Lawmakers Push to Make Companies Tell Customers When Their Products Are Going to Die
On Tuesday, two Massachusetts lawmakers have introduced two bills in the state House and Senate that, if passed, would establish a state law requiring companies to tell customers when service for their connected products will end. It is an effort designed to reduce cybersecurity risks and improve consumer protection. With information about future support, consumers can confidently buy a device knowing how long they can expect it to function reliably, and when they will plan for it to finally end.
Pieces of the proposed legislation, collectively titled An Act Relative to Consumer Connected Devices, were introduced by Massachusetts state senator William Brownsberger and state representative David Rogers in their chambers.
“Our daily lives are intertwined with smart devices,” Rogers said in a statement emailed to WIRED. “Once a company decides that it will no longer provide software updates for those devices, it becomes a ticking time bomb for hackers to exploit. We must ensure that consumers are given the tools to understand their devices and the risks, before they buy them.”
State Sen. Brownsberger’s office received a request for comment but has not yet responded.
The bills come nearly a year after a joint report by advocacy groups Consumer Reports, US PIRG, and the nonprofit Secure Resilient Future Foundation urged lawmakers to support a policy that would notify customers when their connected products will stop working. That includes a wide array of smart home devices, such as Wi-Fi routers, security cameras, connected thermostats, and smart lights. Although it is currently a proposed state law, supporters hope it will inspire more laws like it in the near future.
“Almost everyone has a story about a favorite appliance that stopped working the way they thought it would or died,” said Stacey Higginbotham, policy associate at Consumer Reports. “Your product is now connected to the manufacturer with this software data that says how it will work.”
The Massachusetts laws, if eventually passed, would require manufacturers to clearly disclose on product packaging and online how long they will provide software and security updates for the device. Manufacturers will also need to notify customers when their device is nearing the end of its service life and inform them of features that will be lost and security vulnerabilities that may arise when regular support ends. When a device stops receiving regular updates, it is prone to cyberattacks and becomes a vector for malware.
“This is an issue that is becoming more and more prominent as the Internet of Things ages,” said Paul Roberts, president of SRFF and a Massachusetts resident who has worked with lawmakers. “This is inevitable. We can’t just leave them connected and unprinted.”
Wi-Fi has been commonplace in the home and office for more than two decades, which means there is a rapidly growing population of older devices still connected to the Internet that may not have received security updates in years. These zombie gadgets—routers, sensors, connected appliances, home security cameras—are left vulnerable to attack by their unsuspecting owners.
“We’re trying to minimize the attack surface,” Higginbotham said. “We won’t be able to stop it, but we want to make consumers aware that there is something they can do. In fact, they have an open door that can no longer be locked.”
The bills’ focus on cybersecurity also has the benefit of catching the eye of people who might be concerned about that sort of thing—like US lawmakers.
“I hope the legislators will be able to roll their arms around this easily and understand the problem here,” Roberts said. “And we followed the solution.”
