A grassroots movement to win a legal right to repair digital devices arrived at DEF CON in Las Vegas on Saturday with a message for an estimated 30,000 attendees: ‘fight for repair.’
The panel of five right to repair advocates, including this author,* told attendees to get behind state-level efforts to pass digital right to repair laws before restrictions put in place by electronics and equipment manufacturers jeopardize both repair and security research.
“It took 10 years for the auto (repair) coalition to pass their right to repair bill,” Kyle Wiens of the repair site iFixit.com told attendees. “We need to get this done in the next few years before there is too much money on the other side.”
Discussing the Ethics of Repair
The panel, Void if Removed: Securing our Right to Repair, came just days after Apple encountered criticism for disabling monitoring features for replacement batteries in its iPhones. Advocates for digital right to repair noted that controversy and warned DEF CON attendees on Saturday that device makers are increasingly turning to such restrictions to hamper repairs and servicing by device owners and independent repair professionals. Software controls that reject “unauthorized” repairs or degrade device behavior or performance as punishment turn the concept of ownership on its head and could make future security research on connected devices impossible, panel members agreed.
The panel took place in the DEF CON Ethics Village and brought together experts on repair, electronics and policy. Panelist Joe Grand of Grand Idea Studio, an electronics expert best known for designing the DEF CON conference badges, told attendees that electronics and technology manufacturers have become increasingly hostile to repair, modification and tinkering. Electronics products that came with service manuals and schematics in the past no longer do. The result has been to stifle a culture of “do it yourself” and local repair, Grand said.
Employees and even executives at original equipment manufacturers (OEMs) may individually support the idea of a ‘right to repair,’ said Tarah Wheeler, a Cybersecurity Fellow at the New America Foundation, another panelist. However, concerns about everything from product liability lawsuits to corporate profitability create perverse incentives that shape their behavior and decision making within those organizations, she said. Those perverse incentives beget features designed to constrain repair, compel user behavior or lock in customer relationships, she said.
A Sympathetic Ear
Panelists found a sympathetic audience. Polls of audience members showed the DEF CON attendees almost universally agreed that repairing devices like iPhones (with or without manufacturer supplied parts) was “ethical.” So too was modifying devices like iPhones to serve entirely different purposes than those for which they were designed. Audience members spoke about frustrations with everything from smartphone repairs to software-based limits in medical devices such as blood glucose monitors.
The number and diversity of software-based devices that are working their way into homes and businesses is astounding. However, consumer protection laws have not kept pace with the change, Nathan Proctor, the head of the right to repair campaign at the U.S. Public Interest Research Group (US-PIRG), told attendees. Still, any changes to consumer protection and safety laws should be pushed by and responsive to the needs of consumers, not corporations, Proctor said.
Representatives working for the consumer electronics, telecommunications and technology industries have raised a wide range of objections to right to repair laws proposed in the states. The laws require manufacturers that offer diagnostic software and parts to authorized repair shops to make the same tools and parts available to device owners and independent repair providers as well. The laws are modeled on an automobile right to repair law enacted in Massachusetts in 2012.
In an FTC Workshop focused on repair restrictions in July, Dr. Earl Crane of the technology industry-backed anti-repair group the Security Innovation Center said right to repair laws would “force” manufacturers to open their products, violating what Crane called the products’ “integrity model” – a term he did not define. That would break the “chain of trust” in a digital ecosystem and make security features less effective, Crane argued.
In an interview with Security Ledger, Wiens of iFixit said DEF CON, with its hacking “villages” focused on everything from cars and Internet of Things devices to airplanes, was a natural ally of the right to repair movement. “It’s about learning how the things in our lives work,” he said. “Back in the day when they designed them, maybe they knew how they worked, but now nobody does unless we figure it out.”
Still, he worried that the security researchers, tinkerers and hackers at DEF CON are unaware of how their work is constrained by manufacturers. “They have to work with the tools that are out there,” said Wiens. “What they don’t realize is that there’s a whole set of diagnostic tools manufacturers haven’t shared with anybody.” That could pose a security risk, he said. “The concern would be that the bad guys already have these diagnostic tools, but everybody else doesn’t.”
DEF CON and Black Hat have seen visits from a growing number of U.S. lawmakers, executives and manufacturers who are looking to tap the expertise in the information security community for causes ranging from national defense to product design. But Proctor of US-PIRG said OEMs want it both ways: “They want to capitalize on the natural curiosity that allows (DEF CON attendees) to become experts in these things. But at the same time they have incredible hostility towards a community they don’t control exercising that curiosity,” he said.
DEF CON attendees were urged to engage in state-level efforts to pass digital right to repair laws, including Securepairs.org, a group of information security professionals who support right to repair laws. Twenty such laws were proposed in 2019. So far, however, none have been brought to a floor vote in any state capitol. This year, only two are still being considered by lawmakers: in Massachusetts and New York.
(*) Security Ledger Editor in Chief Paul Roberts organized and took part in the DEF CON panel. Additionally, Paul founded the group securepairs.org to organize information security professionals to advocate for the passage of right to repair laws proposed in 20 states.