While right-to-repair legislation is being taken up in dozens of states across the U.S., two industry groups want the federal government to provide even more help on loosening up the repair guidelines.
The U.S. Public Interest Research Group Education Fund and iFixit have petitioned the Federal Trade Commission (FTC) to take a more active role in the RTR fight by creating rules governing consumers’ rights repair their own devices or have a contractor of their choice do so.
Advocates for the petition say the FTC’s rulemaking powers are different than legislation. They want the FTC to create rules that will force manufacturers to stop making design choices that allegedly create barriers to consumer repair, such using adhesives, requiring parts that are hard to obtain, or requiring specialty tools not commonly accessible to the public to repair a device.
The FTC is taking public comments on the petition through Feb. 2, and as of this week more than 500 comments have already been submitted.
The Security Industry Association said it plans to continue working with parties to hopefully avoid any policies that might be harmful to the industry’s interests.
Colby Williams, Associate Director of Government Relations for the Security Industry Association (SIA), said the association has and will continue to engage in any states or federal agencies where broad right-to-repair efforts are being proposed in an effort to educate officials on the safety and security risks, “as well as advocating for clear exclusions of security and life safety devices and products from any right-to-repair provisions.
“While we understand this is a complex issue being pushed with the best of intentions, these bills could have drastic unintended consequences and compromise the safety and security of individuals and businesses which rely on electronic security systems,” Williams said.
“We have seen substantial success tabling these measures in a long list of states with the only 3 states to have adopted right to repair (New York, Minnesota and California) having included provisions added to protect our industry’s products in response to our concerns. So far in 2024 we are seeing some right-to-repair proposals that include these provisions from the get-go.
“SIA will continue to work with industry leaders, allied organizations, and lawmakers address the risks posed by right-to-repair provisions which do not adequately address our security and life safety concerns.”
Exemption Required
The Monitoring Association and its related advocacy entity, the Alarm Industry Communications Committee, are also analyzing the petition. In general, TMA and AICC do not oppose expanded consumer repair options.
“However, any such regulations must create an exemption for alarm systems and related security devices,” said John Prendergast, an attorney representing AICC.
He noted that if alarm device manufacturers and service providers had to disclose passwords, access codes, schematics and other sensitive information under right to repair regulations, “consumers who invested in safeguarding their homes and businesses would become vulnerable, while at the same time public safety would be endangered from the threat of fires, medical emergencies and other life-threatening issues.
“Consumer-minded states such as New York and California have recognized this serious issue and included an alarm exemption in their recently enacted right-to-repair legislation,” Prendergast said.
FTC Leaning into RTR?
It appears the FTC may be amenable to getting more involved, after releasing a report in 2021 – Nixing the Fix: An FTC Report to Congress on Repair Restrictions – outlining anti-competitive practices being used in repair markets. The report was requested by Congress.
The FTC’s report asserts manufacturers say repair restrictions often arise from their “desire to protect intellectual property rights and prevent injuries and other negative consequences resulting from improper repairs,” the report says.
Manufacturers also believe that repair restrictions protect consumers from cybersecurity risks. In the report, Microsoft explained that consumers face significant risks when they provide a device containing sensitive personal information to an independent repair shop because the device may contain a user’s pictures, sensitive documents, financial records, emails, passwords, and personal contacts.
Furthermore, Microsoft noted that individuals and independent repair shops that conduct repairs could compromise the embedded hardware security technology that manufacturers use to protect user data and ensure that device integrity is maintained during boot up.
Individuals and independent repair shops can introduce new security risks by inadvertently disabling key hardware security features or preventing firmware or software from accepting or installing updates, they added.
Security consultant Earl Crane similarly remarked in the report that, “mandating design decisions runs in direct contradiction of policies that focus on manufacturer accountability."
At the time the report was released, the FTC indicated it will pursue appropriate law enforcement and regulatory options to address unlawful repair restrictions, as well as consumer education, “consistent with our statutory authority.
“The Commission also stands ready to work with legislators, either at the state or federal level, to ensure consumers have choices when they need to repair products that they purchase and own."
Can Independents Do the Work?
The FTC added there is no empirical evidence on record to suggest that independent repair shops are more or less likely than authorized repair shops to compromise or misuse customer data.
Furthermore, although access to certain embedded software could introduce new security risks, repair advocates note that they only seek diagnostics and firmware patches.
Gay Gordon-Byrne, Executive Director of The Repair Association, said replacing a part on a device with an identical OEM part or functionally equivalent aftermarket part is unlikely to create a cybersecurity risk.
Some are calling for a label on products or other types of initiatives to outline the repairability of devices.
Gary McGraw, Vice President of Security Technology at Synopsys, said in the report that consumers are “woefully misinformed” about repairability in devices. He serves as a security researcher with Securerepairs.org, an organization of information (“cyber”) security professionals who support the right to repair.
Earl Crane, a security advisor with the Security Innovation Center and former Director for Federal Cybersecurity Policy for the White House, said consumers can only make buying choices based on repairability if they are aware of how easily a product can be fixed.
John Dobberstein is managing editor of SecurityInfoWatch.com and oversees all content creation for the website. Dobberstein continues a 34-year decorated journalism career that has included stops at a variety of newspapers and B2B magazines.
