Even before we were a country, the United States was a nation of tinkerers, innovators, and fixers. The right of owners to repair, re-use, fix, modify, and improve the stuff they own is central to our identity as a nation. For three centuries, an implicit right to repair – grounded in Common Law – has been central to our growth and development as a nation. It was the foundation for American “thrift”: helping farmers, business owners and individuals endure lean times by eking extra years and decades out of tools, equipment, automobiles, electronics and other possessions. More recently, it has been core to the growth of the high-tech industry in Silicon Valley, Route 128 and elsewhere: allowing engineers to tinker and experiment with both hardware and software to invent and realize new products and services.
As information (“cyber”) security professionals we recognize and appreciate this long history and stand united in affirming the following principles:
The right to repair is inseparable from the rights of ownership. This idea is well supported by the laws of the United States and by Common Law in both this country and England stretching back centuries. Patents and other contracts (e.g. EULAs) should not create an exception to this.* The right to repair is part and parcel of this right of ownership. As such, it should be beyond the ability of manufacturers, resellers or others to control or limit via patents or other means as they seek to extend control over the use or disposition of an object after it is sold.
End User License Agreements (“EULAs”) are commonly deployed to redefine the relationship between seller and buyer by inserting limitations on use that are not part of our traditional view of ownership.** Buyers often accept such agreements with a click, but without the option of negotiation. It is through EULAs that manufacturers and OEMs remove the legal right to repair, modify, re-use and independently service their property. The legal means to restore these rights to owners and their agents is through legislation, particularly statutes governing Unfair and Deceptive Trade Practices (UDAP) in state law. We recognize that right to repair laws seek such remedies and we support those efforts.
There is no security through obscurity. This is axiomatic and a core principle of modern information security, first articulated by the Dutch cryptographer Auguste Kerckhoffs, who stated that a “cryptosystem should be secure even if everything about the system, except the key, is public knowledge” (Kerckhoffs’s principle).
As information security professionals, we reject all arguments that proceed from the assumption that obscurity equates with, or enhances, security. Arguments that seek to conceal the workings of a product in the name of security so as to undermine the rights of owners or their agents to service, repair or modify their property are prima facie false and should be rejected as such. True, verifiable security is the product of secure design and thorough testing and improvement, not secrecy. Systems that rely on secrecy rather than provable security are destined to fail. As the Boston-born lock maker Alfred Charles Hobbs noted: “Rogues are very keen in their profession, and know already much more than we can teach them.”
Far from posing a risk to security, repair fosters security in our homes, communities, governments and businesses. By erecting barriers – whether monetary or logistical – to owners and their agents to repair or service their property, manufacturers create the conditions by which needed repairs or maintenance will be delayed or put off entirely. This, in turn, creates the environment in which malicious actors thrive.
We believe that physical or virtual products, including machinery, electronics and other hardware and software, that are amenable to repair will be longer lived and more secure throughout their life. By increasing the population of owners and independent agents who can replace failing parts, update buggy software or otherwise close openings likely to be exploited by bad actors, we reduce the likelihood of attacks and other adverse events. Further, products that facilitate repair, maintenance, reuse and modification by owners and their agents benefit from the “wisdom of crowds.” To paraphrase Linus’s Law (named for Linux creator Linus Torvalds): “with enough eyes and hands all bugs are shallow.”
Our world is changing rapidly. Objects that 30 years ago were mechanical or electromechanical are, today, digital and software-driven. More and more of the “things” in our homes, workplaces, communities and physical surroundings are connected to the Internet and to each other: from cameras to appliances to clothing and medical devices.
These changes promise huge gains in productivity, efficiency and convenience. They also pose risks to our privacy and, increasingly, our physical safety. Securing these software-driven and Internet-connected objects – the “Internet of Things” – is a monumental task that requires the joint efforts and cooperation of manufacturers, industries, owners, lawmakers and regulators and the information security community.
Insecure products don’t become more secure when neglected over time. Thousands, if not tens or hundreds of thousands of insecure products are entering the marketplace without any means to improve their security.***
As security professionals, we know that securing the Internet of Things is not a fundamentally different challenge from securing the Internet of computers.
We recognize the vast body of research and work that has identified proven methods for securing software and vast networks of connected devices. These methods include the use of rigorous secure design and development processes, the application of rigorous testing of devices prior to their release and the inclusion of features and systems for modifying and updating devices after they have been deployed (aka “patching”). They also involve the opening and maintenance of channels of communication by which individual owners and independent professionals can report security or reliability issues in software or hardware that require attention, lest they pose a risk to owners or the public.
In short: we believe that true security is by design. It is part and parcel of the process of envisioning, designing, manufacturing and maintaining a product. It is not “bolted on” at the last minute. It cannot be imposed on a product by fiat or conferred on a product after it is sold. Manufacturers that promise their customers security need to make the investment in security throughout the entire lifecycle of the product. We hold ourselves to high standards. We expect nothing less of them.
As technology evolves and reaches deeper into our lives and communities, new and vexing problems and dilemmas are unavoidable. These new and unimagined problems may challenge the assumptions and truths – about security, privacy, and the rights and responsibilities of individuals – that we hold dear.
As security professionals we recognize this inevitability. We also believe that the best way to navigate these as-yet unseen challenges is by proceeding from facts and not FUD (fear, uncertainty and doubt). Too often in our field, fear of the unknown drives conversation about how best to manage technological change. Too often, scaremongering and hypotheticals that serve narrow commercial or political interests are used to derail otherwise fruitful discussion and debate.
As information security professionals, we know that only by focusing on facts and not FUD will we arrive at responses and policies that balance change and innovation with security, privacy, safety and civil liberties. In our advocacy, we will adhere rigorously to the facts and call out fear, uncertainty and doubt whenever and wherever we hear it.
(*) As recently as 2017, the U.S. Supreme Court noted in its ruling in Lexmark vs. Impression Products that the doctrine of patent exhaustion imposes a limit on the patent holder’s right to exclude. Namely: “when a patentee sells an item, that product ‘is no longer within the limits of the [patent] monopoly’ and instead becomes the ‘private, individual property’ of the purchaser.”
(**) See The End of Ownership by Aaron Perzanowski.
(***) Bruce Schneier’s Click Here To Kill Everybody is a great reference on the risks of unpatched and unpatchable products.