
Germany tries to push for a 7 year minimum update policy in the EU.

If the EU agrees, this will be very interesting for the smartphone market.

5 years of security updates is already great.




"EU wants to enforce 5 years of security and 3 years of OS updates for all phones"

https://www.androidauthority.com/eu-smartphone-updates-rules...


Good thing that the EU is planning on mandating the number of updates phones need to get[0]. It should cut down on the amount of phone model spam - or at least they get updated and not abandoned.

    The regulators have suggested that phone vendors provide at least five years of security updates and three years of OS updates to their devices. Moreover, the said security and operating system updates should reach users “at the latest two months after the public release.”
EDIT: it seems that the initiative has already passed: https://ec.europa.eu/info/law/better-regulation/have-your-sa...

[0] https://www.androidauthority.com/eu-smartphone-updates-rules...


It would have been interesting if CA legislature had focused on forcing companies to provide security patches for some number of years instead of the 'kill switch' issue.

Maybe the EU will take this up as a part of the baseline warranty requirements they push. You don't have to ship a perfect device, but you do have to provide support for security critical patches for a certain time frame. It seems beyond reckless, certainly unethical, borderline negligent, to ship a smartphone and then just leave it exposed as known vulnerabilities pile up.

Once we're talking about phones with a certain level of sophistication, I think 3 years of auto-pushed security updates is not too much to ask! To me, it's a minimum requirement of any device I would buy, but the average consumer has no idea how vulnerable their device actually becomes over time.


Note that WKRL and DIDRL (two new European directives) will be in effect in Germany starting Jan 1, 2022. They include a consumer's right to updates that allow the device to keep working (including security updates).

But they don't specify an actual period for updates (this will have to be decided by the courts). And, what I find worse, they force the seller to provide the update, not the manufacturer. If the seller is not able to do that (which will be the case most of the time), they can be relieved of their duty.

We're only halfway there.


> Too bad Androids don’t receive security updates past two or three years.

Both Google and Samsung promise 5 years of security updates for their phones.


These findings should also apply to phone manufacturers -- mandate providing a more realistic number of years of security updates. Closer to 7y but definitely more than 3y.

> * Everyone else: You get maybe two years of security updates.

Fairphone attempts to deliver (also security) updates for quite a long time.


There is upcoming EU regulation requiring security updates.

The problem there isn't commercial Android phones, it's open source projects that can't guarantee anything.


Absolutely agree - there should be regulation demanding a 5 year period of security updates (or similar).

Check out https://www.lineageos.org or one of the other distributions out there - and get that loaded up.


My 73 year old mom is quite happy with the 2014 Moto G I got her three years ago. I guess she'll need something new now (No idea if it has a BCM wifi chipset, but I'm guessing so - how do you even find this out without having physical access to the device?).

I'm thinking Apple may be the way to go this time, because they maintain security updates for older devices for longer. (Seems like 5+ years.)

Another way of looking at this is that a lack of security updates creates unnecessary electronic/chemical pollution/waste. I think the EU should tackle this. I'm sure they could come up with some scheme for penalties for lacking security updates. (Does anyone know of any initiative in this area?)


Perhaps the way to push security into the industry is to use consumer's rights to their full capacity. In the EU if you buy something, you get 6 months of warranty and 24 months of implied warranty.

If you buy an Android phone and stop getting updates after 18 months and there is a new security hole, you should return the phone to your dealer and demand your money back. After all, it's relatively easy to prove that the defect (the security hole) was already present when you bought the phone. The dealer must fix the defect. If he can't, he must take back the article. He will then complain to the manufacturer. The pressure from these complaints hopefully leads to a change of behaviour by the manufacturers (i.e. provide two years of security updates, for example, even if you buy a new phone that's already been available for a year or two).


You said that you'd be happy to get security updates beyond 3-4 years; this is what I was referring to. This is HN, so I assume you're involved in tech, so surely you understand that releasing security patches for legacy devices requires more engineers and therefore more money. Who's paying?

Not just that, often the new update is the only way to stay secure, at the cost of new interface/software/etc. Backporting security and reliability updates is all I expect; not new interface/software/etc. I didn't pay for these. I don't feel entitled to receive those to keep my device functioning.

The precedent is neither scary nor controversial. The European law says a device should keep functioning for a reasonable amount of time. A car completely breaking apart after 25 months is not normal. A smartphone being insecure is not normal either. Especially not considering how much personal data these contain.


If you ask me, there should be a 5 year minimum on security software patches for smartphones. As it is now, it's as if a huge portion of the mobile world is still running "Windows 98".

You're holding it wrong.

Phones should be required to get (at least) security updates for (at least) the same period as they are covered by repairability requirements.


Sony mostly only commits for 2 years from launch for security updates. I only know because I'm looking for an Android that gets at least 3 years of security updates which seems reasonable for $800 phones, and I'd prefer it not to be a Pixel...

https://www.androidpit.com/sony-xperia-official-android-upda...


Agreed, it would've been great to see a matching five year commitment to security updates.

However, you can run alternate Android versions and get security updates even longer, outside of security updates for component firmware.


"Monthly security updates to be supported for at least 3 years after initial phone release."

https://www.android.com/one/


Okay, that is fair: I am also not happy about us being late with security patches for several weeks. I am not directly involved in that anymore, but I believe we currently have a policy to release updates quarterly.

Back when I was still working on security updates, this took up so many resources that we struggled to work on anything else (bug fixes, major upgrades, etc.). It is unfortunately a compromise that we currently have to make with our limited resources.

Still, we are planning to release these regular security updates for 10 years and we have a track record of sticking to such plans. In my opinion, that is much better than having monthly updates for a couple of years. (Btw: outside of flagships, many models don't get monthly updates anyway and not even for long.)
