SecuRepairs (pron: “Secure Repairs”), a group of more than 300 information technology and information security professionals who support a legal right to repair, celebrates the passage and signing into law of the Digital Fair Repair Act in Minnesota, the nation’s most comprehensive state right to repair legislation to date.
“This is a huge victory for Minnesota families, small businesses, communities and consumers,” said Paul Roberts, the founder of SecuRepairs and a board member at The Repair Coalition. “Minnesota is the North Star state, and on the critical issue of whether consumers have the legal right and the ability to repair and maintain their own property, Minnesota’s legislators and governor have shown us the way forward!”
The Digital Fair Repair Act was signed into law by Minnesota Governor Tim Walz on Wednesday, May 24th as part of an omnibus bill (SF 2774) which passed Minnesota’s legislature with strong, bipartisan support in both chambers on May 17th. Article 4, Section 11 of the bill contains language guaranteeing Minnesotans the right to repair all electronics except farm and construction equipment, video game consoles, specialized cybersecurity tools, motor vehicles and medical devices, according to the language of the bill. The new law will go into effect on July 1, 2024.
SecuRepairs would like to thank Governor Walz for his signature as well as Minnesota state Rep. Peter Fischer and state Sen. Rob Kupec for their tireless work promoting and championing the Digital Fair Repair Act. Without their determined efforts and the support of groups on the ground such as PIRG, the Repair Coalition, countless local repair professionals, environmental advocates and others, it is unlikely the Digital Fair Repair Act would have become law.
SecuRepairs: fighting cyber FUD about repair
As it has done in statehouses across the U.S., SecuRepairs testified in favor of the bill and sought to help Minnesota legislators understand the true nature of cyber risks to smart, electronic devices.
In Minnesota, SecuRepairs members explained to legislators that right to repair laws merely require manufacturers to share with device owners and independent repair professionals the same tools, parts and information they already widely distribute to their business partners (authorized repair providers).
We also described how attacks on smart, connected devices are fueled by vulnerable and poorly configured software distributed by manufacturers, rather than by leveraging repair information and tools like schematic diagrams, service manuals and diagnostic software. As such, the laws do not create new cybersecurity risks but do help consumers, small businesses, communities and governments by fostering a robust, functioning marketplace for service and repair of smart, connected devices.
A Minnesota carve out for cybersecurity? No…and yes.
Our expert testimony helped debunk misinformation about cyber risk and repair spread by major technology- and other industry lobbying groups that opposed the Minnesota Digital Fair Repair Act. As passed by Minnesota’s legislature, the law includes language that will prevent manufacturers from sidestepping compliance with it by invoking “cybersecurity.” Parts, documentation, or tools “related to cybersecurity” are not exempted from the law when they are “necessary for the repair or maintenance of equipment,” the law reads.
However, opponents of the Digital Fair Repair Act were successful in adding vague language to the final wording of the Minnesota legislation that exempts original equipment manufacturers from having to make available “parts, documentation, or tools related to cybersecurity” which could “reasonably be used to compromise cybersecurity or cybersecurity equipment.” A broad reading of that language could enable manufacturers to misconstrue any type of information necessary to operate or service a device – from software updates to administrative credentials – as potentially furthering cyber attacks.
Still, SecuRepairs is optimistic that Minnesota’s Attorney General, who is charged with enforcing the terms of the Digital Fair Repair Act, will interpret the meaning of this language in a way that reflects the true nature of cyber risks to connected devices, and recognizes the clear intent of the bill to foster user- and independent repair for the benefit of consumers and businesses.
Smartphones: ‘critical infrastructure’? ¯\_(ツ)_/¯
More concerning is an exemption in the law for “information technology equipment that is intended for use in critical infrastructure, as defined in United States Code, title 42, section 5195c(e).” That part of federal law defines “critical infrastructure” as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” That’s broad language.
What practical effect will this language have? It is unclear. Manufacturers may attempt to invoke it to avoid compliance with the Digital Fair Repair Act, arguing that a wide range of technologies – from routers and switches used by businesses to consumer cell phones – meet the federal definition of critical infrastructure. Here again, we expect that Minnesota’s Attorney General will demand that manufacturers asking for such exemptions produce concrete evidence and examples of critical infrastructure attacks stemming from the sharing of information, parts and tools needed for repair.
Those will be hard to come by. Examples of repair restrictions that harm our national security are not, however. There have been numerous reports in recent years about the ways that OEM monopolies on repair and service are hampering the readiness of the U.S. Military and the smooth operation of hospitals and critical care centers.
SecuRepairs believes Minnesota lawmakers saw through the fear, uncertainty and doubt (FUD) foisted upon them by industry lobbyists to grasp that larger truth, as well. Our members look forward to implementation of the Digital Fair Repair Act in Minnesota and hope that the success of right to repair advocates in Minnesota, after a similar victory in New York in December, prompts other states considering right to repair legislation to also move forward.
SecuRepairs (pron: “Secure Repairs”) is a group representing more than 300 information security (cybersecurity) and information technology (IT) professionals who support the right to repair. Founded in 2017, SecuRepairs is a platform for cyber and IT pros to dispel fear, uncertainty and doubt (FUD) about right to repair laws and speak with one voice in support of a common Statement of Principles in the ongoing, national conversation about the rights of owners and independent repair professionals.
email: paul (at) securepairs (dot) org
mobile/signal: +1 617 817-0198