Unfortunately there are plenty of precedents for that kind of behavior. For example, Google, Apple, and Amazon all reserve the right to manipulate your Android device, iDevice, or Kindle as they see fit, and without asking you for permission (google "kill switch"). There's that endless discussion on the interwebs about "owning vs. licensing".
The good thing (relatively speaking) with RTCOA is that the thermostats have to initiate the communication. If you blank out the authkey and control the stats with your own program (as I do), then you have full control over if/when you accept firmware updates.