Lobbyists for major tech firms like Cisco and IBM are trying to push through legislation in Colorado that would drastically roll back a groundbreaking right to repair law under the guise of protecting national security and data centers.
The legislation, which passed through a Colorado state senate committee on Thursday, would exempt hardware from the existing right to repair law if that hardware “is considered critical infrastructure.” One of the issues with this is that “critical infrastructure” is very broadly defined, and could include essentially anything. In practice, the law could essentially repeal huge parts of one of the most important right to repair laws in the United States.
“It relies on a broad, vague definition that allows the manufacturer themselves to self-designate whether their equipment is for critical infrastructure,” Louis Rossmann, a right to repair expert and popular YouTuber, testified at a hearing on the bill Thursday. “So if a laptop manufacturer knows the Pentagon buys their laptops, they can declare that line exempt. If a networking company sells a $20 switch to a federal building, they can claim that hardware is critical infrastructure. It’s a blank check for manufacturers to exempt themselves.”
Ever since consumer rights advocates began pushing for right to repair legislation roughly a decade ago, hardware manufacturers have been fear mongering to lawmakers by telling them that right to repair would introduce security threats by requiring them to reveal proprietary information about their products. In practice, the exact opposite has happened, because greater access to repair parts, tools, diagnostic software, and repair guides means that broken equipment that could potentially be more vulnerable to hacking attempts can be fixed more quickly.
“When we talk about critical infrastructure and fixing things, we often do not have time to wait for an official fix from a company that may not be motivated to fix things,” Andrew Brandt, a security researcher and cofounder of the nonprofit Elect More Hackers, testified Thursday. “What ends up happening is that with smaller companies, where they may have spent most of their budget buying some firewall or router that they can no longer afford, they end up in a situation where they’re just going to keep running that device in an unsafe state and leave themselves vulnerable to cyber attack.”
The groups pushing for this legislative rollback appear to be legacy enterprise hardware manufacturers, who highlighted during the hearing the fact that their technology is increasingly being used in data centers, which seem to be one of the only things the current American economy seems capable of building. Lobbyists for the Consumer Technology Association, which represents many large manufacturers, testified in support of the bill, as did Joseph Lee, who works for Cisco.
“While Cisco appreciates the arguments offered in favor of right to repair devices, not all digital technology devices are equal. A router used in a home is fundamentally different from the infrastructure equipment used to manage a power grid or secure confidential state agency data,” Lee said.
Chris Bresee, a lobbyist with the National Electrical Manufacturers Association, also highlighted the fact that, broadly, there is IT equipment that will need repairs at data centers.
“A growing number of products in data centers with connection to our electric grid as well. It is of the utmost importance to safeguard these critical systems,” he said. “This is not an argument against repair or against consumers rights, it is a recognition that fixing a smartphone is not the same as modifying systems that keep the lights on for our country.”
The argument being made by these lobbyists and major tech companies is that only the manufacturers or their authorized representatives should be allowed to fix these types of electronics. But, again, the definition of “critical infrastructure” is so broad that it can be applied to almost any type of electronic, and there is nothing fundamentally different between a router used at a data center and a router used in a school, business, or home.
“You look at who is backing this bill, it is large firms like Cisco and IBM. They sell information technology equipment to tens of thousands of Colorado businesses, and they are looking to create a de facto monopoly on that service, which exists in the states that have denied this business to business right to repair,” Paul Roberts, a cybersecurity expert and founder of SecuRepairs testified. “The big tech companies backing the bill are using a very real concern about cybersecurity and resilience of US critical infrastructure to pad their bottom line, locking in a monopoly on service and repair. Cyber attacks on US critical infrastructure are rampant and have nothing to do with information covered by Colorado’s right to repair law.”
