Last month, the US Federal Trade Commission (FTC) voted unanimously to enforce laws regarding consumers’ “Right to Repair” their electronic and automotive devices. The vote was seen as a validation of consumer rights and a rare bipartisan rebuke to manufacturers who have restricted repairs. An Executive Order from President Biden further advanced this right. These moves will make it harder for manufacturers to void warranties, restrict repair options or require consumers to return products only to them for costly repairs.
This is all great, but does it go far enough? The “Right to Repair” policy applies to hardware. For instance, you should now be allowed to replace your smart phone screen by yourself. But, what about the data on your phone? Should that be included in “Right to Repair” as well? According to Jason Kent, Hacker In Residence at Cequence Security, the answer is an emphatic “yes.”
“The data handling capabilities of your phone are a product feature that you should be able to modify under right to repair,” Kent explained. “We don’t think of the issue that way, because repair is usually seen as a mechanical issue, but we should broaden the definition of repair to include data.”
“Right to repair creates an environment where I am allowed to fix things and not be penalized.” – Jason Kent, Hacker In Residence at Cequence Security
In particular, Kent thinks consumers should have the right to repair a device’s data transmission settings and API interactions. “Your phone is constantly sending your information out to entities that you probably don’t know about,” Kent added. Telemetry data, location data, personal contacts and more are routinely transmitted by devices to third parties. The data may flow to the manufacturer, or it could go to totally unknown businesses.
The repair does not have to be done by the owner, either. For Kent, the concept of “fixing” an API and the data the device owner exchanges needs to be functionality they can request to be fixed. He said, “Right to repair creates an environment where I am allowed to fix things and not be penalized. If I fix a cell in a Tesla battery the monitoring system knows and disables supercharging. If I roll my own OS on a new Samsung Phone, they disable the camera. These examples go against right to repair. If I disable location or photos in a messaging app, it shouldn’t disable the app entirely. I should be allowed to repair the overstep there.”
The recent scandal surrounding a Catholic priest whose publicly available phone data revealed that he had patronized gay establishments offers a good example of the potential for device data abuse. Consumers should have the right to fix their device’s API settings and restrict outbound data flow. According to Kent, “Manufacturers should not be able to hide behind IP protection as an excuse to limit this kind of user repair.”
The difficulty, however, is that the average consumer, or even a highly knowledgeable gadget repair person, probably doesn’t know how to repair a device’s data sharing settings. Specialized software tooling will probably be required. API monitoring solutions can help, but these are not geared to consumer usage at this point. This could change, though, if enough people want to fix how their phones handle their data.