HP printers try to send data back to HP about your devices and what you print (robertheaton.com)
497 points by darekkay 28 days ago | 263 comments

> Tech Enthusiasts: Everything in my house is wired to the Internet of Things! I control it all from my smartphone! My smart-house is bluetooth enabled and I can give it voice commands via alexa! I love the future!

> Programmers / Engineers: The most recent piece of technology I own is a printer from 2004 and I keep a loaded gun ready to shoot it if it ever makes an unexpected noise.


I still have my trusty Brother HL-2270DW, most of its lifetime connected by Ethernet cable.

I recently got around to configuring the WiFi and it works. So call me a risk-taker!

Brother printers are amazing. I have a 20 year old laser from them, they stopped selling toner cartridges, at least around here, but toner refills seem to be working fine.

Another endorsement for Brother printers here. I actually just kind of default to their stuff at this point, because they invariably just do their job with no drama.

Agreed, I have an at least 10 year old Brother laser printer and while it doesn’t support any new standard like AirPrint, their iOS app can still print to it across the network, direct from an iPhone/iPad, despite it being made likely before iPhones/iPads could even print.

lol Same. I think going on a decade now. Have had the wifi working for a while now though.

The flip side of owning mechanical locks is someone like the Lock Picking Lawyer on YouTube makes it seem easy to defeat a mechanical lock in under 5 minutes.

Does your home have windows? Those can be defeated in way under 5 minutes as well.

The point of mechanical locks is not absolute security, it’s to be more work to break than any alternative.

..and attack surface - physical presence vs entire Internet is quite the difference.

Yeah, I want him to design a key that he can't open. He has pretty much shown that he can open any key, even those that have alarms in them.

Honestly I just want a few grams of explosives in my lock, wired so that they kill anybody attempting to pick the lock. Passive defenses are never enough.

Ask and you shall receive: https://www.youtube.com/watch?v=7JlgKCUqzA0 ("[527] Pickproof your Kwikset For Less Than $1")

I don't really trust any lock to keep out someone determined. At least a mechanical lock won't send who knows what data for who knows what purpose to the manufacturer.

You shouldn't. No security mechanism, physical or otherwise, will keep out someone with enough determination and resources.

The goal of all security methods is not to make breaching them impossible (since that can't be achieved), it's to make breaching them so expensive that it isn't worth what would be gained by doing so.

Someone needs to make an xkcd-like comic for this.

Sooo true, my non tech friends make fun of me for how little automation/tech I have in my home.

Probably because we see how the sausage is made and how everyone prioritizes cost over security. It’s incredibly hard to make something secure once it’s connected to the internet.

There was a time that I trusted HP and their products and would recommend their business line to friends and family. This has changed over the years.

Crummy software updates (had to install an old version of some Intel tool to get my laptop to sleep in Windows 10) and the crapware they still bundle with Windows has made me take a step back from that position.

With this move I'm done with HP. I would have accepted a simple and clear explanation and toggle to send the same information, but this is just too shitty.

If anyone from HP is reading this, tell your supervisor that you've just lost another guy-that-everyone-goes-to-for-pc-advice. I hope you're happy.

Telemetry systems are out of control, and really exploded with the smartphone era. Personally, I run application level firewalls on all my devices i) to stop ads & ii) to stop telemetry. Unfortunately, it's too hard/too much trouble for the average user to maintain.

We need to come up with a better way to (automatically) hobble this nonsense, probably at the os level.

Telemetry is fine when it is included with enterprise software with licensing agreements handled by lawyers and corporate security. Telemetry is actually helpful and a good thing in that use case.

It is not in consumer products, period. Unless you are paying me for this information (in actual money, not discounts, not services) telemetry should be banned.

If telemetry were so valuable (“data is the new oil”) they would/should pay us for it.

Like all those “We value your opinion” customer feedback surveys. Yeah, you value it at $0.

I absolutely disagree with these data collecting practices, but if your data is e.g. worth $5, that may have been already deducted in the printer's sale price.

If you have two feature-equal printers, but one doing data-collecting and $5 cheaper than the other, which one do you think will be sold out first?

I wish that manufacturers be forced to also show default/required data requirements on their products similar to how they already display minimum/recommended hardware requirements. This would at least increase consumer awareness of the issue, at best maybe abolish it entirely...

Printer hardware is usually sold at a loss or near a loss in order to focus profits on ink/toner sales. That's how you get the ridiculous DRM on ink.

Force manufacturers to allow third party ink and to disclose data collection and you get a much different, better for the consumer, printer market.

I don't want to be paid for it. I just want it to not happen.

Only when fully disclosed and blockable.

> ... with licensing agreements handled by lawyers and corporate security.

So it's helpful when it's someone else's problem?

It is helpful when the company doing the telemetry really values you as a customer and you have teams of people responsible for understanding and negotiating the details.

It is not helpful when the absence of competition forces you to accept one devil or another and little power (or time) to understand how your information is being gathered and used.

It's helpful when the iSeries calls IBM to get someone out for part replacement. Both parties know the whole deal since there is an actual contract with specifics. Consumers don't have 'contract support' unless they have cash.

> Consumers don't have 'contract support' unless they have cash.

So what do you propose then? Every website have a paywall and block poor people?

Plenty of people are happy to share information on the Internet and even to pay small sums of money to do so.

If you aren't interested in sharing information without selling visitors data, your service isn't viable without charge, or nobody is willing to pay you, everybody is probably better off without what you're trying to offer.

This isn't a website, it's a printer. We're already paying customers. If there was a paywall, we passed through it when we went to the store and dropped $100 on their product.

I suppose the big problem is that everyone gets into the data broker business when they get big enough these days. It fundamentally changes the expectations of your relationship with the company.

It's a lot like the Vizio/Samsung/etc Smart TV privacy fiasco. Back when you bought a $699 21" Zenith tube television, their business model was transparently "we make and sell televisions." The up-front cost was sufficient that they weren't too concerned with a trickle lifetime recurring revenue. There's no real place in that business model to focus on a data gathering side hustle, and you as a consumer had no reason to think they'd be interested that you kept the knob on UHF all night.

Similarly, if HP's business model is legitimately selling printers and printer accessories, there's very little information they need but are not getting from their existing "what retailers order for restock" and "direct sales and ink-as-a-service" channels. Even the obnoxious personalized 'you print lots of photos, buy our photo paper' ad doesn't require remote data submission; you could calculate it on the fly locally and pop up a banner, just like with 'you've printed 29 pages, time for a new cartridge!' I could see system and document info for crash log purposes, but even that's a one-time permission request you can make on demand.

I guess what's amazing is how much the tail has come to wag the dog-- they'd rather creep out people and run the risk people finding out losing the $100-plus-years-of-expensive-consumable sale in order to get that sweet sweet consumer-profile data worth a few dozen cents per-user in quantity.

Honestly, I want to replace my arthritic LaserJet 5 with something offering duplexing and more than four real-world pages per minute, but new printers seem to be doing everything they can to be a distasteful purchase instead of an exciting one.

Corporations with professional legal counsel have more power than individual consumers.

Realistically you want it at the router level. Force all traffic through a transparent proxy like mitmproxy with some custom code to strip out the sends you don't like. Stop all those IoT devices.

It's on my plate to make a go at it, with some inspiration from pihole. But really it'd be about enabling myself to use some of this great data without sharing it with a third party.

For example, I'd wear my fitbit if it wasn't reporting in to their servers. But if I force my phone through a VPN, which routes through my transparent proxy, I could feed fitbit junk data while scraping the pieces I want to my own system.

We need apps that take control of these devices and their telemetry away from the third parties.

Router solutions tend to work only for static/controlled lans. Nearly 100% of my time connected to a network is not under my control (someone else's wifi or telco). Another problem with router and other solutions such as pi hole / hosts is that they apply rules in a generic manner without regard to context. eg. On my Mac I use Little Snitch to disallow any comms with apple, except when it's App Store. Appalled at the telemetry that vscode allows, I've gone back to sublime text 2.

On my Android (sadly without root), I use NetGuard for similar purposes. I blanket disallow google for many apps. I allow carte blanche to my personal servers for apps that I use, but any telemetry of theirs is stonewalled.

In Firefox I use containers to separate FB/Twitter to their own hole, while I blacklist them in uMatrix for every other circumstance.

That said, things like doubleclick and crashlytics are fine to be black listed throughout a network.

My thoughts were more targeted toward a properly sandboxed os that gives users the chance to control on a port/ hostname level what is being connected to.

> Realistically you want it at the router level.

I do both.

I run a firewall on my phone mostly to prevent applications from communicating out without my express permission. I also don't turn on my phone's radios without connecting to a VPN that I run at home, so that all of my phone's traffic gets routed through the defenses I've set up for my home network.

On top of that, I avoid using the web on mobile devices to the greatest degree possible.

Philosophically, I completely agree with you. The problem is that this isn't inherently possible because the whole thing could be E2E encrypted.

I know there is a Linux (python?) client that will sync (at least some models of fitbit) to their cloud service. But I've no idea if there is one that will dump the data locally. It's entirely possible that the cloud client is merely passing along an opaque blob.

Why not just block everything the printer sends? When does a printer actually need internet?

That's exactly what I do on my Mikrotik router. I assign a static address to my printer and then disallow any outgoing internet traffic coming from its internal IP.

Yes, removing Internet access is always an option (although eventually we might have to physically disconnect wifi antennas or use a Faraday cage...).

I was responding to a comment that was talking about creating Free Software to communicate with the device, specifically the idea of proxying access to the corporate server and modifying the communication, rather than implementing the whole protocol from scratch.

I'd guess the Fitbit protocol is encrypted, from a desire to keep people from cheating their activity reports. If a company wants to spend the development time, there is basically nothing that can be done to prevent a device requiring Internet access on a dumb-pipe all-or-nothing basis.

Although this comment may seem a bit extreme: I looked at the rubbish that Fitbit installed on my laptop several years ago. I decided to throw my Fitbit out after scrubbing my hard drive of their software. So, although it's fair to assume their software's probably improved since then, I'm not buying.

Faraday cage for the win. My printer stays offline - period. If something needs printing, I have to sneakerware it. If I'm unable to do that, I rethink whether it really needs printing in the first place :D

Hosts file blocklists work well for known domains. https://github.com/StevenBlack/hosts

Each application shipping with its own DoH resolver - spearheaded by browser vendors in the name of security - will put a lid on that.

They are rightly saying that DoH will secure requests from tampering --- but when it's the owner who's doing the tampering, it becomes yet another anti-user security feature.

Personally, I'm less concerned about privacy of DNS queries than the loss of control and need to have another centralised third-party in the process.

It was a bad security feature anyway, easy to bypass

On Firefox it is configurable or even disablable trivially. Much ado about nothing.

That doesn't mean the other apps which use DOH will also be trivially configurable to disable it.

This is exactly correct. The purpose of DoH is two-fold; for Google, to allow themselves to be the endpoint DNS resolver so they can both bypass local ad blocking and collect statistical behavioral data (I am aware that their policy does not permit them to do this; it will certainly not be the first time Google violates their stated policies in the mission of serving advertisements), and for e.g. Cloudflare, to centralize and control additional pieces of previously-distributed Internet infrastructure (and thus permit centralized monitoring not if but when they are compelled or subverted by the intelligence community).

Mozilla I don't understand. The most likely explanation appears to be that they are still in a catch-up-to-Chrome mindset, which is a disservice to themselves and their community.

DNS queries should be encrypted. Centralization-by-default is not the answer and people should look more closely at the incentives in play by those pushing the DoH standard. I appreciate the efforts of e.g. OpenBSD to prevent this side-channel leakage of user data to private corporations: https://undeadly.org/cgi?action=article;sid=20190911113856

> Mozilla I don't understand.

Mozilla also send tons of users data to Google, and, probably, gets money/better contracts/other benefits.

Proof: https://twitter.com/jonathansampson/status/11658588961766604...

A good DoH feature is that it distrusts the local network's services in favor of ones on the local device. Especially with Comcast, Verizon and others doing bad stuff with traffic, not trusting the network providers looks like a good thing.

Ideally one could change to any range of DoH resolvers - right now there's 3 or so.

DoT and running your own recursive resolver is better still.

Or if you work at an ISP, set up an alternative DNS that users can opt out of, for blocking telemetry for everyone except those that really want it. Invert the playfield so to speak.

I'm glad I'm not the only one concerned about this.

As far as I'm concerned, Google are only interested in DoH so far as prohibiting DNS level adblocking within their walled gardens.

Everyone thinks they're working toward tamper proof connections for the benefit of users, but it's really for the ad companies IMO.

And manufacturers. I tried to install system-wide cert on my Android to intercept and see exactly what system apps on my old Nokia phone were sending to Chinese servers but couldn't because Google thoughtfully "protects" its users. Tivoization at its worst.

jup, I am concerned as well.

Cloudflare DoH fortunately uses its own domain for DNS, so you can block it at firewall level.

Google could be evil and make resolver "google.com", so you would have to block whole google.

I was talking to a few people, of creating a list of all public doh servers, so we could all use it on our firewalls to block them.

That doesn't help if ad companies and other attackers set up their own DoH resolvers.

That's why I've installed a MITM proxy for all HTTPS connections over my LAN.

Last time I put a large list of blocked domains in my /etc/hosts file, it was causing a non-trivial amount of delay (hundreds of ms) to every DNS lookup. I guess the hosts file is not designed to be scalable. I ended up running a local DNS server (which is able to use those blocked domains lists without a noticeable performance hit). These days I just use pi-hole running on a spare Raspberry Pi.

Automatic blocking doesn't work cos they are constantly coming up with new ways to bypass blocks.

Here's what I use. There's a free tool called Windows Ultimate Tweaker. It'll help with basic settings.

Next, Du Meter - shows network traffic right on taskbar. If I'm not actively using the internet and Du Meter shows 1MB/s, I get suspicious.

Finally BWMeter. I'll say it's little snitch for Windows. It'll alert you any time an application tries to access the internet. You can allow/forbid temporarily or permanently.

They are all light on resources. BWMeter's UI isn't great but it gets the job done.

Anyone know Mac equivalents?

Little Snitch


And Activity Monitor in the Dock (Icon set to Network Access)

iStat Menus will give you amazing insights on your system in the menu bar. It has a rich choice of views.

There's also Little Snitch for network monitoring.

For the rest, haven't researched much.

Not running any of the bad OEMs' specific software and relying on in-kernel drivers to talk to whole classes of hardware seems to work.

Pi hole, and similar, and block all other DNS, would probably be a good start.

Tackling it on the edge firewall, looking at what goes through, and blocking it there is the second step (but since a lot of it is going to various cloud providers and Cloudflare, this is often not an option).

I'm reasonably sure this stuff doesn't fly in the EU anyway (hiding away information like this deep within some privacy document is not the clear consent the GDPR requires).

Tools are becoming available though. Projects like PiHole are making it easier to block many malicious trackers. There are even companies selling pre-built PiHole devices. Unless HP is hardcoding IP addresses, it's only a matter of adding the required domains to a tracker blocklist (if they're not already on there) and most of these problems go away nearly instantaneously.

I've noticed my PiHole helping a lot in regards to stuff like mobile apps (Google Analytics, Facebook Graph, etc.) and embedded devices like these are probably no exception.

I can tell you that my UK printer has the same shit!

I went through it with a magnifying glass to make sure it didn't select anything.

In addition, I set up the IP stuff manually on the printer to ensure there was no gateway... can't get out without a gateway.

I used to do the same exact thing.

At some point, though, I noticed that "something" [0] still managed to "get out".

After running some packet captures, it became clear what was going on. Although the device was using the network settings that I had manually configured, I had not specified a default gateway. The device decided it would use DHCP to discover the default gateway for the network and began automatically using it so it could get out to the Internet.

Since then, I've started specifying a default gateway for any devices that I don't want to get out. I give 'em an IP address that isn't in use on the network and, fortunately, I haven't run into any other instances of crap like this happening.

[0]: I really wish I could remember what device this was but it's been a long time ago and I really have no idea, sorry.
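The failure described in the comment above (a device with no configured gateway picking one up over DHCP) only shows up if the traffic is actually checked. As an added example, not written by any commenter in this thread, here is a Python check over router flow records that reports LAN-only devices reaching non-local destinations; the flow-line format, all addresses, and the names `find_egress` and `is_local` are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample flow records: "timestamp src dst proto dport".
# Addresses are made up (RFC 1918 LAN, documentation ranges for "internet").
SAMPLE_FLOWS = """\
2019-10-01T10:00:01 192.168.1.50 192.168.1.10 tcp 9100
2019-10-01T10:00:05 192.168.1.50 224.0.0.251 udp 5353
2019-10-01T10:00:09 192.168.1.50 255.255.255.255 udp 67
2019-10-01T10:02:13 192.168.1.50 203.0.113.25 tcp 443
2019-10-01T10:02:14 192.168.1.50 203.0.113.25 tcp 443
2019-10-01T10:03:40 192.168.1.20 198.51.100.7 tcp 443
2019-10-01T10:04:02 fe80::1234 ff02::fb udp 5353
2019-10-01T10:05:30 2001:db8:1::50 2001:db8:ffff::1 tcp 443
malformed line
"""

# Assumed addresses of the device that should stay LAN-only. The IPv6
# address matters: an IPv4-only block rule says nothing about IPv6 egress.
QUARANTINED = {"192.168.1.50", "2001:db8:1::50"}

# Assumed prefixes that count as "inside" for this network.
LAN_NETS = ["192.168.1.0/24", "2001:db8:1::/64"]

BROADCAST = ipaddress.ip_address("255.255.255.255")


def is_local(dst, lan_nets):
    """True if dst never needs a gateway: LAN, link-local, multicast, broadcast."""
    if dst.is_multicast or dst.is_link_local or dst == BROADCAST:
        return True
    return any(dst.version == net.version and dst in net for net in lan_nets)


def find_egress(flow_text, quarantined=QUARANTINED, lan_nets=LAN_NETS):
    """Count flows from quarantined devices to destinations outside the LAN.

    Returns {(src, dst, proto, dport): count}. Unparseable lines are skipped.
    """
    watch = {ipaddress.ip_address(a) for a in quarantined}
    nets = [ipaddress.ip_network(n) for n in lan_nets]
    hits = Counter()
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        _, src, dst, proto, dport = fields
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue
        if src_ip in watch and not is_local(dst_ip, nets):
            hits[(str(src_ip), str(dst_ip), proto, port)] += 1
    return dict(hits)


if __name__ == "__main__":
    for (src, dst, proto, port), n in sorted(find_egress(SAMPLE_FLOWS).items()):
        print(f"{src} -> {dst} {proto}/{port} x{n}")
```

Local print jobs, mDNS and DHCP broadcasts from the printer are ignored, so anything reported is traffic that had to cross a gateway.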

These kinds of concerns are why I put all my "untrusted" devices on separate VLANs, so I can reliably shut them out of the internet. Simple VLAN-enabled switches don't cost that much any more. Such a switch allows you to treat any port of the switch as a distinct network interface on your main router, where you can just disable forwarding for selected interfaces entirely. It also prevents your untrusted devices from seeing each other, i.e. your printer won't be physically able to send ethernet frames to your VoIP phone, even if connected to the same switch. Here is some introduction to the concept:


> Simple VLAN-enabled switches don't cost that much any more.

They're dirt cheap and have been for the better part of a decade. If you're looking to upgrade, cost isn't a reason not to.

I did exactly that:



My printer is in a VLAN which has no route out over the Internet. (The second link there uses VLANs).

True, but assigning it a static IP and blocking egress traffic originating from it should accomplish the same thing.

I think static IPs and blocking egress traffic only keeps well-behaved devices from doing any harm.

It does not protect you from compromised, malicious (IoT) devices. Think about a network printer doing ARP spoofing and MiTM-attacking your VoIP phone or IP cam. E.g. googling immediately turns up vulnerabilities like this [1] one. A properly configured VLAN setup can help to prevent or limit this threat.

[1] https://www.scmagazine.com/home/network-security/hp-officeje...

New printer next year: "Hmm, I can't contact my telemetry server with these internet settings… time to connect to any open Wi-Fi I can find nearby!"

VLANs, huh? I'll have to Google that sometime. ;)

Are you up for filing a GDPR complaint with the Data Protection Authority? :)

I’d like to see a big hardware company explaining its shareholders that they got a fine of 4% of the company’s worldwide revenue because they wanted data that was supposed to increase sales.

I think we need laws.

Take a look at GDPR

I vote with my money. Laws are lazy, trivial to insert exploits into and stacked with unintended consequences. Education is much more effective.

Passing laws is pragmatic. Individual boycotts are idealistic, they go totally unnoticed and the status quo continues.

The "status quo" argument of apathy is self-fulfilling. There are few things that are more effective than market forces, hence the 24x7x365 war for your opinion.

Note how often people say "insert law here". Compare that with how many times they actually propose the text of a law. Our most effective laws are exceptionally simple and short. It's not accidental that "modern" laws are intractably complex.

How about try it? Propose the law.

Some people, dare I say most people, care more about results than dogmatic adherence to libertarian free market ideology. That is why effective regulation is everywhere you look. Regulation is popular and effective, regardless of how badly it offends your sensibilities.

Or? Is it in theory possible that your perception of reality is off?

Government regulation of the net (aka speech) is a non-starter, so the people who think "insert rule" fixes something are forced to rebrand it to "net betterness". More than half of the general public is wise to these techniques.

What "pragmatic" law do you have in mind?

Government regulation of businesses that happen to have websites (aka 'regulation of the net') is already reality. Pretty far from a "non-starter"

Surely you have at least a sketch of the law in mind?

Hey I am interested in application level firewalls. Can you please share how you do this?

I think GDPR helps in some cases, but I suspect as the laws are analyzed and tested in court, the old habits will come back.

All OS vendors benefit from this telemetry, so they all have it and support it. Microsoft collects lots of data, but don't be fooled, Apple also collects lots of telemetry.

I think what folks will start to realize is that RMS was right and only free software will be the only way to navigate this mess (since users are not denied access to the source code, which can be analyzed and the idiocy removed, like people do with ubuntu).

Former HP employee here. HP made and still makes great hardware products. Ink is the cash-cow and this won't change in the near future. The thing I always hated though was the bloatware. I remember that every time I was buying an HP laptop, I would back-up the drivers (.inf), then remove all the JUNK, and then reinstall all the drivers. JUST the drivers.

Fortunately for me I have the skills to do so. Unfortunately the majority of users have to suffer the bloatware and weep for the lost CPU and RAM that garbage wastes.

Nope, the hardware was great, back in the 80s, 90s, then once Compaq was swallowed, HP lost their way. The only sane answer has been to avoid their products since 2003.

Check out Samsung or Brother for printers that don't involve bullshit. Any Asus beats any HP laptop and HP "server" gear, jajaja

> Any Asus beats any HP laptop

The HP Spectre line runs Linux out of the box with full device support. Asus is hit or miss.

Otherwise, yes, you're absolutely correct.

> The HP Spectre line runs Linux out of the box

And guess most of HP ProBook line. Asus sucks here, plus zero chances to get any support.

Oh, yes, I fought for days with the trackpad on my Asus S410U. I forgot about that.

Samsung printers are owned by HP now. Expect the same within some time.

Using the manufacturer-provided drivers will usually result in junk as well. It is always best to know your hardware and try to find the drivers from each hardware vendor, or sometimes Windows 10 drivers work well too. You can usually get this info from the device hardware vendor ID and product ID if you're using Windows. With Linux, pretty much everything is automatically packaged with the kernel.

This. I simply don't trust manufacturer-provided drivers.

In college I worked at the computer support desk for students. Certain models of HP laptops were notorious for the wifi module failing, conveniently just outside of the warranty period. I would never trust HP hardware.

I gave up on them when the inkjet I had bought produced a small mountain of dried ink inside it with its constant cleaning cycles. There was more money in that dried ink than I had paid for the printer.

This was a very different experience from the monochrome DeskJet 500 that was such a workhorse. And the 7470A plotter that dad used for over a decade.

If you don't need color, try a laser printer. Toner doesn't dry out; you only pay for what you actually print.

> Toner doesn't dry out; you only pay for what you actually print.

Beware, however, that if you live in a very humid climate, toner will clump easily. I suspect this is why inkjets are very common in Southeast Asia, whereas lasers are not as popular there.

One needs to keep in mind that toner dust and ozone may pose a health risk when printers are used close to where people live/work.

Many printer manufacturers nowadays sell inkjet printers with laser-printer like operating costs, where ink is dirt-cheap, but the printer is correspondingly more expensive. Google for Epson EcoTank or Brother Inkvestment.

Dust from toner clearly provokes cancer. You need to be careful for those who have a lot of printer work.

Get a laser printer EVEN if you need color.

Color laser printers are slow, but not expensive.

That's what I did. Got a Brother HL-5370DW and it's been excellent.

I have the HL-L2360D and it's been great. I love the IPP Everywhere drivers and don't have to worry about anything in particular anymore.

After this I would only get a printer which has IPP Everywhere or at least is supported by foomatic-db. hplip can get lost.

I can also get non Brother branded cartridges as they don't make a habit out of selling the printer so cheap that they have to then rape you on the price of the cartridges when it's time to refill.

The non-Brother branded cartridges work just as well as the official ones and I can go into any major office chain and buy them off the shelf.

Second this- the really great thing about the brother lasers is awesome Linux driver support. The install process was simpler on Debian than even the windows setup, which is certainly not the case for HP gear (hplip, the less I think about it the happier I am).

What? I've never had any issues with my HP laser printer in Linux.

I can attest that in Windows 10 I always have to delete and re-add the network printer whenever I want to print something because apparently being offline even once is enough of an upset to send the Windows printing system into paroxysms of fear, where it will tremble mightily, unable to re-try in less than 20 minutes. Don't get me started on how it's impossible to share a cellular connection over Ethernet because plugging Ethernet in turns the cell connection off to "save power" either. That little turd of a feature cost me a couple hours last week.

Same here never had a problem with my HP laser printers on linux

This, and for most Brother printers there is a page counter bypass for toner carts.

HP has this as well for the printers I have.

I have a color laser printer that's 4+ years old, was cheap, and still works great. Color laser is not expensive like it once was.

I once briefly owned an HP inkjet printer that I bought new for some ridiculously cheap price. When I found out what inkjet cartridges cost, I unplugged it, walked to that little room by the elevator in my high rise, and threw it down the dumpster chute.

HP went down the shitter as far as I was concerned when “the HP way” went. This happened when they spun off Agilent which took it with them.

I have actually physically assaulted several HP products since then. Literally nothing but aggro.

All the agilent test equipment I've worked with is still solid AF. It's sad HP consumer stuff, particularly ink jet printers, is cheap junk. Enterprise stuff is fine though

Yeah same. I just bought a new display for my 20 year old 34401A! That’s service.

Enterprise. Not so good. Arguing with Broadcom NICs and blade chassis switch problems for a decade and a half makes me happy about AWS.

Hahaha that’s exactly it

Exactly. And then that Republican philosophy major hag. And then the sex at work CEO.

Even if you take trust out of the picture, this sort of nonsense leads to a crummy user experience.

The customer needs to download and run an installer, accept a license agreement and configure a bunch of options that have nothing to do with the primary function of the hardware, then they can configure the actual hardware. In the end the user will usually end up interacting with vendor specific (or even model specific) software to manage the printer or configure print jobs.

None of that is truly necessary. Microsoft can detect hardware and provide plenty of drivers under their operating system. The typical desktop Linux distribution can do the same. In both cases, the key are licensing agreements that allow for it. Those licensing agreements are much more flexible if the software isn't collecting analytics (either for telemetry or marketing).


> I don’t think that “is it OK if we have your printer collect metadata about your devices and what you print, and then use it online advertising?” is a question that HP should even be asking. They already know the answer, and all they’re really doing is giving people who have already paid them several hundred dollars for a cheap but functional printer the opportunity to make a mistake.

...is so true, and HP are far from the only culprits here.

The bloat in HP printer drivers has been well known for a long time, and I'm not surprised "telemetry" is now part of that. I stopped "upgrading" printers when they still used parallel ports and standard drivers the OS already had (no need to even touch the installation CD), so I don't know if the newer ones can also be used without installing the extra crap.

I imagine that a user’s data is exfiltrated back to HP by the printer itself, rather than any client-side software.

To me, that's a good reason (among others) to use a print server and plug the printer into it instead of a printer with its own networking; or if you must, keep it behind a firewall with no access to the Internet. Although I have no interest in owning one, I'd be curious to packet-sniff one of these.

> To me, that's a good reason (among others) to use a print server and plug the printer into it instead of a printer with its own networking

That's an excellent idea. I wish I'd thought of it.

I have a couple of old Airport Expresses lying around with USB ports on them. I wonder if one of them could be pressed into service in this manner.

I did this, just needed to torrent and install an old version of 10.6 on a VM so I could configure the airport.

Raspberry pis also make decent print servers

Another option is to a) give your printer a static IP (or set up DHCP to assign its MAC a consistent IP) and b) add a routing rule to not forward packets from that IP.

(However, a print server is strictly better if only because you just can't know what such a printer is going to do on your network!)

My epson printer specifically says this when you install the driver. At least they're being upfront.

I don't like it but I don't know how to disable it and don't have the time to look into it.

Arguably much worse than all this is the yellow dots tracking on some colour printers https://www.eff.org/deeplinks/2008/10/effs-yellow-dots-myste...

> I don't like it but I don't know how to disable it and don't have the time to look into it.

They know that almost nobody does, so they bank on it... it needs to be regulated.

This is foolish on HP’s part, not just because of the reputation fall out, but the low value of this data coupled with the massive risk it poses to governmental departments or journalists.

We don’t know how the data is being sent or stored nor whether it’s being anonymised sufficiently - if at all.

I would say this kind of data snooping is software malfeasance and could really pose a serious risk to individuals and organisations printing sensitive documents on HP printers.

What is a good low-end laser printer or multi-function device to recommend to non-technical friends that "just works" ? I don't like HP for the reasons mentioned in the article and other reasons (blaring WIFI-DIRECT interference from their printers in houses all around me)

We bought a Brother a few years ago, because it supported Google Cloud Print. The idea was that my son, who used a Chromebook, would be able to easily print. The problem came when the GCP worked only for a limited time, and then stopped working a few weeks after we got the printer. I was able to set it up to work via a Linux machine and the "cloudprint" daemon, but this was supposed to be _EASY_ and it wasn't.

Assuming this was just a problem with GCP, I recommended a Brother to an Apple-using friend who was trying to decide between an HP and a Brother. She uses airprint (I'm not a Mac/iPhone person, so I never tried it). And she has the same problems with the printer just not being found as an airprint device.

I have only good things to say about Brother printers. My old laser printer (actually a bigger printer/scanner/copier all-in-one with the option to autonomously scan to email) died just last year after 18? years of service. If I were to buy a printer today, I'd choose Brother again, but I just don't do much printing these days, and it's just a 2 min walk to Staples from my place where they do all kinds of printing, scanning, and photo services.

> I just don't do much printing these days, and it's just a 2 min walk to Staples from my place where they do all kinds of printing, scanning, and photo services

This is what I've ended up doing. We print maybe... 3-4 times a year? So I just walk down to a convenience store where they have a big multi copier/scanner/printer you can use for 10-20 cents a page. It also does photo printing so I don't have to choose between buying a laser or ink printer.

The only worry is you know the internal harddrives in those things are holding a copy of every thing that's gone through them, and god knows how they're going to be decommissioned...

Brother makes printers here with giant refillable ink tanks, instead of cartridges. Still on the ink that came with the printer when I bought it almost two years ago. On HP I would've had to replace the cartridge every few months for the same usage.

Except HP also offers printers with giant refillable ink tanks instead of cartridges.

Mine stopped working just after a year and a half. And replacing the printing head costs more than the printer.

We had a HP with replaceable ink tanks before. You still had to replace not just the ink tanks, but the whole printing head assembly because it would still clog up every half year anyway.

I've had a Samsung ML1665 for about a decade. I've needed one new toner refill in that period and I've not had any issues dusting it off every few months when I need to print a boarding pass or form. OEM refills are about £20.

Works fine with everything I've connected to it. Very basic, black and white, but it's fast and I see no reason to get a new printer any time soon. Occasionally I wish it had a scanner, but I can get away with photos. Never felt the urge to get a colour printer which pushes the price up significantly.

It doesn't do airprint directly, but most of these things will plug into a router with a USB port for network printing.

Note that Samsung sold their printer business to HP, unfortunately, so they are no longer an option.

They were brilliant until they were sold to HP. Great Linux/MacOS support. I bought one recently not knowing this, and though it works okay, there is no support, no driver updates etc.

I bought a cheapish Samsung laser printer.

I literally print about two pages per month, and it stopped being able to suck the paper up within the first three months. It can still print pages individually if you push the paper into it manually by sticking your hands into it.

It managed to print probably six pages before it stopped working properly.


There's a lot of variety within brands. An organisation I work at has a small Canon laser printer (generally no problem with Canon) - we travel around a lot and often don't have internet connectivity. That thing is useless. It doesn't work with generic drivers and the CD is out of date. Every time we want to use a new machine we have to remember to download the drivers in advance.

Many people swear by HP's older large-volume printers, such as the Laserjet 4200 or 4000 series. A toner cartridge lasts 10000 pages, and you can repair the things if the need arises.

I have a HP 4050N that I picked up at a 2008 financial crisis bank bankruptcy auction for 5 Euros.

I've printed thousands of pages and am on the same cartridge that came with the printer.

Amazing printer the way most HP devices were.

There is no USB, just LPT but there are USB->LPT adaptors

I've used brother laser printers, which seem to work without downloading an app or something.

We used the current model with USB, but it has ethernet and wifi and I have not analyzed what it tries to do with an active network connection. If I hook that up, I would give it an internal ip with no outside connectivity and see what happens.

I’ve also used a Brother laser for several years now and am happy with it. It doesn’t appear to try to phone home, but it’s on a VLAN with no internet access and limited connectivity to anything local. Even if devices like this are not phoning home, it’s still sensible to put them on their own isolated network (or network segment if you have an L3 capable switch) because the chances are their firmware doesn’t get frequent security patches so they could make a nice ‘beachhead’ within your network.

I personally use Canon Pixma series printers. They work really well with AirPrint and are not super expensive.

I’ve been using a Fuji / Xerox Docuprint M225 for 5 or so years now. Replacement toner was dirt cheap, and I expect to continue using this printer for another 5 or so years. Works with AirPrint and Google Cloud Print. WiFi can be finicky at times but nothing a restart doesn’t fix.

If you don’t like HP because of the article, why do you like Google Cloud Print? Do you really believe Google is collecting less information about your printing?

I've been using a Brother HL-L2350DW on Wirecutter's recommendation for the last year, and it was just fine.

I don't know if it spied on me, though.

For anyone else looking to quickly block internet access from their printers (note this is IPv4 only):

  iptables -t filter -I FORWARD -m mac --mac-source "${macaddr}" \! -d "<subnet>" -j REJECT

Replace <subnet> with your subnet. You may also want to manipulate chains besides FORWARD as necessary.

When I got a modern LaserJet at home (my LJ5 lasted forever), I intentionally got one with Ethernet, and without WiFi.

But all the cloud-y firmware features of the new LaserJet looked so sketchy, I decided not to connect the printer's Ethernet to my LAN.

Instead, I set up a separate little print server, which connects to the printer's USB.

Of course there are still vulnerabilities, but at least now it's not as overtly sketchy.

Couldn't you just drop Internet-bound packets in your router?

But yeah, USB is good enough for printers.

Yes, and I could additionally filter the permitted traffic to/from the expected TCP port(s) and directions for each. But my current home routers are OpenWrt, tend to get reflashed, occasionally lose their configs various ways, and aren't documented as well as one would like, so I try not to add much complexity there. A little print server either works, or it fails conspicuously (unlike rules on my plastic router, which are most likely to fail silently). If I ever get time to build a bit different router (e.g., pfSense or atop a normal Linux distro), I'll revisit that.

I found pfSense far easier to set up than OpenWrt. I've been running it on an Atom desktop for about seven years. I've updated more or less annually, and have only needed to tweak the configuration when I've moved.

Good to hear that's worked well. Looks like there's now some Atoms with AES-NI, for future pfSense support.

I did splurge on an Intel server NIC card. Which is why I went with a desktop. And I don't run any VPNs on it.

What I do with untrusted wifi devices like my AV receiver and girlfriend's printer is put them on a separate network that has all Internet access disabled by default.

So if I lose my configs, these devices will simply stop working. There is no way for them to accidentally connect to my real network (since they've never known the passphrase to those).

Wifi is actually kind of better than Ethernet for this use case, since even if you set up certain switch ports to be part of a different virtual interface, if you reset to the default config they'll have full Internet access again.

> even if you set up certain switch ports to be part of a different virtual interface, if you reset to the default config they'll have full Internet access again

This is why you usually just blackhole the default VLAN 1, and configure all your trusted devices to be on a non-default VLAN. Then if your switch loses its config, it defaults to nothing working rather than a free-for-all.

I like the idea of partitioning by networks, as well as a safe failure mode.

BTW, reportedly, there's already at least one brand-name TV in the wild that will automatically connect to any open WiFi it can find, for the purpose of phoning home. When I upgrade to 4K, I might have to get a commercial monitor instead, or do some Dremeling.

Do you happen to know which brand or even model of TV that is?

That still doesn't protect you from malicious drivers and bloatware installed on your workstation though.

Well, it's been several years since I used a printer.

But if I did, I'd use an open-source driver in Linux.

The relatively svelte "MakeModel HP LaserJet Series PCL 6 CUPS" driver works for my (newer) model, and is faster and much less nonsense than the hplip driver.

Good to know that the world and Hewlett Packard are just as disgusting as I assume they are. I get called cynical but it’s reality.

HP appears to only want to collect analytics metadata for product decisions, asks permission beforehand, grants the option to turn off telemetry, and are super transparent about exactly what's collected. That sounds reasonable to me. What does this Stripe employee have to gain from scaremongering people about HP? If corporations face unfair backlash for being open about their data policies, they'll just do it in secret.

My definition of super transparent and yours seem to be different.

> If corporations face unfair backlash for being open about their data policies, they'll just do it in secret.

Not in EU. (citation not needed, use google)

(edit: I do not agree it's unfair)

They obscured as much as possible while still complying with the law.

Turning it off is also not easy or straightforward as the article explained.

HP became one of the biggest in the printer market without their printers collecting so much metadata.

I agree with author, this reality where everything snoops on you pisses me off.

They are legally required to be open about their data policies.

The intention of course is to enable discussion like this.

If they start collecting data in secret they will be punished for it.

Collecting data on hardware devices, or anything else people pay money for should never be considered reasonable under any circumstances.

> If corporations face unfair backlash for being open about their data policies, they'll just do it in secret.

That sounds suspiciously close to extortion. "If we tell customers what we're doing and they hate it, let's stop telling them" vs "if we tell customers what we're doing and they hate it, let's stop doing that stuff".

HP lost my respect and recommendations for anything consumer level or that could be consumer level years ago, but I did like their largish printers (M600 series). Maybe not up to the standards of the older business LaserJet printers but still pretty good.

The thing that made me decide against HP products was the change on server firmware updates (bios, management controllers, etc) that basically requires an active warranty or service contract for updates. I'm just waiting to see a wormable iLO exploit that's easy to patch... As long as you're a paying HP customer.

As a diver, my personal favorite HP-related disaster is documented in Last Breath (1), where a saturation diver was almost killed when the support ship's dynamic positioning system failed. Ultimately, the solution was to reboot all the control computers. You have to pay attention, but they clearly show (I don't think it's an accident or a prop) that they're rebooting HP machines.

That had to make somebody in Palo Alto flinch.


> The thing that made me decide against HP products was the change on server firmware updates (bios, management controllers, etc) that basically requires an active warranty or service contract for updates. I'm just waiting to see a wormable iLO exploit that's easy to patch... As long as you're a paying HP customer.

LVFS is seeing some success in consumer stuff. I hope it starts to catch on for server gear as well. Then we can start requiring firmware update via LVFS [1] as a hard requirement in RFP's and wave goodbye to these kinds of shenanigans.

[1] https://fwupd.org/ . This uses UEFI Capsule support to distribute and install the updates, similar to what apparently Windows is also doing these days.

It needs to be a lot easier to detect this is happening and stop it from happening, in the router.

I almost never visit my router's web interface, and when I do it's either to reboot it because it's acting funky, or check if it needs a firmware update. There's just nothing useful there. It's absolutely packed full of totally useless information.

And yet such a golden opportunity to provide actually helpful management functionality of all the devices on the network.

I'm not saying there aren't good products out there that do this, just sort of lamenting that routers differentiate on the colorful plastic molding instead of actually helping to manage, monitor, speed up, secure, and protect my devices, and when needed, protect me from my devices.

Last small office system I ended up using Draytek Vigor ADSL as it had a sensible max device limit, the ISP one would crap out at around 30 MAC addresses. The device management was pretty good and I wish I had the same kit at home (currently using an ISP provider router).


We've been using HP's Instant Ink subscription service for about two years now. Basically, you pay $3 a month and can print up to 50 pages. HP remotely monitors your ink levels and sends you replacement cartridges automatically when the cartridges need to be replaced. We tend to print close to 50 pages a month but have never gone over, so it's not a terrible deal.

Obviously, I would prefer to go with lower-cost third-party ink cartridges. But the printer companies tend to be doing more and more to make that a pain. With my last printer, you could use a third-party cartridge, but only after you dissected the original, peeled off its chip, and glued the chip to the new cartridge. And even then, you'd deal with the perpetual warnings about low ink even though you know the new cartridge has plenty of ink.

So Instant Ink is something we've done begrudgingly, sort of like buying overpriced movie popcorn. And in order to work correctly, it needs to be able to track how many pages you've printed, and we get occasional alerts when it gets knocked off wifi and can't communicate with home base.

Please stop supporting that. That business model really needs to die.

> Basically, you pay $3 a month and can print up to 50 pages. HP remotely monitors your ink levels and sends you replacement cartridges automatically when the cartridges need to be replaced.

Ugh dollar shave club for printers or something?

I refuse to engage in thing-as-a-service. The only reason companies do this is because they know if they bleed a little bit out of you each month you're more likely to say "it's only a couple of dollars". It all adds up costing huge amounts in your monthly expenses.

They then also know there's a huge portion of customers paying for this who aren't using their '50 sheets', so wow, they've just built a model where customers pay for a thing they don't use and they don't have to provision for.

> Please stop supporting that. That business model really needs to die.

I would up vote you more than once if I could.

My friends love dollar shave club, and I'm like "buy a safety razor for $20-30 bucks and a bulk pack of razor blades and you will be set FOR YEARS."

My grandfather would sharpen his razor blades on his jeans, one would only need one razor blade if maintenance included sharpening the razor.

I use straight razors. With the right care they will indeed last a lifetime but I’d caution that it’s more than ‘sharpen it on your jeans’. For a start most are made of mild steel rather than stainless so you need to store them completely dry otherwise they’ll rust (so keeping them in the bathroom is hard given it tends to be a moist environment).

Nitpick: mild steel is awful for blades as it is too soft and cannot be hardened. Most likely they are some sort of high-carbon steel.

Sorry, yes you’re right! Carbon steel. I should add that you can buy stainless steel straight razors but they’re much harder to sharpen properly so I think not very popular.

> My friends love dollar shave club, and I'm like "buy a safety razor for $20-30 bucks and a bulk pack of razor blades and you will be set FOR YEARS."

I got given one of these https://getrockwell.com/products/rockwell-6s-gift-set after I mentioned I wanted a stainless steel one and it was given to me as a gift.

Apparently it started from a kickstarter a few years ago https://www.kickstarter.com/projects/rockwellrazors/rockwell...

The person who gave it to me knew I am environmentally conscious. I remember reading that those cartridge razors are really bad for the environment as they are a mix of steel and plastic.

Now I can just use regular razor blades https://www.amazon.com/Feather-Razor-Blades-Hi-stainless-Dou... $22 for 100.

Feels good to not be locked into some proprietary mounting too, kind of the same feeling as using free software. hah.

I prefer it to my old Gillette one. More blades is not better, that is all marketing, and they just get clogged, ugh.

I don't see how being in a "club" that I have to pay any kind of "annual" fees would help me.

The idea is I have reduced my costs significantly and have everything I would want. Occasionally I buy a new tub of shaving cream when I run out. I am adult enough to go "that looks like a nice scent I will try that", and then decide if I want to buy more next time or buy something else.

I absolutely detest "monthly" or "weekly" payments of anything. The only exception I make is for utilities, or service contracts. If it's neither of those things why should I pay more than once? or pay for someone to trickle samples out in the post to me?

Or buy an electric shaver. Mine probably cost about AU$80, and has lasted at least 6 years. No sign of it going wrong, and I've never needed to replace/sharpen the blades, though apparently replacement blades are a thing.

Depending on how heavy your beard is, an electric shaver does not come close to the cleanliness a "wet" razor will get you. Maybe your mileage/needs vary.

> an electric shaver does not come close to the cleanliness a "wet" razor will get you

As someone who used to use an electric shaver since his teenage years I wholeheartedly agree. I do not grow a beard, hate them in fact and am always clean shaven.

I never ever once got a shave anywhere near as close as I did with a razor. After a while you can do it in the shower blind without a mirror just from feel.

On the other hand you never cut yourself with an electric razor. I used a wet razor for years but recently switched to electric because of this.

> On the other hand you never cut yourself with an electric razor. I used a wet razor for years but recently switched to electric because of this.

I only cut myself very early on when I was new to it. That was about 5 years ago. I have now been using a razor exclusively for years now and cannot remember when I last cut myself.

I also use it for trimming other places too, haven't cut there either.

Depends on the model. My first electric razor lasted somewhere around 10-12 years with no issues, before it broke and I needed a replacement. The replacement was a newer version of the same model, and caused bleeding around my adam's apple every day guaranteed; I downgraded and haven't had any issues since.

> The replacement was a newer version of the same model, and caused bleeding around my adam's apple every day guaranteed

Those rotary ones are notoriously bad, they will cause pulling. I found the foil based ones like the braun series 3 to be a lot better in that regard, closer shave too, still nothing like a razor though.

It wasn't a rotary one though. The one that caused bleeding was a Braun Series 1-195s, while the good one is a Braun Series 1-190s.

The blades on the 195s are parallel with the foil though, while the 190s are perpendicular, so I'm sure it's the same problem.

Interesting. Mine is an old Philips Philishave, which use the rotary blades.

Pulling isn't really an issue unless my facial hair is extremely overdue for a shave. eg 4-5 days worth of hair.

When that happens, I just use my trimmer to take it back to near stubble, then use the above Philishave to finish things off.

You definitely should replace the blades at least every couple of years. The difference after doing so is noticeable.

Buy a cut-throat and be set for life.

Seriously though, I have a safety razor, but I can't get a satisfactory shave out of something where the head doesn't pivot, so I use the local co-op's budget razors. They are pretty much the same as dollar shave club's, but I don't have it here, and I'd rather not buy shit on subscription.

There are two things in the home that can be reused when I am dead: my model M and the safety razor.

> Buy a cut-throat and be set for life.

You can get straight edge razors, a place I went to the other day was selling them. https://www.beardandblade.com.au/collections/straight-razors

They look really expensive, but I guess you'd only ever buy one once and then just sharpen with a strop https://en.wikipedia.org/wiki/Razor_strop

I think they would only be good for 'certain' places on your body though, ie your face.

>I refuse to engage in thing-as-a-service.

As a side note, whether one uses it or not, it should be called what it is: thing-as-a-monthly-subscription (often automatically renewing itself).

Maybe it is just me, but to me something "as a service" is still something I pay "per use" and not something I pay a monthly or yearly fee in exchange for a given limited amount of something that I may or may not use.

There are legitimate advantages to this business model, and even though I'm not a fan of it myself I can appreciate the value proposition. One way to look at it is a form of insurance - it distributes an irregular large payment into a regular smaller monthly payment that makes it easier for budgeting. That can provide significant benefit in some contexts.

I mean - I can see why you would say that but Instant Ink has a free tier, and I actually am OK with selling my infrequent printing data for 15 pages a month + free ink so that I have a home printer for the few occasion when I need it.

There is no minimum usage level, and the fact they might know that some airlines require I print a boarding pass every few months, or some government form needs to be printed, filled out and posted - that's really not so bad for free (+ data).

I'm OK with them receiving that data.

$3 (I'm assuming USD) will buy you more than 100mL of black ink:


I have a CIS printer and dilute even further, usually a 5:1 ratio (it becomes slightly bluish beyond that point), but even as-is 100mL will print far more than 50 pages -- probably closer to 5000 if not more. At that point the cost of paper becomes more significant.

Edit: it looks like the other colours are the same price (when I last bought ink, which was a long time ago, CMY was slightly more expensive):


That's $360 over 10 years. Spend that right now to get an excellent color laser printer that will last that long. Whereas your inkjet is very likely to fail sometime in the next two years (4~5 year typical lifespan). And with the amount of printing you're doing you probably won't even run out the toner that comes included with the printer.

In my family we use Instant Ink and actually love it. We're on the largest plan (300 pages/mo). We spend less on ink now than we used to, and it is a huge relief to not have to make a late-night run to the big box store because the school project is due the next day and the stupid magenta has run out. The ink is always there, waiting to be swapped out, then you recycle the used cartridges when they're done. It's incredibly convenient for us, is a cost-savings, and I am reasonably okay with the fact that they know how many pages I print and the types of documents.

HOWEVER, I was recently looking at the bandwidth stats from my network switch, and was pretty shocked to see the printer has sent out several hundred megabytes of data back to HP over the past month. I knew it had to communicate with the mothership so they could charge me for my usage, but that should be a packet that says something like "User XYZ just printed 7 pages," which would reasonably be 5kb per job. I have no idea why hundreds of megs of data need to go out, and so I'm planning on doing some DPI investigation to see what in the world it feels like it needs to be sending.
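An added example, not part of the thread or any commenter's code: one way to quantify what the comment above describes, by totalling the bytes a printer sends to destinations outside the LAN from `conntrack -L` output on the router. The flow lines, addresses and byte budget are constructed, and it assumes byte accounting (`net.netfilter.nf_conntrack_acct=1`) is enabled.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the format of `conntrack -L` output. Each entry lists
# the original direction first, then the reply direction (post-NAT).
SAMPLE_FLOWS = """\
tcp 6 431990 ESTABLISHED src=192.168.1.50 dst=203.0.113.10 sport=49152 dport=443 packets=90000 bytes=120000000 src=203.0.113.10 dst=198.51.100.7 sport=443 dport=49152 packets=40000 bytes=2400000 [ASSURED] mark=0 use=1
tcp 6 431200 ESTABLISHED src=192.168.1.50 dst=203.0.113.10 sport=49153 dport=443 packets=60000 bytes=80000000 src=203.0.113.10 dst=198.51.100.7 sport=443 dport=49153 packets=30000 bytes=1800000 [ASSURED] mark=0 use=1
udp 17 25 src=192.168.1.50 dst=192.168.1.1 sport=40000 dport=53 packets=4 bytes=280 src=192.168.1.1 dst=192.168.1.50 sport=53 dport=40000 packets=4 bytes=600 mark=0 use=1
tcp 6 300 ESTABLISHED src=192.168.1.20 dst=192.168.1.50 sport=50100 dport=9100 packets=900 bytes=1200000 src=192.168.1.50 dst=192.168.1.20 sport=9100 dport=50100 packets=500 bytes=30000 [ASSURED] mark=0 use=1
tcp 6 100 ESTABLISHED src=fd00::50 dst=2001:db8::25 sport=49200 dport=443 packets=700 bytes=900000 src=2001:db8::25 dst=fd00::50 sport=443 dport=49200 packets=300 bytes=20000 [ASSURED] mark=0 use=1
tcp 6 90 SYN_SENT src=192.168.1.50 dst=203.0.113.99 sport=49300 dport=80 [UNREPLIED] src=203.0.113.99 dst=198.51.100.7 sport=80 dport=49300 mark=0 use=1
this line is not a conntrack entry
"""

# Assumed values: the printer's static addresses and the local prefixes.
DEVICE_ADDRS = ["192.168.1.50", "fd00::50"]
LAN_NETS = ["192.168.1.0/24", "fd00::/64"]

PAIR = re.compile(r"(\w+)=(\S+)")


def _to_int(value):
    """Counters may be absent when accounting is off; treat that as 0."""
    return int(value) if value and value.isdigit() else 0


def parse_flow(line):
    """Return (src, dst, dport, bytes) for the original direction, or None."""
    starts = [m.start() for m in re.finditer(r"\bsrc=", line)]
    if not starts:
        return None
    # Only read fields up to the second "src=", where the reply tuple begins,
    # so reply-direction counters are never mistaken for upload volume.
    end = starts[1] if len(starts) > 1 else len(line)
    fields = dict(PAIR.findall(line[starts[0]:end]))
    try:
        src = ipaddress.ip_address(fields["src"])
        dst = ipaddress.ip_address(fields["dst"])
    except (KeyError, ValueError):
        return None
    return src, dst, _to_int(fields.get("dport")), _to_int(fields.get("bytes"))


def egress_report(lines, device_addrs, lan_nets):
    """Sum bytes sent by the device to each (destination, port) outside the LAN."""
    devices = {ipaddress.ip_address(a) for a in device_addrs}
    nets = [ipaddress.ip_network(n) for n in lan_nets]
    totals = defaultdict(lambda: {"bytes": 0, "flows": 0})
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        src, dst, dport, nbytes = flow
        if src not in devices:
            continue  # traffic to the printer (e.g. a print job) is not egress
        if any(dst.version == n.version and dst in n for n in nets):
            continue  # local destination, same test as "! -d <subnet>"
        entry = totals[(str(dst), dport)]
        entry["bytes"] += nbytes
        entry["flows"] += 1
    return dict(totals)


def flag_destinations(report, budget_bytes):
    """Destinations that received more than budget_bytes, largest first."""
    over = [(k, v["bytes"]) for k, v in report.items() if v["bytes"] > budget_bytes]
    return [k for k, _ in sorted(over, key=lambda kv: kv[1], reverse=True)]


if __name__ == "__main__":
    report = egress_report(SAMPLE_FLOWS.splitlines(), DEVICE_ADDRS, LAN_NETS)
    for (dst, port), stats in sorted(report.items(), key=lambda kv: -kv[1]["bytes"]):
        print(f"{dst:>16} port {port:<5} {stats['bytes']:>12} bytes in {stats['flows']} flow(s)")
    print("over budget:", flag_destinations(report, 1_000_000))
```

Entries with zero bytes still appear in the report, so a device that only attempts outbound connections (or a router without accounting) is visible rather than silently ignored.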

3 cent per page is surprisingly competitive, especially for an inkjet. I'm using a Color Laserjet 3600, a toner cartridge for which is about 40 dollars on Ebay. A colour cartridge lasts ~ 4000 pages, black ~ 6000 pages, that's 4 cents per page. Even though that is with second-hand supplies off Ebay it's still more than the official automatic ink in the mail.

>"User XYZ just printed 7 pages," which would reasonably be 5kb per job

Actually (of course IMHO) that should reasonably be (including the percentage of ink covered/black and a validation hash) below 150 bytes.

Sure, but let's face it, I don't think HP's top priority here is actually trying hard to make it small... :|

Yep, I surely agree :), the point is only on the use of reasonably, by allowing everyone to "grow" data (both when actually needed and when it is not) shifting every time the range of "reasonable" we have today's monsters (web sites, OS's, you name it).

And surely I am (more than a bit) old-fashioned, but when you can use the Doom as a unit of measure, JFYI:


then it isn't reasonable anymore.

>print up to 50 pages

Is this some economy ultra light printer or something? I get several hundreds of pages from each syringe refill.

It’s 50 pages per month. The cartridges they get are probably the 150 or 200 per page ones. In other words they’re paying a monthly fee to get a max of 3 or 4 cartridges a year. Probably less.

I’ve grown to hate the modern ink jet printers with a passion. I moved on to the consumer laser printers. I’m sure I’ll hate them too soon enough.

What does the syringe refill cost? I also have the instant ink service and I want out

Ink seems to be virtually free at Monoprice. Like, "It costs more to ship this than the ink, so I guess I'll just buy 10 of each color, but now I have a drawer full of ink cartridges and need to find more things to print."

I refill it from the bottle. The bottle cost me under a fiver some years ago.

> But the printer companies tend to be doing more and more to make that a pain

It's actually the opposite, recently all the brands have been introducing "ink tank" style printers (e.g. Epson EcoTank, Canon MegaTank) where you just squirt ink into the printer from a bottle, no DRM involved.

I can't tell if this is real

I bought my printer for immigration purpose, I would be way over on some months.

HP really lost their way. Now it's all about selling ink and perhaps user data.

As a side note, I'm always surprised by how bad printer software still is (even on device). I'd be more than happy to support a startup in this space. HP, Canon etc. frustrate customers by their aggressive actions to sell ink, e.g. software updates that made it almost impossible to refill ink.

Nice, more fodder for my “fuck HP” list.

I’m just forever bummed about Palm, I adored my Pre.

Give me an old HP 32S calculator or LaserJet III. Not this post Fiorina crap.

Gonna rant but other than using 100% open source software what can we do? I think I kind of wish it was illegal to collect data without very explicit opt in and no loss in functionality. (Note: HP apparently asked for permission

AFAIK Facebook spies on all Oculus usage. Every app you run on it, how often, even apps not from their store. Even not VR apps.

There is a law that a video rental store can not share your rental history. Facebook is going beyond that. Sure they know what apps I bought from their app store but they also know every non Oculus app as well. They aren't sharing it, or maybe they are to "trusted 3rd parties", but to me that's like the video rental store somehow tracking all videos I watch even ones not rented from them.

Note that I don't know that Steam and Valve are any better but I absolutely hate the idea that everything I do on my PC (or phone) is tracked.

I have no idea if Apple or Microsoft knows I watch ?? hours of video a week or what the names of the files are. Even my TV I have no idea if it reports every network connection back to Sony or that my Apple TV doesn't report similar things to Apple.

I feel like I want that kind of collection made illegal as an invasion of privacy with very large fines for non-compliance and I don't feel like my only option should be run nothing but open source software and buy open source hardware.


> other than using 100% open source software what can we do?

Why is that option not on the table? That is the thing to do.

Because none of the software I want to run nor hardware I want to run is open source and there are no useful open source alternatives. AFAIK you can't use a Vive or an Oculus without proprietary drivers that spy on you. On top of which all the interesting content is also not open source. I don't actually mind paying for proprietary software, especially entertainment software. I just care that now that all computers are networked nearly all software spies on you. Even an honest company is probably using 10, 20, 30 3rd party libraries which might also be spying on you.

I elected for HP to gather data in exchange for free ink and up to 15 pages of printing a month for free. They mail me ink. I know I'm selling my data for that ink but TBH I rarely print and it makes it free for me.

Instant Ink has really been a positive for me so far, and while at first I was a bit uneasy about data gathering it seems similar (and probably less invasive for my use cases) to using a Google product for example.

Guess I might as well keep running my old HP printer which uses a parallel interface.

It's good that I never trust printers to print my master passwords and just write them by hand. At least my pencil does not send anything yet...

HP pencils record arm movement and the eraser has a wireless transmitter.

Hmm, the same printer manufacturers that have, despite no laws requiring them to do so, entered into agreements with governments to embed secret identifying information into all produced documents, for decades, are also exfiltrating user data for profit?

Truly shocking, I cannot believe they have done this.

Don't all printer manufacturers do this?

> But even if you would be perfectly happy to publish all your printing and device data to the entire internet, I’d still argue that it’s a grim world in which HP feels entitled to take it from you.

But it's Microsoft who started all this. I remember a few years ago they would politely ask if I want to "send a report" home about some crash etc. Now they don't bother. You need to bend over backwards to change obscure settings and still can't be sure they don't phone home. Moreover, updates introduce new privacy violations, and people only find it after installing them, so privacy-conscious people have a tough choice.

No wonder other companies stopped caring about these things if MS can easily get away with it.

What is the best "serious" office printer that doesn't have this kind of malware installed? Ideally that has a bay for multi-page document scanning and can print 100 double sided pages without skipping a beat? Bonus points for reasonably priced ink!

We have come to the point where 'Informed consent' has become so perverted that it should no longer hold up. Most of the trickery companies seem to find acceptable obtaining it would be outright fraudulent and clearly a scam in other contexts.

I have this conspiracy theory that the NSA is using US monopolies to spy on the entire world.

I mean if you're holding the majority of the computer-related industry when it comes to making the software, it would be a pity to not benefit from it.

Sounds like we need the Raspberry Pi of printers.

I was just thinking more like using a raspberry pi for a home print server.

1. Load up the Pi with Cups, which has a web interface, and all the optional drivers and fonts it needs.

2. make sure ip_forward is off

3. set all your printers to use your Pi as their default network gateway

4. profit?

I do this but, I've missed step 4. There is a little more to the cups config but it "just works" (if you know cups well)
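The print-server setup in the comments above relies on the Pi being a dead-end gateway: printers send their off-subnet traffic to it, and with forwarding off the Pi never routes it onward. An audit of that property, added here as an example and not taken from either commenter, checks both the runtime switches and the sysctl files that could turn forwarding back on at boot; the function names and the overridable root directories are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: confirm a print-server box cannot route printer traffic.
# Both roots are overridable so the audit can run against a constructed tree.

# Print every runtime forwarding switch that is currently enabled.
runtime_forwarding() {
    proc_root="${1:-/proc/sys}"
    for key in net/ipv4/ip_forward net/ipv6/conf/all/forwarding; do
        f="$proc_root/$key"
        [ -r "$f" ] || continue              # IPv6 may be disabled entirely
        if [ "$(cat "$f")" != "0" ]; then
            echo "$key" | tr '/' '.'
        fi
    done
    return 0
}

# Print every sysctl config line that would enable forwarding at next boot.
# Commented-out lines are ignored because the pattern is anchored.
persistent_forwarding() {
    etc_root="${1:-/etc}"
    pat='^[[:space:]]*net\.(ipv4\.ip_forward|ipv6\.conf\.all\.forwarding)'
    pat="$pat"'[[:space:]]*=[[:space:]]*1'
    for f in "$etc_root/sysctl.conf" "$etc_root"/sysctl.d/*.conf; do
        [ -r "$f" ] || continue
        grep -HnE "$pat" "$f" || true
    done
    return 0
}

# Return 0 only when forwarding is off now and stays off after a reboot.
audit_print_server() {
    findings="$(runtime_forwarding "$1"; persistent_forwarding "$2")"
    if [ -n "$findings" ]; then
        echo "forwarding enabled:" >&2
        echo "$findings" >&2
        return 1
    fi
    return 0
}
```

Source the file and call `audit_print_server` with no arguments on the Pi to check the live system. Re-run it after installing packages that manage networking, since some of them enable forwarding on their own.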

I don't print much. I bought an HP printer with Instant Ink strictly for the free tier (10 free pages p/m). These privacy issues concern me.

That aside, I've been thinking about what is the minimum amount of data needed to identify what's being printed. For example, if you knew the length of the first X words, how many words would be necessary to identify a source? If you added the awareness of periods, how many words?

Long to short, it seems to me, simple and basic meta data used wisely could be used as a fingerprint (of sorts) to identify what's being printed without actually needing to capture the actual content.

Ha ha coincidence. I live in a high rise, so you can pick up about 10 wifi signals. My Brother all-in-one scanned three times last night on its own. I’m turning it off and on manually now.

As an aside, I found the opening paragraph amusing and painful in equal measure, given how I've often been treated by relatives because I, "work with computers."

No offense, but this guy is overhyping this more than I can stomach.

HP is collecting basic telemetry, analytics, and metadata, similar to... let me check... EVERYONE.

If you've ever worked in a large company, you'll know that you need that telemetry for debugging, first and foremost.

It's almost useless for analytic purposes. Let's be honest here. What advertiser cares about the number of pages you printed on Tuesday. Give me a break.

"If you've ever worked in a large company, you'll know that you need that telemetry for debugging, first and foremost."

If you worked in a large company before telemetry was available, you know it's actually possible to make a product that works out of the box, rather than ship something barely working and use users as unpaid QA testers.

I wonder if, at this point, it isn't easier to write a service that floods all these companies with random made up telemetry. MS/HP/FAANG wants data? Let's bury them in it. We train some AI so it isn't obviously wrong. We start anti tracking lists like the spam blacklists. We send GDPR requests to find out what sticks. With some luck, their firewalls block us and we're finally getting privacy.

That's been done already with ads: https://adnauseam.io/

I've heard that in practice it does get you on a blacklist and they'll start ignoring what you send, so perhaps it does have some effect.

Point of caution before using adnauseam: I installed and used it on 3 devices for about 6 months a few years ago. I have seen an increase of about 50 fold in the amount of targeted spam phone calls and physical mailers I receive since that time and they've only started to subside in the last year. I can't prove but highly suspect it's a result of my name getting added to a lot of lead DBs as an interested potential customer due to adnauseam ad clicks.

You took shots for the team. Keep up the good work!

Reading about the tool makes me kinda wanna install it ... that should mess up the targeting profile quite a bit for my ip.

That's still a win, I suppose.

It's so sad that every company seems to be willing to do shady stuff like this just to grab a couple of extra cents from selling their users out.

Technology companies should be leading the way for privacy.

You'd think it'd be very bad for business for a company like HP to demonstrate that they don't care about their users' privacy.

But they all seem to do dodgy stuff like this, selling people's privacy for cents.

Are HP doing this in GDPR-covered territory?

Possibly the requirement to download stuff is so they can geo-target?

Would it be feasible to create DIY printer?

As in buy or salvage the imaging and paper handling hardware, add your own CPU and software.

Or maybe root and reprogram an existing printer, like an OpenWRT for printers.

Soon, toilet paper will send your stool test back to its manufacturer without you knowing about it.

What are some good alternatives then? Laser, black and white and one that respects privacy ideally?

Are there any open-source telemetry detection tools out there to easily identify this sort of thing?

You can probably log traffic in your router.

Wouldn’t wire tapping laws apply?

Maybe not once you "accept" the EULA that you never saw or read.

