Commentary: New York got it wrong on cybersecurity and the right to repair

Disabling software locks that prevent repair has no bearing on the cybersecurity of covered devices. The Digital Fair Repair Act should have reflected that.

When Gov. Kathy Hochul signed a drastically amended version of the Digital Fair Repair Act into law on the evening of December 28, she handed right-to-repair advocates both a victory and a defeat. 

It was a victory because the Digital Fair Repair Act is the first law in the nation to enshrine the right of consumers to have access to the information and parts needed to repair their electronics. 

It was a defeat because of a host of last-minute amendments, at Hochul’s request, that weakened the law. Among those: the removal of a requirement that manufacturers provide device owners and independent repair providers with “documentation, tools, and parts" needed to access and reset digital locks that impede the diagnosis, maintenance or repair of covered electronic devices.

As they have done on the road to burying more than 100 proposed pieces of repair legislation in 40 states since 2014, anti-repair groups argued – without evidence – that such information, if made available to owners and independent repair providers, would lead to cyberattacks and the theft of consumer data. 

Had the governor and her staff had no other information to guide them in making their decision, we might forgive them for erring on the side of caution. But the governor and her staff knew that the manufacturers’ arguments were bogus. I should know: My group told them. 

I am the founder of SecuRepairs, an organization of more than 300 IT and cybersecurity professionals who support the right to repair. In written communications and in a face-to-face briefing with the governor’s staff in October, SecuRepairs informed the governor’s staff that the proposed language preventing the disabling of software locks that prevent repair would have no bearing on the cybersecurity of covered devices. Instead, it masked efforts by manufacturers to put themselves in the position of deciding who can and cannot service and repair their products. 

As passed by the Legislature in June, the Digital Fair Repair Act asked manufacturers that already provide security codes and passwords to their authorized repair providers to also provide them at a reasonable price to the owners of covered devices and to independent repair providers. In opposing such requirements, manufacturers leaned on the idea that manufacturer-authorized repair is more reliable and secure than independent repairs, or repairs carried out by device owners. But the FTC noted in its 2021 “Nixing the Fix” report to Congress that there is no empirical data that supports those claims. Asked explicitly to present such evidence to the FTC, anti-repair groups were unable to. 

In our communications, SecuRepairs informed the governor’s staff that the root cause of cyberattacks on connected devices isn’t unrestricted access to repair tools and information, but a culture of lax security among smart-device makers. This is well documented in cybersecurity circles. A recent study of the security of IoT devices by Phosphorus Labs, for example, found that 68 percent of devices studied contained high-risk or critical software vulnerabilities. 

Properly implemented, right-to-repair laws actually promote device security rather than undermine it. That’s because maintaining deployed devices after manufacturers have walked away from the table (or gone out of business) is critical to maintaining a healthy “Internet of Things” ecosystem. Right-to-repair laws create the conditions under which such an aftermarket repair ecosystem can flourish. 

Alas, New York’s Digital Fair Repair Act, as amended by Gov. Hochul, falls short of the mark. It will now fall to other states to pick up where New York left off – passing their own versions of the Digital Fair Repair Act that close the loopholes created by Hochul’s amendments, including the amendment barring access to security codes. As we have since 2018, SecuRepairs will be there in the hearing rooms and on the Zoom calls to help educate lawmakers about cyber risk and repair. We hope, this time, they listen. 

Paul F. Roberts of Belmont, Mass., is the founder of SecuRepairs, a coalition of IT and cybersecurity professionals who advocate for consumers' right to repair.