This is a guest post from Paul Roberts, Publisher & Editor-in-Chief of The Security Ledger and the founder of securepairs.org. It was originally posted on The Security Ledger, which you can view here.
Austin, Texas, is a funny dateline for an op-ed in the Saint Cloud Times, a paper serving a central Minnesota city of 67,000 about 2 hours north of Minneapolis. But this is no accident. The editorial “Keep Repair Secure” hit doorsteps and inboxes in one of the most populous communities in Minnesota, which is one of 20 states where so-called “Right to Repair” legislation is being considered. It is penned by Dr. Earl Crane, a senior cybersecurity fellow at the University of Texas, Austin and an adviser to something called the “Security Innovation Center.”
Let’s take the op-ed in the Saint Cloud Times as an example. The piece concerns pending legislation dubbed the “Fair Repair” bill in Minnesota. If passed, that bill would require original equipment manufacturers (OEMs) that sell digital electronic equipment or parts in the state to make available on “fair and reasonable terms” documentation, parts, tools, and software updates used for “diagnosis, maintenance, or repair” to the device owner and independent repair providers.
The law is very similar to laws pending in states like New York, California, Massachusetts, and New Hampshire. Essentially: these laws formalize the rights of owners to be able to service and repair their own property. They also outlaw repair and service monopolies—just as automotive Right to Repair laws have prevented automakers from using software to lock out independent auto repair shops.
So who’s afraid of the Right to Repair? Lots of people, it turns out. As Security Ledger has reported before: industry groups including CTIA, TechNet, and the Association of Home Appliance Manufacturers (AHAM) are lobbying at state houses against Right to Repair laws in every state where they’re pending.
If you’re a device manufacturer, there is reason for concern: when Massachusetts voters passed a Right to Repair law for automobiles in 2012, it resulted in a memorandum of understanding by auto manufacturers in 2014 to abide by its terms nationally to head off dozens of competing state laws. In other words: success in one state could open the floodgates for digital repair nationally.
As for the Security Innovation Center where Dr. Crane is listed as a Cybersecurity and Privacy Advisor? We wrote last year about that group, which has the backing of many of the same industry groups actively lobbying against Right to Repair laws: CTIA, TechNet, CompTIA, as well as the Entertainment Software Association, CTA (the Consumer Technology Association), NetChoice (an e-commerce industry group) and others.
Right now, the Security Innovation Center appears to have a short roster of experts like Dr. Crane—all with solid technology industry or information security bona fides. Those experts have been putting their names to opinion pieces like “Protect State Consumers Personal Data” in the Albany Times Union and “New Bill would set Dangerous Precedent for Cyber Security” in the Springfield, Illinois State Journal-Register, and “Repairing Consumer Privacy in a Digital World” in the Sacramento Capitol Weekly. And if you’re wondering why they’d target opinion pages in small media markets like Albany, New York, Sacramento, California and Springfield, Illinois rather than huge media markets like New York City and Chicago, then you haven’t been paying attention.
The saddest thing about these arguments is how effective they are. As we noted, in state after state, more or less baseless arguments about the cyber or physical risks of repair have been enough to spook lawmakers into shelving or killing Right to Repair laws.
In some states (like Illinois), these arguments have been persuasive enough to steer Right to Repair legislation into cyber security subcommittees for review and debate, as if the central issue in repair was not consumer rights, but information security. This, despite a lack of any evidence that repair poses a security risk to the public.
The result is something we’re announcing this week: securepairs.org, a group that exists to provide policy makers with accurate information about the information security risks of digital, Internet-connected “stuff.”
There’s a lot of work to do. These arguments, though absurd, are often enough to scare lawmakers away from Right to Repair laws. Though preposterous, to the uninitiated, warnings about safety and security from credentialed professionals sound plausible enough. In any event, the issues are so complicated that they push legislators towards less controversial fare. The result is that ordinary consumers—all of us—pay the price.
Fortunately, we have assembled some of the world’s top experts on our side to counter the FUD with facts. They include one of the most respected voices on the security of the Internet of Things (Bruce Schneier), on secure software and application design (Gary McGraw), on software application security testing (Chris Wysopal), embedded device security (Billy Rios, Joe Grand), and fostering a culture of security (Katie Moussouris).
We’re inviting other like-minded information security professionals to join this esteemed list. In the months ahead, we look forward to speaking facts to FUD and to infusing the debate over Right to Repair laws with an understanding of the real risks posed by insecure, connected devices.