Home Networking: Ethernet, powerline adapters, and Wifi

Not a problem for government?
But if it was a tradie’s Ute, or the weekend 4WD camping and boat tractor? Oops!

Possibly the same response.

We get to keep our utes and 4WDs and our still functioning WEP or WAP only devices. After all, the risk of not changing is one for personal assessment.

The only immediate risk arising for government has recently been resolved, until the next time.

That is one direction which you have put up. The opposite direction would be: abandonware is not permitted for X years i.e. minimum warranty standards at the time of sale. (That might not deal with the situation where the manufacturer goes out of business but could deal with a simple abandonment.)

The generic point that you raise is a tricky one. When is it reasonable for government to change the rules for existing things and when would the rules only apply to new things?

For example, when seatbelts were made mandatory in all new cars, was it still legal to drive a car that was sold without seatbelts or were you required to retrofit within a grace period? (if not retrofitted, you as an owner of the old car are putting your passengers’ lives at risk, a far worse outcome than your internet-attached device becoming part of a botnet) What if the old car is a risk to other cars on the road?

There are many many other examples from all spheres of regulation e.g. tax and superannuation are topical.

That is a more general problem with planned obsolescence. It is certainly a real problem.

2 Likes

Abandonware is absolutely a major problem, but it is also something that cannot be legislated away. People and more particularly companies have routers that are in a cupboard somewhere and haven’t been seen for decades - but are still connected to the Internet and are incredibly vulnerable.

Japan is currently conducting a nation-wide IoT device security check in advance of the 2020 Tokyo Olympics, to try to avoid problems from hackers during the games. The trouble is that it still has to identify, contact, and persuade the device owners to fix their security.

Worldwide, millions of devices have already been effectively commandeered by hackers who use them as botnets and can rent them out on a timeshare basis to script-kiddies who are upset at losing an online game. There is an easy-to-use website that provides a search engine for IoT devices. Know the device’s flaw, go searching on Shodan, and you too can ‘try to catch them all’.

It doesn’t matter in which country the device is located - it is a worldwide threat as soon as its insecurities have been exploited. The only real solution is to wait 50 years or so for these devices to gradually die, or to no longer support new core Internet infrastructure. Whether in 50 years we will be able to be confident that online devices are secure is another question entirely.

4 Likes

Maybe so but the situation can be improved with legislation. From my previous comment, what is X years today? Perhaps 1. Perhaps even 0. A manufacturer could end-of-life a device a week after you bought it?

If we had a standard much longer “X years”, and a formal process for sending a device end-of-life (like the recall process in the sense that public notification is required) more devices would be being fixed more of the time and customers could also know when they need to consider that their device is now unsupported.

However I don’t want to lay down what the rules should be - only that the current situation is rubbish, and can be improved.

1 Like

It is highly probable it can be legislated away. It might need a little time to implement. The politics may be the only point of argument.

We currently legislate for plumbing work, electrical work and in other areas. In telecommunications under the old Govt one provider system Telstra was a 100% residential solution.

There exists sufficient legislative precedent to return all things communication, including home networking and IoT to prescription. And only devices and infrastructure that have a government approval or certification are permitted. And all work must be by the registered authority.

Yes there is an easy pathway for disobedience. However the risk there would be to those who choose to do so.

In one way, we are now closer to the 100% externally managed home network with the NBN. How many self installs are there now? Typically with the NBN the RSP turns up and installs the last of the service including often a new router modem?
It’s a simple logical extension of being NBN connected!

2 Likes

So who is responsible for maintaining these devices? The manufacturer? Distributor? Retailer? The manufacturer is the only one in the chain that has the ability, and most of the time they don’t have any meaningful presence in Australia that couldn’t be outsourced quite easily.

Turning the clock back to require all devices to be registered/approved would drastically reduce the choices we currently have, and almost certainly stop the import of secure as well as insecure devices. Apple supports its devices for less than five years after release, while Google will only guarantee support for its Pixel range for two years after release. If you want to extend that time, how much power do you think Australia has to force the issue? I think we would simply be removed from the distribution network as too small to bother with.

You will note if you use those links above that simply supporting a phone is ‘complicated’. If you keep adding new features to your operating system, at some point the old models are unable to run it - whether by deliberate planning or simple ‘technological progress’. Phones using Android will probably not be able to use some of the security features included in the next big release (Q), because they don’t have the hardware to do the encryption it provides. They will still be able to use Q, but will miss out on some of the benefits.

I have a vague recollection that car makers are required to provide spare parts for x years after the model has ceased production. Probably someone on this forum can provide more precise details, but a brief Internet search indicates it may be ten years in the US.

2 Likes

There are several discussions on Whirlpool that appear to perpetuate a ten year legal requirement. It may be misguided based on what appears to be a requirement in some states of the USA?

The Govt of Vic published this guide to consumer law and motor vehicles. It acknowledges all the other states on its production.

From p31,

No ten years. Just the length of a piece of legal string. This is not a parallel to software updates?

2 Likes

They sometimes do place a device on their “legacy” lists after you purchase it. But if the device was purchased as new from a retailer, you do under current law have an expectation and right to service of that device for a period of time that varies with cost of purchase but at least 12 months. If you purchase a device that they will not service then you have the right to demand a refund. While this isn’t perfect as an answer it can cover where a vulnerability became evident and they refuse to upgrade firmware/software to address this. In this case you would argue if you had known about the fault you would not have purchased it and are thus entitled to a refund of your purchase and could even argue for compensation for any “loss” you suffered including return costs.

If they however provide manufacturer’s extended warranty on a vehicle such as KIA’s 7 year one then the length of string you would at least expect it to cover is 7 years, or in the case of computer hardware if they provide limited lifetime warranty (its limited terms generally mean it covers the initial purchaser only) then it can mean if it ever fails for that initial user it will be replaced/repaired. I personally have used this to replace some faulty equipment that failed several years after purchase and use. Many no longer offer this but some do have excellent customer service.

2 Likes

My approach is that a security flaw is a defect and hence subject to a warranty claim (if not proactively fixed). So responsibility is as normal, which in my understanding would be that both manufacturer and retailer are liable but that initially you ought to approach the retailer. In practice the retailer is limited in its options (e.g. could replace with a more modern unit that doesn’t have the same security flaw - but that would be unsustainable if applied en masse) and so the retailer would want to ensure that its distribution arrangement with the manufacturer covered the retailer’s liability.

That is not what I have in mind. I agree with the point that you make about the obvious negative.

A fair question. We could improve our success by getting a range of countries to opt for similar requirements.

However this idea is not all “doom and gloom” for manufacturers. A guaranteed support period of X years is a marketing opportunity to get customers to upgrade after X years, particularly if the device has access to the date and can proactively warn the customer about end of support. Just think how many sales Microsoft made from naming its operating system versions after the year of release.

There is also a National Security angle on this. Failure to support a device (in particular, orphaning a device) undermines the legislation that Lib/Lab passed late last year that requires companies to provide assistance to government agencies. So the government should get on board with this. 🙂

In my opinion 12 months is nowhere near adequate.

If you purchased a product that was cheap eg $40 for a router then 12 months may be an appropriate period. If you spent several hundred dollars then a longer period is strongly arguable even if a warranty period of 12 months was the stated offer. ACL while it doesn’t specify times does indicate that the value of a purchase and its expected usage life are factors that are used to determine whether a consumer should be able to be covered for failures of goods even after a stated warranty period has been exceeded.

A security flaw is indeed a fault and one I consider that is major as the device would not function in the manner expected (my definition of major here is only my opinion and not a statement of law). Even if the fault was considered minor you as a consumer are entitled to a repair or replacement of the goods. As I expressed above then the value/cost of the item would affect the ability of a consumer to get a refund, repair or replacement after a 12 month warranty period had expired. As routers, modems, networking cards and adapters are expected to work for at least a couple of years this would also influence the ability to get a remedy after the 12 month period.

So at least a period of 12 months but a longer period of cover may be possible but you would need to state the reasons why you expect a greater period of coverage and perhaps be ready to seek redress through Administrative Tribunals or Courts of Law.

2 Likes

I cannot find the reference excepting I was an industry practitioner at the time, so consider this anecdotal.

A few decades ago a major software company had a product with many thousands of bugs and had a project to clean them up. They fixed the known bugs, but then 1,000 new ones were reported. They fixed those only to have another 1,000 new ones reported. The conclusion was that given a sufficiently complex bit of software it is (arguably?) impossible to remove all defects, so documenting them as a stable set of known defects is as good as it can get. This summarises it from a practical perspective.

The history of security software (including networking) reflects that as security protocols come, are found wanting, and subsequently superseded, each having been subject to real or theoretical faults.

Do you think that would be easier than getting 6 states and 2 territories to have unified road rules?

Back to the original premise, that ‘update’ replaces one set of bugs with a newer set of bugs, but at what cost?

Assuming you expect an international agreement, want to guess which countries would refuse to sign on?

6 Likes

That would be Microsoft. Product may have been Windows NT or Windows 2000, something in that timeframe anyway. https://slashdot.org/story/00/02/11/1840225/windows-2000-has-65000-bugs (link to source article appears to be broken, perhaps not surprising after 19 years).

That can partially be dealt with by restricting the scope of this proposal to security flaws in internet-connected devices. The justification is that your choice to run flaky software 🙂 therefore affects all other internet users in the entire world. So a security flaw would be categorised as a major defect while other flaws could be minor defects.

Perhaps that is the sort of metaphorical and literal rubbish, which fails after 12 months plus 1 day, that we would prefer to keep out of our tips.

Paraphrase from last night’s “7:30”: Australians have an international reputation for caring more about price than quality. (Taking that as the gospel truth) one way of addressing that reputation would be for the ACL to be made more specific and more aggressive in protecting consumers … regardless of price, items such as we are discussing are required to last e.g. 3 years (and more expensive items must go beyond that).

You can seek redress for an item with a 1 year warranty that fails after 12 months plus 1 day, where such an early failure would be considered unreasonable, but most people do not have the financial resources, appetite for risk, or time and energy to go through the various tribunals and courts. A beefed up ACL that simply extended the warranty to e.g. 3 years would make court action less likely to be required and would reduce risk.

PS Don’t you sleep? 🙂

1 Like

That situation could definitely arise (as it has already several times with WiFi). However in more general cases a manufacturer could still be obliged to update the software with mitigations. For example, if some particular feature is broken and can’t be made secure but also can’t be disabled, it may be reasonable for the manufacturer to update the software to allow the feature to be disabled.

1 Like

It was not Microsoft, but includes Microsoft.

In these times of IoT what isn’t or soon won’t be an ‘internet connected device’? To paraphrase an acquaintance, Gordon Bell, back in the 1990’s, ‘Your toaster could talk to your washer. Only god knows what they would have to talk about, but they could. More likely your fridge will monitor what you put in and take out and order your groceries for you.’

3 Likes

Perhaps if manufacturers incurred a warranty burden for doing so they might think twice about pointless internet connectivity.

2 Likes

I doubt this one would be a pointless product, but illustrates how far to get ‘there’ from ‘here’. There are other products where the makers were probably more than just naive (warning: adult product example).

Legislating something reasonable into the future can be done, but how does one deal with the legacy problem? A cut-off date can have quite serious and unintended consequences even if it can be done.

3 Likes

Sigh. 🙂 It is a long way to go but creating financial consequences for the manufacturer sends a price signal.

1 Like

Of course I sleep but I get very little. 😄

I like the idea of some mandatory time that matches expected usable lifetimes but exactly how long do we set and then we have the problem that some manufacturers will rely only on the mandatory time even if the consumer expected much longer such as from their “light” usage habits of the item, that the item has a “good” brand name rather than generic even if the price was similar. I guess one way would be to match expected lease or depreciation timelines to the warranty period eg most IT stuff is around 3 years for depreciation or leasing so 3 years warranty??

2 Likes

Above I suggested 3 years for low priced items and more years for more expensive items.

3 years is still better than the 1 year that is typically offered.

1 Like