
Massachusetts Legislation Tackles End Of Life Software Risk

Massachusetts State House

Lawmakers in Massachusetts on Monday introduced new legislation to address the growing epidemic of abandoned smart, personal electronics.

Two closely aligned bills, dubbed “An Act Relative To Consumer Electronic Devices,” were filed: one in the Massachusetts House of Representatives (HD 5563) and the other in the state Senate (SD 3606). If passed, the bills will create new rules for the makers of personal electronics when it comes to supporting and patching the software that runs the devices.

As written, the bills will require manufacturers to:

  • Disclose a minimum guaranteed support timeframe to consumers before they purchase an electronic device, informing would-be owners of the period for which the manufacturer will provide security and software updates.
  • Notify consumers when their devices are nearing the end of life and provide guidance on how to handle the device’s end of life.
  • Inform customers about features that will be lost as a result of the end of life declaration as well as potential vulnerabilities and security risks that may arise after software support ends.

The proposed Massachusetts legislation follows the introduction of a similar bill, S8507, the “connected consumer product end of life disclosure act” in the New York State Senate in September by Senator Patricia Fahey.

A number of incidents in recent years have highlighted the phenomenon of functioning and even newly issued devices being “bricked” after manufacturers withdraw support or cease business operations. Spotify’s Car Thing portable device, which launched in 2021, was discontinued by the company within a year. Then, in May 2024, Spotify declared its Car Things “end of life,” informing customers that it was ending support for the device, closing down the cloud-based services that Car Thing relied on and essentially “bricking” the device, and urging customers to bring it to their local electronics recycling center.

More recently, Google ended software support for millions of its first- and second-generation Nest Smart Thermostats, while Microsoft did the same for billions of devices running its Windows 10 operating system. And the list goes on. US PIRG’s Electronic Waste Graveyard documents more than 100 products abandoned by their manufacturers in recent years, including Amazon’s Halo Rise, a $140 smart alarm clock that the company abandoned and bricked less than a year after its initial release.

As SRFF has pointed out on many occasions, the security consequences of manufacturers abandoning devices are huge. Cybersecurity experts have identified numerous campaigns by cybercriminal groups and state-sponsored hacking crews from China, Russia, Iran and North Korea that search for and compromise “end of life” devices such as broadband routers, switches, and other connected devices. In May, the FBI issued an alert about the growing threat from criminals who exploit end-of-life (EoL) home routers from well-known vendors such as Linksys. Threat actors target EoL routers by exploiting known vulnerabilities in the remote management software that is pre-installed on the routers, installing malware that enlists the router in a criminal botnet or uses it for other criminal purposes.

To address this cybersecurity risk, SRFF teamed up with Consumer Reports, US PIRG and the Center for Democracy and Technology in March to put forward the Connected Consumer Product End of Life Disclosure law, model legislation to promote new laws that protect consumers of smart, Internet-connected products.

The proposed Massachusetts and New York laws are products of that effort. In addition to the disclosure requirements intended to inform consumers of software support lifespans, the bills require Internet Service Providers (ISPs) that lease equipment like broadband routers, security cameras or smart home devices to consumers to replace any leased devices that have been declared “end of life” at no cost to their customers.

“With hackers seeking to infiltrate end of life routers and other smart devices, consumers need to know if the products on their network are still supported and secure,” said Stacey Higginbotham, a policy fellow at Consumer Reports.

SRFF President Paul Roberts said the proposed laws are a natural response to a growing epidemic of EoL devices that poses a threat to both public health and safety. “As the population of software-powered, Internet connected products explodes, laws like these are necessary to stop corporate abuses and provide clear guidelines and guardrails for Big Tech: protecting the rights of consumers and promoting practices that ensure greater technology security and resilience,” Roberts said.

The proposed laws will also harness the power of consumers to promote more secure and sustainable practices by electronics makers, said Higginbotham. “Most consumers have experienced the frustration that comes with buying a connected appliance or smart home gadget that then stops working when the manufacturer decides to stop supporting it. This law helps consumers make informed purchasing decisions, while also letting consumers know when to take insecure and vulnerable devices offline.”

Roberts said the supporters of the EoL legislation are looking forward to working with legislators to get the laws enacted.

“We are thrilled to see this legislation introduced in Massachusetts and New York, and look forward to working with legislators in both states to address the serious consumer and public safety risks posed by abandoned, end-of-life Internet of Things devices deployed in homes, businesses and on critical infrastructure.”
