Repairing consumer privacy in a digital world

Recently introduced legislation in the California Assembly (AB 2110), would require manufacturers to provide independent repair shops with the same parts, tools, software, and other information that they provide to their authorized repair shops for the repair of Internet-connected electronics – from smart phones to home appliances to toys to fire alarms.

The idea is to create more repair options for consumers. One effect of the legislation, however, is that it would provide anyone with full access to the security and privacy features of these products, both physical components and software/firmware.

We as consumers should expect companies to invest properly in the design and execution of products and devices that protect our data privacy and security.

Unfortunately, AB 2110 follows in the footsteps of repair bills that have been introduced in 17 other states by some well-intentioned state legislators across the nation who have taken their eye off the ball and forgotten to prioritize digital privacy and security.

Twenty-five years ago, scammers and criminals needed to gain physical access to consumers’ wallets to steal their social security card or their ATM card to pilfer their bank accounts. Those times are long gone in today’s Internet-enabled world as private information and financial assets can be stolen from thousands of miles away with nary a fingerprint.

As we enter an age where society will be powered by trillions of Internet-connected devices in all aspects of our work, travel and personal lives and across all sectors of our economy from farming to power generation to industrial manufacturing, we need to redouble our efforts to advance data privacy and security. And we as consumers should expect companies to invest properly in the design and execution of products and devices that protect our data privacy and security.

Proponents of AB 2110 argue that prying open contractual relationships between device manufacturers and authorized repair shops to allow other, non-affiliated parties to fix broken products will help consumers.  The unfortunate reality is it will have the opposite effect. Enactment of the legislation will harm consumer privacy, data security, and safety.

Consumers want and deserve to have their personal data protected. Their personal data is the key to unlocking the rest of their lives, including information related to their finances, health, business matters, families, and other sensitive information. This raises the stakes for all companies and imposes responsibilities on them to protect their customers’ data.

Today, the onus is and should be on the manufacturer to design and build secure devices.

As a former privacy advocate for the American Civil Liberties Union, protecting consumer privacy has been a foundational tenet of my career and I have pressured companies to be held to a high standard of security and privacy protection. I want to see legislators and companies redouble their efforts for consumer data privacy and security, not have companies’ be forced to make it easier for identity thieves.

While requiring original equipment manufacturers (OEMs) to share their proprietary software, highly complex supply chains for parts, and other information might expand opportunities for some independent technicians to repair broken or misfiring computer devices, that limited potential benefit would be overwhelmed by the substantial dangers posed to consumers from this misguided effort.

The proposal is really a government mandate that forces companies to share how to unlock digital products. It is akin to government prohibiting you from locking the doors and windows of your home. That’s an invitation for the robbers to come in and take what they like.

The legislation does not include any consumer protection provisions, training, or other requirements for independent repairers. Without intensive, mandatory training and other requirements to protect consumers, as manufacturers and their authorized repair networks provide, consumers and network operators cannot have any confidence that repairs will not introduce new privacy or security vulnerabilities that would endanger consumers’ privacy or even allow devices to be taken over remotely.

Today, the onus is and should be on the manufacturer to design and build secure devices. But if bills such as AB 2110 pass, there will be far less control over the private data on Internet-connected products.  And breaches caused by manipulation at the individual product level will have repercussions across vast networks of thousands or millions of products.

Even the small, hard won improvements in digital security achieved over the last decade might be lost with the passage of this act and that is a risk we simply cannot take.
—
Ed’s Note: Tim Sparapani is the founder and principal of SPQR Strategies and a privacy adviser for the Security Innovation Center. He is the former vice president of policy, law and government affairs for the Application Developers Alliance and was the first director of public policy at Facebook.