How much of a security risk does right to repair really pose?
While there are some grounds for the concerns being raised by big manufacturers, a more democratised approach to extending the life of devices is the way forward.
‘Right to repair’ legislation proposed by both the EU and the US government is yet another shot across the bows of big tech firms. The reforms would force device manufacturers to build their products in a way that allows consumers to fix and replace parts themselves, while also requiring companies to make spare parts more readily available.
A number of large vendors have unsurprisingly come out against these proposals, citing device security concerns as one of the major risks. But are these issues real, or is this just big tech trying to retain its current control over the lifecycles of its products?
The concerns raised – that independent repair could affect the security and safety of devices – are understandable. Manufacturers argue that spare parts and third-party vendors may not live up to their own security standards, for example. Others claim that sharing information will violate their intellectual property.
While there is merit to these arguments, they are outweighed by the potential positive impact of the reforms.
The growing pressure on manufacturers to allow consumers to repair their own devices is, in general, a good idea. The UK government – which introduced ‘right to repair’ legislation in July – believes that such regulations will extend the lifespan of products by up to 10 years.
Having the right to repair will also reduce carbon emissions from electrical waste and help alleviate the frustration of having to throw a product away because a small part is broken – replacing an entire device seems unnecessary when, say, just the battery needs changing. It will also likely lead to the emergence of a ‘right to assembly’ sub-industry of vendors, offering cheap parts that are compatible with the world’s most popular devices.
End-user license agreements can easily be updated to support the right to repair, but the security considerations for some components – particularly where there is a dependency on encryption – may need to be rethought. This could lead to some fringe positives, with consumers remaining loyal to their preferred ‘app ecosystem’ having been able to maintain a device longer. Ultimately though, as we have seen in the past, there is nothing to stop any vendor releasing updates that make legacy hardware incompatible with new software.
That said, there has been a healthy after-market in white goods and consumer electronics for some time.
A report by the US Federal Trade Commission notes that “at present, the assertion of IP rights does not appear to be a significant impediment to independent repair”. It goes on to say that patents could potentially impact competitive markets for repair parts if there are valid and enforced patents protecting them, with only two respondents noting that manufacturers’ assertion of patent rights “impedes independent repair”.
Such a statement seems clear – just look at retail platforms AliExpress or Banggood and you’ll see a whole host of spare parts available for phones, tablets and everything else.
Security concerns can also be managed. The likelihood is that this will lead to the aforementioned ‘right to assembly’ sub-sector, which could see specific parts – such as those containing security modules – only being made available directly from the original vendor.
It will be vital for this new ecosystem to be properly managed and regulated to ensure security standards are upheld, with a certification system being a viable option.
While the big firms have some right to flag security concerns, embracing this more democratised device market is the way forward. It needs to be carefully managed, and have a robust security infrastructure in place, but extending the life of devices can only be a good thing.
Andy Barratt is UK managing director of cyber-security consultancy Coalfire.