Sunday, 30 June 2019

Debunking Microsoft's anti-Right-to-Repair FUD

Microsoft is no stranger to the use of "Fear, Uncertainty and Doubt" in the pursuit of monopolistic goals; the company perfected the tactic in the early 1990s as a way of scaring enterprise customers away from GNU/Linux; today, the company shows off its mastery of FUD in its filings to the Federal Trade Commission condemning proposals for Right-to-Repair rules.

In its comments, Microsoft argues that allowing third-party repairs of Microsoft products could compromise its DRM systems, including dual-purpose security systems like the "Trusted Platform Module" (TPM) that are used to lock out rival operating systems as well as malicious actors.

Luckily, we have Securepairs, a coalition of security experts devoted to debunking claims from repair monopolists who claim that opening repair markets will pose a security threat.

Microsoft submitted its comments ahead of the FTC's "Nixing the Fix" workshop on Right to Repair, arguing that "If the TPM or other hardware or software protections were compromised by a malicious or unqualified repair vendor, those security protections would be rendered ineffective and consumers’ data and control of the device would be at risk. Moreover, a security breach of one device can potentially compromise the security of a platform or other devices connected to the network."

As Securepairs writes in rebuttal, this is undeniably true, as are the following: "If you invite someone into your home to repair your dishwasher they could, instead, pilfer your jewelry and credit cards," and "If you hire a managed service provider to do your network security they could, instead, compromise your network and steal your intellectual property."

That is: "In other words: the provisioning of repair or any other commercial service – requires trust between the customer and the service provider. There is, actually, no way to get around this, though you can use contracts to make your expectations clear and impose penalties for bad behavior. You can also use insurance to hedge your risk. Welcome to capitalism."

From the standpoint of a right to repair advocate, I actually think Microsoft’s argument about needing to preserve the integrity of its devices is mostly beside the point. There’s plenty of hand waving and portentous talk there to scare FTC folks, which is probably what they intended. Substantively, though, their arguments don’t really undermine the core argument being made by right to repair advocates.

In short: if Microsoft wants to make devices that nobody can service and repair without breaking their security model, they’re entitled to do that. They can make Surface Pros so hardened and tamper proof that merely opening them will destroy them.

What they can’t do is make devices that are repairable, and then lock out everyone but their own service technicians. In short: if it’s safe and possible for a Microsoft authorized technician to service a Surface Pro, then it is safe and possible for an owner of the device to do so, or an independent repair technician. Full stop.

In other words, Microsoft can’t have its repair cake and eat it too: it can’t argue that it designs hardware to be long-lived and repairable, then arbitrarily constrain the rights and ability of its own customers to service their own property, using security and safety as their argument.

Conversely, it can’t argue in good faith that its devices are just too sophisticated, tamper proof and secure for owners to service, but then make tools, diagnostic codes and schematics available to their authorized techs to service them.

Microsoft tells FTC Repair poses a Cyber Risk. It doesn’t. [Securepairs]

(via /.)