Massachusetts has long been a leader in the Right to Repair movement, thanks to a combination of principled lawmakers and a motivated citizenry that refuses to back down when well-heeled lobbyists subvert the legislative process.

In 2012, Massachusetts became the first US state to enact Right to Repair legislation, with an automotive law that protected the right of drivers to get their cars repaired by independent mechanics if they preferred them to the manufacturers' service depots. Though wildly popular, it took the threat of a ballot initiative to get the legislature to act, an initiative that ultimately garnered 86% of the vote. The initiative led to strong protections for independent repair in Massachusetts and set the stage for a compromise agreement leading to better access to repair information for most of the country.

Now Bay Staters are back in the legislature: in the years since the original automotive Right to Repair law was enacted, manufacturers have redesigned their products in ways that exploit loopholes in the 2012 law, effectively shutting out independent repair.

House Bill 4122 closes the loopholes in the 2012 law, and in-state advocates are gathering signatures for another ballot initiative should lobbyists defeat the bill in the legislature.

EFF was pleased to submit comments to the Massachusetts Legislature's Joint Committee on Consumer Protection and Professional Licensure for a hearing on January 13 in support of HB4122.

In those comments, sent to each member of the Committee, EFF Special Consultant Cory Doctorow wrote:

Auto manufacturers have argued that independent service endangers drivers' cybersecurity. In reality, the opposite is true: security is weakened by secrecy and strengthened by independent testing and scrutiny. It is an iron law of information security that "there is no security in obscurity"—that is, security cannot depend on keeping defects a secret in the hopes that "bad guys" won't discover and exploit those defects. And since anyone can design a security system that they themselves can't imagine any way of breaking, allowing manufacturers to shroud their security measures in secrecy doesn't mean that their cars can't be hacked—in fact, history has shown that vehicle computers depending on secrecy for security are, in fact, frequently vulnerable to hacking.

In 2018 and 2019, cities, hospitals, and other large institutions had their informatics systems seized by petty criminals using off-the-shelf ransomware that had combined with a defect in Windows that the NSA had discovered and kept secret—until an NSA leaker released it to the world. As these cities discovered, the NSA's decision to keep these defects secret did not put them out of reach of bad guys—it just meant that institutional Microsoft customers were put at grave risk, and that Microsoft itself did not know about the devastating bugs in its own products and so could not fix them.

Information security is absolutely reliant upon independent security researchers probing systems and disclosing what they discover. Allowing car manufacturers to monopolize service—and thus scrutiny—over their products ensures that the defects in these fast-moving, heavy machines will primarily become generally known after they are exploited to the potentially lethal detriment of drivers and the pedestrians around them.

The manufacturers' desire to monopolize bad news about design defects in their own products is especially dire because it rides on the tails of a strategy of monopolizing service and parts for those products. The uncompetitive, concentrated automotive sector has already brought itself to the brink of ruin—averted only by the infusion of $80.7B in tax-funded bailouts. More than a decade later, it remains in dire need of competitive discipline, as is evidenced by a commercial strategy dominated by reducing public choice, surveilling their own customers and selling their data, and extracting monopoly rents from luckless drivers who are locked into their proprietary ecosystems.