Introducing Fighting Infosec FUD for the Right to Repair

Cybersecurity luminaries including Bruce Schneier, Gary McGraw, Joe Grand, Chris Wysopal and Katie Moussouris are backing, countering industry efforts to paint proposed right to repair laws in 20 states as a cyber security risk.

Austin, Texas is a funny dateline for an op-ed in the Saint Cloud Times, a paper serving a central Minnesota city of 67,000 about 2 hours north of Minneapolis. But this is no accident. The editorial “Keep Repair Secure” hit doorsteps and inboxes in one of the most populous communities in Minnesota, which is one of 20 states where so-called “right to repair” legislation is being considered. It is penned by Dr. Earl Crane, a senior cybersecurity fellow at the University of Texas, Austin and an adviser to something called the “Security Innovation Center.”

In recent months, Dr. Crane has emerged as one of a number of experts speaking for electronic device makers where- and whenever right to repair legislation is the topic: on radio shows, online, and in print.

Let’s take the op-ed in the Saint Cloud Times as an example. The piece concerns pending legislation dubbed the “Fair Repair” bill in Minnesota. If passed, that bill would require original equipment manufacturers (OEMs) that sell digital electronic equipment or parts in the state to make available on “fair and reasonable terms” documentation, parts, tools and software updates used for “diagnosis, maintenance or repair” to the device owner and independent repair providers.

Who’s afraid of Fair Repair?

As dozens of bills make their way through legislative committees in the states, Dr. Crane’s op-ed highlights the extent to which fears of hacking and data theft have become the point of the spear in efforts by the high tech, electronics and telecommunications industries (among others) to derail pro-consumer right to repair bills.

A volunteer works to repair a digital camera at a FixIt Clinic outside Boston. (Image courtesy of Paul Roberts)

The law is very similar to laws pending in states like New York, California, Massachusetts and New Hampshire. Essentially: these laws formalize the rights of owners to be able to service and repair their own property. They also outlaw repair and service monopolies – just as automotive right to repair laws have prevented automakers from using software to lock out independent auto repair shops.

So who’s afraid of the right to repair? Lots of people, it turns out. As Security Ledger has reported before: industry groups including CTIA, TechNet and the Association of Home Appliance Manufacturers (AHAM) are lobbying at state houses against right to repair laws in every state where they’re pending.

If you’re a device manufacturer, there is reason for concern: when Massachusetts voters passed a right to repair automobiles in 2012, it resulted in a memorandum of understanding by auto manufacturers in 2014 to abide by its terms nationally to head off dozens of competing state laws. In other words: success in one state could open the flood gates for digital repair nationally. That’s a good thing for consumers and small business owners, not so much for companies like Apple or Samsung that want to limit competition for repair and servicing of their devices.

As for the Security Innovation Center where Dr. Crane is listed as a Cybersecurity and Privacy Advisor? We wrote last year about that group, which has the backing of many of the same industry groups actively lobbying against right to repair laws: CTIA, TechNet, CompTIA as well as the Entertainment Software Association, CTA (the Consumer Technology Association), NetChoice (an e-commerce industry group) and others.

Right now, the Security Innovation Center appears to have a short roster of experts like Dr. Crane – all with solid technology industry or information security bona fides. Those experts have been putting their names to opinion pieces like “Protect State Consumers Personal Data” in the Albany Times Union and “New Bill would set Dangerous Precedent for Cyber Security” in the Springfield, Illinois State Journal-Register, and “Repairing Consumer Privacy in a Digital World” in the Sacramento Capitol Weekly. If you’re wondering why they’d target opinion pages in small media markets like Albany, New York, Sacramento, California and Springfield, Illinois rather than huge media markets like New York City and Chicago, then you haven’t been paying attention.

Introducing infosec pros supporting right to repair

The saddest thing about these arguments is how effective they are. As we noted, in state after state, more or less baseless arguments about the cyber – or physical – risks of repair have been enough to spook lawmakers into shelving or killing right to repair laws. (Listen to this SL podcast interview with Kyle Wiens of iFixit about the challenges facing right to repair in the states.)

In some states, these arguments have been persuasive enough to steer right to repair legislation into cyber security subcommittees for review and debate, as if the central issue in repair was not consumer rights, but information security. This, despite a lack of any evidence that repair poses a security risk to the public.

What’s needed, clearly, is for the information security community to weigh in. Policy makers need an infusion of accurate information about the real cyber risks to connected, electronic devices so they can make sense of the long-running debate surrounding right to repair. That’s why, in the last couple months, I’ve been working steadily to rally the information security community around this problem.

The result is something we’re announcing this week:, a group that exists to provide policy makers with accurate information about the information security risks of digital, Internet-connected “stuff.”

There’s a lot of work to do. These arguments, though absurd, are often enough to scare lawmakers away from right to repair laws. Though preposterous, to the uninitiated, warnings about safety and security from credentialed professionals sound plausible enough. In any event, the issues are so complicated that it pushes legislators towards less controversial fare. The result is that ordinary consumers – all of us – pay the price. encompasses a set of common principles. Namely: that repair and re-use are rights of owners. Second, that there is no security through obscurity. Third: that repair fosters greater security. Fourth: that true security is by design. Finally, that we must make laws and govern ourselves with facts not FUD.

We have assembled some of the world’s top experts on our side to counter the FUD with facts. They include one of the most respected voices on the security of the Internet of Things (Bruce Schneier), on data security and privacy (Jon Callas), secure software and application design (Gary McGraw), on software application security testing (Chris Wysopal), embedded device security (Billy Rios, Joe Grand), and fostering a culture of security (Katie Moussouris). Our ask: be a voice of reason in the debate over a digital right to repair. We need their voices in the needed conversation about the (very real) security issues with connected, “smart” devices – and about the many security benefits of the kinds of requirements encapsulated in right to repair bills.

As of today, we’re inviting other like-minded information security professionals to join this esteemed list. In the months ahead, we look forward to speaking facts to FUD and to infuse the debate over right to repair laws with an understanding about the real risks posed by insecure, connected devices.

Check out our website and our full list of supporters. If you’re an information security professional and want to help support right to repair laws in your state or nationally, do us a favor and sign up to be a supporter!

Paul F. Roberts, Editor and Publisher
The Security Ledger