Comment by ndriscoll
12 days ago
It Is not an indefinite rental. A sale can't be "misrepresented". It is a blatant CFAA violation. They are accessing your computer, modifying its configuration, and exfiltrating your private data without your authorization.
If I buy a used vehicle for example, I have exactly zero relationship with the manufacturer. I never agree to anything at all with them. I turn the car on and it goes. They do not have any authorization to touch anything.
We shouldn't confuse what's happening here. The engineers working on these systems that access people's computers without authorization should absolutely be in prison right alongside the executives that allowed or pushed for it. They know exactly what they're doing.
> If I buy a used vehicle for example, I have exactly zero relationship with the manufacturer. I never agree to anything at all with them. I turn the car on and it goes. They do not have any authorization to touch anything.
Generally speaking and most of the time, yes; however, there are a few caveats. The following uses common law – to narrow the scope of the discussion down.
As a matter of property, the second-hand purchaser owns the chattel. The manufacturer has no general residual right(s) to «touch» the car merely because it made it. Common law sets a high bar against unauthorised interference.
The manufacturer still owes duties to foreseeable users – a law-imposed duty relationship in tort (and often statute) concerning safety, defects, warnings, and misrepresentations. This is a unidirectional relationship – from the manufacturer to the car owner and covers product safety, recalls, negligence (on the manufacturer's behalf) and alike – irrespective of whether it was a first- or second-hand purchase.
One caveat is that if the purchased second-hand car has the residual warranty period left, and the second-hand buyer desires that the warranty be transferred to them, a time-limited, owner-to-manufacturer relationship will exist. The buyer, of course, has no obligation to accept the warranty transfer, and they may choose to forgo the remaining warranty.
The second caveat is that manufacturers have tried (successfully or not – depends on the jurisdiction) to assert that the buyer (first- or second-hand) owns the hardware (the rust bucket), and users (the owners) receive a licence to use the software – and not infrequently with strings attached (conditions, restrictions, updates and account terms).
Under common law, however, even if a software licence exists, the manufacturer does not automatically get a free-standing right to remotely alter the vehicle whenever they wish. Any such right has to come from a valid contractual arrangement, a statutory power, or the consent, privity still works and requires a consent – all of which weakens the manufacturer's legal standing.
Lastly, depending on the jurisdication, the manufacturer can even be sued for installing an OTA update on the basis of the car being a computer on wheels, and the OTA update being an event of unauthorised access to the computer and its data, which is oftenimes a criminal offence. This hinges on the fact that the second-hand buyer has not entered into a consentual relationship with the manufacturer after the purchase.
A bit of a lengthy write-up but legal stuff is always a fuster cluck and a rabit hole of nitpicking and nuances.
I don't really understand the legal arguments here:
> the manufacturer can even be sued [...] This hinges on the fact that the second-hand buyer has not entered into a consentual relationship with the manufacturer after the purchase.
Wait, but the first owner (presumably, for the sake of argument) agreed to this. Why isn't it the first owner's fault for not disclosing it to the second owner? Shouldn't they be sued instead? How is a manufacturer held responsible for an agreement between parties that they could not possibly be expected to have knowledge of?
Because common law is not a general «duty to disclose everything» bludgeon for ordinary used-goods sales, and the «why not sue the first owner» argument can only work in narrow fact patterns.
For example, if the first owner actively misrepresented the position (for example, they said «no remote access, no subscriptions, no tracking» when they knew the opposite), the second owner might have a misrepresentation claim against the first owner. But that is pretty much where the buck stops.
> «How can a manufacturer be liable for an agreement it cannot know about?».
That is not the right framing. The manufacturer is not being held liable for «an agreement between the first owner and the second owner». The manufacturer is being held liable for its own conduct (access/modification by virtue of an OTA update) without authorisation from the _current_ rights-holder because liability follows the actor.
It happens because, under common law, 1) the first owner’s consent does not automatically bind the second owner, 2) consent does not normally run with the asset, and 3) a «new contract with the second owner» does not arise automatically on resale. It arises only if the second owner consciously assents to manufacturer terms (or if a statute creates obligations regardless of assent).
So the manufacturer is responsible because it is the party _acting_. If the manufacturer accesses/modifies without a valid basis extending to the current owner or user, it owns that risk.
I am not saying that «every unwanted OTA update is a crime». All I am saying is that the legal system has a concept of «unauthorised modification/access», and the contention is over whether the access or modification was authorised or not.
2 replies →
This is the kind of nitpicking that I love to see on HN, it is establishes the boundaries of the relationship between manufacturers and owners and tries to lay bare the need for (informed) consent and what the legal basis for that is.