Security Experts Unite Over the Right to Repair
Credit to Author: Louise Matsakis| Date: Tue, 30 Apr 2019 13:51:14 +0000
Two years ago, as Nebraska was considering a “right to repair” bill designed to make it easier for consumers to fix their own gadgets, an Apple lobbyist made a frightening prediction. If the state passed the legislation, it would turn into a haven for hackers, Steve Kester told then-state senator Lydia Brasch. He argued the law would inadvertently give bad actors the opportunity to break into devices like smartphones. The bill was later shelved, in part because of industry pressure.
Now, with right-to-repair legislation gaining traction across the country, a new nonprofit advocacy group called Securepairs.org wants to push back against that kind of messaging, arguing instead that devices can be both easy to fix and secure. Democratic presidential candidate Elizabeth Warren recently proposed a national right-to-repair law, and the Federal Trade Commission is holding a hearing on the issue in July. More than a dozen states are also considering right-to-repair bills, including Apple’s home state of California, which will hold a hearing on its version today.
They plan to arrange for expert witnesses to testify at legislative hearings across the country.
Repair advocates say manufacturers have increasingly used restrictive warranties, digital locks, and more to make it hard, or in some cases even impossible, for consumers to fix everything from iPhones to John Deere tractors. To fix the problem, right-to-repair bills often mandate companies release manuals and diagnostic software, as well as sell replacement parts and repair tools to the public so device owners and third-party technicians can find problems and do repairs more easily. The laws are designed to foster competition in the repair industry, as well as benefit the environment, since people may simply buy a new device if they can’t get it fixed.
Securepairs.org, founded by technology journalist Paul Roberts, has attracted the support of more than 20 security experts, including Harvard University security technologist Bruce Schneier, bug bounty expert Katie Moussouris, and ACLU technologist Jon Callas. They plan to arrange for expert witnesses to testify at legislative hearings across the country in an effort to convince lawmakers that the right to repair is inherently safe.
Roberts created Securepairs.org after he noticed industry groups drumming up fear about the potential security “risks” associated with the right to repair. Last year, a newly formed lobbying group called the Security Innovation Center began placing op-eds in local newspapers like the Minnesota St. Cloud Times and the Illinois State Journal-Register advocating against right-to-repair bills in those states. The articles often argued, without much evidence, that the proposed laws would allow hackers to steal people’s personal information and sow chaos.
“At first it was kind of ridiculous, but then we started realizing that, no, they’re really scaring people,” says Nathan Proctor, the director of the right-to-repair campaign at US PIRG, a liberal advocacy organization.
In a statement, Josh Zecher, executive director of the Security Innovation Center, said, “We welcome any group that is focused on ensuring that consumers have access to safe and secure repair.” But he also argued that current right-to-repair legislation offers “significant opportunities for hackers to steal personal information, putting consumers at risk of losing money, privacy, and safety.” Zecher didn’t answer a question about who funds the group, but Security Innovation Center lists a number of organizations that represent the technology industry on its website as partners.
Securepairs.org believes instead in the notion that there’s no such thing as security through obscurity; a robust system will still be secure even if people know how it works. Releasing repair manuals and spare parts shouldn’t undermine an already sound smartphone. The group even takes the idea one step further, arguing that right-to-repair laws would make devices more safe by allowing consumers to quickly replace failing parts or update buggy software. For example, John Deere tractors often can be updated only by licensed technicians. Farmers who can't afford to wait have resorted to hacking into their tractors with black-market firmware, a far less safe option than, say, using diagnostic tools John Deere could release itself.
Roberts and his organization are up against an industry with deep pockets, and it’s hard to know how well they will succeed in persuading lawmakers to enact right-to-repair initiatives. So far, only one repair law, targeting the auto industry, has passed in the US, in Roberts’ home state of Massachusetts in 2012. But the bill had an outsize impact: After it was put in place, major car manufacturers agreed to share repair information with independent mechanics across the entire country.
The hope now is that Securepairs.org could help bring similar legislation to other places, starting with California. It's an enormous state and the home of many of America's largest technology companies. This is the second time California has tried introducing a right-to-repair bill; a previous effort failed last year. A representative from the Security Innovation Center is set to testify at the hearing, but so are experts who believe the right to repair won’t pose any security risks to be worried about.
https://www.wired.com/category/security/feed/