Appliances giant Haier issued a takedown notice to a software developer for creating Home Assistant integration plugins for the company's home appliances and releasing them on GitHub.
Haier is a multinational home appliances and consumer electronics corporation selling a wide range of products under the brands General Electric Appliances, Hotpoint, Hoover, Fisher & Paykel, and Candy.
Earlier this week, German software developer Andre Basche, who maintains plugins for the Home Assistant integration for Haier's hOn smart control app, claimed to have received a legal threat demanding the immediate removal of his tools from the GitHub platform.
Home Assistant is an open-source home automation platform enabling users to control and automate their smart home devices from a centralized interface. Apart from convenience and cost, Home Assistant offers superior security and privacy options not available on similar commercial apps.
The plugins offered in the GitHub repositories enable users to control Haier, Candy, and Hoover air conditioners, purifiers, dishwashers, induction hobs, ovens, fridges, washing machines, and dryers through Home Assistant.
According to a notice published by the repository owner, Haier claims these plugins cause the firm significant financial damage and violate copyright laws, requiring the developer to take them down to avoid further legal action.
"We are writing to inform you that we have discovered two Home Assistant integration plug-ins developed by you (https://github.com/Andre0512/hon and https://github.com/Andre0512/pyhOn) that are in violation of our terms of service," reads the notice from Haier Europe Security and Governance Department.
"Specifically, the plug-ins are using our services in an unauthorized manner, which is causing significant economic harm to our Company."
"We take the protection of our intellectual property very seriously and demand that you immediately cease and desist all illegal activities related to the development and distribution of these plug-ins."
The letter eventually delivers a legal threat to the developer, saying that if he fails to comply with the removal request immediately, the firm will take necessary legal action to seek compensation for the damage done to its business.
The plugins themselves are open-source, but it is unclear if they incorporate Haier's intellectual property, such as software code or proprietary protocols, which would give the firm a legal basis for the request.
On the other hand, if the plugins do not infringe on Haier's intellectual property or fall under fair use provisions, the creator could opt to defend his work and keep the plugins available to the community.
Nonetheless, Haier's legal threats have intimidated the developer, who announced that the project will be taken down in the next couple of days.
Meanwhile, the situation has sparked support for the developer and a backlash against Haier, with users who find the firm's approach excessively aggressive calling on consumers to boycott the company.
Targeting open-source software developers tends to backfire for companies, as others fork or clone the code repositories to prevent the projects from disappearing.
At this time, the Haier Home Assistant plugins have been forked 228 times, many occurring since the news of the legal threats.
BleepingComputer has contacted Haier with questions on the case, but a comment wasn't immediately available.
Comments
RaunchyButts - 3 months ago
Another scumbag corporation attacking someone who's making its products MORE VALUABLE, at no charge to them.
Sounds like U.S. broadcasters. Oh wait... GE is involved.
fromFirefoxToVivaldi - 3 months ago
At this point we need a legal framework which would force all smart home device manufacturers to open up their code. It's ridiculous that users have to jump through hoops to use what they prefer.
It should be possible for the user to set their own server and use whatever software they want. That way manufacturers would not be incurring any losses and users would be free to choose whatever third-party solution suits them.
I have a washer from another company, not Haier, and I hate the app I'm forced to use to access any sensible configuration options. It's laggy, has trouble connecting to the device and frequently asks me to log in again.
That other company has for example decided to remove the extra water option from the device itself, so if I want my clothes to be washed well, I'm forced to use their app.
Wolphin - 3 months ago
"firm significant financial damage" this shows that they are intentionally selling the data they collect through having the 'smart' devices.
To me, this is a clear bait and switch... they are selling you a device for the features on the device, but when you try to use the device how you want to use it (i.e. not have it call home to tell the manufacturer how/when you use it (and maybe even other details on your home network, and maybe the app tracks your movements continually and reports that too))... they go after the 3rd party who did it.
This is clearly they don't like the separation of the control. I also hate how they can have the device push out an update to put features behind a paywall, when before it was free (and likely one which they advertised as part of it, with no mention of it needing a monthly payment for it...)
There totally needs to be legislation which
a) protects 3rd party developers from making a new interface for the device, and to even promote it by requiring the companies to publish an API (Application Protocol Interface) specifications to do all the functionality. This would include the ability to have the device talk to a server which is owned/operated by the product owner if they wished without any further contact from the manufacturer.
b) Be security/performance conscious by having the software made available to those who want it, so they can resolve bugs and security holes. Also for the company to resolve any bugs or security issues on the device promptly. It would also hold the manufacturer liable for if due to a security hole they ought to know or did know about but had not patched, if it is used to attack the customer's network.
c) The company being permitted to charge a small fee (no more than 10% of the purchase price (or $100, whichever is less) per year) for the hosting of the service and to use the attached website and cellphone app, with both having the same ability to control the device. This fee must be posted on the item for all to see when purchasing, and cannot go up, and the service must be maintained as long as there are users of the products (no unilateral decision on the company to say the device is 'too old' and just dropping support of it). The company is permitted to assist the customers to move to a 3rd party system at the company's expense, so they can take down their system. The company is permitted to outsource the service.
d) collection of the data from the users must be optional, and the decision a clear one by the customer, and not be required to use any of the functionality of the device.
UseCommonSense - 3 months ago
So....tell the corporate giants that if they weren't too busy screwing their employees and their customers alike to line their pockets, they would have done it themselves. In the meantime, they can either say thank you or go fu*c themselves.
CoyoteDen - 3 months ago
Unfortunately it looks like these projects do include Haier API keys, and spoof the hOn app:
AUTH_API = "https://account2.hon-smarthome.com"
API_URL = "https://api-iot.he.services"
API_KEY = "GRCqFhC6Gk@ikWXm1RmnSmX1cm,MxY-configuration"
APP = "hon"
CLIENT_ID = (
"3MVG9QDx8IX8nP5T2Ha8ofvlmjLZl5L_gvfbT9."
"HJvpHGKoAS_dcMN8LYpTSYeVFCraUnV.2Ag1Ki7m4znVO6"
)
APP_VERSION = "2.4.7"
OS_VERSION = 31
OS = "android"
DEVICE_MODEL = "exynos9820"
USER_AGENT = "Chrome/110.0.5481.153"
That is legally bad news for this, but not necessarily for the larger issue of "does 3rd-party access really impact a service?" What are the damages? As long as you're not hammering the API it won't be any different than using the manufacturer's app, it may be even more efficient.
I saw a similar issue with Select Comfort/Sleep Number. They requested the developer of a SleepIQ plugin for Homebridge take it down, not because it was 3rd party but because it was by default hitting the API every 5 seconds. Their smart beds don't even send updates that fast, every 5 minutes would be fine. The developer took it down and launched an identical project under a new GitHub account, but with more reasonable defaults. No complaints yet.
In other words, if you're going to do this without explicit approval, be very polite about how you hit their API and they won't notice.
Daniel15 - 3 months ago
This is not a legal issue. Reverse engineering an app for the purpose of interoperability is explicitly protected under EU law (Article 6 of the EU software directive).
The developer of the Home Assistant integration is based in Germany, and Haier's European division was the one that complained, so EU laws apply here.
MarkAtwood - 3 months ago
Copying the API keys is not illegal, nor is it a tort. The developer of this plugin did nothing wrong using those API keys. This plugin is not a security risk, not a "hack", and it does not give the person using the plugin "unauthorized access".
darkmonkey69 - 3 months ago
What's stopping us from hosting these two repos elsewhere and from many accounts?
h_b_s - 3 months ago
As the article says: nothing.
Just be sure one's outside the legal reach of the jerks at that corporation. IE: your legal jurisdiction doesn't recognize their arguments.
However, the better response is just not to buy any "smart" products. And if you have no choice in that matter, either don't give them any network access, or physically sever the antenna lead.
Keep in mind that GitHub is still beholden to US law and the DMCA, so they are still legally obligated to take down any such content that violates it regardless of whether or not the person publishing it is. Either self host, or find a host outside of US law's reach.
boosted1g - 3 months ago
I am going to guess that the real issue is that the company can not collect and sell your data if you are not using their app, and that is the real "financial hardship" this plugin causes.
Plus you are ruining their planned obsolescence of removing any 5+ year old products from their app.
agroszer - 3 months ago
Poll is open... What firmware/OS might their products be using? I bet the appliances are running some Linux.
povlhp - 3 months ago
Soon 1000 forks.
The law, at least in Denmark, Europe, is pretty clear. If I want to make it compatible with something else, I should ask for API and documentation. If they will not provide that for a reasonable fee (likely in relation to the product cost for me as a consumer), then I can reverse engineer their software and protocols, and I can even get 3rd party help to do this.
I see no way they would have a case here.
If they get too many requests, they should do like Miele, let people generate an API key they can rate limit.
I assume the next step here, to help GE, would be to do like Valetudo - Create a local server, and have people create their own DNS entry for the service. Then GE would save lots of money as devices disappear from the cloud. They really should help here and release the server as a Docker container. Think about all the money saved.
lightmaster - 3 months ago
"Create a local server, and have people create their own DNS entry for the service."
I really wish more 3rd party developers would do this, figure out a way to allow users to host the cloud service locally and redirect API calls to their own server. Kinda like what you can do with Private Servers and World of Warcraft (or at least you could when I played it a decade ago). I really hate trusting that Company XYZ won't close up shop tomorrow and screw over their customers that rely on their cloud.
pauldsmyth - 3 months ago
As someone suggested, they're highly likely to be using Open Source software so I hope they've published all the source code under GPL
WeHateToRegister - 3 months ago
> At this time, the Haier home assistant plugins have been forked 228 times, many occurring since the news of the legal threats.
So wrong! Over 1300 forks at this very moment!
> Apart from convenience and cost, Home Assistant offers superior security and privacy options not available on similar commercial apps.
And Haier want that we are happy with their slow, sluggish and simply horrible app? No, we want to use our hardware with the superior stuff called Home Assistant - nothing else.
MarkAtwood - 3 months ago
There is no copyright, trademark, patent, or other intellectual property right in calling a network API. Reverse engineering for the purpose of interoperability is legal in the US and EU. There is no basis for a GitHub takedown claim. If Haier sends a takedown to GitHub, just file a counterclaim and it will go back up. If they send another cease and desist, just post it publicly. If they threaten to sue, post that publicly, and call the EFF and other such orgs. If Haier does sue, they will lose badly.