COVID-19 laid bare the extent to which functioning, secure electronic devices are crucial to our lives. Legislation impacting those devices should therefore be examined with a critical eye, particularly when the effect is to create new safety and security vulnerabilities for New York residents.
The New York state legislature recently passed Senate Bill 4104, legislation that mandates electronics manufacturers treat repair shops without proper training or certification the same way as manufacturer’s authorized or affiliated repair networks. If Gov. Kathy Hochul signs this bill into law, manufacturers will be forced to supply unvetted, untrained repair shops with proprietary technical information about thousands of internet-connected devices like computers, tablets and smartphones. SB 4104 places consumers at a greater risk of safety and cybersecurity events, as it contains no protections, requirements, or restrictions on who could gain access to sensitive manufacturer or consumer information.
Because of the interconnectedness of our lives, most New Yorkers have smartphones containing their personal financial information, medical history, and pictures of their friends and family. In an era of unprecedented and sophisticated cyberattacks, the government should not make it easier for criminals whose real aim is the treasure trove of information contained in devices to get access to someone’s sensitive personal data.
Consumers, businesses of all sizes, schools, and hospitals need to know that the people who repair their products will do so safely, securely, and correctly. For years, manufacturers have invested in robust authorized and affiliated repair networks to provide assurance that technicians are properly trained, use genuine parts, and are accountable to customers’ needs. Authorized and affiliated repair networks ensure that technicians receive the appropriate training from manufacturers and third-party organizations. For example, CTIA, the trade association for the wireless industry, created its WISE certification program based on a set of industry-recognized standards which have been rapidly adopted, resulting in some 15,000 technicians and 2,300 locations.
SB 4104 will totally undercut those efforts without requiring any of the critical consumer protections afforded by authorized and affiliated repair networks. In particular, there are no requirements for training for repairers, which puts consumers at risk of receiving devices with compromised safety and security.
Once signed into law, for example, documentation to reset, open, and unlock security functions on electronic devices would have to be revealed to anyone who asks, including fly-by-night repair shops without any training, competency certification, or consumer data protection requirements. Without consideration of limiting access to certain parts, the risk of serious fraud such as serial number cloning could arise.
The safety risks are real. Most electronics are highly-integrated products, many of which use lithium-ion batteries. Enabling untrained and unauthorized third parties to open devices to replace lithium-ion batteries without adequate training may result in serious and avoidable injuries. In January 2021, the U.S. Consumer Product Safety Commission released a consumer safety warning that rechargeable lithium-ion battery cells, when they are “loose” and not installed in a device or part of an integral battery, are “potentially hazardous to consumers when handled, transported, stored, charged, or used to power devices” and “can overheat and experience thermal runway, igniting the cell’s internal materials and forcibly expelling burning contents, resulting in fires, explosions, serious injuries and even death.”
Security risks would also be amplified if Gov. Hochul signs SB 4104. Manufacturers work closely with their authorized and affiliated repair partners because it creates actionable accountability to protect consumers. If a consumer drops off their electronic device at a repair shop, they ought to be granted a reasonable level of security in the unfortunate circumstance that their data is compromised. But SB 4104 pushes in the opposite direction by requiring manufacturers to disclose sensitive diagnostic tools and proprietary software to unaffiliated, unvetted third parties.
Manufacturers make significant investments in the development of products and services, and the protection of intellectual property is a legitimate and important aspect of sustaining the health of all industries. The legislation puts manufacturer intellectual property at risk.
Repair mandate bills have been rejected by every other state legislature where they have been filed, as the market is already increasing consumers’ access for repair services, including expansion to include independent repairers and through self-repair. Policymakers should recognize that the change in law would eliminate safe, secure, and reliable repair options that their constituents rely upon.
New York residents deserve repair that is done right. We urge Gov. Hochul to veto SB 4104 and keep consumers safe and secure.
Dustin Brighton is the Director of the Repair Done Right Coalition.