Updated: A New Lobbying Group is fighting Right to Repair Laws

Consumer advocates and proponents of right to repair laws in 17 states have a new enemy to worry about. The Security Innovation Center, with the backing of powerful tech industry groups, is arguing that letting consumers fix their own devices will empower hackers.*

The group released a survey last week warning of possible privacy and security risks should consumers have the right to repair their own devices. It counts powerful electronics and software industry organizations like CompTIA, CTIA, TechNet and the Consumer Technology Association as members.

The group’s sponsored survey of more than 1,000 Americans was fielded by Zogby and suggests consumers are wary of the security of smart home and other Internet of Things devices. Almost two thirds of American consumers say that the explosive growth of Internet-connected products is making them more concerned about their privacy and security, according to the organization’s survey of 1,015 Americans. A similar share felt that they would not know if an Internet of Things device they owned had been compromised, while 84 percent told survey takers that they value the security of their data over convenience or speed of service.

The underlying message in the results is that security, not convenience, is paramount for consumers of connected devices. That seems tailored to counter efforts in 17 states to expand consumer protection laws, giving the owners of connected devices from phones to automobiles the right to repair them.

In Massachusetts, for example, proposed legislation in the state Senate and House of Representatives is being considered that would extend an existing state right to repair law for automobiles to a wide range of consumer electronic devices. Manufacturers would be required to make diagnostic codes, technical manuals and, in some cases, software available to both device owners and independent repair shops.

[You can hear me interview Kyle Wiens of the group iFixit about various state right to repair laws on this edition of The Security Ledger Podcast.]

In an interview with The Security Ledger, Josh Zecher, the Executive Director of The Security Innovation Center, acknowledged that the Security Innovation Center’s main purpose is to push back on efforts to pass right to repair laws in the states.

He said the group thinks such measures are dangerous, citing the “power of connected products and devices” and the fact that they are often connected to each other and to the Internet via wireless networks. Zecher said that allowing device owners or independent repair professionals to service smart home devices and connected appliances could expose consumer data to hackers or identity thieves.

17 states have introduced right to repair laws that will give consumers and independent repair shops access to information needed to service popular electronics like Apple’s iPhone.

“From the legislation we’ve seen, we believe there’s troubling policy in there,” Zecher told The Security Ledger in a phone conversation. “If everyone is writing to the (operating system) and doing other patches, there’s the potential for embedding malware or additional code that’s not there from the manufacturer.”

Asked whether the Security Innovation Center was opposed to consumers having the right to repair devices they purchased and owned, Zecher said the group did oppose that right on the grounds of security, privacy and safety.

“People say ‘It’s just my washing machine. Why can’t I fix it on my own?’ But we saw the Mirai botnet attack last year…Those kinds of products in the wrong hands can be used to do bad things.” – Josh Zecher, Executive Director, Security Innovation Center

“Product owners should continue to have multiple options to repair their products. That is what iFixit does,” Zecher wrote in an email, mentioning the popular self-repair website. “However, changes to a product should not compromise the privacy, security and physical safety of individuals and businesses.”

Zecher warned, for example, that stalkers could commandeer smart home devices to spy on occupants by taking advantage of open platforms like those proposed by Right to Repair laws. “Many of the bills don’t exclude security functions from diagnostic information,” Zecher said, noting the requirement under many right to repair laws that manufacturers make diagnostic information from devices available to owners. “That could allow a reset of security related functions, or you could have security data lost via mishandling.”

The group’s concerns extend to public disclosure of software vulnerabilities, as well. “In our principles on our website we explain that ‘the public disclosure of information about product alterations should be weighed against the public interest of choice, consumer security, privacy and intellectual property protection,'” Zecher wrote.

Consumers, he said, are less fearful of expensive vendor lock-in than of having their information stolen from connected devices.

Other surveys have found strong interest among consumers in do-it-yourself repair and independent repair of electronic devices. A survey of 164 independent repair shops nationally conducted by CALPIRG found a 37% increase in weekly battery replacement service requests in the month from December 20, 2017 to January 22, 2018, and a more than 100% jump in searches for iPhone repair from California residents during the same period.

“We should be free to fix our stuff,” said CALPIRG Director Emily Rusch in a statement. “But companies use their power to make things harder to repair. This survey shows that people are clearly looking for more options to repair their phones.”

Millions of insecure, connected devices like Internet-connected cameras, digital video recorders, home routers and toys pose a security and privacy risk. With lax oversight of such devices, many linger online: vulnerable or infected, posing a threat to the larger online ecosystem.

Still, Zecher said that manufacturers were making progress on security. Device makers were being “pushed by security experts and privacy advocates to build security and privacy into the foundation of products,” he said.

But Kyle Wiens of the group iFixit said that many of the findings of the survey were the result of stilted questions. “I got the study and the questions were pretty amusingly biased,” Wiens said via email.

Wiens noted that the group is seeing progress on right to repair initiatives at the state level. Washington State’s Right to Repair Bill (HB 2279) cleared a committee there by a vote of 7-2 and could be voted on this month. In Massachusetts, right to repair legislation will be heard in April and is considered “very much alive,” according to a source with knowledge of the debate.

“We’re making good progress,” Wiens said.

(*) Updated with new comments from Josh Zecher regarding do-it-yourself repair and vulnerability disclosure. PFR 2/23/2018

28 Comments

  1. This is so obviously a veiled attempt to promote new products and prevent repairing broken ones it’s hard to support.
    Why are they called The Security Innovation Center… certainly no innovation or security here. Opening up a device to expose its cheap build cost, standardized chipsets and code lacking security is exactly what we need to keep the low cost producer countries from cutting corners and exposing our data.

    These manufacturers are desperate to make headway in a commodity business and every corner has to be cut to make any profit. If we’re not up for regulation we need to be up for self policing and laws like these predictably stifle that policing ability.

  3. oh yeah, and i’ll also depend on the deputy sheriff at the door when the crap hits the fan…

  4. “No, sir! I cannot sell you that box of resistors on your Capacitor License! No, your Maker’s License does not cover resistors and diodes! Yes, MOSFETs and relays need additional insurance because you may be controlling higher voltage and current. Sell you that Arduino without your having a PhD and an MIT competence certificate? Come on Sir, that’s jail time!”

    “Yes, your Honor, I plead guilty to downloading the update from Apple and installing it myself without competent supervision.”

    “Yes, your Honor, I am guilty of knowing Linux!”

    “Your Honor? Does the second amendment not allow me to bear arm processors?”

    From the sublime to the ridiculous, I know, but is this not where this will head?

  11. Lol, “Mirai” has happened not because of users, but because of manufacturers 🙂

  12. I would like to see how changing a transmission or phone screen would open up a system to hackers? I am more worried about Chinese companies putting in built-in spying software in routers and phones than my mechanic changing a light.

  13. Maybe they are afraid that self hacking our devices will expose back doors and such for NSA and other alphabet groups placed by weak willed manufacturers.

    I don’t know how much legislation will help, but if “I fix it” could launch a good campaign to expose manufacturers who refuse to play ball, then people will turn away from those products and those companies will lose market share. In the end that’s all companies understand.

    • Scary thought. I doubt it’s that they’re worried about backdoors from three letter agencies. Maybe worried about the developer/QA backdoors they forgot to strip out before they shipped. 😉

  14. At one time, AT&T prevented any device from being connected to a telephone line if AT&T didn’t do it with one of their own devices. No competition, high prices, and lack of innovation was the result. I heard the same arguments. Customers will screw up the system. Customers don’t know what they’re doing. Etc, etc, etc.
    Finally there was a Supreme Court ruling that started opening it up to third parties and look at the progress we made!

    • Yes – this is a great analog to what big manufacturers are trying to engineer. The problem now is that the DMCA provides a legal framework (anti piracy) for monopolistic behavior – or am I missing something?

  16. The discussion of “security” and connected devices has a giant blind spot. It typically limits itself to the possibility that third parties might break into the device and do harm to the user, while ignoring the likelihood that the manufacturer has designed the device to spy on or mistreat the user. Designing products with malware is common practice today; see https://gnu.org/malware/ for hundreds of specific examples.

    The only way users can rationally trust software is when the users have control over it: that is, when it is free (libre) software. See https://gnu.org/philosophy/free-software-even-more-important.html.

    • Hey Richard – first of all: honored to have you commenting on a SL article! Thanks. I would agree – in addition to the hidden “monitoring” or “reporting” features that may be included, there is also ample evidence of lax security practices (developer back doors), etc. The argument that prohibiting access to things like diagnostic codes or administrative features makes products more secure is prima facie false. We see countless examples in the real world of proprietary products that are woefully insecure and fall prey to hackers – no diagnostic tools needed. I put this point to the SIC representative, but their contention is that manufacturers are “doing much better.” Not sure I see evidence of that, though.
