The deadline for NY Governor Kathy Hochul to sign the Digital Fair Repair Act into law is fast approaching. The bill, which passed New York’s legislature in early June, has been awaiting the Governor’s signature for more than six months and will expire at the end of December.
With a little more than a week left for the Governor to sign The Digital Fair Repair Act (S4104A/A07006), I am making public an email I sent to the Governor in early September urging her to pass the Digital Fair Repair Act, and addressing some of the misconceptions and outright untruths foisted upon her office by anti-repair interests including lobbyists for the electronics, telecommunications and home appliance industries.
I urge you to join me in calling on New York’s Governor to sign the Digital Fair Repair Act into law!
The Honorable Kathy Hochul
Governor of New York State
NYS State Capitol Building
Albany, NY 12224
Dear Governor Hochul:
My name is Paul Roberts and I am the founder of SecuRepairs.org, a group of more than 200 of the world’s top cyber security professionals including noted academics, researchers and technology industry executives. I am writing to you on behalf of our members to express our strong support for S4104A/A07006, The Digital Fair Repair Act and to urge you to join with a strong bipartisan majority in the New York Senate and the almost unanimous votes of members of the New York Assembly by signing this bill into law.
Our group would also like to set the record straight on the cybersecurity and data privacy implications of the Digital Fair Repair Act. Statements made in a June letter to you from the lobbying group The Repair Done Right Coalition are inaccurate and misconstrue the impact of the Digital Fair Repair Act on the cybersecurity of covered consumer electronics and other products.
Regarding the cybersecurity risk and the right to repair, here are some key points:
There Is No Cyber Risk In Repair
You have been told by manufacturers and industry lobbyists that digital right to repair bills such as S4104A/A07006 create new cyber security risks that will lead to hacks, data theft and other undesirable outcomes.
Let me be blunt: these claims are simply not true. As the language of the bill makes clear, the Digital Fair Repair Act requires manufacturers that already provide repair information to their authorized repair providers to provide the same information to the owner of a covered device and independent repair providers they may wish to hire.
Looked at another way: manufacturers are arguing that they should be free to share repair information with their business partners, but withhold that same information from the actual owner of the device – all in the name of data privacy? That argument defies logic.
In arguing against S4104A/A07006, opponents also gloss over the inconvenient truth that many authorized repair providers have a poor track record of protecting customer information. A prominent example is the 2016 case in which employees of an Apple authorized repair provider were caught stealing sensitive photos from a customer’s iPhone and posting them to social media sites.
Indeed, OEM claims about the superiority of authorized- over independent repair providers on matters of cybersecurity and data privacy are unsubstantiated. In its 2021 report Nixing the Fix, the Federal Trade Commission noted that “the record contains no empirical evidence to suggest that independent repair shops are more or less likely than authorized repair shops to compromise or misuse customer data.”
Manufacturer flaws – not repair – fuel hacked device epidemic
In arguing against S4104A/A07006, opponents also paint a misleading picture of the security of the Internet of Things. In their telling, device manufacturers are singly focused on device security and have done exemplary work in securing their smart, connected devices before they are sold to the public and deployed. A right to repair, they argue, would spoil that Shangri-La.
Alas, that’s not the reality we live in. Instead, consumers and small businesses today enjoy no “right to repair,” but instead face an epidemic of hacks and compromises of connected electronic devices. As I write, malicious “botnets” composed of hacked home routers, webcams and other devices form vast, global networks that are platforms for denial of service attacks, spam and malicious software distribution.
Rest assured: the hacked devices that make up these IoT botnets were not compromised because cyber criminals read their way through service manuals, scrutinized schematic diagrams or gamed diagnostic software and tools. Rather, home electronics, smart home devices – even vehicles and heavy equipment – roll off assembly lines and ship to customers with exploitable software vulnerabilities. Still more devices are insecure by design or in deployment, with vulnerable communications ports left open by default by manufacturers, and with easy-to-guess default username and password combinations. These are the digital equivalents of unlocked or unlockable doors that malicious actors simply step through.
Repair: Pro-Consumer, Pro-Competition, Pro-Environment
What can you do? On questions of information security and data privacy, we urge you to listen to what cyber security experts, rather than industry lobbyists, have to say! Our members are available to answer any questions you or your staff may have. I have included an email and mobile phone number below if you want to arrange a conversation.
In a world that is increasingly populated by Internet-connected, software-powered objects, a digital right to repair is a vital tool that will extend the life of electronic devices and ensure their safety, security and integrity. S4104A/A07006, the Digital Right to Repair Act, updates longstanding consumer and private property rights for a digital age. It does so just as manufacturers seek to turn hundreds of millions of owners into unwitting tenants of their technology.
Once signed into law, S4104A/A07006 will make New York cities and towns; homes; businesses; and schools longer-lived, more secure and less vulnerable to cyber attacks and other malicious behavior. We, the members of SecuRepairs, urge you to sign S4104A/A07006, The Digital Fair Repair Act, and look forward to passage of this historic legislation.
Paul Roberts, Founder, SecuRepairs.org
paul (at) securepair (dot) org