
FTC Nixes Cybersecurity as Point Against 'Right to Repair'

Agency Found No Evidence Independent Repairs Increase Data Security Risks
Removing the screen on an iPhone 8 (Photo: iFixit/CC)

The "right to repair" movement is gaining momentum. This movement seeks to require manufacturers to offer diagnostic tools, manuals and other resources to allow for third-party or consumer-initiated repairs.


The fact that software is wrapped into everything has made it easier for manufacturers to only allow authorized service providers to access trouble codes and reset systems. Proponents of the movement say manufacturers have made repairs difficult by only offering proprietary diagnostic software to authorized service centers.


This issue has been a particularly pitched battle in agriculture, where farmers and tractor and equipment maker John Deere continue to spar, as noted in this video by Vice.

The FTC's Report

Those advocating the "right to repair" also say manufacturers have made the hardware difficult to work with, for example, by gluing batteries in laptops and using proprietary screws. Overall, those moves by manufacturers have raised the cost of repairs, lowered their quality and narrowed the field of who can do repairs, they contend.

Increasingly, regulators agree. Last week, the U.S. Federal Trade Commission released "Nixing the Fix," an in-depth report on the issues. The report has been submitted to the U.S. Congress and could be used to formulate federal legislation. States could use it as a guide as well.

The FTC's report thoroughly debunks every argument made by industry against more open repair access, says Willie Cade of the web research firm Attack Eye, who's involved in the movement.

The report describes arguments from the technology industry on why the status quo should be maintained. The FTC rejects many points, including cybersecurity risk.

Cybersecurity Issues

A small section of the report is dedicated to how some companies and organizations oppose "right to repair" legislation on the basis of cybersecurity.

The FTC's report says Microsoft told it that "consumers face significant risks when they provide a device containing sensitive personal information to an independent repair shop because the device may contain a user’s pictures, sensitive documents, financial records, emails, passwords and personal contacts."

The FTC says the Computing Technology Industry Association, or CompTIA, argued that "providing diagnostic access to individuals or independent repair shops … may enable a repairer to identify consumer specific information, such as how often a device is used, when the device is used, IP addresses and other information, which could then be commingled with personally identifiable information."

Others weighed in as well. The National Association of Manufacturers contended independent repair shops could inadvertently disable key hardware security features or prevent firmware updates, the FTC report says. And the Association of Home Appliance Manufacturers argued that meddling with devices could leave them "vulnerable to hacking and the downloading of malware."

FTC: No Evidence of Greater Risk

The FTC shot all those arguments down.

"The record contains no empirical evidence to suggest that independent repair shops are more or less likely than authorized repair shops to compromise or misuse customer data," the FTC writes. "Furthermore, although access to certain embedded software could introduce new security risks, repair advocates note that they only seek diagnostics and firmware patches."

Kyle Wiens, the founder of the do-it-yourself site iFixit.com, says the FTC sums it up well.

"There is no evidence that independent repair provides a greater or lesser threat to information security than branded manufacturer repair," Wiens says. "The product is as secure as it was designed to be, and repair technicians do not influence that."

The FTC contends that giving the same parts and tools to independent shops could actually raise confidence that they'll do a good job with repairs.

"With appropriate parts and repair information, the record supports arguments that consumers and independent repair shops would be equally capable of minimizing cybersecurity risks as are authorized repairers," the FTC report says.

The report could influence many states that are considering "right to repair" legislation.

As many as 20 states introduced such legislation in 2019, although work on those measures stalled last year due to the pandemic. But legislative activity on the issue appears to be ready to pick up this year. A chart and tracker from Repair.org, an advocacy group, shows the states with active bills.

Massachusetts has long led the charge on this issue. In 2013, a law took effect that required vehicle manufacturers to provide independent shops the ability to access diagnostic data. The law was amended last year to require vehicle manufacturers to use telematics systems with a standardized open data platform so independent repairers can get access to mechanical data and diagnostics with a mobile app.

Many believe "right to repair" laws are the equivalent of a consumers' bill of rights for the electronic age. The laws would assign more rights to owners of devices and perhaps eliminate or reduce legal risks in the U.S. under the Digital Millennium Copyright Act for altering devices.

There's much at stake in this battle - whether we can control our devices or our device manufacturers can control us.



About the Author

Jeremy Kirk


Managing Editor, Security and Technology, ISMG

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.



