Big tech brands selling customers short on security – Which?

Major brands behind expensive smart devices such as smartphones, doorbells and tumble dryers are potentially breaking new product security laws, while others offer “pitifully short” support policies, according to a study.

Which? said its survey of more than 120 brands found that nearly a quarter (23%) could be flouting laws by not having a published policy stating a minimum time for which the manufacturer will prevent the products from losing functionality and becoming hacking risks.

Many other brands offered “pitifully short” support periods, the watchdog said.

While this did not breach the new laws, it essentially meant the manufacturer quickly abandoning the product and putting consumers at risk long before the end of the device’s natural life.

The Product Security and Telecommunications Infrastructure Act 2022 came into force in April this year, applying to the majority of smart products and making it illegal to sell products in the UK that do not have published product update policies stating a minimum time for support to uphold functionality.

Manufacturers that fail to comply with the laws face potential fines of up to £10 million or 4% of worldwide revenue.

Which? is now calling on the Office for Product Safety and Standards (OPSS) to investigate the issue and outline what it will be doing to enforce the new laws.

Which? researchers searched online for the support policies of 128 brands across around 30 product categories, and also asked them if they had a clear updates policy.

Some 23% did not have a policy in the public domain and gave no indication they were addressing this, the consumer group said, adding that they “would appear to be breaking the law”.

A further 23 brands (18%) had a policy that, in Which?’s view, was not clear.

The watchdog said it believed just 76 brands (59%) had a compliant published policy, stating a clearly defined support period.

The regulations state that the policy should be clear, accessible and transparent, and understandable by anyone, regardless of their technical knowledge.

However, Which? said most brands were burying policies in distant corners of their website, or in hard-to-read technical compliance documents.

In the smartphone category, Which? said Alcatel, Huawei and TCL did not have published policies on technology updates, although TCL said it was working on adding policy information.

Researchers considered Honor’s policy “insufficiently clear”, and found some brands such as Motorola and Xiaomi guaranteed just two years of support on some handsets, compared with seven or more from rivals, and despite smartphones having estimated physical lifetimes of around five years on average.

Washing machines have an estimated physical lifetime of 11 years, but Haier group’s policies, covering Candy and Hoover, offered two years of support ‘from purchase’ in the washing machine, dishwasher, smart oven and fridge-freezer product categories.

Liebherr also failed to publish clear support policy information for consumers buying its fridge-freezers.

For tumble dryers, Hoover did not appear to have any stated support policy and so was failing to comply with regulations, Which? said.

It said brands such as Beko and Hisense offered “pitiful” one- and two-year guaranteed support periods respectively, compared with Bosch and Miele at 10 years.

Although smart TVs had an estimated average physical lifetime of almost seven years, Which? found TCL, Panasonic and Sony all had “poor” policies. Hisense offered two years of support from when a model was first released.

On smart speakers, Belkin and Audio Pro were silent on support policies, the watchdog reported.

And while wireless cameras and smart doorbells were particularly sensitive security risks as their primary purpose was to protect people’s homes, Which? found that Arlo and Ubiquiti said nothing about how long their products would be supported with security updates.

Which? said a number of companies either changed or were in the process of changing their policies after being contacted by the watchdog.

The consumer group made contact with all 128 brands twice, with the second phase being to clarify their positions.

At this stage, researchers also offered the chance to provide comment, alongside the policy, but no brand had done this.

Which? director of policy and advocacy Rocio Concha said: “It’s very disappointing that big brands are seemingly failing to comply with new product security laws despite having over a year to prepare, leaving customers in the dark about how long their products will be supported with vital security updates, and potentially putting them at risk.

“It’s bad news for consumers and the environment, especially when you consider these short support periods could result in smart tech ending up in landfill way before its time.

“The OPSS must urgently investigate this issue, provide clear guidance for manufacturers and explain how it is going to crack down on brands ignoring security laws designed to help consumers buy products that are built to last.”