Tuesday, two Massachusetts lawmakers introduced two bills to the state Home And Senate which, if passed, would create a state law requiring companies to notify their customers when service on their connected products ends. This is an effort to reduce cybersecurity risks and also strengthen consumer protection. By knowing future support, consumers can purchase a device with confidence knowing how long they can expect it to operate reliably and when to plan for its eventual obsolescence.
The proposed bills, collectively named An Act Relating to Consumer Connected Devices, were introduced by Massachusetts State Senator William Brownsberger and State Representative David Rogers in their respective chambers.
“Our daily lives are now closely intertwined with smart devices,” Rogers says in an emailed statement to WIRED. “Once a company decides it will no longer provide software updates for these devices, they become time bombs that hackers can exploit. We need to ensure consumers have the tools they need to understand their devices, and the risks, before purchasing them.”
State Senator Brownsberger’s office acknowledged our request for comment, but has not yet responded.
The invoices arrive almost a year later joint report by advocacy groups Consumer Reports, US PIRG and the nonprofit Secure Resilient Future Foundation who encouraged lawmakers to support a policy that would notify customers when their connected products were going to stop working. This includes a wide range of smart home devices, such as Wi-Fi routers, security cameras, connected thermostats and smart lights. Although it is a state bill for now, its supporters hope it will inspire more laws of this type in the near future.
“Almost everyone has a story about a device they love that suddenly stopped working like they thought it would or just died,” says Stacey Higginbotham, policy researcher at Consumer Reports. “Your product is now connected to a manufacturer through this software link that dictates its performance.”
The Massachusetts laws, if ultimately passed, would require manufacturers to clearly disclose on product packaging and online how long they will provide software and security updates for a device. Manufacturers should also notify their customers when their device is nearing the end of its lifespan and inform them of features that will be lost and potential security vulnerabilities that could arise when regular support ends. Once a device no longer receives regular updates, it is more vulnerable to cyberattacks and becomes a vector for malware.
“This is a problem that is becoming more and more pronounced as the Internet of Things ages,” says Paul Roberts, president of the SRFF and a Massachusetts resident who has worked with lawmakers. “It’s inevitable. We can’t leave them connected and unpatched.”
Wi-Fi has been commonplace in homes and offices for more than two decades, which means there’s a rapidly growing population of older devices still connected to the Internet that likely haven’t received security updates in years. These zombie gadgets – routers, sensors, connected devices, home security cameras – have become vulnerable to attacks from their unsuspecting owners.
“We’re trying to reduce the attack surface,” says Higginbotham. “We can’t prevent it, but we want to make consumers aware that they might be harboring something. Basically, they have an open door that can no longer be locked.”
The bills’ focus on cybersecurity also has the benefit of attracting the attention of people who might worry about this sort of thing, like U.S. lawmakers.
“I hope that legislators can pretty easily understand this and understand the problem here,” Roberts says. “And support the solution.”
These bills sit alongside similar laws intended to give people more control over the products they buy. An example is the Reparation Act in the House of Representatives is a bill that would require automakers to share data and information about their vehicles with owners and repair shops. In New York, the Connected Consumer Products End-of-Life Disclosure Act was introduced by New York State Senator Patricia Fahy and is currently in committee. None of them are guaranteed to succeed.
Like these other bills, the Massachusetts bill is several hearings, language changes, and votes away from being signed into law. But the goal is to continue passing laws at the state and federal level until something is applied more broadly and affects products in more than just one state.
“This is clearly an area where we need safeguards and guidelines for device manufacturers and for consumers to protect them and maintain their privacy,” Roberts says. “We cannot allow companies to privatize their profits and socialize their risks. »
