Boston, MA – Consumer Reports and Secure Resilient Future Foundation announced their support today for the introduction of Massachusetts Senate Bill 3606 and House Bill 5563, which would require manufacturers of connected consumer devices to tell buyers how long they plan to support their products with security and software updates.
These bills, introduced Tuesday by Senator William N. Brownsberger and Representative David M. Rogers, would protect consumer rights and boost Massachusetts’ and the nation’s overall cybersecurity. The proliferation of connected consumer devices in homes and small businesses has created a significant security challenge. When these devices reach their end of life and no longer receive software and security updates, they become vulnerable to exploitation by malicious actors. These “zombie devices” can be hijacked and used in botnets, posing a risk to individual users and the wider internet.
The proposed legislation seeks to address these issues by mandating:
- Clear disclosure of minimum guaranteed support timeframes: Manufacturers must clearly disclose the duration for which they will provide security and software updates, both on product packaging and online.
- Proactive consumer notification: Manufacturers must notify consumers when their devices are nearing the end of life and provide guidance on how to handle the device’s end of life.
- Information on lost features and vulnerabilities: Notifications about end-of-life must include details about features that will be lost, and potential vulnerabilities and security risks that may arise.
- Removal or replacement of company-provided connected devices, such as routers, security cameras, etc., by Internet Service Providers when those devices reach their end of life.
“Most consumers have experienced the frustration that comes with buying a connected appliance or smart home gadget that abruptly stops working when the manufacturer decides to stop supporting it. This law helps consumers make informed purchasing decisions, while also letting consumers know when to take insecure and vulnerable devices offline,” says Stacey Higginbotham, a policy fellow at Consumer Reports. “With hackers seeking to infiltrate end of life routers and other smart devices, consumers need to know if the products on their network are still supported and secure.”
“As the population of software-powered, Internet connected products explodes, laws like these are necessary to stop corporate abuses and provide clear guidelines and guardrails for Big Tech: protecting the rights of consumers and promoting practices that ensure greater technology security and resilience,” says Paul Roberts, President, Secure Resilient Future Foundation. “We are thrilled to see this legislation introduced in Massachusetts, and look forward to working with legislators to address the serious consumer and public safety risks posed by abandoned, end-of-life Internet of Things devices.”
A nationally representative December 2024 survey conducted by Consumer Reports found that 72% of Americans who own smart devices believe manufacturers should be required to disclose how long they will support those devices’ software. These bills are based on a model bill developed last year by Consumer Reports, Secure Resilient Future Foundation, US PIRG, and the Center for Democracy and Technology. The New York Senate also recently introduced a similar bill based on the coalition’s model bill.
Contact: cyrus.rassool@consumer.org