Right to Repair Policies are Government Mandates and will Jeopardize Consumer Privacy

Whether consumers should have the right to repair electronic devices, cars, and other products with a software component is a tough debate. On the one hand, those who support right to repair policies argue consumers should have the ability to direct maintenance and repairs of their electronic devices, whether or not consumers “own” devices or license software. On the other hand, free market and limited government supporters should oppose any form of government mandate dictating innovators’ behavior.

As currently drafted, right to repair policies,* or fair repair policies, are government mandates on innovators. They force innovators to hand over, “free of charge,” various categories of information to third-party repair shops. This includes diagnostics and repair information, diagnostic software, service passwords, firmware updates, and “related documentation.” Right to repair policies also force innovators to “make available for purchase” service parts including firmware updates, and would utilize a compulsory license for software involved. The legislation proposed in a handful of states would allow those governments, through the courts, to judge what prices innovators should charge for those products.

The arguments grow more complex when studying various definitions. According to advocates of right to repair, innovators must provide to third-parties free of charge information relating to “embedded software.” The policies define “embedded software” as “programmable instructions provided… with the digital electronic product for the purpose of product operation, including… ‘basic internal operating system,’ ‘internal operating system,’ machine code,’ ‘assembly code,’ ‘root code,’ and ‘microcode.’”

Definitions such as those including operating systems within the term “embedded software” conflate, when added with other definitions, firmware and software. In the technology industry, firmware is often different from operating systems. By requiring innovators to provide third-parties, free of charge, copies of operating systems and machine code, among other requirements, the policies require innovators to grant third-parties compulsory software licenses.

Handing such granular information to third parties is exceedingly dangerous for consumers. Innovators often build security practices, such as encryption algorithms, into operating systems. Requiring them to hand the information over to third parties could result in a watering-down, if not elimination, of these security practices. Further, if bad actors masquerade as independent repair shops, they could obtain the machine code from these companies, analyze it, and create backdoors or additional vulnerabilities they could exploit to capture consumers’ personal information.

Even if fair repair policies applied only to firmware, such policies would represent both a government mandate upon innovators and open the door to significant security risks. The policies also seem to lack an understanding as to how electronic devices today rely on highly customized firmware.

Firmware and hardware are nearly impossible to separate. The hardware in most devices has a software-like component called firmware. Firmware tells a device, or a part of a device, how specifically to operate. The firmware may be simple or it may be complex. Graphics cards, tablets, routers, car computer parts all have firmware.

Innovators update firmware in a number of different ways. The updates can be wireless or through a hardwired connection. The updates can be scheduled or as needed. The updates can impact the hardware’s performance or its security. Each innovator may push updates at different times, in different ways, for different purposes.

When electronic products break, consumers have the ability to repair the product. Every mall today seems to have a smartphone screen repair shop or kiosk. Innovators provide ways for devices to be fixed in ways that do not compromise consumer security.

Industry and innovation solve problems far better than government. While it may sound nice to provide consumers the “right” to repair a product, the question is at what price? At the price of consumer security? At the price of compelling innovators to act in a certain way, and at prices decided by the government and courts?

* The Communications and Technology Task Force considered right to repair policies in December 2013. After discussing these policies, the Task Force took no action on them.