FTC’s right-to-repair ruling is a small step for security researchers, giant leap for DIY hackers
When the Federal Trade Commission voted unanimously on July 21 to enforce rules against manufacturers who have made it difficult for consumers to fix their own devices, it marked a significant win for the “right-to-repair” movement that includes farmers, hackers and consumer advocates among its ranks.
The consumer watchdog agency’s decision to ramp up enforcement actions against illegal right-to-repair restrictions came after Americans, for years, had been limited by legal restrictions that prevented them from fixing technology they already purchased. For instance, manufacturers can withhold repair tools and implement software-based locks that prevent owners from making even simple updates unless they visit a repair shop authorized by the company. That has been the ongoing struggle for John Deere owners, some of whom resorted to hacking their tractors with Ukrainian software in order to fix them.
Companies like Apple, as well as industry groups, fought for years against state and federal legislation regarding the right to repair, arguing that opening up software and hardware to home and third-party fixes actually reduces security.
“This is a big win for the [do-it-yourself community], which is like the hacker ethos,” says Nathan Proctor, the director of consumer interest group U.S. Public Interest Research Group’s right-to-repair campaign.
“This was a huge challenge from just having in-house repairs by these companies to now they’re being forced to open up at least the hardware to access parts and service information,” he says. “I would think that should be seen as a win for that worldview.”
It’s a ruling that security researchers like Luta Security CEO Katie Moussouris also see as a “net good for security research and consumer choice.”
Some restriction practices flagged by the FTC for potential enforcement, such as the application of patent rights and end-user license agreements, have been deployed by companies to not only block repairs, but also security research. The overlap has sparked questions from hackers wondering: does the right to repair equal the right to hack?
“You shouldn’t be blocking me from not only fixing the hardware, but if I can find flaws in the software, or if the software has problems, I should be able to at least try to get that fixed,” says Jason Kent, hacker in residence at security firm Cequence. “And the way it is today is if you go to one of these organizations and say there’s a flaw in your API, they will say here is a letter from our lawyers saying shut up.”
The action by the FTC fits into a bigger push by the agency, now helmed by antitrust expert Lina Khan, to take on practices seen as anti-competitive. President Joe Biden, in a July executive order, also homed in on repair restrictions as inhibiting competition in the American economy and requested that the FTC rule on the matter.
The FTC’s July 21 ruling, however, does not explicitly weigh in on security research.
“I think that the protection for security researchers is there in the broad language,” Moussouris said. “But unless they’re specifically going to try and create a fix, or patch for whatever it is they find, I believe there’s still risk there.”
The agency declined to comment for this story.
“Allowing unauthorized third parties with access to sensitive diagnostic information, software, tools, and parts would jeopardize the safety and security of consumers’ computers, tablets, and other devices and put them at risk for fraud and data theft,” Carl Holshouser, senior vice president at trade group TechNet, wrote in a response to the FTC decision. Members of TechNet include Apple and General Motors.
That argument has not held up with the FTC.
“The record contains no empirical evidence to suggest that independent repair shops are more or less likely than authorized repair shops to compromise or misuse customer data,” the FTC wrote in a May report. “Furthermore, although access to certain embedded software could introduce new security risks, repair advocates note that they only seek diagnostics and firmware patches.”
The FTC has, in recent history, largely been an enforcement agency. Chairwoman Lina Khan has expressed a desire to change that by further utilizing rulemaking authorities to address issues such as data privacy.
For hackers to have true safe harbor, they’re going to need legislators to act on the laws companies employ to block security research, like the Digital Millennium Copyright Act (DMCA) and the Computer Fraud and Abuse Act (CFAA), says Moussouris.
“I don’t think it’s the FTC’s job to [protect security researchers],” said Moussouris. “I think that the DMCA needs a fundamental carve-out and reform. And that is the core that’s kind of the root cause of the bug in the system.”
Proctor also says there’s still legislative work to be done on the matter. Massachusetts, Rhode Island, California and Indiana all currently have right-to-repair laws. An additional 24 states have introduced right-to-repair legislation in the past year, demonstrating growing interest. Rep. Joseph Morelle (D-N.Y.) in June introduced federal legislation guaranteeing consumers the right to repair their own products.