The latest rules for the European Commission EcoDesign Directive now includes specific requirements for servers and storage manufacturers to make the firmware of their hardware available to customers.
The Commission’s Internal Market, Industry, Entrepreneurship and SMEs (ENTR) Lot 9, which becomes effective in March 2020, stipulates that built-in, software-based data deletion tools, and of the latest firmware version, should be made available.
Tomas O’Leary, president and founder of Free ICT Europe Foundation, who previously ran a hardware maintenance company, said: “We saw manufacturers started to introduce products where their firmware rules began changing. They were putting in rules limiting transferability and updates, to stop third-party maintainers.”
He said the limitations that were being imposed by the server and storage manufacturers also prevented decommissioned hardware from being resold in the second-hand market.
The Free ICT Europe Foundation was among a number of organisations that worked on putting forward a case for the availability of firmware in the EcoDesign Directive, which mainly covers power usage and recycling.
In datacentre technologies like enterprise servers, storage and network equipment, O’Leary said: “The denial of firmware updates has been used as a ransom to control what happens to products.” There is a direct correlation between the availability of firmware, how long a customer can keep the hardware and who is authorised to fix it.
Organisations with datacentres may have thousands of pieces of datacentre equipment, each with firmware. As and when this hardware environment needs updating, such as if a peripheral device is plugged into a server, this upgrade may not succeed unless the latest firmware for that server is available.
According to O’Leary, by limiting the availability of firmware and the ability for customers to resell hardware, the manufactures effectively made the hardware unsalable. “When you read the hardware licenses, you wouldn’t buy their technology,” said O’Leary.
This could have a profound impact on the ability of businesses to take out loans to fund hardware purchases, where the resale value of the hardware is part of the risk assessment. “How can you put a value on that asset if it is ruled by the manufacturer? If you can’t dictate who can buy the hardware, how can it have a value? Its value is then simply the value of the raw materials.”
He said the new rules mean that when a manufacturer releases a product with a three-to-five-year lifespan, it must now to ensure the firmware is available for eight years, either for free or at a price that is considered fair, transparent and non-discriminatory.