PALO ALTO, Calif. – An open letter alleging that HP Inc. intentionally programmed a recent security firmware update to shut down OfficeJet Pro printers using third-party ink cartridges presented a communication opportunity the company fumbled, its COO admitted Wednesday.
“It was not necessarily our finest communication moment,” Jon Flaxman told the media during an impromptu address at HP Reinvention Week on Sept. 28. “We did not adequately communicate to customers… what this firmware update was really going to do to the dynamic security chip that was built into our printers.”
To remedy the situation, HP will be sending aggrieved OfficeJet Pro owners a firmware upgrade that will roll back the controversial security update within the next three weeks, Flaxman said.
The controversy began on Sept. 26, when tech blogger Cory Doctorow posted an open letter to HP president Dion Weisler on behalf of the Electronic Frontier Foundation, a nonprofit dedicated to defending technological freedom, human rights, and data privacy.
“Like many others, we are alarmed by reports that HP has activated a dormant feature in Officejet Pro printers (and possibly other models), so that… if these printers detect third-party ink, printing stops,” Doctorow wrote. “This activation was disguised as a security update.”
“You must be aware that this decision has shocked and angered your customers,” Doctorow continued, noting that HP customers should be installing the company’s ink into their printers because it’s the best product available, not because they were forced to – and that by forcing users to download unwanted features, the company was reducing the likelihood of them downloading future updates.
“By giving 10s of millions of your customers a reason to mistrust your updates, you’ve put them at risk of future infections that could compromise their business and home networks, their sensitive data, and the gadgets that share their network with their printers, from baby monitors to thermostats,” he wrote.
In articulating HP’s position, Flaxman repeatedly said that security was a paramount goal for HP, and that in the company’s opinion the update delivered effective user protection; however, he also acknowledged that the company did not adequately explain the choices available to its customers, and that HP was keen to protect its intellectual property.
“We want to be advocates of great security… and we want to ensure that our intellectual property is not compromised,” he said.
Responding to Doctorow’s implication that HP could be trying to establish a monopoly on ink prices, however, Flaxman said that if the company’s competitors were willing to use an HP security chip HP was willing to compete with them, adding that he believes the company offers the best printing solution on the market.
“Our originals are 2X the number of pages that you would get from a cloned alternative,” he said. “So it’s in our best interest to get that story out there… in a very clear and concise way.”
Chris Fraser, deputy general counsel of HP’s global business units and Americas division, was more precise, telling reporters that HP’s competitors have brought a “robust” array of printer accessories into the market, and that they have equal access to the company’s security hardware.
“We obviously prefer if people use HP originals, but the only supplies that have been excluded are supplies that use infringing cloned chips on them,” Fraser said. “Any supplies, including refills, that use an HP security chip… have always worked and will continue to work… It’s only supplies using infringing clone chips that were excluded.”
Flaxman also repeatedly said that only a small percentage of HP customers reported difficulty using their printers, and that he believed the majority who did were likely using unlicensed products.
“What is really happening here is those untested solutions – primarily clones and counterfeit products – will no longer work effectively inside our printers,” he said. “This is all done to protect our customers, ensuring their experience is still a very reliable, highly security-oriented solution.”
Moving forward, Flaxman said that HP will continue providing the HP security chip to third parties, and that incompatible products will continue to be treated as a security risk without it.
For Doctorow’s part, he says HP’s decision to allow customers to roll back the update is good news, but does not go far enough. In an article yesterday, he continued to call for signatures to the open letter and asked HP to outline its plans to inform users about the optional firmware update. HP should also promise to never again use a security update to roll back features, and to not use Section 1201 of the Digital Millennium Copyright Act to sue or threaten security researchers for bypassing its digital locks.