The Damage of Right to Repair

Across the country, states are considering versions of legislation broadly referred to as “right to repair.” Proponents tell, at best, half a story, demanding that consumers have the right to repair electronic devices, cars, and other products with a software component. Yet, they already have such a “right.” Proponents object to having be certified by the manufacturer, objecting to equipment manufacturers not disclosing their intellectual property and providing consumers with an expected experience with their devices.

Today, when electronic products break, consumers have the ability to repair the product. Every strip or indoor mall today seems to have a smartphone screen repair shop or kiosk. Innovators provide ways for devices to be fixed in ways that do not compromise consumer security.

Those who support right to repair policies argue consumers should have the ability to direct maintenance and repairs of their electronic devices, whether or not consumers actually “own” devices or the licensed software. In Florida and South Carolina legislation would include agricultural machinery, in Texas they want access to “critical medical equipment stuff—like anesthesia machines and even ventilators.” On the other hand, free market and limited government supporters generally oppose government mandates dictating innovators’ behavior.

Right to repair policies are government mandates on innovators. They force innovators to hand over, “free of charge,” various categories of information to third-party repair shops. This includes diagnostics and repair information, diagnostic software, service passwords, firmware updates, and “related documentation.” Such information was not acquired for free by the inventor or creator. In fact, that sort of information is of major value, having required a struggle to be gained and is often the greatest challenge to creating a truly marketable device or service. Right to repair policies strip this value from the owners and give it away to those who have not spent the time, resources, or energy to create electronic devices.

Right to repair policies also force innovators to “make available for purchase” service parts including firmware updates, and would utilize a compulsory license for software involved. A compulsory license is a fancy term for government forcing someone to give away their property so that others can copy the information and sell it as their own.

This is not some minor access or request either. According to advocates of right to repair, innovators must provide to third-parties free of charge information relating to “embedded software.” Embedded software as they define it is “programmable instructions provided… with the digital electronic product for the purpose of product operation, including… ‘basic internal operating system,’ ‘internal operating system,’ machine code,’ ‘assembly code,’ ‘root code,’ and ‘microcode.’”

Also dramatic, firmware and software are conflated. Firmware, a software-like component, tells a device, or a part of a device, how specifically to operate. Firmware is often different from operating systems and is often highly customized. By requiring innovators to provide third-parties, free of charge, copies of operating systems and machine code, among other requirements, the policies require innovators to grant third-parties compulsory software licenses. The government would forcibly divest companies of significant value.

Not only is firmware not the software, but firmware and the hardware are nearly impossible to separate. The firmware may be simple or it may be complex. Graphics cards, tablets, routers, car computer parts all have firmware. Putting it all together, a device acts as a unit not as sperate parts easily defined in legislation much less without an intricate understanding of how the technology “stack” interrelates.

But maybe worse, handing such granular information to third parties is exceedingly dangerous for consumers.

Innovators often build security practices, such as encryption algorithms, into operating systems. Requiring them to hand the information over to third parties could result in drastically weakened, if not the elimination, of these security practices. Today as criminals and even national actors infiltrate our technology to take advantage of U.S. citizens such protection could hardly be more valuable. Policy makers supporting such a move would be directly responsible for exposing their citizens to known harm.

Such a move could actually expose not just a couple people but in fact while swaths of consumers. If bad actors, perhaps again sponsored by a foreign nation state, masquerade as independent repair shops, they could obtain the machine code from these companies, analyze it, and create backdoors or additional vulnerabilities they could exploit to capture consumers’ personal information. As frightening personally and more damaging to national security, those foreign actors could remotely surveil large numbers of Americans.

Also a broad problem, consumers could be left without the sorts of updates and security fixes completely taken for granted today. Innovators update firmware in a number of different ways. The updates can be wireless or through a hardwired connection. The updates can be scheduled or as needed. The updates can impact the hardware’s performance or its security. Each innovator may push updates at different times, in different ways, for different purposes.

Market thinking policy makers would certainly balk at approving a law that required apartment building owners to allow tenants to engage their own repair people to reconfigure the walls of “their” apartment, requiring the building owners to provide privileged business information along the way. While it may sound nice to provide consumers the “right” to repair a product, the question is at what price? Consumer security? Property rights? At the price of mandating that innovators to act in a certain way, and at prices decided by the government and courts?