A controversial bill in Colorado that would have undone some repair protections in the state has failed. The bill had been the target of right-to-repair advocates, who saw it as a bellwether for how tech companies might try to undo repair legislation more broadly in the US.
Colorado’s landmark 2024 repair law, the Consumer Right to Repair Digital Electronic Equipment, went into effect in January 2026 and ensured access to tools and documentation people needed to modify and fix digital electronics such as phones, computers, and Wi-Fi routers. The new bill, SB26-090, would have carved out an exception to those repair protections for “critical infrastructure,” a loosely defined term that repair advocates worried could be applied to just about any technology.
SB26-090 was introduced during a Colorado Senate hearing on April 2 and was supported by lobbying efforts from companies such as Cisco and IBM. It passed that hearing unanimously. The bill then passed in the Colorado Senate on April 16. On Monday evening, the bill was discussed in a long, delayed hearing in the Colorado House’s State, Civic, Military, and Veterans Affairs Committee. Dozens of supporters and detractors gave public comments. Finally, the bill was shot down in a 7-to-4 vote and classified as postponed indefinitely.
Danny Katz, executive director of the local nonprofit consumer advocacy group CoPIRG, says the battle was a group effort. Speaking against the bill were a cohort of repair advocates from organizations such as PIRG, Repair.org, iFixit, Consumer Reports, and local businesses and environmental groups like Blue Star Recyclers, Recycle Colorado, Environment Colorado, and GreenLatinos.
“While we were making progress at chipping away at the momentum for it, we had still been losing,” Katz wrote in an email to WIRED after the hearing. “So, we took nothing for granted, and I believe the incredible testimony from the broad range of cybersecurity experts, businesses, repair advocates, recyclers, and people who want the freedom to fix their stuff made a big difference.”
Supporters of the bill, backed by companies like Cisco, had pointed to the potential for cybersecurity risks as their motivation for altering the law’s language. If companies were required to make repair tools available to anyone, the theory goes, what’s to stop bad actors from using those tools to reverse engineer critical technology like internet routers? Withholding those tools, they posited, would make them less available to hackers who could misuse them. Advocates of the bill said that companies should be allowed to keep their secrets if it ensured security, though that argument starts to fall apart with a little scrutiny.
At one point in the hearing, Democrat Chad Clifford, a Colorado state representative and the House committee’s vice chair who was also a prime sponsor of the bill, pointed to what appeared to be a reference to Cloudflare’s very public use of a wall of lava lamps to help randomize internet encryption, citing that as an example of the need for sensitive systems to be inscrutable to be secure.
“I don’t know why anybody has to have lava lamps on a wall to keep the Chinese from getting into a network, but it’s what they came up with that worked,” Clifford said. “How they do that, I believe they should be able to keep it a secret, even in Colorado.”
The problem with that argument, as cybersecurity experts pointed out during the hearing, is that the vast majority of hacks are not carried out via replacement parts or by taking apart individual machines. They’re remote hacks, where the attacker makes changes in real time, and the people defending have to make changes on the fly without worrying about acquiring permission from the company that makes the equipment.
