
I noticed all the recent printers from HP required a setup which...

- Required me to install an app

- Required me to enable gps on my device (and allow app to access)

- Printer phoned home after / during setup (as did the app)

They really don’t need the dots any more when they know the gps coordinates and have the ability to send anything they want to and from the device.

I personally spoofed the gps, ran a vpn and blocked the device from phoning home (after setup). Had me saying “what the f**!?” a couple of times.



Any device that requires someone to install an app and register to make it work should have a prominent label on the box.

There should be a labelling standard for this where the manufacturer must disclose if any registration is required to operate the device to its full potential, if any app or special software is needed other than a system driver, if any phone-home data is being sent, and what data is actually sent, when and why.

"Buyer beware" but most of the time you have no idea what the experience will be like. It's usually not disclosed on the box, reviews rarely mention it and I'd like to have a sure way of being informed before I make my purchase.

It's a similar thing with software, software and apps that require registration for no other reason than add you to their marketing list, but it's particularly egregious with physical items.


Then every printer would just have the warning, making it useless like the California Prop 65 warning label. Seems like everything is labeled with a prop 65 warning, and I for one completely ignore it because it doesn’t provide useful information (beyond ‘everything will kill you, good luck’). The printer manufacturers would say that the registration is super important and it’s critical to get their spammy low ink level warnings or something.


I won't say so. I own two Brother printers; both worked with standard Windows or Linux printing systems (with a simple driver because they talk PostScript), and did not require me to install any special apps. They of course asked to install things like toner monitoring utilities, etc, but I politely declined, and everything just works anyway.


+1. I installed nothing for my brother printer and it works with cups.


+1 The Brother printers are awesome and just work as printers should do.


Me too


One advantage is that it leaves the door open for a company to market printers against the label. It could be similar to a 'GMO free' type premium. It seems there are many here who would pay extra for that.


I shopped specifically for one that didn’t do this. They are around; my Canon G6020 does not require me to use an app and I never registered anything. It’s internet connected, so I’m sure it’s sending them info, but no GPS and no app.


One can create such a labelling standard by starting or partnering with a standards organization.

"This device certified not to compromise your privacy" could be a good selling point for a printer, especially if half of the printers have it and half don't.


iPhone boxes have something like "Apple ID and acceptance of EULA and privacy policy required" printed on them, among other things.


You can always download the instructions from the web. It should contain all the info you need to decide.

Of course it won't help when you are shopping and looking around in a store for some reason.


You said it like that advice is useful when shopping online, buyer to download and read a whole manual to make the decision?


Because that is good advice for want of a better workaround. You act like that is a huge burden, it's typically very easy to do! Searching for a model number and 'manual' will get you to a manual, most manuals are very short and quick to parse especially if all you are looking for is 'will this require an app' or similar.

So, yeah, it is good advice if the outcome is important to you and you don't know a better way to protect yourself from accidentally buying something like that. Unless you know a better way and are holding out on everyone?


I regularly download the manual prior to making large purchase, such as appliances, home control systems, etc. Checking out the app itself is good too.

For printers, I also recommend pricing out five years of supplies. I bought a printer that cost 5x as much as one with similar specs, but ends up costing less in supplies.


If you don't want to install the app or create an account you can return the device at no cost. I don't think most box stores will fight you on this. Online sellers usually will, return shipping can be very expensive.


No monetary cost, but there's definitely a cost. If a product blatantly disguises the fact that it spies on your location, then that's a form of deceit. As a result of their attempted deception, I have lost out on the time spent comparing the product against others, the time spent acquiring it, the time spent setting it up, and any opportunity cost of that time.

Not everything is measured in dollars, and getting back the dollars spent as a result of deceitful advertising does not undo the damage caused by the deceit.


I never disagreed with this. My point is, performing a return is a strong signal of dislike. Box stores hate returns as do online sellers. Failing anything else (because face it, ranting about it on the internet and pointing out the moral failures of a business model is not doing it) returning it is the best you can do.


People are also unlikely to return because they don't realize tracking exists. The iPhone permissions is a perfect example of this. People "knew" these apps were tracking them but didn't internalize them. When the UI changed to better highlight the tracking people did internalize it and denied it.

At the end of the day it's a team of psychologists, computer scientists, and super computers against one human. It's not a fair fight. There are plenty of dark patterns to make you not internalize the tracking. So while you're technically right, no one expects to see this happen in practice because your model isn't accounting for this.


You can actually measure time in dollars pretty often. And with all the time spent you mentioned for returning an item like this that time is likely as expensive as the printer itself.


It's not spying, it's a mutual agreement, you deliberately accepted the terms and installed the app yourself.


Are you suggesting that an app that is purported to help you interact with your printer, but does not do that very well, but does track literally everything it can about you instead so that the parent company can sell that information, is not spying? That is deceptive.


I think people are conflating my interpretation of personal agency with agreeing with the practice; I don't buy products that do these things, I'm merely explaining that by using this item and agreeing to their terms, it is in fact not spying, because you're informed ahead of time what will happen. Someone not reading the contracts they sign does not void the terms of the contracts.


> Someone not reading the contracts they sign does not void the terms of the contracts.

In some cases, it does. In medical trials, you need "informed consent", and not just regular consent. It doesn't matter what papers are signed, if a patient isn't informed what the trial is testing, what known side effects there are, and what alternatives there are, it doesn't count.

More relevant to this issue, GDPR also uses the concept of informed consent. Under GDPR, tracking is legal only if consent is informed and freely given. The example printer fails both these conditions. It is not informed consent, because the tracking is not prominently disclosed to the user, and merely mentioning it in the fine print is insufficiently prominent. It is not freely-given consent, because a service being conditional on acceptance of tracking means that there is coercion to accept the tracking.

My viewpoint on the ethics tends to follow somewhat close to the GDPR's requirements. Even if somebody clicked through a 50-page EULA, that does not give informed permission to track somebody, and so it is still spying.


The time spent trying to set it up is worth requiring a label on the box. I sort of assume it is already required. You need to agree to conditions to create an account anywhere, surely a product needs to tell you about its data vacuum before you spend hundreds of dollars on it.


Depends on the country you're in. Doubt you'd have much luck returning it for this reason in Indonesia.


They have no buyer protection at all? A jurisdiction which breaks the assumption you are sold working objects is a problem, I suppose.


Permission to access location on Android is needed to scan for wireless networks (because such a scan allows to find your location from the networks in range).

It doesn't necessarily mean that the app accessed your GPS location.

Depending on your device, actual access might be shown, I recently installed an Epson printer and while the app needed location permission, it did not access my coordinates, it only scanned for wifi networks.


It still means it accessed location though; the scan for a printer to set it up on your wifi also collects the information about other APs visible, and that information is equivalent to location.

This is why a wifi scan requires location permission.


Scanning networks in range does actually reveal your location, if you know where those access points are. There's public databases and I wouldn't be surprised if printer companies have a more complete/accurate list. So while you're right that people are confusing the two I'm not sure it is meaningfully different in terms of potential outcome (i.e. can you determine my GPS coordinates).


The bluetooth/location permission setup in Android may be changing in the next major Android release if I recall. It's a poor setup IMO.


People are ridiculously paranoid with the "gps permission", when usually just connecting a device to the internet is likely to allow it to obtain its location with more accuracy than gps for over 50% of homes.


To be fair Android could be way clearer about this. Instead of "App wants to access your location [allow] [deny]" which is clearly confusing even for highly technical HN readers, why doesn't it say "App wants to access WiFi. This may reveal your location. [allow] [deny]" or something like that?


I had no idea that it worked like this either; if an app asks for "GPS permission" then I assume it wants to know my actual physical location. For something like Tinder or sharing your location on WhatsApp this of course makes sense. For something like a printer app much less so, and I'd be suspicious as well. I don't think that's especially paranoid.


There's a difference between being paranoid and not willing to risk it. You don't actually know which it was asking for, being that the access controls aren't fine grained enough is the problem here.


It's the same permission because WiFi networks are basically landmarks. If you see the Eiffel tower, you know you're in Paris. Similarly, if you see network id X, you know you're near location Y.

One day, the camera permission will probably have the same problem. The time of day and position of the sun can give a coarse location, and perhaps future algorithms will be able to search Google Street View to find your exact location.


> perhaps future algorithms will be able to search Google Street View to find your exact location.

So actually intelligence organizations already do this. If they have a mundane picture of an adversary they will try to pinpoint where the picture was taken. Of course there's more clues that they have because they know things about the target, but I guess I'm saying it's not unreasonable to believe such a thing could exist today.


It's not an issue of the granularity (which I agree with), the problem is that giving the program access to the internet _at all_ (which does not require any permission) already gives the program more information about your geographical position than GPS, in most situations people care about.


That makes me wonder: wouldn't there be a market for a printer that clearly doesn't leak any information? Say one with open firmware that parses PCL5 or Postscript or whatever the modern analog is.

"Keep your secrets safe with Printer X".

Or would the state come down hard on any such manufacturer?


>Or would the state come down hard on any such manufacturer?

Remember what happened to the Qwest CEO when he refused to allow his company to spy for NSA?

https://www.washingtonpost.com/news/the-switch/wp/2013/09/30...

  Just one major telecommunications company refused to participate in a legally dubious NSA surveillance program in 2001. A few years later, its CEO was indicted by federal prosecutors. He was convicted, served four and a half years of his sentence and was released this month.


The real problem with that is that consumers have communicated, quite clearly, that privacy is not a significant concern for them.


I'm not sure that's the case. Things do need to be printed because of arcane situations where paper still reigns supreme. Copy centers are not always accessible and sometimes are more costly in terms of travel and cost than the cost of ownership of a printer. Plus the yellow dots are not as ubiquitously known as I take your post to indicate.

It's hard to really buy with your wallet when you don't even know you have a reason to be cautious. Similarly, it's been suggested that boycotts and "vote with your wallet" are woefully ineffectual nowadays.

It's not that consumers don't care, it's that most don't have a choice or aren't even aware of such a need


It isn't the role of the public to regulate business. It is literally the role of the government to regulate business. Blaming your fellows for failing to stop multinational corporations in their endless search for more dollars is short sighted and as we have seen doomed.


While some market is there, making such a printer (hardware and firmware) would be non-trivial. Manufacturers did a lot of research to print well, and making even black and white printer of comparable quality may be very hard.


Most inkjet printers are cheap nasty bits of plastic - which is why the paper path works so badly and either jams or doesn't grab sheets reliably. It wouldn't require much engineering to build something better.

Print heads are a more of a challenge, but you can buy manufacturer originals and build a printer around them.

The firmware is a big problem, but there's a lot of research in the public domain that could be repurposed.

After all of that, you need compatible ink. You'd be reliant on third party ink clones and cartridge systems.

It wouldn't necessarily be harder than a 3D printer project, but it's not trivial, and it would be hard to make it work financially.

Given a choice between an official printer that costs $35 to buy and $60 for replacement inks, and an OpenPrinter that costs $60 to buy and $35 for inks, most people will buy the former.



I suspect that the company would get a visit from the secret service


The default assumption should always be that everything is backdoored, _especially_ these "privacy-first" products


That's why it would need a software equivalent of nothing-up-my-sleeve numbers, i.e. open-source firmware.

There's still Trusting Trust, but that's rather harder to pull off.



Interestingly, there's not even a section for printers in that list.


Yes, there is no single printer that respects your rights.



> This list is no longer being updated.


Yeah, and it says everything tracks now and dots are not the only way. That was my point.


that's terrible advertising I'd expect the secret service to come just to mock our pretensions

our biggest client just wants a offline ios printer driver for bouncing previews to Acrobat via the share option. ios so far off our path.. this client would talk about any OSS driver deal for commercial rates in fact they definitely don't want any unique driver to profile... we're totally lost to find resources we can understand or resources at all. for a business to thrive with critical necessities hobbled I think there's always a central crime like how drugs and spectacles frames prices shown constant price for 30 plus years.. something artificial is happening with pressure applied.


I stopped buying HP printers a decade ago when I found tons of HP spyware when doing some system cleaning.


I have a Samsung printer, but support for that also switched to HP a number of years ago.

I would really like to know if there's a good printer manufacturer that makes simple, high quality printers that just work, don't require all these needless hoops, and respect the customer. Sounds like there should be a market for that, and yet somehow all printer manufacturers seem to suck.


Isn't brother in that ballpark?


I have a $100 brother laser printer, and it's not too bad. It took me a while to get it working on arch Linux reliably over wifi, but that was more of an arch issue.


Well, my Samsung doesn't work reliably over wifi from Windows and Mac, so this issue is hardly limited to Brother and Arch.


Specifically, arch wasn't running any zero-conf services out of the box. CUPS would auto-detect the printer just fine, but then try to connect to it via an mDNS hostname, and the connection would fail. Once I figured that out and got mDNS working, it's been reliable.

A lot of wifi problems are due to bad/flaky access point hardware. Notably, a lot of the internet recommended "good" consumer wifi gear actually sucks from a reliability point of view. It took me months to get my home setup reliable enough to take it for granted.


Brother is pretty much the only printer brand I hear good stuff about anymore. I have no experience with them yet, but when I get sick of my Samsung, I'll probably check out Brother.


Yeah, Brother is my go-to now. Laser b/w for less than $150. I have a color 4040 that I got a great deal on.


Brother or Kyocera


Just use a Unix based OS like OSX and Linux. No spyware / adware drivers needed.

Solved


Using an Open Source OS helps with malware hidden into drivers or the related installed junk, but unfortunately most network printers phone home, officially to download updates, as soon as they detect a network connection, and there's no way to know or control what they'll do with that connection, short of putting them behind a dedicated firewall. We have approached the era in which all networked devices should be considered as potentially harmful and dealt appropriately. From TVs to household appliances, home automation systems etc, everything could be used to grab personal information. Hiding a mic or a micro camera into a printer, or any other device, as of today is cheap and trivial. We should consider an untrusted separated network path for all these devices in the home network, so that they can't access our files and their connection attempts would be actively monitored and controlled.


> We have approached the era in which all networked devices should be considered as potentially harmful and dealt appropriately.

We're well into that era, but neither the technological protections nor the legal ones have kept up.

Tech laws are still barely on the level of requiring manufacturers of network devices not to use the same default password every time and manufacturers of kitchen appliances to accept some basic "right to repair" provisions. These are steps in the right direction of course but they are small steps at the start of a marathon.

I think a lot of political leaders fail to appreciate the danger here. This has somehow remained true even as tech crime is rocketing. We are seeing more and more headlines about how some aspect of critical infrastructure has been brought down due to some form of technological attack, businesses have lost money due to data losses, people have had their identities stolen after data breaches, etc.

Meanwhile, the tech firms best placed to defend ordinary people and businesses against these kinds of attack are often the ones carrying out the attacks. The fox is guarding the hen house.

Just yesterday, there was a news story in the UK[1] about some home car charging stations being vulnerable to simple attacks. These devices get connected to both home networks and electricity grids. The specific models in question were government-approved too.

I think typical open-by-default networking is fundamentally broken today. It's like software for non-experts that doesn't have the option to install security updates automatically, or a browser or mobile OS that doesn't sandbox web pages or apps individually. Professionals use many tools to lock down organisational networks, audit and manage connected devices, and deal with modern challenges like bring-your-own-device, and they still get hit from time to time. Meanwhile home users are basically expected to install a new Trojan every time they buy a new device. This is not going to end well.

[1] https://www.bbc.co.uk/news/technology-58011014


Static IP your printers, don't supply a gateway. Problem solved.


Consider using VLAN for your home network. You can put devices into a separate VLAN without Internet access. This is easy to setup and does not require expensive equipment.


Should use one VLAN per device. I think manufacturers will start using their own mesh networks. If your neighbors have a Vizio TV, your vizio TV will use their connection, same for Samsung, etc. If you have an open guest network, these devices will use it automatically.

The Brother printer I have attempts to hit some static IP in Japan for firmware updates, unencrypted http. So while on some OSes, you can use it without installing a driver, on MacOS, your desktop will automatically download the vendor's software indirectly from Apple. That is why installing printers is a separate permission as it updates system level components.

The only immediate solution I see to this is to have a protocol level firewall say running on an RPi that firewalls the printer off and intermediates all communication between the devices on the local network and the printer.
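The monitoring side of the isolation discussed in the comments above, as an added example that is not part of the thread: once the printer sits behind a firewall that logs its traffic, this script summarises which outside hosts it tried to reach and flags plaintext HTTP. It assumes netfilter `LOG`-style lines; the printer address, the interface names (`prn0`, `wan0`, `lan0`) and every log line are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed address of the printer on its isolated segment (assumption).
PRINTER_IP = ipaddress.ip_address("192.168.50.10")

# Destinations that never leave the home network: RFC 1918 ranges,
# link-local, multicast (mDNS uses 224.0.0.251) and limited broadcast.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "224.0.0.0/4", "255.255.255.255/32",
)]

# netfilter LOG lines carry KEY=value pairs; OUT= may be empty.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample log; interface names prn0/wan0/lan0 are hypothetical.
SAMPLE_LOG = """\
Jul 30 09:14:02 rpi kernel: printer-fw IN=prn0 OUT=wan0 SRC=192.168.50.10 DST=203.0.113.25 LEN=60 TTL=63 PROTO=TCP SPT=49152 DPT=80 SYN
Jul 30 09:14:05 rpi kernel: printer-fw IN=prn0 OUT=wan0 SRC=192.168.50.10 DST=203.0.113.25 LEN=60 TTL=63 PROTO=TCP SPT=49153 DPT=80 SYN
Jul 30 09:14:09 rpi kernel: printer-fw IN=prn0 OUT= SRC=192.168.50.10 DST=224.0.0.251 LEN=73 TTL=255 PROTO=UDP SPT=5353 DPT=5353
Jul 30 09:15:30 rpi kernel: printer-fw IN=lan0 OUT=prn0 SRC=192.168.10.20 DST=192.168.50.10 LEN=60 TTL=63 PROTO=TCP SPT=51000 DPT=9100 SYN
Jul 30 09:16:00 rpi kernel: printer-fw IN=prn0 OUT= SRC=192.168.50.10 DST=192.168.50.1 LEN=58 TTL=64 PROTO=UDP SPT=40000 DPT=53
Jul 30 09:20:11 rpi kernel: printer-fw IN=prn0 OUT=wan0 SRC=192.168.50.10 DST=198.51.100.7 LEN=60 TTL=63 PROTO=TCP SPT=49160 DPT=443 SYN
Jul 30 09:21:00 rpi kernel: printer-fw IN=prn0 OUT=wan0 SRC=192.168.50.10 DST=203.0.113.25 LEN=60 TTL=63 PROTO=TCP SPT=49170 DPT=80 SYN
Jul 30 09:22:00 rpi CRON[812]: (root) CMD (run-parts /etc/cron.hourly)
"""


def parse_line(line):
    """Return (src, dst, proto, dport) from one LOG line, or None if it is not one."""
    fields = dict(FIELD_RE.findall(line))
    try:
        src = ipaddress.ip_address(fields["SRC"])
        dst = ipaddress.ip_address(fields["DST"])
        proto = fields["PROTO"]
    except (KeyError, ValueError):
        return None
    # ICMP and similar records have no destination port.
    dport = int(fields["DPT"]) if fields.get("DPT", "").isdigit() else None
    return src, dst, proto, dport


def is_local(addr):
    """True when the address stays inside the home network (see LOCAL_NETS)."""
    return any(addr in net for net in LOCAL_NETS)


def printer_egress(log_text, printer=PRINTER_IP):
    """Summarise the printer's attempts to reach hosts outside the home network."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, proto, dport = rec
        # Only traffic the printer itself originates towards non-local hosts.
        if src == printer and not is_local(dst):
            hits[(str(dst), proto, dport)] += 1
    return [
        {"dst": dst, "proto": proto, "dport": dport, "count": n,
         # TCP/80 is conventionally plaintext HTTP, e.g. an unencrypted update check.
         "plaintext_http": proto == "TCP" and dport == 80}
        for (dst, proto, dport), n in hits.most_common()
    ]


if __name__ == "__main__":
    for row in printer_egress(SAMPLE_LOG):
        print(row)
```

Local traffic such as mDNS announcements, DNS queries to the gateway and print jobs arriving on port 9100 is deliberately left out of the summary, so only the phone-home attempts remain.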


I need affordable latest WLAN AP with VLAN. Most consumer WLAN APs don't support so we need to buy enterprise or some enthusiast gear.

It seems that on some Xiaomi models, VLAN can't be configured but its firmware is based on OpenWRT, so it can be enabled by hidden API. So maybe SoC itself supports it but manufacturer disable/don't enable it.


Yeah that was 10 years ago. I'm on Linux now.


Why do people buy printers that aren't from Brother?


I have a HL-1440 that is old enough to still have a Centronics connector (in addition to USB1) and it's a tank. I had to take it apart once between 2008, when I got it from a university that was throwing it out, and today. It prints all my shipping labels.


Although I agree with the statement for other reasons, do you know that Brother does not do anything similar to what is reported in the article?


If you follow the link in the article to the EFF site, they basically warn that they no longer maintain a list of printers that have these dots, because every modern printer has these. Basically there are no options if you don’t want these dots.


I remember the advice to buy a brother circa 2015-2017. Apparently it has changed? Personally unsure, I just bought one, as I worked backwards from "which printer has the cheapest toner" and it is still brother.

There is no way to force the business models to keep printing on a full cartridge that has met its page limit(per reviews on Amazon), and the salesman at a store told me brothers have replaceable parts in them now besides the toner carts that they force you to replace.


Brother software has always been the worst experience for me. It's like some ancient Windows XP setup that you have to download from a 2003 website that sometimes gives errors and isn't very helpful. Uninstalling feels like Norton, where you probably need extra software to remove the crud it left behind.


Why do people waste time on any "bonus software" they found in the box with their printer?

This is why I love Brother printers: I've never had to touch their software. Ever. Been buying their printers for over a decade. You pipe postscript to them on port 9100, they print it. Done. Their software could be 100% refined APT-malware, and I'm totally okay with that.


Brother software? I bought a Brother a few months ago, no software install on any device required. I just plugged it in, and it worked. Hell I can even print from my phone to it.


The Brother software I have on Windows 10 opens an application window (as seen on the taskbar as a running app, not the system tray) that is trying to ask me to update, but there is no visible application window. I have to right click the icon and choose Exit to get rid of it.


Because HP or Lexmark or Epson or Xerox used to be great, I suppose.

They often are not any more, at least on the software side.

Also, of course, if you need to produce really great colors (think 6-color inkjets), or really large printouts (say 3' wide), your choice is narrower.


I just recently set up one of those printers. They have a lot of dark patterns trying to steer you towards the app (and the "instant ink" junk), but it was still possible to skip over that and do all the setup on the printer itself, at which point it became a normal discoverable network printer.


I assume you're talking about WiFi setup? Ethernet to your switch or USB to a RPi should be a lot more reliable and works without an app. Then again, I haven't set up a printer in a decade.


Good luck finding a company that does things much differently. There is a printer cartel, and they want every penny they can squeeze out of those things.


What exactly is stopping people from designing an open-source printer? Even if it is patents, surely many of them should have expired by now?


It's the size of the market. The startup cost of making a competitively cheap printer is much larger than the expected revenue. Would you pay $2000 for a whitebox printer? Would anyone? It'd be a cool passion project, but making a legitimate business out of it would be hard.

One big question I have: "is it legal to sell a printer that requires the use of someone else's toner?". If so, then the concern about sourcing toner after the whitebox company fails can be addressed in the design stage.

What I really want to know is why there is no BYOPK whitebox TPM product. That should be easy to make and could dominate the market.


Toner or ink shouldn't be much of a problem IMO — you can buy off-brand ink and toner for DIY cartridge refills for existing proprietary printers.


Never buy HP, sane brands like Brother don't require that.


Do you have the option of using Free and Open Source drivers?


I recently got a HP LaserJet Pro M15W Printer and I didn't need to install an app... But I don't use its wifi capabilities and plug it in with a USB cable.



