A trend that has caught the eye of legal observers within the security industry in recent years has been the introduction of so-called “Right-to-Repair” legislation in a number of states.
By and large, these bills are intended to give consumers the ability to have their automobiles, appliances and other devices repaired by someone other than the original manufacturer by requiring said manufacturers to provide independent repair shops the tools and information they need to make necessary fixes. However, many of the bills that have been introduced in state legislatures are very broad in nature and could potentially raise of a number of issues for security equipment manufacturers.
The Security Industry Association (SIA) has been actively monitoring right-to-repair bills in several states and has recently begun to voice its concerns about them. In fact, earlier this week, Joseph Hoellerer, Manager of Government Relations for SIA, testified before the Vermont Senate Committee on Economic Development, Housing & General Affairs in opposition to S. 180, known as the Vermont Fair Repair Act.
According to SIA, the bill would require OEMs to disclose proprietary source code, diagnostic and repair information to independent repair providers, which the organization contends would jeopardize the security and cybersecurity of certain products and also void related warranties intended to protect consumers.
“Most (security) OEMs have authorized repair providers who go through rigorous training to ensure that they are knowledgeable, qualified and well-trained to service their specific product line,” Hoellerer explains. “Those authorized repair shops are small businesses, so they certainly like working with the manufacturer and having that steady stream of business.”
With regards to the Vermont bill, in particular, Hoellerer says there is nothing in it that would prevent independent repair providers from publishing proprietary source code or encryption keys to the general public. Additionally, Hoellerer says there are unaddressed liability concerns with the bill.
“Hypothetically speaking, let’s say this bill becomes law and a homeowner goes to an independent repair provider instead of the OEM with their security system,” Hoellerer says. “What happens if the reinstalled security system malfunctions and the consumer wants to take legal action? Where does the liability lie? Does it lie with the independent repair provider who fixed the equipment or does it lie with the OEM who originally made the equipment? In my opinion, the legislation does not adequately address that question.”
Despite the concerns raised by SIA, Gay Gordon-Byrne, Executive Director of The Repair Association, an organization that advocates for the adoption of right-to-repair legislation, says neither the Vermont bill nor any of the similar measures that have been introduced across the country ask manufacturers to reveal source code or trade secrets.
“Everything requested is already distributed to repair technicians only for the purposes of repair and is therefore already in distribution,” she says. “Firmware is required for purposes of backup and restore, but that’s not the same as tinkering with source code. ‘Tinkering’ with software remains under the control of the U.S. Copyright Office even if semantically incorrect.”
There is also the issue of product warranties, as many manufacturers have historically reserved the right to void such a warranty if the device in question is opened by anyone other than an authorized repair provider. “It puts a cloud of uncertainty around what would happen to warranties if the repair doesn’t go through the OEM or their certified repair provider,” Hoellerer says.
However, Gordon-Byrne contends that under federal law, product warranties cannot be voided by right-to-repair measures. “The Magnuson-Moss Warranty Act prevents consumers from losing warranty coverage by using either non-OEM original parts or by using independent repair,” she explains. “Further – as a practical matter – consumers nearly always take advantage of in-warranty repairs during the warranty period. Most independent repair is for equipment long out of warranty.”
According to Hoellerer, this type of legislation originated in Massachusetts – which enacted a law several years ago focused on the automotive industry, requiring car makers to disclose repair information to independent auto repair shops. States have subsequently sought to build on that by including other industries, including agriculture (farmers being allowed to repair their own tractors) and now consumer electronics.
In addition to Vermont, bills have been introduced in 13 other states pertaining to the right to repair digital electronics, including: Hawaii, Iowa, Massachusetts, Minnesota, Missouri, North Carolina, Nebraska, New Hampshire, New Jersey, New York, Tennessee, Virginia, and Washington.
Although none of these bills have yet been enacted, the Washington measure has made significant progress this year. According to Hoellerer, the bill, H.B. 2279, has been passed by the House Technology & Economic Development Committee; however, it must be approved by the full House by the middle of this month or it will be effectively dead for this legislative period.
While the security industry has been able gain special exceptions to certain pieces of legislation in the past – such as exemptions for energy use restrictions on things like security and fire alarms systems – Hoellerer says that doesn’t appear to be in the offing in these right-to-repair bills.
“Most of the exemptions we’ve seen deal with medical device manufacturers given the criticality of their equipment,” he says. “We’ve seen some that exempt cars and automotive equipment, but as far as security, I think it would be difficult for us to be exempt.”
Hoellerer says the closest thing he has seen to an exemption for the security industry is an amendment adopted in the Washington bill that narrows the scope by defining electronic equipment as including, but limited to: cellphones, tablets, computers, etc.
“At first glance you may think, ‘oh, that’s a consumer device,’ but we know most of our equipment is managed through a tablet, smartphone or computer,” Hoellerer explains. “I asked but didn’t get a sufficient answer: Would the OEM still be forced to disclose all of that proprietary information by virtue of the fact their security equipment is managed and connected through a tablet?”
Due to the sensitive nature of security devices, Gordon-Byrne says the language of right-to-repair bills is intended to allow for such products to have a controlled point of access for independent repair. However, because much of language is rooted in the automotive industry relative to car locks, she says they would like to work with SIA and other organizations to help improve this for things like physical security systems.
The good news for the security industry is that as of now, passage of any of these aforementioned bills doesn’t seem imminent. Hoellerer says that dialog between lawmakers and stakeholders across multiple industries will likely continue before any of the measures become law.
“I think we’re going to continue to see more communication with public officials across all states to ensure they are educated and well-equipped in understanding how these bills could hurt manufacturers across all sectors,” he says. “SIA is going to continue to testify in opposition to as many of these bills as we can and continue to meet with legislators and introduce them to the security industry. While this bill appears aimed at consumer electronics, it will hurt other sectors as well.”
Speaking of continuing the fight, Hoellerer will be testifying next week (Feb. 13) before the New Hampshire House Commerce and Consumer Affairs Committee in opposition to another right-to-repair bill, H.B. 1733.
About the Author:
Joel Griffin is the Editor-in-Chief of SecurityInfoWatch.com and a veteran security journalist. You can reach him at [email protected].