A user on Reddit reported that rabbit is making use of a refund strategy that is called a “Green Return”. He requested a return and refund for his r1. Rabbit support accepted it within minutes and said that he got a “Green Return”. This basically means that he can keep the item and get his money back once rabbit confirms they are going to deactivate the r1. In other words, he will get his money back and keep the deactivated r1.
While I can see the environmental benefits of a Green Return, it does raise a few concerns / questions, because a deactivated r1 would be useless!
Questions:
How can a potential buyer/new user see if a r1 has been deactivated as part of the Green Return (or after theft)?
Is it possible to reactivate an r1 that was deactivated as part of the Green Return, and under what terms?
Those are legitimate concerns, which is why I don’t recommend buying them secondhand. This isn’t a “money grab” thing… it’s really just that there are a lot of unknowns with used devices.
@mattdomko
Thanks for confirming that these are legitimate issues, and I agree that there are lots of unknowns with used devices. However, there is a potential legal issue lurking around the corner… consumer protection laws … if a vendor can deactivate a device with no option to have it reactivated. Innocent buyers who are willing to accept a certain level of risk when buying secondhand should have a fairly simple way to check that a device can potentially be used.
I know from experience (very nearby) how powerful these consumer protection laws are, and rabbit has got a good thing going, I would hate to see precious funds (and reputation goodwill) being wasted in legal actions.
I kindly suggest that you have some of your product / legal specialists look at this from a consumer protection angle, and publish how to detect a deactivated device (e.g. by using the IMEI number), what terms apply to reactivating a device, and which process to follow.
@tim@mattdomko : Thank you for making time to respond to my questions.
The link you provided is helpful, BUT there is no information that helps potential buyers/new owners to see if the r1 has been deactivated, e.g., as a result of a Green Return.
Please don’t take me wrong. I am a big fan of the r1 and believe in its potential. I look for clarity as I place myself in the position of a new/potential user (new & secondhand). That is also one of the drivers I have behind my publication about the r1.
Rabbit took quite a beating during the initial release, and when you look around on other forums, I am one of the users that tries to make it clear that ongoing bashing is totally undeserved. This unclarity around the Green Return is just throwing oil on the fire, and we’re already seeing influencers talking about this.
I.m.h.o., a tool to help potential buyers query a database to see if an r1 is deactivated (stolen or Green Return) would really help to bring this topic to a good closure. A final step could be to add a paragraph in the official policy to make it clear how you treat deactivated devices (and include a link to the search tool).
Thanks in advance for considering my constructively intended inputs.
I appreciate the fact that rabbit is a small team, so I’ve been asking around with the legal team in the company I work for and lawyers in my network. The replies are more or less the same. It is deemed illegal in Europe and possibly also a problem in other parts of the world.
If a device can be deactivated, then potential new owners should have a reasonable way to get the device reactivated.
If the deactivation is permanent (and this is where the company is deemed to be running the biggest risk) you at least need to update the policy and point potential buyers to a tool that enables them to see if an r1 is deactivated permanently.
I kindly suggest that you communicate what solution direction you’re choosing and give a timeline for implementation.
There are also other concers about security and privacy, for example if the device is taken from a table or lost, who take the device will be able to interrogate the device and exfiltrate all the infos asking it to reveal.
GDPR: The lack of adequate protection for personal data and the inability to delete it violate Articles 5 (this was corrected with the updates allowing the user to erase the data from rabbithole) and 32 of the GDPR, which impose data security and the right to erasure.
Cyber Resilience Act (CRA): Although it will come fully into effect in 2027, the CRA requires digital devices to meet strict standards against vulnerabilities such as those of Rabbit R1.
I think that here in Europe we are already again illegal without any method of protection like a lockscreen, so another concern it is physical access without protection with Article 32:
The device has no screen locking or any physical protection system. Anyone who comes into possession of the Rabbit R1 can access personal data, query the device and filter sensitive information.
Hmmm… I.m.h.o. any personal data would be stored in the rabbithole. Also, the cookies in the cookie jar don’t contain account credentials… You can’t access the rabbithole content with just the r1.
I agree that an option to have a screenlock would indeed be a good addition.
I understand your point, but there are some concerns that cannot be ignored.
First, even though personal data is primarily stored in the rabbithole, the Rabbit R1 device can still reveal sensitive information. For example, asking the device to reveal its name could already constitute a form of data exfiltration, or asking to make a list of the 5 last notes, as it could provide clues as to who owns it.
Furthermore, even though cookies do not contain login credentials, if the device is already logged in to online services, an attacker could access these services without having to enter credentials. This means that if the owner has stored cookies to stay logged in, a user who picks up the device could access email, the rabbithole, and other services without any hindrance.
The main problem is that while data can be deleted from the rabbithole, it cannot be removed from the device itself. This makes it difficult to protect personal data if the device is lost or stolen until a user mark it as lost.
Additionally, the lack of a screen lock makes impersonation easier, as anyone with physical access to the device can use it without restrictions.
I think that adding a screen lock would be an important measure to protect user data and prevent abuse, and I’m glad you, at least, understood the importance of having one.
I can see the “issue” but there are other devices out there that have a similar risk if you buy second hand. E.g. a Amazon Kindle locked by Amazon (marked lost/stolen) is hard to recognize. It won’t let you register the device (“account not recognized”), you have to contact Amazon support to find out why it won’t register.
Still it would be good if the deactivated R1 is permanently disabled (eg won’t turn on or show a “this device is disabled” message.
Reactivation is not a priority imo, it would need to be at least as expensive as deactivation which makes it an unattractive option.
I like that idea… If a r1 is permanently disabled, that it won’t turn on or show a “this device is disabled” message.
The fact that Amazon is doing this also opens the possibility for rabbit to do this, if they bring the same clarity that Amazon does for the Kindle. Modify the terms / policy, and a device disabled message on the screen.
One thing to note: there are topics that make sense for me to participate in, there are topics that I enjoy participating in, and there are topics I should avoid participating in until the team has a unified opinion and plan.
This is one of the latter. And that’s why you’ll probably see me giving passive answers. I hope it helps to know that your feedback is being read though
It’s been 17 days since we received the last update on this. Do you know how long it will take before “the team has a unified opinion and plan”?
@PaulBacon made a suggestion to show a message “this device is disabled”.
I spoke to the legal team in the company I work for. They also believe that deactivating a consumer device without the possibility for the consumer to easily see that it has been deactivated could be a violation of European consumer protection laws. A deactivation notification on the screen when you power on the r1 would potentially resolve this.
I hope this helps and look forward to seeing the communication when “the team has a unified opinion and plan”.
