software – Techdirt

from the fix-your-own-shit dept

While U.S. consumer protection is generally an historic hot mess right now, the “right to repair” movement — making it easier and cheaper to repair the things you own — continues to make steady inroads thanks to widespread, bipartisan annoyance at giant companies trying to monopolize repair in creative and obnoxious ways.

Washington State just became the eighth state to pass a new law theoretically making it easier and cheaper to repair the technology you own. Now, barring a veto from Governor Abbott, Texas is poised to be the ninth state to do so after the state’s new right to repair law (HB2963) passed a vote in the Texas state Senate last week 31-0. That comes after the House passed the legislation 126-0.

Again, this movement continues to make inroads because anti-consumer repair monopolies annoy everybody. Unlike many consumer reform efforts, companies haven’t had much success (yet) scaring the public away from “right to repair” reforms, despite a lot of scary (and false) claims about how such laws pose a risk to consumer security and privacy or aid sexual predators.

Texas’s new law requires manufacturers to make spare parts, manuals and repair tools available to consumers and independent shops. Consumer groups and “right to repair” advocates are unsurprisingly excited:

“When you can’t fix something, you either have to buy a new one or do without. It drives up waste and costs. People are tired of throwing away things they prefer to fix, and clearly this is a message that has gotten through to lawmakers,” said Nathan Proctor, PIRG’s Senior Right to Repair Campaign Director. “Congratulations to Rep. Capriglione for his excellent work standing up for the rights of product owners, and the small repair shops all across Texas. This is a Texas-sized win.”

This is definite progress, and I hate to be a buzzkill, but it’s worth reiterating that of the 8 states that have passed right to repair reforms so far, not a single one has actually enforced them in any meaningful way. This despite no shortage of bad corporate actors working overtime to kill independent repair shops, make manuals and parts hard to find, use obnoxious DRM, or claim that repairing your own stuff violates warranty.

Many states are facing unprecedented legal and financial challenges thanks to new Trump-triggered legal fights across everything from environmental law to healthcare. As a result most states aren’t going to be keen to launch costly new legal battles against deep-pocketed corporations.

Republican states like Texas, in particular, aren’t likely to, say, start picking meaningful new fights with Apple or Sony. That runs in pretty stark contrast to the central Republican mission to effectively demolish whatever’s left of regulatory independence, consumer protection, and corporate oversight. They like to pick fights with “big tech,” but only in a bid to bully them into doing nothing about racist propaganda.

At some point at least a portion of the activism calories spent passing these right to repair laws needs to be redirected to yelling at states to actually enforce them, if the overall movement itself is to have any actual meaning and the laws are seen as anything more than populist set dressing.

Filed Under: antitrust, consumers, hardware, monopoly, right to repair, software, texas, tinker

Washington The Eighth State To Pass ‘Right To Repair’ Law

from the fix-your-own-shit dept

Mon, May 5th 2025 05:25am - Karl Bode

Washington will soon become the eighth state in the country to pass Right to Repair legislation. While U.S. consumer protection is generally an historic hot mess right now, the “right to repair” movement — making it easier and cheaper to repair the things you own — continues to make steady inroads thanks to widespread, bipartisan annoyance at giant companies trying to monopolize repair.

Technically Washington state is poised to pass two new right to repair bills.

HB 1483, which covers consumer electronics and appliances, was passed by a strong bipartisan vote of 48-1 on April 10, following a similar near-unanimous vote through the House on March 4. HB 1483 helps expand access to manufacturers’ spare parts, physical and software tools, and diagnostic and schematic information needed to make repairs on personal electronics and home appliances.

The Right to Repair bill for wheelchairs and mobility devices (SB 5680) also passed both chambers with unanimous votes. Getting both bills passed required a lot of hard work from activists across consumer rights, disability, and environmental sectors:

“I spent seven months in a wheelchair that would turn itself off without warning and refuse to start for varying periods of time. I found out after the chair was scrapped that it should have been an easy fix,” said Marsha Cutting, a member of the Governor’s Committee on Disability Issues and Employment. “This bill would have allowed me to fix my wheelchair instead of having to wait for several months. I’m grateful for the years of work on Right to Repair done by Rep. Mia Gregerson, and I hope that our community will continue to work together to make life better for people with disabilities.”

Ohio could potentially be the ninth state to pass such a law, again showcasing how the issue has broad, bipartisan support, thanks in part to the monopolistic behavior of agricultural giants like John Deere.

One problem, as noted recently, is that none of the states that have passed such laws have bothered to enforce them. Companies in most states haven’t really been asked to do anything different. In some states, like New York, the bills were watered down after passage to be far less useful.

That’s going to need to change for the reform movement to have real-world impact; but with states facing unprecedented legal threats across the board during Trump 2.0, it’s not hard to think that meaningful consumer protection — and picking bold new fights with corporate giants — will be among the first things on the cutting room floor for cash-strapped states.

Filed Under: consumers, hardware, HB 1483, ohio, reform, right to repair, software, washington

Google Kills Software Support For Many Nest Users, Eroding Trust In The Brand

from the I-am-altering-the-deal,-pray-I-don't-alter-it-further dept

Wed, Apr 30th 2025 05:37am - Karl Bode

Google is developing a tried and true reputation for buying products people like, making them worse, then pulling the rug out from under users’ feet. That’s been a particular problem with Google’s purchase of FitBit, which has generally resulted in less useful hardware, more paywalls, more annoying nickel-and-diming efforts, and just a more miserable user experience overall.

It’s also been a pain in the ass for folks who bought into the Nest smart-home ecosystem. Google has consistently pared back on features and restricted openness for the platform, ensuring Nest doesn’t play as well with other systems. Now Google says it’s pulling software support for the first two generations of Nest thermostats (which made the brand popular in the first place), restricting a bunch of functionality:

“We made the difficult decision that starting October 25, 2025, Nest Learning Thermostat (1st gen, 2011), Nest Learning Thermostat (2nd gen, 2012), and Nest Learning Thermostat (2nd gen, Europe version, 2014) will no longer receive software updates. You will no longer be able to control them remotely from your phone or with Google Assistant, but can still adjust the temperature and modify schedules directly on the thermostat.”

Google is also stating that it has no plans to release additional Nest thermostats in Europe because it found adapting to European build requirements too much of a hassle. Google also just announced it was discontinuing the Nest Protect smoke and carbon monoxide alarm and Nest x Yale Lock.

You can argue that a decade is a reasonable expected lifespan for a product to have its support phased out, but many thermostats are historically used for decades. And Google is making absolutely no effort to open source the hardware to allow owners to explore extending the lifespan. Ultimately it’s both environmentally harmful and injures consumer relationships built over decades across brands.

Nest users in the Ars Technica and Verge forums are understandably annoyed:

“NEST is intentionally crippling a product that works well. How can I trust that they won’t do it again with other of their products?”

There’s no short term money in quality control and protecting your brand and existing relationships with consumers. So Google, chasing the impossible allure of unstoppable quarterly growth and the AI hype cycle, has routinely been cutting corners on product quality and longevity — increasingly notable in everything from its lagging interest in its own smart home line to sagging Google Search quality.

In the earlier aughts, Google was an interesting, innovative, and occasionally even ethical company. The fall off has been anything but subtle.

Filed Under: customers, enshittification, hardware, heating, nest, smart home, software
Companies: google

Whoops: White House Microsoft Cybersecurity Partnership Gave Company An Illegal De Facto Monopoly On Government Services

from the do-not-pass-go,-do-not-collect-$200 dept

Mon, Nov 25th 2024 05:35am - Karl Bode

Look: I think it was nice for a change that the Biden administration at least paid some passing but inconsistent lip service to antitrust reform. It was a lovely change of pace from decades of feckless careerists who pay empty lip service to market innovation while rubber stamping mindless consolidation at every turn. And a lot of the work, like advocating for right to repair reform, made a difference.

But, and this will probably all seem quaint in context of the mindlessly pro-consolidation corporate coddling coming under Trump 2.0, there were still ample instances where the Biden White House was caught talking out of both sides of their mouth when it comes to monopoly power.

Like the Biden FCC, for example, which repeatedly pushed decorative policies tackling the symptoms of telecom monopoly power, but had a bizarre aversion to even acknowledging the threat or harm of monopoly power and muted competition in public-facing statements.

Or this new report from ProPublica, for example, that found that a major 2021 partnership between the Biden White House and Microsoft, which involved Microsoft pledging $150 million in technical services to help the U.S. government upgrade its digital security, wound up giving the company a de facto illegal monopoly over government security services.

The original pledge, made by CEO Satya Nadella, was supposed to prop up an Executive Order that modernized the federal government’s cybersecurity defenses. It involved Microsoft seeding its consultants across the federal government to install the company’s cybersecurity products free of charge for a limited time.

It helped repair Microsoft’s image after some of its own security lapses caused several high profile security scandals. It gave the White House a lot of breezy press about how it was taking cybersecurity seriously.

But as ProPublica notes, once the free period expired, the government was locked into using Microsoft’s products (and inevitably soaring subscription fees) for the foreseeable future. It also found itself paying more and more money for Microsoft cloud services to prop up the now locked-in use of those services. The whole thing, ProPublica notes, actively courted monopoly and was arguably illegal:

“But while Microsoft’s gambit paid off handsomely for the company, legal experts told ProPublica the White House Offer deals never should have come to pass, as they sidestep or even possibly violate federal laws that regulate government procurement. Such laws generally bar gifts from contractors and require open competition for federal business.

Accepting free product upgrades and consulting services collectively worth hundreds of millions of dollars is “not like a free sample at Costco, where I can take a sample, say, ‘Thanks for the snack,’ and go on my merry way,” said Eve Lyon, an attorney who worked for four decades as a procurement specialist in the federal government. “Here, you have changed the IT culture, and it would cost a lot of money to go to another system.”

If you have a moment, please read the whole thing. And note that the FTC is purportedly preparing to launch an investigation into Microsoft’s anticompetitive behavior as it pertains to cloud computing and Azure (though I suspect it won’t survive Trumpism, unless Trump needs leverage to bully Microsoft into coddling white supremacists or something).

Senator Ron Wyden warned about some of this. For all of the Biden government’s talk about monopoly power, government still has been broadly conditioned over decades to look the other way when it comes to monopoly harms to competition. That kind of rot takes far more than a few strategically chosen high profile antitrust lawsuits to address, it takes widespread, dedicated reform and an entirely new way of thinking.

The Biden administration at least tried, on occasion, to take aim at monopoly power. Though again it tended to focus on some high profile cases that it still managed to miss the mark on. There’s no limit of highly consolidated industries dominated by politically potent monopoly power the government routinely and comically turns a blind eye to (oh hi there telecom industry, didn’t see you standing there).

Now again, this is all going to seem downright adorable in the context of the unbridled corruption, monopoly coddling, mindless deregulation and rubber stamping of terrible mergers that’s coming under a second Trump term. But it still demonstrates that monopoly busting and antitrust reform, should this country ever choose to actually embrace it, needs to be consistent and more than decorative.

Filed Under: antitrust reform, cloud, cybersecurity, executive order, monopoly, privacy, security, software
Companies: microsoft

Will The ‘Right To Repair’ Movement Survive Trumpism 2.0?

from the convenient-lip-service dept

Thu, Nov 21st 2024 01:19pm - Karl Bode

U.S. consumer protection has been beaten to a pulp over the last few decades. Consumer protection regulators are routinely on the ropes, left understaffed, underfunded, and boxed in by an increasingly corrupt and radical 5th Circuit and Supreme Courts stocked with Trump sycophants.

One bright spot, however, has been the “right to repair” movement, or efforts to ensure that it’s easier and cheaper for consumers to repair their own technology, without being boxed in or overbilled by corporations (across numerous industries) looking to monopolize repair.

Last March Oregon became the seventh state to pass “right to repair” legislation. The bill’s passage came on the heels of legislation passed in Massachusetts (in 2012 and 2020), Colorado (in 2022 and 2023), New York (2023), Minnesota, Maine and California. All told, 30 states contemplated such bills in 2024.

While it seems extremely unlikely that any federal right to repair legislation takes root during a second Trump administration, right to repair advocates are trying to keep the faith. In part because right to repair reform historically has broad, bipartisan support:

“Right to repair has been firmly bipartisan from the beginning,” says Kyle Wiens, the CEO of iFixit and an occasional contributor to WIRED who has testified before the House Committee on the Judiciary about repairability policy. “I’m really not ‘doom and gloom’ on any of this. We feel very strong going into this. We have a really great working relationship with a lot of conservatives on the Hill, and we’re looking forward to continuing that.”

Of course Trumpism (read: authoritarianism) doesn’t really hew to traditional understandings of partisanship. The ideology professes to be populist, but broadly supports hugely unpopular policies across the spectrum — most notably the coming disintegration of consumer protection and public safety standards, environmental reform, female bodily autonomy, and labor rights.

Similarly, just because something has bipartisan appeal doesn’t mean it has a chance in hell of surviving Trumpism (see: net neutrality). Trumpism is populist when it’s convenient. In reality, it’s a highly performative ideology that coddles corporate power at every conceivable opportunity (see: the appointment of telecom industry coddling Brendan Carr to the FCC).

Trumpism’s primary belief, buried under all the racism, sexism, and populist bullshit, is utterly unchecked wealth accumulation free of government oversight regardless of broader public or market harm. That doesn’t gel particularly well with cracking down on corporate power’s efforts to monopolize repair.

So while I greatly admire Wiens and his work, I’m not sure the optimism he expresses in Wired is particularly realistic:

“Even if the FTC takes a hard swing to the right, I don’t think that impacts right to repair too much,” Wiens says. The position is just popular and gaining steam, he says, and he anticipates a wave of repair friendly-policies will come to red states soon. “I think it’s critical mass. I think the time has come. People see the economic benefits for their community.”

I mean yes, right to repair will remain hugely popular, because consumers across partisan ideologies don’t like being bullied by big corporations. But the idea that a Republican Congress or FTC will take this issue seriously strikes me as wish-casting.

The hope is a little brighter on the state level, where state laws continue to be passed. The problem is I’ve yet to see states actually enforce any of them, and most corporations are simply ignoring the laws without penalty. With state and legal resources about to be strained to an historic limit by a flood of battles across everything from immigration to environmental law, right to repair could easily get lost in the mix.

That’s not to say the right to repair movement won’t continue to gain traction and popularity, that advocates should abandon any hope, or that this groundswell of public support can’t be leveraged into expanded real-world change on the state or local level. But I do think keeping fascism from destroying democracy and the rule of law will overshadow more than a few reform efforts for the foreseeable future.

Filed Under: donald trump, drm, hardware, parts pairing, right to repair, software, software locks, state laws

Good News: Canada Passes Major New ‘Right To Repair’ Reforms

from the fix-your-own-shit dept

Thu, Nov 14th 2024 03:27pm - Karl Bode

The world might be going to hell, but at least activists’ efforts to protect consumers’ rights to affordable and easy tech repair continue to gain steam.

Most recently in Canada, where the country’s Copyright Act was amended by two different bills allowing the circumvention of technological protection measures (TPMs) if done for the purposes of “maintaining or repairing a product, including any related diagnosing,” and “to make the program or a device in which it is embedded interoperable with any other computer program, device or component.”

These TPMs take on a variety of shapes, whether it’s just password protected access to administrative functions, or the need for a USB dongle to unlock access to copyrighted parts of software. Initially implemented to “fight piracy,” such restrictions were quickly expanded and leveraged to help companies monopolize repair. Like U.S. law, Canadian copyright law generally bars circumventing such locks; the new amendments carve out exceptions for repair and interoperability.

Overall, Canada’s legal updates should be a great boon to independent repair shops looking to provide affordable repair options to Canadian consumers, and to tinkerers wanting to repair devices and hardware they own. iFixit calls the amendments a “huge step forward” for right to repair:

“These bills are a huge step forward for the right to repair, giving Canadians more freedom to repair their own devices without breaking the law. They make Canada the first country to tackle copyright law’s digital locks at a federal level in favor of repair access.”

iFixit notes there’s still work left to be done, given that Canada’s latest legal updates do nothing to help improve access to the needed repair tools:

“While Canadians can now legally bypass TPMs to fix their own devices, they can’t legally sell or share tools designed for that purpose. This means Canadian consumers and repair pros still face technical and legal hurdles to access the necessary repair tools, much like in the US.”

Here in the States, any hopes for a federal right to repair law have been crushed by Trump’s electoral win. Activists have, however, had considerable luck passing numerous state right to repair laws.

Last March Oregon became the seventh state to pass “right to repair” legislation making it easier, cheaper, and more convenient to repair technology you own. The bill’s passage came on the heels of legislation passed in Massachusetts (in 2012 and 2020), Colorado (in 2022 and 2023), New York (2023), Minnesota, Maine and California. All told, 30 states contemplated such bills in 2024.

The problem: I’ve yet to see any examples of these laws actually being enforced. And with Trumpism ushering in a whole bunch of new life and death legal struggles hinging at the state level (immigration, the dismantling of all federal consumer protection), I strongly suspect going toe to toe with major companies over right to repair won’t be a priority for state officials with limited resources.

Filed Under: canada, copyright, drm, hardware, locks, right to repair, software, tpms

John Deere Once Again Under Fire For Efforts To Monopolize Repair

from the do-not-pass-go,-do-not-collect-$200 dept

Fri, Oct 11th 2024 01:52pm - Karl Bode

A few years ago agricultural equipment giant John Deere found itself on the receiving end of an antitrust lawsuit for its efforts to monopolize tractor repair. The lawsuits noted that the company consistently purchased competing repair centers in order to consolidate the sector and force customers into using the company’s own repair facilities, driving up costs and logistical hurdles dramatically for farmers.

The lawsuits also noted how the company routinely makes repair difficult and costly through software locks, obnoxious DRM, and “parts pairing” — which involves only allowing the installation of company-certified replacement parts — or mandatory collections of company-blessed components.

Last week John Deere found itself under fire once again, this time by Senator Elizabeth Warren, who sent a letter to the company noting that it continues to fail to inform customers in manuals that they don’t have to use expensive John Deere dealership repair options. According to Warren, this could be violating The Clean Air Act:

“This exclusion of language informing customers of their rights not only undercuts farmers’ ability to repair their equipment, but may also be illegal. The Clean Air Act, which governs emissions from all mobile sources of air pollution, including tractors and other farm equipment, directs the Environmental Protection Agency to require manufacturers to provide “any and all information needed to make use of the emission control diagnostics system . . . and such other information including instructions for making emission related diagnosis and repairs.” The law specifies that “no such information may be withheld . . . by the manufacturer to franchised dealers or other persons engaged in the repair, diagnosing, or servicing of motor vehicles or motor vehicle engines.”

This is, of course, probably the least of John Deere’s sins. The company constantly exploits its carefully cultivated repair monopoly to jack up costs for parts and repairs for its captive customer base. As a result there’s no shortage of stories about John Deere tractor owners being forced to haul their tractors thousands of miles — or pay thousands of additional dollars — just to keep them functioning.

The problem is that the company has repeatedly promised to do better, then turned right around and continued engaging in anticompetitive and anti-consumer behavior.

Last year, Deere struck a “memorandum of understanding” with the American Farm Bureau Federation promising that the company will make sure farmers have the right to repair their own farm equipment or go to an independent technician. But the promise wound up being largely performative, and primarily aimed at stopping the group from supporting state or federal right to repair laws.

Last March Oregon became the seventh state to pass “right to repair” legislation making it easier, cheaper, and more convenient to repair technology you own. The bill’s passage came on the heels of legislation passed in Massachusetts (in 2012 and 2020), Colorado (in 2022 and 2023), New York (2023), Minnesota, Maine and California. All told, 30 states are considering such bills in 2024.

While the new laws are promising for right to repair activism, in most instances companies in those states are just ignoring the laws with no repercussions so far.

Filed Under: drm, elizabeth warren, hardware, john deere tractors, parts, parts pairing, reform, right to repair, software
Companies: john deere

Kaspersky Leaves U.S., Deletes Itself, Swaps Everybody’s Antivirus For Software Nobody Asked For

from the didn't-ask-for-this dept

Wed, Sep 25th 2024 05:26am - Karl Bode

Back in 2017, the Trump administration signed new rules banning Russian-based Kaspersky software on all government computers. Last June, the Biden administration took things further and banned distribution and sale of the software, stating that the company’s ties to the Russian government made its intimacy with U.S. consumer devices and data a national security threat.

While there are justifiable security concerns here, much like the ban of TikTok, the decision wasn’t free of lobbying influence from domestic companies looking to dismantle a competitor. It’s relatively easy to get Congress heated up about national security concerns, because it tends to mask anti-competitive lobbying in a way you can brush aside, non-transparently, for the greater good of the world [echoes].

Nor is a ban entirely consistent with broader U.S. policy, since U.S. government corruption prevents it from passing a meaningful privacy law, or regulating dodgy international data brokers that traffic in no limit of sensitive U.S. location and behavior data.

China and Russia don’t really need TikTok or AV software, they can simply buy access to your daily movement and browsing data from data brokers. Or, thanks to our lack of privacy laws or real accountability for lazy and bad actors, they can hack into any number of dodgy apps, software, or hardware with substandard security.

Regardless, this week Kaspersky Labs effectively left the U.S., but not before engaging in a practice that doesn’t exactly scream “high security standards.” The company deleted its products from U.S. user computers without anybody’s consent, then replaced them with UltraAV’s antivirus solution — also without informing users.

Many users understandably saw this nonconsensual transaction take place and assumed they’d been hacked or infected with a virus:

“I woke up and saw this new antivirus system on my desktop and I tried opening kaspersky but it was gone. So I had to look up what happened because I was literally having a mini heart attack that my desktop somehow had a virus which uninstalled kaspersky somehow,” one user said.

One problem is that Kaspersky had emailed customers just a few weeks ago, assuring them they would continue receiving “reliable cybersecurity protection.” They didn’t make any mention of the fact that this would involve deleting software and making installation choices consumers hadn’t approved of, suggesting that their exit from the security software industry won’t be all that big of a loss.

That said, it would be nice if U.S. consternation about consumer privacy were somewhat more… consistent.

The U.S. isn’t actually serious about U.S. consumer privacy because we make too much money off of the reckless collection and sale of said data to even pass baseline privacy laws. And the U.S. government has grown too comfortable being able to buy consumer data instead of getting a warrant. But we do like to put on a show that protecting consumer data is a top priority all the same.

Filed Under: antivirus, ban, consumers, national security, privacy, security, software
Companies: kaspersky

FTC Pushed To Crack Down On Companies That Ruin Hardware Via Software Updates Or Annoying Paywalls

from the you-don't-own-what-you-buy dept

Mon, Sep 9th 2024 05:30am - Karl Bode

We’ve noted for years how you no longer really own the things you buy. Whether it’s smart home hardware that becomes useless paperweights when the manufacturer implodes, or post-purchase firmware updates that actively make your device less useful, you simply never know if the product you bought yesterday will be the same product tomorrow.

Now a coalition of consumer groups, activists, and lawmakers is pushing the FTC to crack down on “smart” device manufacturers that suddenly pull support for products or make them less useful — either by simply removing features or hiding them behind annoying new subscription paywalls.

In a letter sent last week to key FTC officials, a coalition of seventeen different groups (including Consumer Reports, iFixit, and US PIRG) requested that the agency take aim at several commonplace anti-consumer practices, including “software tethering” (making hardware useless or less useful later via firmware update), or the act of suddenly locking key functionality behind subscriptions:

Both practices are examples of how companies are using software tethers in their devices to infringe on a consumer’s right to own the products they buy. While the FTC has taken some limited actions with regard to this issue, a lack of clarity and enforcement has led to an ecosystem where consumers cannot reliably count on the connected products they buy to last.

The letter cites numerous instances of consumer harms Techdirt has covered at length, ranging from Peloton’s recent decision to charge used bike owners a $95 fee for no coherent reason, to the “smart” baby bassinet maker that recently decided to paywall most of the device’s most popular features.

The letter correctly points out that this environment, where consumers are constantly shelling out significant money for devices that can be killed or rendered less useful (often without clear communications to end users), is resulting in a “death by a thousand cuts” for consumer rights. And, the groups note, it’s likely to only get worse without clear guidance and enforcement by the FTC.

The FTC has occasionally made inquiries in this space, but often only superficially. For example the FTC launched an investigation into Google’s decision to turn Revolv smart home hardware into useless crap but then took no substantive action and implemented no meaningful consumer reforms.

But the (intentionally) underfunded, understaffed, and endlessly embattled agency only has so many resources, and struggles to tackle even far more pressing issues like widespread monopolization or privacy violations. Still, some federal guidance and a few warnings would probably go a long way in a “smart” hardware sector that’s become a hot mess in the cloud computing age.

Filed Under: bricked, consumers, ftc, hardware, ownership, smart home, software, subscriptions

Move Over, Software Developers – In The Name Of Cybersecurity, The Government Wants To Drive

from the unconstitutional-camel-noses dept

Earlier this year the White House put out a document articulating a National Cybersecurity Strategy. It articulates five “pillars,” or high-level focus areas where the government should concentrate its efforts to strengthen the nation’s resilience and defense against cyberattacks: (1) Defend Critical Infrastructure, (2) Disrupt and Dismantle Threat Actors, (3) Shape Market Forces to Drive Security and Resilience, (4) Invest in a Resilient Future, and (5) Forge International Partnerships to Pursue Shared Goals. Each pillar also includes several sub-priorities and objectives.

It is a seminal document, and one that has and will continue to spawn much discussion. For the most part what it calls for is too high level to be particularly controversial. It may even be too high level to be all that useful, although there can be value in distilling any sort of policy priorities into words. After all, even if what the government calls for may seem obvious (like “defending critical infrastructure,” which of course we’d all expect it to do), going to the trouble to actually articulate it as a policy priority provides a roadmap for more constructive efforts to follow and may also help to marshal resources, plus it can help ensure that any more tangible policy efforts the government is inclined to directly engage in are not at cross-purposes with what the government wants to accomplish overall.

Which is important because what the rest of this post discusses is how the strategy document itself reveals that there may already be some incoherence among the government’s policy priorities. In particular, it lists as one of the sub-priorities an objective with troubling implications: imposing liability on software developers. This priority is described in a few paragraphs in the section entitled, “Strategic Objective 3.3: Shift Liability for Insecure Software Products and Services,” but the essence is mostly captured in this one:

The Administration will work with Congress and the private sector to develop legislation establishing liability for software products and services. Any such legislation should prevent manufacturers and software publishers with market power from fully disclaiming liability by contract, and establish higher standards of care for software in specific high-risk scenarios. To begin to shape standards of care for secure software development, the Administration will drive the development of an adaptable safe harbor framework to shield from liability companies that securely develop and maintain their software products and services. This safe harbor will draw from current best practices for secure software development, such as the NIST Secure Software Development Framework. It also must evolve over time, incorporating new tools for secure software development, software transparency, and vulnerability discovery.

Despite some equivocating language, at its essence it is no small thing that the White House proposes: legislation instructing people on how to code their software and requiring adherence to those instructions. Such a proposal raises a number of concerns, both about the method the government would use to prescribe how software is coded and about the dubious constitutionality of its being able to make such demands at all. While with this strategy document itself the government is not yet prescribing a specific way to code software, it contemplates that the government someday could. And it does so apparently without recognizing how significant a shift it is for the government to have the ability to make such demands – and not necessarily a shift for the better.

In terms of method, while the government isn’t necessarily suggesting that a regulator enforce requirements for software code, what it does propose is far from a light touch: enforcement of coding requirements via liability – or, in other words, the ability of people to sue if software turns out to be vulnerable. But regulation via liability is still profoundly heavy-handed, perhaps even more so than regulatory oversight would be. For instance, instead of a single regulator working from discrete criteria, there will be myriad plaintiffs and courts interpreting the language however they understand it. Furthermore, litigation is notoriously expensive, even for a single case, let alone for potentially all those same myriad plaintiffs. We have seen all too many innovative companies obliterated by litigation, and seen how the mere threat of litigation can chill the investment needed to bring new good ideas into reality. This proposal seems to reflect a naïve expectation that litigation will only follow where truly deserved, but we know from history that such restraint is rarely the rule.

True, the government does contemplate there being some tuning to dull the edge of the regulatory knife, particularly through the use of safe harbors, such that there are defenses that could protect software developers from being drained dry by unmeritorious litigation threats. But while the concept of a safe harbor may be a nice idea, safe harbors are hardly a panacea, because we’ve also seen that if you have to litigate whether a safe harbor applies, then there is little point to it even when it does. In addition, even if it were possible to craft an adequately durable safe harbor, given the current appetite among policymakers to tear down the immunities and safe harbors we currently have, like Section 230 or the already porous DMCA, the assumption that policymakers will actually produce a sustainable liability regime with sufficiently strong defenses and not be prone to innovation-killing abuse is yet another unfortunately naïve expectation.

The way liability would attach under this proposal is also a big deal: through the creation of a duty of care for the software developer. (The cited paragraph refers to it as “standards of care,” but that phrasing implies a duty to adhere to them, and liability for when those standards are deviated from.) But concocting such a duty is problematic both practically and constitutionally, because at its core, what the government is threatening here is alarming: mandating how software is written. Not suggesting how software should ideally be written, nor enabling, encouraging, nor facilitating it to be written well, but instead using the force of law to demand how software be written.

It is so alarming because software is written, and it raises a significant First Amendment problem for the government to dictate how anything should be expressed, regardless of how correct or well-intentioned the government may be. Like a book or newspaper, software is something that is expressed through language and expressive choices; there is not just one correct way to write a program that does something, but rather an infinite number of big and little structural and language decisions made along the way. But this proposal basically ignores the creative aspect of software development (indeed, software is even treated as eligible for copyright protection as an original work of authorship). Instead it treats software more like a defectively-made toaster than a book or newspaper, replacing the independent expressive judgment of the software developer with the government’s. Courts have also recognized the expressive quality of software, so it would be quite a sea change if the Constitution somehow did not apply to this particular form of expression. And such a change would have huge implications, because cybersecurity is not the only reason that the government keeps proposing to regulate software design. The White House proposal would seem to bless all these attempts, no matter how ill-advised or facially censorial, by not even contemplating the constitutional hurdles any legal regime to regulate software design would need to hurdle.

It would still need to hurdle them even if the government truly knew best, which is a big if, even here, and not just because the government may lack adequate or current expertise. The proposal does contemplate a multi-stakeholder process to develop best practices, and there is nothing wrong in general with the government taking on some sort of facilitating role to help illuminate what these practices are and to make sure software developers are aware of them – it may even be a good idea. The issue is not that there may be no such thing as best practices for software development – obviously there are. But they are not necessarily one-size-fits-all or static; a best practice may depend on context, and must constantly evolve to address new vectors of attack. A distant regulator, and one inherently in a reactive posture, may not understand the particular needs of a particular software program’s userbase, nor the evolving challenges facing the developer. Which is a big reason why requiring adherence to any particular practice through the force of law is problematic: it can effectively require software developers to write their code the government’s way rather than in what is ultimately the best way for them and their users. Or at least it puts them in the position of having to defend their choices, which up until now the Constitution had let them make freely. That would amount to a huge, unprecedented burden that threatens to chill software development altogether.

Such chilling is not an outcome the government should want to invite, and indeed, according to the strategy document itself, does not want. The irony with the software liability proposal is that it is inherently out-of-step with the overall thrust of the rest of the document, and even with the third pillar in which it appears, which proposes to foster better cybersecurity through the operation of more efficient markets. But imposing design liability would have the exact opposite effect on those markets. Even if well-resourced private entities (e.g., large companies) might be able to find a way to persevere and navigate the regulatory requirements, small ones (including those potentially excluded from the stakeholder process establishing the requirements) may not be able to meet them, and individual people coding software are even less likely to. The strategy document refers to liability only on developers with market power, but every software developer has market power, including those individuals who voluntarily contribute to open source software projects, which provide software users with more choices. But those continued contributions will be deterred if those who make them can be liable for them. Ultimately software liability will result in fewer people writing code and consequently less software for the public to use. So far from making the software market work more efficiently through competitive pressure, imposing liability for software development will only remove options for consumers, and with them the competitive pressure the White House acknowledges is needed to prompt those who still produce software to do better. Meanwhile, those developers who remain will still be inhibited from innovating if that innovation can potentially put them out of compliance with whatever the law has so far managed to imagine.

Which raises another concern with the software liability proposal and how it undermines the rest of the otherwise reasonable strategy document. The fifth pillar the White House proposes is to “Forge International Partnerships to Pursue Shared Goals”:

The United States seeks a world where responsible state behavior in cyberspace is expected and rewarded and where irresponsible behavior is isolating and costly. To achieve this goal, we will continue to engage with countries working in opposition to our larger agenda on common problems while we build a broad coalition of nations working to maintain an open, free, global, interoperable, reliable, and secure Internet.

On its face, there is nothing wrong with this goal either, and it, too, may be a necessary one to effectively deal with what are generally global cybersecurity threats. But the EU is already moving ahead to empower bureaucratic agencies to decide how software should be written, yet without a First Amendment or equivalent understanding of the expressive interests such regulation might impact. Nor does there seem to be any meaningful understanding of how any such regulation will affect the entire software ecosystem, including open source, where authorship emerges from a community rather than from a private entity theoretically capable of accountability and compliance.

In fact, while the United States hasn’t yet actually specified requirements for design practices a software developer must comply with, the EU is already barreling down the path of prescriptive regulation over software, proposing a law that would task an agency to dictate what criteria software must comply with. (See this post by Bert Hubert for a helpful summary of its draft terms.) Like the White House, the EU confuses its stated goal of helping the software market work more efficiently with an attempt to control what can be in the market. For all the reasons that an attempt by the US stands to be counterproductive, so would EU efforts be, especially if born from a jurisdiction lacking a First Amendment or equivalent understanding of the expressive interests such regulation would impact. Thus it may turn out to be European bureaucrats that attempt to dictate the rules of the road for how software can be coded, but that means that it will be America’s job to try to prevent that damage, not double-down on it.

It is of course true that not everything software developers currently do is a good idea or even defensible. Some practices are dreadful and damaging. It isn’t wrong to be concerned about the collateral effects of ill-considered or sloppy coding practices, or for the government to want to do something about them. But how regulators respond to these poor practices is just as important as, if not more important than, the fact that they respond, if they are going to make our digital environment better and more secure rather than worse and less secure. There are a lot of good ideas in the strategy document for how to achieve this end, but imposing software design liability is not one of them.

Filed Under: 1st amendment, chilling effects, coding, computer security, cybersecurity, duty of care, innovation, liability, national cybersecurity strategy, software, standards of care, white house