Naked Security Naked Security

“Right to repair” gets a boost from new DMCA software rules

It just got easier for owners of a wide range of home devices to hack and repair their software.

The Library of Congress and Copyright Office just made it easier for US owners of a wide range of home devices to hack and repair their software without fear of being prosecuted under the Digital Millennium Copyright Act (DMCA).
Exemptions to the DMCA are considered every three years to allow for adjustments where a convincing case can be made.
From 28 October, the organisation has decided that the list of exemptions should now include smartphones, tablets, motor vehicles, and a wide range of home appliances such as smart TVs and voice-controlled speakers. Specifically:

The Acting Register recommended a new exemption allowing for the circumvention of TPMs [technological protection measures] restricting access to firmware that controls smartphones and home appliances and home systems for the purposes of diagnosis, maintenance, or repair.

The expansion has attracted attention on the back of the growing ‘right to repair’ movement that contends that repairing and lawfully unlocking many of today’s consumer devices involves meddling with their software.
However, TPMs such as Digital Rights Management (DRM) can make that a tricky undertaking for anyone trying to stay on the right side of the law.
Exacerbating this is the growing complexity of products that embed proprietary software that can malfunction or limit the use of a device in ways the authorities are having to spend more time thinking through.

Any catches?

Unfortunately, just because it’s now legal to delve into the software innards of a product, doesn’t mean that this becomes easier in the real world.
Parts can be hard to find, repair manuals deliberately kept secret, or consumers end up being pushed to expensive repair monopolies.
A recently cited example of this is the “kill switch” Apple is accused of having placed in 2018 MacBook Pro computers which stops them from being repaired by anyone other than Apple-Authorised Service Providers (AASPs).
The reports have not been confirmed but, if true, would mean that anyone manually repairing one of the computers themselves would be at risk of bricking it. On the face of it, this approach flies in the face of the revisions.
Interestingly, the Acting Register can also reduce rights as well as add them, which is why it will be a relief that the ability of security researchers to poke around in software looking for holes has been renewed for another three years. Better still:

The Acting Register found that good-faith security research involving devices beyond those covered by the current exemption is likely to be a fair use.

Right-to-repair advocates will nevertheless be heartened that the power of tech companies to impose DRM on everything they sell to keep users out is now being balanced by a clear and expanding set of rights.
In a perfect world, the right to repair might morph into an enthusiasm for repair, for example patching older hardware that vendors have given up on – as they often do.
With sustainability and repairability criteria the next frontier after energy labelling in places such as the EU, clever manufacturers might do better to embrace the right to repair as a benefit rather than a threat.