A bill that would have carved out exceptions to Colorado’s right-to-repair laws was voted down 7-4 in a House committee Monday.
The proposal, Senate Bill 90, arrived after three consecutive years of lawmakers passing right-to-repair legislation in Colorado, beginning in 2022 with a law that allows powered wheelchair users to bring their wheelchairs to an independent repair shop instead of relying solely on the manufacturer. That right was extended to agricultural equipment in 2023 — often laden with proprietary software that locks out third-party repairs — and finally to digital equipment in 2024, with an addition that prevents manufacturers from installing parts that lead to reduced functionality or misleading alerts about third-party parts. The most recent law took effect in January.
The current law requires manufacturers to provide documentation, parts, software, firmware or tools that enable someone other than the manufacturer to repair the items. It includes exceptions that protect a manufacturer’s source code and trade secrets, as well as any documentation or tools that would “disable or override any privacy or anti-theft security measures.” There are also carve-outs that exempt manufacturers of motor vehicles, medical equipment and certain digital road infrastructure, like electric vehicle charging stations.
Colorado is among a handful of states leading the charge with right-to-repair laws, part of a broader movement to empower consumers and limit manufacturer control over who can repair what.
The bill would have added language to the current laws to exempt information technology that is “intended to be used in critical infrastructure,” such as power plants, military installations and law enforcement agencies. Things like servers and routers are classified as IT equipment.
Rep. Chad Clifford, a Centennial Democrat who co-sponsored the bill, told the committee Monday that he has supported right-to-repair laws in the past, and that the bill was not an attempt to create loopholes in the current laws.
“I just want you to understand that what we’re trying to do here is make sure that something that’s used for a government purpose or critical infrastructure can get an exemption, if we determine that that device is used in government service or critical infrastructure,” he said.
The bill wouldn’t have automatically exempted IT manufacturers from the law, but would have created a process for the attorney general to evaluate whether a product should be protected from third-party repairs.
“I’m very, very, very proud that our state has gotten this right,” Clifford said during the committee. Adding later, “I think that there are additional items that are now covered by our right to repair that also we may still need to keep secret. Point blank.”
Right-to-repair advocates, including representatives from CoPIRG, Repair.org, iFixIt and Consumer Reports, testified against the bill at a State, Civic, Military and Veterans Affairs Committee meeting Monday, as did local environmental groups like Recycle Colorado and GreenLatinos.
“That critical infrastructure needs to be protected. We 100% agree,” Danny Katz, executive director of CoPIRG told The Colorado Sun. “And certainly IT equipment is on the front lines of the cyberattacks that happen every single day. But we don’t make our IT equipment safer by limiting repair tools. If our IT equipment goes down, we need it to be fixed right away.”
Cybersecurity expert Billy Rios, who testified against the bill Monday, told the committee that hacks are done rapidly and remotely, not by reverse engineering parts on an individual machine. (Rios would know — he once hacked a line of insulin pumps to prove to their manufacturer, Medtronic, how vulnerable they were.)
One misunderstanding that Katz thinks arose during the hearing is around what constitutes a “tool” that a manufacturer should provide. They’re not just talking about screwdrivers, he said.
Right-to-repair advocates, in this case, are mostly referring to the firmware that allows different parts within a machine to talk to one another. If a server’s fan breaks, for instance, the repairer should be able to pop out the fan and replace it with a new one. Right now, most manufacturers have firmware installed that blocks the machine from communicating with the new part.
If a company designs firmware intended to speak to a fan, but that can be hacked to control the server, that’s just bad design, Katz said. “We shouldn’t be punishing the owners of these servers because the manufacturer made a really poorly designed repair tool.”