A plugin and library to permit the control of Haier, Candy, and Hoover appliances recently received takedown requests from Haier Europe's Security and Governance department.

The repositories, owned by Andre Basche, consist of a Python library to retrieve information and execute commands on appliances - for example, a smart washing machine - and an integration plug-in for the Home Assistant app.

The plugin supports anything from air conditioners to tumble dryers to wine cellars. It is also not something produced by Haier itself, and the repository for the library proclaims: "This python package is unofficial and is not related in any way to Haier. It was developed by reversed [sic] engineered requests and can stop working at anytime!"

Judging by the takedown notices, it could well stop working sooner rather than later. According to a notification in both repositories - https://github.com/Andre0512/pyhOn and https://github.com/Andre0512/hon - Haier has taken exception to the project and claimed: "The plug-ins are using our services in an unauthorized manner which is causing significant economic harm to our Company." Hence a cease and desist, coupled with legal threats.

A Register reader got in touch regarding the situation, saying: "Given that the DMCA and EU both specifically allow for interoperability work, this seems like quite a reach and Haier's threats will have a significant chilling effect on developers."

Our reader is correct, to a certain extent. Reverse engineering is a tricky area, but various court decisions have shown that it is mostly permissible, particularly when one is only using it to decode an interface. Similarly, it's risky for companies to erect interoperability barriers in the EU, especially considering the challenges faced by companies like Google and Microsoft.

Basche shared an email he received over the weekend, in which a Haier representative explained that the frequency of his plugin pinging the company's services was the main issue. The "substantial increase in AWS calls attributed to your plugin" triggered the takedown notices.

All those calls cost money, you see, and cost control is mentioned several times in Haier's email.

According to an FAQ posted by Basche, a request is sent once every five seconds to fetch the current state of each appliance. If a user were to trigger an action - for example, start some washing or switch air conditioning mode - more data would need to be posted.

Basche said: "Requesting every five seconds is a bit much (even if the app makes more requests more [frequently], but only in use). With a poorly implemented application, this could perhaps provide some load. The default interval for most integrations is 10 seconds.

"I would totally understand if Haier wanted a higher value here and would increase it, I have already asked them to suggest a poll interval."

Haier has yet to respond to a request for comment from The Register. On January 19, the company posted on its blog: "As we aim to provide the best experience for our connected users and improve the performance and reliability of the hOn app, we are committed to enhancing the smart home scenarios in line with authorized usages and intellectual property rights of Haier Europe."

It also stated that user privacy was a priority before saying: "As part of our IoT and ecosystem mission, we are keen to assess all opportunities and solutions able to expand and open our ecosystem and IoT platform integration."

The email Basche received over the weekend indicates a softening in Haier's stance. It is, however, a shame it wasn't sent before the alarming legal letters were fired off, which are somewhat at odds with the company's professed desire to open its ecosystem. ®

https://www.theregister.com//2024/01/22/haier_plugin_takedown/