Best Before date policy brief: Device sustainability through long-term software support

Out-of-date devices can become privacy and security liabilities, as well as tools of exclusion. To accompany the soaring demand for a right to repair, we are demanding for device sustainability through long-term software support and more transparency from manufacturers.

Advocacy
generic smartphone displaying a best before date on its back

Our environment is increasingly populated by devices connected to the Internet, from computers and mobile phones to sound systems and TVs to fridges, kettles, toys, or domestic alarms. There has been research into the negative safety and privacy impacts of inadequate security provided by the software in such devices (such as the creation of large scale botnets). This is also the case with outdated security, a risk enabled by software support periods that are shorter than a product’s usable life cycle and an industry focused on selling its future products. Additionally, this common practice contributes to the growing pile of global electronic waste and damages our environment.

Introduction and problem

The global generation of electrical and electronic waste (e-waste) is growing exponentially. Every year more and more consumers buy new devices, or replace their malfunctioning, broken or out-of-date phones, computers, TVs and other electronics, generating e-waste at a huge scale - an increase of 2.5 million metric tons (Mt) on average every year globally.

Around the world, people generated some 53 million tons of e-waste in 2019, projected to grow to a staggering 74.7 million tons by 2030. Recycling cannot keep up, even where infrastructures are developed: only 17.4% of 2019’s global e-waste was collected and recycled formally. In fact, much of e-waste is exported illegally from high income to lower income countries or is mixed up with other waste. It ends up improperly disposed of in landfills where toxins common in electronics like lead, mercury and cadmium can leach out and contaminate surrounding soils and groundwater.

Although it has the highest collection and recycling rate in the world, at 42.5% of total waste, Europe ranks first worldwide in terms of e-waste generation per capita (16.2 kg), so its mandated recycling schemes, however efficient, simply cannot keep up with the rate of new e-waste generation which is fuelled not just by increased consumption, but also by in-built short life cycles of devices (so called ‘planned obsolescence’) and few repair options.

In the face of this problem, consumers and environmental organisations, and movements such as the Right to Repair, demand that manufacturers are mandated to improve device sustainability and to tackle this acute environmental threat. And there is increased realisation amongst policy makers and legislators, that such measures cannot be left to producer initiatives and voluntary codes or guidelines alone, but must be tackled by adopting legally binding measures, developed holistically and cooperatively, given that this is a global problem.

What is Hardware and Software

Modern electronic devices require two main parts to function: the hardware and the software. The hardware usually refers to physical electronic pieces inside a device (usually a collection of microchips, logic gates and specialised processing chips, such as those to process radio waves for communication, or process audio for sound) while the software is the set of instructions that tells the device what to do. Hardware without software don’t do anything (a computer without an Operating System such as Windows or MacOS can’t run anything) and software without hardware have nothing to send instructions to (a copy of windows or MacOS is useless without a computer to run it on).

Motherboards, graphic cards, monitors, and hard disk drives are all examples of hardware contained in a computer that are useless without software. On the other hand, Microsoft Windows (or any other operating system like macOS or Linux), internet browsers (like Mozilla Firefox or Safari), applications like Instagram or Spotify, and drivers for sound or graphic cards are all examples of software.

Software - key to device sustainability

While initiatives to extend the useful life of the hardware are crucial in addressing this problem, our devices aren’t only made of hardware. Software, from the operating system (such as Android, iOS, Windows etc.) to the microchip firmware (low-level software for specific hardware, such as a smartphone camera), is what keeps our devices secure, functional, compatible with the latest apps and protected against known security vulnerabilities.

Out-of-date software on devices leave people vulnerable to hackers and cyber-attacks, often depriving them of critical services and resulting in significant financial losses and emotional distress. Consumers’ digital data is also at risk.

An out-of-date software on an otherwise functioning device can be a door to one’s bank account or the intimacy of one’s life, render a device unusable, or worst still endanger safety and life even. Such a risk is enabled by software support periods that are shorter than the product’s usable life cycle, and an industry focused only on selling its latest products rather than supporting earlier models. In other words, current market economics merely encourage the replacement of perfectly functioning devices. This does not only create extra e-waste, but it also puts people at risk. Both can be avoided.

When purchasing devices and services, it is often unclear until when these will be supported with software updates. We found reported examples of only a few companies being upfront and disclosing how many years a device will receive software and security updates for (see Principles, below), including Apple and Google.

Even when this information is public, it is not easily accessible to the consumer. An investigation by Which?, the UK consumer organisation, into how long major smart home appliance manufacturers will provide updates for the connected products, revealed that none published their update policies for consumers to see. And even if disclosed, this information can still be vague or confusing, allowing manufacturers to sell devices with “out-of-date” software, often at a discount, at the expense of consumers’ rights.

What is an Operating System (OS)?

An operating system is a core programme that manages the interactions between other programmes and the hardware. It usually consists of a core (also known as kernel) which enumerates the available hardware. It provides a scheduler which tries to balance the contention of multiple tasks (applications) being run simultaneously around the ability of the processor (the brain of the device) usually only being able to run one task at a time. For example, the Operating System will make sure that launching an app such as the web browser won’t interrupt the sound being played by another application. Modern operating systems like Windows, Android, iOS or Linux also usually bundle a number of ancillary services such as the user interface and basic utilities for the device. This includes for example a sound managing interface to set the volume of applications playing on the device or a network interface to easily connect to WIFI networks.

The concerns around the impact of software updates on electronics’ sustainability is increasingly on the radar of campaigners and policymakers. A few point out to the important distinction between security and functionality updates, and the need to differentiate between the two when mandating policy measures related to the lifetime of devices. Security updates are always essential and subject to cybersecurity guidelines or legislative measures, whereas functionality updates are not necessarily essential to the functioning of an ‘older’ device; they may in fact slow it down and therefore actively encourage users to replace it. Apple, for example, was famously subject to multiple class actions in the US and litigation and fines in the EU for its slowing down of older iPhone 6 and 7 via software functionality updates.

We believe that security and protecting the environment should go hand in hand, and consumers should not be forced to sacrifice the latter to achieve the former. This means a synchronized relationship between the expected lifespan of a device's hardware and its security software, with functionality updates clearly explained and left to user's choice, if not essential for older devices operation.

It is the responsibility of manufacturers and software vendors to enable long time software support and be transparent about their own practices, but this responsibility needs to be mandated as evidence shows that it is not being done voluntarily.

Five principles for software update

Privacy International is proposing a set of principles that should govern the software update policy of connected devices. These principles aim to encompass and add an additional layer to existing environmental impact standards. We believe that they should be legally mandated and enforceable, upheld by manufacturers and be effectively overseen and enforced:

1. Devices should be designed in an environmentally sustainable manner

Known as eco-design or design for sustainability (D4S) and defined as “the integration of environmental aspects into the product development process, by balancing ecological and economic requirements. Eco-design considers environmental aspects at all stages of the product development process, striving for products which make the lowest possible environmental impact throughout the product life cycle”.

Eco-design in the case of connected digital products should include essential elements, such as in-built durability, repairability, reusability and re-cyclability using minimum resources, and crucially have key functionalities maintained and be secure to use.

Good practice example:

Fairphone produces entirely repairable and upgradable phones (obtaining 10/10 repairability score from the independent organisation iFixtIt) while using fairer, recycled, and responsibly mined materials to increase industry and consumer awareness. They prove that designing and selling such device is possible and a viable business model.

2. Device manufacturers, software vendors, and service providers at a minimum should provide software security and key functionality updates for the expected lifespan of a product, while the nature and purpose of non- essential functionality updates and their impact on the performance of the device should be clearly stated and left to user choice.

This shall include:

  • providing support for OS updates.

  • providing security updates for drivers and firmware.

Lack of software updates might also negatively impact device functionality, for example, by making some functions obsolete (e.g., a browser that does not support the latest security protocols and thus can’t display websites properly). It might also mean that identified bugs or problems might not be fixed (e.g., poor battery).

Need for extended software support

Which? research carried out on Android devices in 2020 revealed that a staggering two in five (40%) of Android users worldwide are no longer receiving security updates from Google, and therefore at risk of data theft, ransom demands and malware attacks. These smartphones are not necessarily old models and still available to buy, but consumers are not aware of the risks.

Older Apple Macs’ security updates are also unsatisfactory - fixes are provided mainly for the latest version of their operating system, OS X (El Capitan). Older versions receive no security updates, or only for a few known vulnerabilities.

In the meantime, other device manufacturers will only provide an emergency security patch when a particularly damaging bug is in circulation, such as the one known as ‘stage-fright’ infecting Android phones. Only recent flagship phones were being ‘patched’ against the virus, but not older and cheaper phones.

However, extended security updates are possible and can be mandated.

Recent updates of EU eco-design regulations for televisions mandates manufacturers to provide firmware and security updates for eight years from the last unit of a model being put on the market; consumers must be informed regarding period of updates.

3. Device manufactures and software vendors should explicitly and prominently announce their end-of-life date for software support when sold (Best by Date or BBD), on the packaging, as well as in the product description available to users before they buy, online or in-store.

The date of expiry should be clear on purchase, as well as the defining factor for such date, i.e. the precise date rather than “1 year update support” and precise factor, such as security or functionality updates, e.g. “End of OS support”.

Current Best Before Date practices

The current situation is patchy, with practices varying among manufacturers and software vendors, and very few give clear, or any, information to consumers. We searched but struggled to find update policies for different kind of devices, and most often we could not find any clear ones.

  • Older Apple iPhones receive security updates for up to seven years after they go out of production. The software update was released in December 2020 to ensure support for its Covid-19 Bluetooth contact tracing function. The iPhone 5S ceased sales in 2014.

  • In August 2020 Samsung has announced that it will be providing at least three major Android updates to its flagship smartphones. Even then this information was reportedly hidden in the fine print.

  • Fitbit Legacy Device Policy states that “Our devices typically receive software updates for at least two years after the device is last sold on Fitbit.com” and provide a list of legacy products. Looking at this list, the life of expectancy of the product can be placed between 5 and 8 years.

4. Device manufacturers and software vendors should design the software running on the devices they sell to be sustainable and maintainable

Software and OS compatibility should not be the determining factor in the end of life of a product. Modern operating systems provide solutions for updates for an extended period and such solutions should be preferred and implemented.

Modern solutions for software updates

Google project Treble for Android (first available with Android 8) is a way to separate the implementation of Android drivers or software from the main Android codebase. This effectively makes it easier for manufacturers to update their devices as they don't need to recompile Google’s entire Android code every time an update is released by Google.

The operating system Windows 10 is said to run on "the broadest range of devices ever," from small Internet of Things gadgets set up in offices and homes, to game consoles, to handheld tablets and phones, to computer servers that drive websites, and other business software inside massive data centres. This would mean that, contrary to Apple, for example, which provides Mac OS for desktops and iOS for mobile devices, all different types of devices (e.g., wearables, consoles, tablets, laptops, phones, desktops and servers) will be running on the same core operating system code. While the latter will be the same for all devices, each device would still require an individualised software version, due to its unique characteristics. This translates into the real world with a variety of versions of MS Windows 10 running on a very high number of devices ranging from most commercial computers to Windows Server running on cloud infrastructures to Windows 10 IoT Core, which runs on very limited hardware such as Raspberry Pi, a low cost, credit-card sized computer that plugs into a computer monitor or TV, and uses a standard keyboard and mouse.

5. Open-source practices should be encouraged to allow consumers to maintain devices, however not at the expense of commercial support

Devices may have a hardware life expectancy longer that the announced software BBD. Manufacturers should enable any potential use of the device after the BBD by allowing users and other third parties to access and maintain the device’s software.

Examples of Open Source and alternative software support to product lifespan

webOS is an Operating System that was originally developed by Palm for its Personal Digital Assistant (PDA) devices. After acquiring Palm in 2010, HP announced that it would release webOS under an open-source license. HP later sold webOS to LG Electronics for them to use it on their web-enabled smart TVs. Today, LG has expanded the use of the webOS from smart TVs to IoT devices. And to further expand its reach and lure developers, LG has launched an open-source version of webOS called webOS OSE (Open Source Edition).

The Pinephone is one of the latest attempts at creating an entirely open-source phone. The purpose of the PinePhone isn’t only to deliver a functioning Linux phone to end-users, but also to actively create a market for such a device, as well as to support existing and well-established Linux- on-Phone projects. All major Linux Phone-oriented projects, as well as other FOSS OS’, are represented on the PinePhone and developers work together on our platform to bring support this this community driven device.25

OpenWRT is an open-source Linux-based Operating System designed for commercial routers. It has found success not only because of its features and stability, but also because it provides a secure and maintained alternative to the Operating System that might come pre-installed on commercial routers. OpenWRT will usually receive updates long after a device default OS has stopped receiving updates.