by outlog 2677 days ago
Absolutely agree - there should be regulation demanding a 5 year period of security updates (or similar).

Check out https://www.lineageos.org or one of the other dists out there - and get that loaded up.


Do you really want legislators defining what is and what is not a ‘security’ issue?
That’s literally one of the jobs of government, to step in when the private sector does not regulate itself well enough to protect consumer interests. It’s not about wanting the government to step in, it's about having no other recourse.
I'm not sure any of us has a right to speak for every consumer. I live in a country where the majority would likely prefer cheaper devices w/o any security guarantees. Forcing producers to provide 5(?)-year updates will make prices rise, and it could be against the interests of a large segment of consumers. The only regulation which I believe would be beneficial for all is obligatory transparency. There should be clear warnings like "The producer expects you to replace this device in 2 years, and will not support it after that", or "This producer doesn't promise anything in regard to this device - use at your own risk".
You wrote: "Forcing producers to provide 5(?)-year updates will make prices rise"...

I don't think so: it will oblige makers to standardize processes and software across phones... i.e. very basic specific drivers, then same OS and libs on all phones (with just different themes).

Then the Android security updates can be uploaded directly from Google at no cost. Just like for computers, and phones are computers with very few different features (input device, GSM chip).

My HP or Dell computer is not more expensive when Microsoft or Debian is pushing security updates.

In the end, unifying processes and software brings costs down.

I almost loved this idea at first sight, but on second thought I'm not sure I see how it can work. Will you mandate Apple to make iOS installable on Huawei's devices? If not, why? If yes, how? Who will bear responsibility if SailfishOS won't run on Samsung's hardware? Do you really think an API standard can be enshrined in the law, and how do you plan to make it safe from corporate abuse?

Btw, if Microsoft is pushing security updates you did pay an additional cost for the license. If it's Debian then quite possibly you still paid something to MS (if your computer was bought with an OEM version), or in the better case other corporations and individuals pay for it (mostly to reduce Microsoft's power).

>I'm not sure any of us has a right to speak for every consumer.

Yet almost every civilization on Earth has already decided that we, the masses, _do_ have a right to speak for everyone when it constitutes a common good. In the US, you have to wear a seatbelt in most states. Your food is regulated by the FDA. Your cars must meet certain safety standards, as does your home. This list goes on and on.

You are referring to undefined terms to define undefined terms: "common good" is not something obvious in this particular situation. Food is a poor example here because toxicity is more or less the common denominator, while the safety of a smartphone has a very different value for someone whose life is immersed in digital services, and whose income allows them to see +/-50 dollars as a small variation, and one who uses only WhatsApp and a weather service, and needs to save every penny. In fact the majority of Android phones in the world right now are somewhat vulnerable, and it doesn't seem that people who use all this cheap stuff are eager for change. You already can be safer if it's your priority by using more expensive brands (Apple, Samsung) which offer longer-term updates.

P.S. My food is not regulated by the FDA; not everybody registered on HN is from the States.

Just because a lot of people do it doesn't mean it's the right choice though. Most Republicans seem to disagree from what I can tell.
>Just because a lot of people do it doesn't mean it's the right choice though

Who said that it was?

The FDA, as it is known today, came into being in response to the public outrage at the shockingly unhygienic conditions in the Chicago stockyards that were described in Upton Sinclair’s book “The Jungle.” Building codes exist to protect public health and welfare.

These weren't arbitrary decisions; they were made in response to real issues. Laws in general limit personal freedoms to protect society and the public. Also, some personal freedoms infringe on the freedoms of others. If murder were legal you would gain personal freedom, but your victims would lose theirs. I may want to have cows in my backyard, but my neighbors may have a few legitimate issues with that.

The fact is that the world has decided you are wrong, and for good reason. I don't need to prove why; you need to prove why everyone else is apparently incorrect.

>Most Republicans seem to disagree from what I can tell.

Uh huh, until we start talking about what you do with your body or who you want to marry. Many conservatives do believe in personal freedom over government rule, yes, but the best conditions are always brought about by balancing those, never in favoring one completely over the other.

"The producer expects this device to be unsafe after 2 years" would be more accurate :)
Do you think companies are going to choose "security" issues wisely? Do you have an actual solution that doesn't involve government, doesn't have the companies deciding themselves, and that the general public can do?
The past decade has seen an explosion in software being put and used everywhere. With that comes an explosion of bugs that are exploited. Literally hundreds of millions of people have had all their shit stolen from numerous services that have a laissez-faire approach to application security. It's like getting into an automobile accident; you're basically guaranteed to get into at least one in your lifetime. If you've used the Internet, private data of yours is virtually guaranteed to be leaked by at least one service you use.

I'm not a fan at all of excessive government overreach, but the private tech sector is utterly incompetent at policing itself because a) they don't give a shit, and b) no one is holding them accountable enough (you could argue shareholders should, but there's rarely an impact to bottom lines when security breaches happen). The only thing that will make them care is an impartial 3rd party that can force them to care.

They don't need to. For example in the UK, goods sold need to be of "satisfactory quality" at the time of sale, and if in breach then the seller has to make it good for up to six years after sale, depending on the expected market lifetime of the product.

Something like that is all that's required in primary legislation.

What is missing is a finding that a sufficiently severe security vulnerability present at time of sale falls short of the expected standard. The general concept could be enforced by a court ruling setting precedent or by still quite generic legislation.

Finally it would be up to the courts to decide on a case-by-case basis what constitutes "sufficiently severe" in specific cases. That's no different to how everything else in law works.

Yes, that seems like a very good idea, the market seems to be incapable of regulating itself on security issues.
Yes, I really do want the government I pay for to at least attempt to protect me from pervasive, daily threats.

"Do you really want legislators deciding what is and is not 'reckless' driving?"

Yup!

What is your proposal for fixing that devices are not updated these days?
In an ideal world, my preference would be for the government to enforce some sort of standardized driver interface and user-modifiability guidelines, such that users have the ability to update their own devices.
Get a new device and pick a manufacturer that provides updates.
So daydream. Such a company doesn't exist.
Apple comes closer than most. The most recent unsupported device is the 5C, which was released 5 years ago and discontinued in 2016. Their end of support appears to be mostly in line with major architecture changes and not "too old, too hard, just buy a new one" as appears to be the case with Android.
You do realize that phone is only available for preorder? They may not even be around in 3 or 5 years. The OP likely suggested Apple (5s is in its 6th year of updates).
Currently, that phone doesn't exist.
What about OnePlus? I haven't been in the Android ecosystem for a few years but they always seemed to be on par if not better than Google.
You pack a lot of fallacies into one sentence! False dichotomy, boogie man with the bonus of scare quotes. Mandating security updates for some amount of time after a product is sold isn't 'legislators defining security issues'.
Google has already addressed the issue with Android One. Android One certified devices are guaranteed at least two years of security updates. Most of the manufacturers already have such devices available.
Any advice, caveats or other thoughts on this process?
No, that's not strong enough. It should be indefinitely (or the owner has a right to damages) UNLESS the entire spec and interface of a device is completely, comprehensively, and publicly documented from the silicon up, and the device must either lack software integrity checking or it must be fully under the owner's control (e.g. purge the OEM public key, replace it with his own). This should apply to all products containing microprocessors and software to execute, and should apply to burned-in ROMs too (since that software in ROM should be user writable/replaceable, this should discourage use of burned-in ROMs). This should apply to the end product, so the whole car, TV, washing machine, vacuum cleaner, cellphone, game console, Intel CPUs and chipsets, etc, must have its microcontroller interfaces and specs fully and publicly documented or damages could be awarded later once exploits appear. This should tamp down on IoT for fridges and can openers too, as what OEM wants to either document IP xor expose themselves to potentially unlimited civil liabilities.