hacking and the downloading of malware.”[1] CompTIA stated that for connected devices, the harms resulting from insecure repairs can injure third parties. They noted that “[w]ith more than 20 billion connected products by 2020, including appliances, thermostats, fire alarms, automobiles, etc.,” the insecure repair of a device can place numerous other connected devices and the data they hold at risk because “[w]ith access to technical information, criminals could more easily circumvent security protections, harming not only the product owner but also everyone who shares their network.”[2]
Authorized repair professionals, according to the manufacturers, conduct repairs without compromising the privacy of device users or introducing security risks. AHAM explained that certified service technicians train to understand appliances’ functionality, perform repairs that do not introduce vulnerabilities, and are contractually accountable for their work.[3] The Consumer Technology Association (“CTA”) posited that prohibiting individuals and independent repair shops from fixing products is in keeping with the FTC’s guidance regarding manufacturers’ responsibility for product security over its lifetime, because the FTC’s 2015 Internet of Things staff report and its Start with Security guidance recommend that companies retain service providers that are capable of maintaining reasonable security, engage in reasonable oversight of these service providers, and monitor products throughout their life cycle.[4] As CTA’s Walter Alcorn put it, “if manufacturers are required to provide all the software and the ability to repair, to change products, well, that pretty much goes out the window.”[5] Security consultant Earl Crane similarly remarked at the Workshop that “mandating design decisions runs in direct contradiction of policies that focus on manufacturer accountability.”[6]
The record contains no empirical evidence to suggest that independent repair shops are more or less likely than authorized repair shops to compromise or misuse customer data. Furthermore, although access to certain embedded software could introduce new security risks, repair advocates note that they only seek diagnostics and firmware patches.[7] Furthermore, according to Gay Gordon-Byrne, replacing a part on a device with an identical OEM part or functionally equivalent aftermarket part is unlikely to create a cybersecurity risk.[8]
Providing individuals and independent repair shops with the diagnostic software to fix devices and with firmware patches is fully consistent with Commission staff’s 2015 Internet of Things report and its subsequent Start with Security guidance. Manufacturers can provide others with access to the same parts and tools that they provide to their authorized service providers. And, by providing such access to individuals and independent repair shops, manufacturers would have greater confidence in the repair activities that occur outside of their authorized networks. As noted above in connection with safety concerns, with appropriate parts and repair
- ↑ AHAM comment, at 13.
- ↑ CompTIA comment, at 6.
- ↑ AHAM comment, at 13.
- ↑ Consumer Technology Association comment (“CTA comment”), at 3–4.
- ↑ Transcript, at 44.
- ↑ Id. at 91.
- ↑ Id. at 66.
- ↑ See, e.g., Transcript at 118 (swapping out a memory card that is the same brand as the original memory card does not create a cybersecurity risk).
31
