Security Experts Unite Over the Right to Repair


Two years ago, as Nebraska was considering a “right to repair” bill designed to make it easier for consumers to fix their own gadgets, an Apple lobbyist made a frightening prediction. If the state passed the legislation, it would turn into a haven for hackers, Steve Kester told then-state senator Lydia Brasch. He argued the law would inadvertently give bad actors the opportunity to break into devices like smartphones. The bill was later shelved, in part because of industry pressure.

Now, with right to repair legislation gaining traction across the country, a new nonprofit advocacy group called Securepairs.org wants to push back against that kind of messaging, arguing instead that devices can be both easy to fix and secure. Democratic presidential candidate Elizabeth Warren recently proposed a national right to repair law, and the Federal Trade Commission is holding a hearing on the issue in July. Over a dozen states are also currently considering right to repair bills, including Apple’s home state of California, which will hold a hearing on its version Tuesday.

Repair advocates say manufacturers have increasingly used restrictive warranties, digital locks, and more to make it hard, or in some cases even impossible, for consumers to fix everything from iPhones to John Deere tractors. To fix the problem, right to repair bills often mandate companies release manuals and diagnostic software, as well as sell replacement parts and repair tools to the public so device owners and third-party technicians can find problems and do repairs more easily. The laws are designed to foster competition in the repair industry, as well as benefit the environment, since people may simply buy a new device if they can’t get it fixed.

Securepairs.org, founded by technology journalist Paul Roberts, has already attracted the support of more than 20 security experts, including Harvard University’s Bruce Schneier, bug bounty expert Katie Moussouris, and ACLU technologist Jon Callas. They plan to arrange for expert witnesses to testify at legislative hearings across the country, in an effort to convince lawmakers that right to repair is inherently safe.

Roberts created Securepairs.org after he noticed industry groups drumming up fear about the potential security “risks” associated with right to repair. Last year, a newly formed lobbying group called the Security Innovation Center began placing op-eds in local newspapers like the Minnesota St. Cloud Times and the Illinois State Journal-Register advocating against right to repair bills in those states. The articles often argued, without much evidence, that the proposed laws would allow hackers to steal people’s personal information and sow chaos.

“At first it was kind of ridiculous, but then we started realizing that, no, they’re really scaring people,” says Nathan Proctor, the director of the right to repair campaign at US PIRG, a liberal advocacy organization.

In a statement, Josh Zecher, the executive director of the Security Innovation Center, said that “we welcome any group that is focused on ensuring that consumers have access to safe and secure repair.” But he also argued that current right to repair legislation offers “significant opportunities for hackers to steal personal information, putting consumers at risk of losing money, privacy, and safety.” Zecher didn’t answer a question about who funds the group, but Security Innovation Center lists a number of organizations that represent the technology industry on its website as partners.

Securepairs.org believes instead in the notion that there’s no such thing as security through obscurity; a robust system will still be secure even if people know how it works. Releasing repair manuals and spare parts shouldn’t undermine an already sound smartphone. The group even takes the idea one step further, arguing that right to repair laws would make devices more safe, by allowing consumers to quickly replace failing parts or update buggy software. For example, John Deere tractors can often only be updated by licensed technicians. Farmers who can't afford to wait have resorted to hacking into their tractors with black market firmware, a far less safe option than, say, using diagnostic tools John Deere could release itself.

Roberts and his organization are up against an industry with deep pockets, and it’s hard to know how well they will succeed in convincing lawmakers to enact right to repair initiatives. So far, only one repair law, targeting the auto industry, has passed in the US, in Roberts’ home state of Massachusetts in 2012. But the bill had an outsized impact: After it was put in place, major car manufacturers agreed to share repair information with independent mechanics across the entire country.

The hope now is that Securepairs.org could help bring similar legislation to other places, starting with California. It's an enormous state, and the home of many of America's largest technology companies. This is the second time California has tried introducing a right to repair bill, after a previous effort failed last year. A representative from the Security Innovation Center is set to testify at the hearing, but so are experts who believe right to repair won’t pose any security risks to be worried about.
