The Lexmark lesson - make more noise

19 Nov 2004 08:15


Lexmark's inky fingers are all over your printer data - but did you say 'help yourself'?

Lexmark's printers are smarter than they look. Perhaps a little too smart -- a recent story showed that the printer drivers for a recent model were surreptitiously relaying information over the Internet back to base. Users were mystified, and more than a little outraged. Spyware, they said. Lexmark was stung. 'It's not spyware, it's remote reporting about printer parameters,' the company said after a marked pause. We told you all about it when you installed the drivers. It's even got a name -- Lexmark Connect.

Remote reporting is nothing new. Mainframes and minicomputers did it back in the 1970s, using a modem to dial up a service agent when something was amiss. More recently, printers on LANs have done it to warn the system administrator of paper problems or other mishaps. It's a simple enough task: the printer's internal microcontroller spots the error and sends a code down the communications link.

With PCs on broadband, it's just a matter of the printer driver parcelling up data collected from the printer, establishing an HTTP link -- thus bypassing any firewalls -- with a remote server, and sending the message. There's virtually no extra load on the connection, and the printer manufacturer gets valuable usage information that can be used in designing the next generation of products.

So what went wrong? The problem is that such behaviour is identical to that of spyware -- stuff you don't want -- which earns its crust in exactly the same way by quietly passing data back to a third party. The only difference is that users are supposedly informed about the Lexmark software. That clearly didn't happen, at least not in every case: if you don't know, then it's spyware.

That knowledge may be easy to miss. Not every user installs their own printer. Some systems come with printers pre-installed; some are set up by technicians on delivery; some by passing help. Not everyone reads all the disclaimers, end-user licence agreements, warnings, copyright statements and other densely worded legalese that habitually demands our clicks of allegiance when we load new software. This is partially the fault of the companies who rarely take the time to clearly, simply and unambiguously say what's happening and why -- and sometimes give the impression of omitting this deliberately. We have learned to think of this stage of installation as a pointless annoyance, to be got through as quickly as possible.

Users do have some responsibility. It is a commonplace in consumer electronics companies that you could print "READ ME FIRST" in the biggest, reddest letters available, on every part of the packaging, handbook, installation notes and CD covers, and the user wouldn't even glance at it until they'd plugged stuff in and failed to make it work. Even here, though, that's what people do -- manufacturers have to assume the worst and design their products accordingly.

Finally, people forget. They read something, click on OK, and move on. Life is too short to remember that an obscure piece of software attached to your printer will sometimes do something you'll never see. The company may well have made 'full disclosure' of Lexmark Connect during installation, but it patently wasn't full enough to prevent people from interpreting the subsequent behaviour of the software as underhand and unexpected.

Lexmark is also the architect of its own misery in other ways. It has got a rotten reputation for obstreperous behaviour with third parties. An ongoing case in the US has seen it try and use the controversial Digital Millennium Copyright Act (DMCA), a badly worded piece of legislation that exists to protect intellectual property, to prevent anyone making alternative ink cartridges. The Lexmark parts have a chip that tells the printer "I'm kosher": anyone wanting to build their own cart has to replicate the actions of that chip. Such replication is against the DMCA, says Lexmark as it unfurls its lawyers. So far, the case isn't going Lexmark's way -- and neither is the publicity. If people suspect that Lexmark is being underhand in collecting data, they'll be predisposed to believe it.

It is not unreasonable for Lexmark to want to know how its printers are being used. There are some good, solid commercial arguments for knowing this, even for using the data to remind the user when supplies are running low. It's possible to run a fully automatic delivery service: once you've signed up, you get new cartridges popping through your letterbox without any further effort on your part. Dell likes the idea of this -- it is using Lexmark technology to just this end -- but it's arguable whether this book club approach will really give users the full benefits of choice and competition. In the end, it's up to the users.

And this is where the Lexmark scheme falls down. By hiding the process of reporting from the user except at one easy-to-miss point, it disguises itself too well and removes the user from the process. Compare this with Microsoft's error reporting scheme -- when it wants to report home, it pops up windows, asks questions, offers to disclose everything that's being sent and provides links for further investigation. There has to be a balance -- nobody wants to be ticking boxes for every page of A4 -- and doubtless the amount of data passed back will be less, as more people choose to disable the reports either temporarily or permanently.

Proper social engineering is the answer for anyone seeking to avoid Lexmark's woes. The chance to know more about users is too good to pass up, and is just one of the ways that the connected enterprise can make good, effective use of the new opportunities of the Internet. Without a good understanding of how users will perceive the process, remote data collation can backfire: get it right, and everyone benefits.

Story URL: http://resources.zdnet.co.uk/articles/comment/0,1000002985,39174087,00.htm
