Privacy International research shows that smart device security updates fail to meet consumers' expectations
As EU policymakers discuss new laws to empower tech consumers and increase cyber-resilience, PI's research points to an urgent need for regulation to ensure that device manufacturers provide longer term security updates to protect consumers from cyberattacks.
A YouGov survey commissioned by PI shows that consumers expect their smartphones, computers, smart TVs and gaming consoles to receive security updates for a much longer period than what several manufacturers actually provide, leaving consumers with expensive tech that is vulnerable to cyberattacks.
The majority of consumers in the survey assumed their devices would be protected beyond two years, but current industry practices fail to meet these expectations. PI investigated the software lifecycles of five of the most popular categories of smart devices used by consumers. We found that information about how long devices will be supported for was often absent from company websites.
Christopher Weatherhead, PI's Technology Lead said:
"Consumers are being kept in the dark. At the point of buying a new device, its incredibly difficult for you to know how long that device will receive security updates. That's not right. We store a lot of sensitive data on our laptops and phones, so to be left with a fully functioning but unprotected device after just a couple of years is unacceptable. Tech manufacturers know better than any of us how important security updates are. Why aren't they providing security updates for their devices for longer, and instead putting their customers on a two year cliff edge?"
PI is campaigning at EU level to ensure that the concerns raised above are taken into account and that any new legislation doesn't fall short of the standards required to protect us and our connected devices in the digital age.
Notes to editors
- While current EU initiatives to extend the useful life of hardware, are important, software must not be ignored; it is what keeps our devices and data safe in today's connected world.
- It is therefore critical that software remains up to date for a long time to ensure the device is secure and that any errors to the functioning of the device are resolved to reduce risks to consumers’ privacy.
- At the moment, EU laws require that smart devices receive software updates for the period of time that consumers can reasonably expect, which is often wrongly linked to the legal guarantee period (2 years).
- In 2022, PI examined the most popular manufacturers in the EU across 5 categories of smart devices. Our findings show not only that some of these manufacturers seem to fall short of this standard, but also that in many cases it is extremely difficult, if not impossible, for consumers to obtain accurate or reliable information about how long their devices will receive critical updates for.
- To better understand consumer expectations across the EU, PI commissioned a YouGov survey in August 2022. The survey involved a total of 6,331 consumers from Spain, Germany, Poland, France and Italy. All figures, unless otherwise stated, are from YouGov Plc. Fieldwork was undertaken between 11th - 19th August 2022. The survey was carried out online. The figures have been weighted. Specifically, respondents were asked: Thinking about purchasing new technology devices...For how long after purchasing each of the following devices do you expect them to be protected against malicious cyberattacks (e.g., hacking) by receiving regular security/ system updates (i.e., patches)?
- PI has proposed specific amendments to the Directive on empowering consumers, which is currently being debated by the European Parliament and aims aims at enhancing consumer consumer rights, particularly by ensuring that consumers obtain reliable and useful information on products, including on their lifespan.
For more information contact [email protected].