This goes beyond the 'right to repair' to simply the right of ownership. These remote updates prove again and again that even though you paid for something you don't actually own it.
It's basically the same for our automobiles, just try to disable the "phone home" parts connected to the fin on the roof. Do we really own out cars if we can't stop the manufacturer from telling us we need to change our oil through email?
Hahah, I just traded in 2023 (unrelated brand) for 2012 model since it was less of a computer. Computer systems in the newer car kept having faults that caused sporadic electrical issues workshops couldn’t fix. I just want my car to be a car and nothing else.
... and get a Check Engine light+fault code for the built-in emergency SOS feature, thereby making it unable to pass vehicle inspection until you fix the antennae
so either 1) disconnect it most of the time and reconnect it for inspections, or 2) buy a dummy load RF terminator matching the resistance of your antenna
OnePlus and other Chinese brands were modders-friendly until they suddenly weren't, I wouldn't rely on your car not getting more hostile at a certain point
There was a video by MKBHD where he said that every new phone manufacturer starts off being the hero and doing something different and consumer/user friendly before with growth and competition they evolve into just another mass market phone manufacturer. Realistically this is because they wouldn't be able to survive without being able to make and sell mass market phones. This has already happened to OnePlus back half a decade ago when they merged with Oppo, and it's arguably happened with ASUS as well when they cancelled the small form factor phone a couple years ago.
A phone without SIM can still be used to call emergency services (911/999/0118999 8819991197253). The situation we're discussing though is an attack by an extremely-APT. You really think not having the SIM card is going to do anything? If the cell phone hardware is powered up, it's available. All the APT has to do is have put their code into the baseband at some point, maybe at the Volvo factory when the car was programmed, and get the cooperation of a cell-phone tower, or use a Stingray to report where the car is when in range.
My ownership is proved by my receipt from the store I bought it from.
This vandalization at scale is a CFAA violation. I'd also argue it is a fraudulent sale since not all rights were transferred at sale, and misrepresented a sale instead of an indefinite rental.
And its likely a RICO act, since the C levels and BOD likely knew and/or ordered it.
And damn near everything's wire fraud.
But if anybody does manage to take them to court and win, what would we see? A $10 voucher for the next Oneplus phone? Like we'd buy another.
A forced update or continual loop of "yes" or "later" is not consent. The fact that there is no "No" option shows that.
Fabricated or fake consent, or worse, forced automated updates, indicates that the company is the owner and exerting ownership-level control. Thus the sale was fraudulently conducted as a sale but is really an indefinite rental.
It Is not an indefinite rental. A sale can't be "misrepresented". It is a blatant CFAA violation. They are accessing your computer, modifying its configuration, and exfiltrating your private data without your authorization.
If I buy a used vehicle for example, I have exactly zero relationship with the manufacturer. I never agree to anything at all with them. I turn the car on and it goes. They do not have any authorization to touch anything.
We shouldn't confuse what's happening here. The engineers working on these systems that access people's computers without authorization should absolutely be in prison right alongside the executives that allowed or pushed for it. They know exactly what they're doing.
> If I buy a used vehicle for example, I have exactly zero relationship with the manufacturer. I never agree to anything at all with them. I turn the car on and it goes. They do not have any authorization to touch anything.
Generally speaking and most of the time, yes; however, there are a few caveats. The following uses common law – to narrow the scope of the discussion down.
As a matter of property, the second-hand purchaser owns the chattel. The manufacturer has no general residual right(s) to «touch» the car merely because it made it. Common law sets a high bar against unauthorised interference.
The manufacturer still owes duties to foreseeable users – a law-imposed duty relationship in tort (and often statute) concerning safety, defects, warnings, and misrepresentations. This is a unidirectional relationship – from the manufacturer to the car owner and covers product safety, recalls, negligence (on the manufacturer's behalf) and alike – irrespective of whether it was a first- or second-hand purchase.
One caveat is that if the purchased second-hand car has the residual warranty period left, and the second-hand buyer desires that the warranty be transferred to them, a time-limited, owner-to-manufacturer relationship will exist. The buyer, of course, has no obligation to accept the warranty transfer, and they may choose to forgo the remaining warranty.
The second caveat is that manufacturers have tried (successfully or not – depends on the jurisdiction) to assert that the buyer (first- or second-hand) owns the hardware (the rust bucket), and users (the owners) receive a licence to use the software – and not infrequently with strings attached (conditions, restrictions, updates and account terms).
Under common law, however, even if a software licence exists, the manufacturer does not automatically get a free-standing right to remotely alter the vehicle whenever they wish. Any such right has to come from a valid contractual arrangement, a statutory power, or the consent, privity still works and requires a consent – all of which weakens the manufacturer's legal standing.
Lastly, depending on the jurisdication, the manufacturer can even be sued for installing an OTA update on the basis of the car being a computer on wheels, and the OTA update being an event of unauthorised access to the computer and its data, which is oftenimes a criminal offence. This hinges on the fact that the second-hand buyer has not entered into a consentual relationship with the manufacturer after the purchase.
A bit of a lengthy write-up but legal stuff is always a fuster cluck and a rabit hole of nitpicking and nuances.
I don't really understand the legal arguments here:
> the manufacturer can even be sued [...] This hinges on the fact that the second-hand buyer has not entered into a consentual relationship with the manufacturer after the purchase.
Wait, but the first owner (presumably, for the sake of argument) agreed to this. Why isn't it the first owner's fault for not disclosing it to the second owner? Shouldn't they be sued instead? How is a manufacturer held responsible for an agreement between parties that they could not possibly be expected to have knowledge of?
Because common law is not a general «duty to disclose everything» bludgeon for ordinary used-goods sales, and the «why not sue the first owner» argument can only work in narrow fact patterns.
For example, if the first owner actively misrepresented the position (for example, they said «no remote access, no subscriptions, no tracking» when they knew the opposite), the second owner might have a misrepresentation claim against the first owner. But that is pretty much where the buck stops.
> «How can a manufacturer be liable for an agreement it cannot know about?».
That is not the right framing. The manufacturer is not being held liable for «an agreement between the first owner and the second owner». The manufacturer is being held liable for its own conduct (access/modification by virtue of an OTA update) without authorisation from the _current_ rights-holder because liability follows the actor.
It happens because, under common law, 1) the first owner’s consent does not automatically bind the second owner, 2) consent does not normally run with the asset, and 3) a «new contract with the second owner» does not arise automatically on resale. It arises only if the second owner consciously assents to manufacturer terms (or if a statute creates obligations regardless of assent).
So the manufacturer is responsible because it is the party _acting_. If the manufacturer accesses/modifies without a valid basis extending to the current owner or user, it owns that risk.
I am not saying that «every unwanted OTA update is a crime». All I am saying is that the legal system has a concept of «unauthorised modification/access», and the contention is over whether the access or modification was authorised or not.
Thanks for explaining. I just don't understand how society is supposed to function if laws work like this.
For example suppose I ask someone to come demolish my fence next week when nobody is home. And then I sell the house in between. So is the company supposed to run a title check the moment they arrive, because the owner may no longer have the authority they once had prior to that moment?
Or say I click Accept on an agreement, sleep/hibernate the device right as installation is about to start, and then transfer the rights to the device. Now the vendor is responsible for not running a title check or asking for confirmation a second time before the first confirmation? And I'm in the clear because I never claimed there's no installation pending?
I can't imagine the law really works this way... these sound absurd. Surely there's gotta be much more to it than what you're describing?
It is the clear separation of property and contractual rights, which I find to be pretty logical.
In fact, the separation of concerns actually makes things simpler as the property rights do transfer with the property sale (a car, a house, a computer, etc.), and the contractual obligations do not travel with the asset (unless the law or a properly formed new agreement makes it travel – jurisdiction dependent). It is also important to note that the contract between the former owner and the manufacturer does not automatically lapse with the property sale.
Let's pick the two examples apart.
> […] I ask someone to come demolish my fence next week when nobody is home. And then I sell the house in between. So is the company supposed to run a title check the moment they arrive, because the owner may no longer have the authority they once had prior to that moment?
They are not required to, but it is very prudent of them to ascertain that the person who signed the contract happens to be the current owner of the house before they commence the demolition works – unless dealing with a litany of lawsuits is their core business. By doing so, they save time and money.
Now, imagine that, as the previous owner of the house, you also instructed the company to demolish the fence and demolish the entire house after. It is hard to imagine that the new owner would be delighted or feel ecstatic about finding their newly acquired house to have been wiped out of existence.
From the legal perspective, the demolishing company would be trespassing on the property that now belongs to somebody else, and they are in no position to proceed as the contractual rights stay with the previous owner and not with the property [0]. So in this situation, it creates a dispute (and – not unfathomably – a legal action) between the previous owner and the demolishing company, which the new owner is not privy to. Again, such a separation appears logical to me. Otherwise, the new owner would inherit a barrage of clandestine or dodgy contracts that the first owner might have signed in the past.
> Or say I click Accept on an agreement […]
Same separation still applies:
1. The vendor’s contract with the first owner can remain on foot.
2. That does not automatically authorise a post-sale access/modification of the second owner’s device.
In real litigation, what happens next turns on how «authorisation» is evidenced and managed. If the system is designed so that the physical device is still cryptographically tied to the old account, a court may treat that as strong evidence of practical authorisation, but it is not the same as legal authorisation by the current owner if the current owner never agreed. Practically, however, the new owner simply wipes the device out or resets it, and I do not think that it is commonplace for new owners to sue the manufacturer for merely applying an update, although the possibility is there.
All of the above segues into… the practical implications of separating property and contractual rights. Especially in the case of computing hardware (and EV's as well!), they have become particularly important in today's world, where vendors have been increasingly trying to move towards the rent-seeking model, where they want the device sale to be seen as a lease or a licence to use but not the right to own the device.
Common law insists on the separation between property rights in the physical asset and contractual or statutory rights governing any assented or connected services (including the software). Vendors/manufacturers may market modern computing hardware as an inseparable «hardware–software package» and frame the transaction as a licence to use rather than ownership, but that characterisation does not, by itself, displace the purchaser’s ownership of the tangible chattel (e.g. a car or a laptop). The line common law draws is therefore real, but the contemporary contest is about how far licensing and service dependency can be used to diminish the practical incidents of ownership.
[0] Unless the new owner has acknowledged and agreed to the demolishing works in a separate contract.
This is the kind of nitpicking that I love to see on HN, it is establishes the boundaries of the relationship between manufacturers and owners and tries to lay bare the need for (informed) consent and what the legal basis for that is.