coffee and rent.
I'm curious how much work honestly goes into these updates, though. How many patches do they maintain on top of Android that security updates would cause them to need to fix their patches again? Or how many parts of Android are even changed by those updates in a given month? I don't really have any idea of either proportion. How much money would it require us to pool to get one month longer security updates? One year?
Maybe something to ask Fairphone; they seem like the type of business that might be willing to share this for the purpose of pressuring the market to offer the support after a successful crowdfunding campaign.
You said that you'd be happy to get security updates beyond 3-4 years, this is what I was referring to. This is HN, so I assume you're involved in tech, so surely you understand that releasing security patches for legacy devices requires more engineers and therefore more money. Who's paying?
The benefit is receiving security updates. People may not choose to update their phones with security in mind, which is all the more reason to do it. Security updates are a place where consumers can be shortchanged simply because they are invisible: the consumer may not be aware that the security of their phone has been breached, and it is the sort of thing that consumers rarely think of until something bad has happened.
As for cost, I don't see why it would have to go up all that much. Apps are already upgradable on phones and much of the OS is hardware independent. So the only real pressure point is with the kernel and other hardware dependent code.
I think phones should get security updates for at least 4 years. Quite a few people use them that long themselves, as I have in the past, but even more people get them used from others, which means a phone gets to be used for 4 or 5 years pretty easily.
Those shouldn't be affected by a myriad of security vulnerabilities that come up by then just because they are poor and because companies would rather have planned obsolescence. It's the digital divide between rich and poor. The rich get security if they buy a high-end phone every year (if we are to consider Android's average security update lifetime), and the poor do not.
Who supplies security updates for the "lifetime" of their product in your fantasy world? Three years is a good amount of time for security updates but could be extended to four years since people are keeping their phones longer these days.
You are comparing software security updates to products recalled for safety issues? Well phones are already subject to recalls for hardware/battery problems. Let me know when a phone kills or hurts someone due to lack of security updates.
I want updates mostly for security reasons. If your phone hasn't received a security update in a year, I can just go check security issues that were published online, pick one that I like, and write an app that will exploit it.
Perhaps governments should require phone manufacturers to provide security updates for at least 5 years, otherwise you can throw your smartphone out of a moving car every two years to keep your driver license secure.
These findings should also apply to phone manufacturers -- mandate providing a more realistic number of years of security updates. Closer to 7y but definitely more than 3y.
Well, I agree partly. I'm also on a phone which doesn't receive security updates anymore. I don't know how risky that is. However, it seems clear that longer security updates are much more desirable than increased repairability. Most people won't need to repair their phone, apart from changing the battery after a few years. Especially not when it is a cheap phone anyway, where any repair cost is likely higher than a new phone would be. So a device with longer security updates seems still better than this increased repairability.
Either people who care more pay a subscription for longer security update coverage, or the cost of producing more security updates is baked into the cost of the phone. Either way, if people in poverty want security they're gonna have to pay for it.
The vast majority of security vulnerabilities and bugs that end users experience are fixed within the first few years of the device's shelf life. Security vulnerabilities tend to go unnoticed by most end users, and therefore don't really play a role in forcing users to upgrade.
Wouldn't it be nice though if users could choose to patch security vulnerabilities without installing updates that deliberately slow down the phone?
You wrote: "Forcing producers to provide 5(?)-years updates will make prices rise"...
I don't think so: it will oblige makers to standardize processes and software across phones... i.e. very basic specific drivers, then same OS and libs on all phones (with just different themes).
Then the Android security updates can be uploaded directly from Google at no cost. Just like for computers, and phones are computers with very few different features (input device, GSM chip).
My HP or Dell computer is not more expensive when Microsoft or Debian is pushing security updates.
In the end, unifying processes and software brings costs down.
Sure, that's not a particularly attractive outcome, either.
I just think it's unrealistic to think paid RE work is going to fill this need.
I think there are two realistic options: 1) the manufacturers suck it up and agree to support devices with timely updates over a longer lifespan, or 2) manufacturers open-source every bit of software that runs on the device.
#2 seems less likely, given that a lot of hardware is driven in part by loadable firmware these days. On the other hand, if that firmware is chipset-specific and not device-specific, and the chipset manufacturer can commit to releasing security updates for those, at least 3rd-party OS images could pull them in without help from the device manufacturer.
But really, it's all about demand: Apple tends to support hardware with new releases for 4-ish years as a matter of course, and i-device users are accustomed to expecting that. Android users just don't expect that, and your average user doesn't understand security enough to get why that's such a big problem. They likely mostly just think, "oh well, I won't get the new shiny Android version Jane has on her new phone, that's ok". If average users can be educated to the point where they will switch manufacturers if they're not getting security updates for the useful life of their phone, the manufacturers will listen to their declining sales. I just don't expect that to happen.
I, like the parent poster, am running the latest update for my phone. Yes, I know I'm a walking vulnerability, but short of purchasing a new phone, there is nothing I can do about it. IIRC, updates for my device were cut off before it was even out of warranty, and I'm sorry, I'm not dropping — I can't drop — $600 every year and a half on new hardware just to get new software. Vendors need to support devices for the actual lifetime of the device.
They have no incentives to do so. I would like Samsung to make it into a business. Have folks pay 5 dollars per year if they want to get ongoing security updates for older devices. I would pay in an instant.