We looked into the software support practices for 5 of the most popular smart devices (and the results may disappoint you)
As EU policymakers are about to adopt new laws to empower consumers and increase cyber-resilience, PI's research shows that the existing practices of device manufacturers around software and security updates fail to meet the expectations of the vast majority of consumers.
- We are deeply concerned that companies are failing to provide smart devices with sufficient software and security updates to protect consumers from cyberattacks. This is why we are advocating for both transparency and long-term software support obligations to be introduced in relevant laws currently discussed.
- A YouGov survey, commissioned by PI, reveals that the majority of EU consumers surveyed expect their connected devices to receive security updates for a much longer period than what manufacturers currently offer.
- PI investigated the software lifecycles of the most popular smart devices used by consumers across the EU. Our research highlighted a lack of transparency and communication to consumers on how long their devices will be supported for.
Introduction
Several policy initiatives are in progress at the EU level. They seek to address the sustainability of connected devices such as smartphones, tablets and smart speakers. While initiatives to extend the useful life of hardware are important, software must not be ignored. Almost any digital device with which we interact today relies on software to function, which acts as a set of instructions that tells the hardware what to do. From smart thermostats to smart speakers, to our smartphones, computers and smart TVs, nearly everything in the digital economy requires software to operate. However, if software support for devices is inadequate it can have negative consequences for the security of the device. This is also the case when software updates, including security updates, are provided for a period that is shorter than the product's expected life cycle. It is therefore critical that software remains up to date for a long time to ensure the device is secure and that any errors to the functioning of the device are resolved to reduce risks to consumers’ privacy and security.
In addition to the YouGov survey, in 2022, PI independently investigated the software lifecycles of five popular connected devices, namely smartphones, personal computers, gaming consoles, tablets and smart TVs. For each of these five categories, we examined similar benchmarks (duration of software update support, duration of security update support, and the accessibility and/or availability of relevant information regarding those two). Within each category, we focused on the top three to five market players.
PI's methodology involved desk-based research into publicly available information on company websites, as well as third-party websites, including consumer electronics blogs, media and online forums. PI also reached out to all device manufacturers mentioned below for feedback; however, not all of them responded to provide clarification. The comments of those who did have been incorporated into the present report. While every effort was made to ensure that the findings represent an accurate reflection of current industry practices, due to lack of available information, these can sometimes provide only a hypothetical or assumptive picture.
Findings
As PI's research illustrates, the support cycle for different devices can vary significantly depending on manufacturer and product. Despite some devices appearing to be supported longer than others, the findings confirm that the period for which a device will receive updates is left largely at each company’s discretion. Furthermore, it is rarely the case that the duration of software support meets consumers’ expectations regarding the life expectancy of their device.
The trends identified below seem to stand in contradiction to what EU consumers believe about the duration of security updates for their smart devices. In August 2022, PI commissioned a YouGov survey across consumers from five EU member states (Italy, Poland, Germany, Spain and France). The survey results confirm that consumers expect their connected devices to receive security updates for a much longer period than what several device manufacturers currently offer. Specifically, the vast majority of consumers expect their devices to be protected beyond 2 years (55% for smartphones, 57% for personal computers or tablets, 41% for gaming consoles, 53% for TVs and 49% for internet-connected home devices believed that the device would be protected beyond 2 years on average).
What the survey findings also illustrate is how confused consumers appear to be about what existing laws say on the minimum duration for which software updates must be provided. For example, more than 10% of respondents indicated that they expected their devices to receive security/system updates for at least 2 years or even less, despite the fact that those periods are already covered by device manufacturers as part of the devices' legal guarantee.
Smartphones
In Europe, 66.1% of smartphones in 2021 were sold by the top five ranking manufacturers including Apple, Samsung, Xiaomi, OPPO and Huawei. Except for Apple, all these manufacturers use the Android Operating System developed by Google. In contrast, Apple smartphones run their own operating system, iOS.
Our research found that the current landscape of smartphone software updates is extremely complex, with varying approaches adopted across manufacturers. While 54% of consumers expected that their smartphones should be protected for longer than 2 years (25% 2-5 years; 15% 5-10 years and 14% beyond 10 years), company practices conveyed that software support can range from 3 years or less to a minimum of 6 for certain devices. Only one manufacturer provides both smartphone hardware and software, which lends a degree of transparency regarding the expected support duration. In contrast, where companies provide the hardware device only, all of which use Google’s Android OS software on their smartphones, the research was unable to yield a clear or precise duration of how long devices are expected to receive software and security updates.
With regard to how manufacturers communicate the software support duration of devices, this information appeared largely absent from company websites. While only one company seemed to have an online policy dealing with software support, this appeared to exclude smartphones. As a result, relevant information can only be found through various third-party websites and largely external sources, such as media reports or online forums. This raises questions regarding the accessibility of information available to the average consumer to help them properly understand how long their smartphone will be supported for.
Personal Computers
When considering software update processes for computers, the operating system is usually separate to the hardware. This means that the lifecycle of personal computers is far more likely to be hindered by the limitations of the hardware rather than the software.
Compared to smartphones, companies’ governance of software support for personal computers appears to be less fragmented. In general, operating systems on personal computers appear to be offered for longer periods of time but, again, with varying periods of support across different manufacturers. The consumer survey commissioned by PI shows that more than 38% of respondents expect their personal computer or tablet to be protected for at least 5 years or more. PI's research findings show that current company practices do not always meet these expectations.
When it comes to accessibility or availability of information, only a few companies appeared to have detailed policies online. However, the software available on some laptops/personal computers may provide an ‘in app’ feature which provides information about when they will stop receiving software or security updates. Overall, the availability of information about software updates for specific devices was largely lacking or had to be learned through external sources. This conveys a lack of transparency towards consumers, which impacts their understanding of the duration of their devices’ support.
Gaming Consoles
With more than 46% of the population in Europe referring to themselves as 'gamers', the European video game market was valued at over $32 billion in 2020, making it one of the most valuable markets outside mobile communications and smartphones. The video game console market in Europe is dominated by three major companies - Sony, Microsoft and Nintendo.
Overall, our research found that software and security updates for gaming consoles remained unclear. However, for several gaming consoles software updates appear to be often bundled with security updates. Information regarding how long devices will be supported for also appeared incomplete or lacking, leaving consumers having to rely on predictions based on past practices for similar products or third-party sources.
Tablet Computers
Tablets have become increasingly popular and have a 2021 market revenue stream of around 59 billion dollars worldwide. As of April 2022, Apple was the European market leader with their line of iPad tablets, followed by Samsung and Huawei.
Similarly to smartphones, the landscape of tablet software and security support is complex, with software or security support ranging from 3 years or less to a minimum of 6 for certain devices. Only one company provides both the hardware and software for tablets, which provides somewhat greater transparency regarding the expected duration that a device will be supported for. On the other hand, regarding companies acting as hardware manufacturers only, all of which deploy Android OS on their tablets, our research was unable to yield a clear or precise duration of how long a tablet is expected to receive software or security update support for.
Information about how long tablets will be supported for seems to be often absent from company websites. Only one company appeared to have a policy in place, which nevertheless does not appear to include information for tablets. As a result, most information was gleaned from third-party sources.
Smart TVs
Across Europe, around 95% of households own a television. Nowadays “smart” televisions can access the internet enabling on-demand functionalities that allow consumers to instantly access a wide range of online video and music-streaming platforms. Samsung is the leading brand in the smart TV market with 29.5% of sales globally in 2021 followed by LG, Sony and TCL.
In general, the software or security support duration for smart TVs appeared to be quite unclear and, at times, unknown, with software or security updates varying across manufacturers, and depending on model or operating system. Moreover, information regarding software or security updates was frequently either absent from or extremely hard to locate on the companies' websites. This can accordingly add an extra layer of confusion for consumers as they might have to rely on unofficial, third-party websites for this information.
The EU should empower consumers and help us keep our digital life secure
The above research raises serious concerns about how long a device may be used by a consumer compared to the length of time it receives security updates for. As a result, this can have a detrimental impact on the security and privacy of users.
Across all manufacturers and products, PI found there was, in general, a lack of transparency and communication to consumers on how long their devices will be supported for. Very often, there appeared to be no designated place on company websites that clearly provided this information to consumers. How is an average consumer expected to understand how long their connected device will be protected for if they are unable to easily and readily find this information? Consequently, devices might inevitably be rendered vulnerable to malicious attacks, as consumers cannot ascertain if the product is still receiving critical security updates.
At the moment, two important legislative proposals are being discussed at EU level: one for a Directive on empowering consumers for the green transition, and one for a European Cyber Resilience Act. The former aims at enhancing consumer rights, particularly by ensuring that consumers obtain reliable and useful information on products, including on their lifespan. Nevertheless, the proposal put forward by the European Commission contains certain shortcomings with regard to information on software support duration and the bundling of security with functionality or any other software updates. These need to be effectively addressed by the European Parliament before the text of the draft Directive is adopted.
As part of our Best Before Date campaign, PI has proposed specific amendments that seek to ensure that consumers receive adequate information about the duration of the software support their devices receive. We are liaising with several EU policymakers to ensure that the concerns raised above are taken into account and that any new legislation doesn't fall short of the standards required to protect us and our connected devices in the digital age.
Notes to editors: All figures, unless otherwise stated, are from YouGov Plc. Total sample size was 6331 adults. Fieldwork was undertaken between 11th - 19th August 2022. The survey was carried out online. The figures have been weighted.
Firmware
the abstraction layer between the physical chips and the software. Firmware allows the operating system to make generic calls to the hardware (e.g., open microphone, allowing for an audio recording or phone call, which the firmware interprets and then sends the correct instructions to the hardware to turn on the microphone). In other words, the firmware acts as the translator between hardware and software (most of the time, an operating system); it receives the software instructions and further passes them on to the hardware components.
Operating System (OS)
the core programme that manages the interactions between other programmes and the hardware. For example, the Operating System will make sure that launching an app such as the web browser won't interrupt sound being played by another application. Modern operating systems like Windows, Android, iOS, or Linux usually bundle several ancillary services, such as the user interface and basic utilities for the device. This includes, for example, a sound managing interface to set the volume of applications playing on the device or a network interface to easily connect to Wi-Fi networks.
Software update (also known as patch)
a set of changes to a piece of software to update, fix or improve it. These changes will usually either fix bugs, fix security vulnerabilities, provide new features or improve performance and usability. Infrequently, patches may also be used to limit functionality, remove or disable features. Depending on the software, updates may be installed manually or automatically if the device is connected to the internet and has the appropriate capabilities (for instance, an Android phone that updates its software on its own). Software updates are particularly important when applied to the Operating System given the reliance of other software (such as apps or drivers) on it.