Canadian Chamber of Commerce

The information on this website has been provided by external sources. The Government of Canada assumes no responsibility for the accuracy, currency or reliability of the information provided by external sources. Users wishing to rely on this information should consult the source of the information directly. Content provided by external sources is not subject to official languages and privacy requirements.

Consultation on the Modern Copyright Framework for AI and IoT

Canadian Chamber of Commerce submission

September 17, 2021

The Canadian Chamber of Commerce welcomes the opportunity to participate in the consultation on a modern copyright framework for Artificial Intelligence and the Internet of Things. This consultation is timely and important for the conduct of businesses in the 21st century. However, we would like to stress that there is a need for a broader conversation on the right to repair, planned obsolescence, and IoT. Engaging in this conversation solely within the copyright framework is not wholly appropriate because concerns around Technological Protection Measures (TPMs) and software and copyright are distinctly different from considerations around the right to repair a physical device.

Businesses are supportive of further innovation, clarification, and investment in AI and IoT. We agree that supporting competition, innovation, and the needs of the marketplace regarding IoT devices and software-enabled products is critical. Businesses also support measures to improve the cybersecurity of their networks, infrastructure, data and assets to protect Canadian intellectual property from growing risks related to cyber threats and cyber espionage.

We acknowledge that there should be a healthy balance between ensuring competition and preventing a monopoly while also protecting rights to repair devices. Businesses know that it is important to allow for the repair of products. However, it is also important to consider the safety and security related consequences of copyright infringement and piracy.

With this in mind, we primarily wish to provide comments on the repair of IoT.

We would like to highlight that repair capability can introduce uncertainty, the potential for misinterpretation, an opportunity for unwanted reverse engineering, a safety risk for Canadians, and an increase in cybersecurity breaches.

All products containing a computer program that have TPMs may be diagnosed, maintained, or repaired by whomever is authorized (typically “Authorized Dealers”). Authorization provides the copyright owner with control over access to their computer program(s). A computer program which is subject to a technological protection provides the owner with a competitive advantage in the marketplace and prevents unauthorized access to any trade secrets contained within the programming subject to the technological protection. The keys allowing access are carefully managed by the copyright owner through a program of selected authorization.

The concepts “diagnosing,” “maintaining,” and “repairing,” without further definition or refinement, leave interpretation open to, at best, dictionary definitions. The concept of “diagnosing” is unconnected to any other purpose, as is that of maintaining. Given such open-ended terms, the copyright owner is left without a right to include a meaningful technological protection measure to protect their intellectual property. Repairing is a broad enough concept to include diagnosing, as it is difficult to repair a product without first diagnosing the basis for requiring repair. Maintaining is an even broader term, possibly including within its meaning both diagnosing and repairing. In short, the proposal is so open to interpretation and is so unlimited in scope as to permit anyone to circumvent a technological protection and refer to it as “maintenance” or “diagnosing” or “repairing”.

It is worth mentioning again, to the extent a product containing any such technological protection measure requires attention, authorization is available from the copyright owner or their authorized dealers.

Further, any maintenance, diagnosis or repair that is performed by people/companies other than authorized dealers has a much higher likelihood of being performed in an unsatisfactory manner, resulting in frustration for the owner of that computer program and reflecting poorly on the copyright owner whose name and brand are on that product.

If consumers choose to attempt to fix their own product or hand it over to someone else to repair, that is their choice. However, right to repair capabilities can make it challenging for manufacturers to ensure their products are being repaired safely and securely by qualified trained repair technicians. This creates safety risks for Canadians.

Connected IoT devices, whether consumer or industrial, have vastly expanded the digital attack surface and exposed devices (including mission-critical devices such as automobiles, Industrial Control Systems, and infrastructure) to increasingly pervasive and sophisticated cyber-attacks. With remote work now the norm, the threat of cyber-attacks has also extended into the office and home. Without the proper cybersecurity training, qualified independent third-party service providers, and a life-cycle approach to cybersecurity, consumers could be exposed to cyber-threats if repairs are conducted in an unsecured way. Right to repair can also disregard security implications brought to light by requiring the release of firmware and other software systems.

Hacking, data privacy and cyber-threats are real concerns and right to repair concepts could increase the exposure and vulnerability of IoT devices to these very real threats. If a manufacturer is required to provide the firmware to third parties, the manufacturer is providing the keys to the operating system. Once the keys become public it breaks the firmware security chain and the item is not fully secure. It is essential that the safety and security of software be maintained throughout the life-cycle of a device (from development, to maintenance, and decommissioning). It is also essential that the software supply chain be safeguarded in a way that ensures transparency around the software-bill-of-materials and guarantees the integrity and security of software components and products.

This also applies to remote and wireless interaction. Connected appliances in some circumstances require Wi-Fi connectivity to the consumer’s personal in-home network. Manufacturer-authorized technicians could gain access to those private networks when performing repairs or instructing consumers on the use of such products. Manufacturer-authorized technicians are under contract, and the authorized service providers may have traceability for them. Opening that access up to independent third parties may give unauthorized personnel access to a consumer's private Wi-Fi network as well as data, and create opportunity for further risk exposure. Privacy and security need to be a paramount consideration.

Fundamentally, we would like to stress that any consultation on IoT and the right to repair must take into account safety, privacy, and security of information, for the benefit of both Canadians and Canadian businesses.

Thank you again for providing the opportunity for the Canadian Chamber of Commerce to opine on the consultation on a modern copyright framework for Artificial Intelligence and the Internet of Things.