mitjam 1 day ago

This is something the EU Product Liability Directive potentially addresses. It demands that vendors (or importers) of products update their product if that's required to keep it secure. Otherwise they are liable for damages, even psychological damages.

There is no specific duration mentioned in the directive, so it's probably best from a vendor point of view to add product lifetime info to the product description or the contract, up front.

In Germany there is something similar in place already, and the expectation is that products (and the apps necessary to run the products) need to be updated for 5 years on average.

zokier 1 day ago

> There is no specific duration mentioned in the directive

The directive has explicit 10 year expiry period, see (57)

> Given that products age over time and that higher safety standards are developed as the state of science and technology progresses, it would not be reasonable to make manufacturers liable for an unlimited period of time for the defectiveness of their products. Therefore, liability should be subject to a reasonable length of time, namely 10 years from the placing on the market or putting into service of a product (the ‘expiry period’), without prejudice to claims pending in legal proceedings.

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A...

mnau 1 day ago

That D-Link DSL6740C device was released in 2014. It's well past its lifetime. I am not sure about the PLD, but the CRA is only for the lifetime or ~5 years.

> When placing a product with digital elements on the market, and for the expected product lifetime or for a period of five years from the placing of the product on the market, whichever is shorter, manufacturers shall ensure that vulnerabilities of that product are handled effectively and in accordance with the essential requirements set out in Section 2 of Annex I.

xmodem 1 day ago

The 5-year clock should start from the last time a consumer purchased the product new, though. I can't find anything concrete, but some poking around on the Wayback Machine indicates it was likely discontinued in late 2018, which probably still means they are in the clear in this instance even if you assume it takes a year for the inventory in the channel to sell through.

thequux 22 hours ago

The manufacturer can't control or even predict purchase dates, so that leaves potentially unbounded support lifetimes. I'd be comfortable with the 10-year timer starting from the date of last manufacture, though.

hyperman1 20 hours ago

If this works like a warranty, the manufacturer can stop 10 years after selling to the shop. The shop is the one providing the warranty to the user. The shop can fulfil their warranty by replacing the product with a (more recent) equivalent model, even from another manufacturer.

bell-cot 1 day ago

> The 5-year clock should start from the last time a consumer purchased the product new...

Obvious problem: how could the manufacturer determine (let alone control) when, literally, that happened? They might be able to tell when their major distributors and online retailers ran out of stock... but small distributors, bottom-feeding resellers and mom-and-pop retail? Impossible.

On-package labeling ("Software security updates for this thingie will be available until at least Dec. 31, 2029; also check our web site at https://support...") would be the only fool-proofish method.

xmodem 23 hours ago

I think on-package labelling is a good approach. You could also make the retailer liable for a lack of updates, just as they typically already are for defective products in most jurisdictions.

xp84 23 hours ago

Yeah, this isn't that different from the food "best by date" requirements, and in most cases (despite popular belief) the likely consequence of eating old packaged food is not even getting sick, just staleness. Arguably, having exploitable electronics that are "expired" is a greater danger.