Originally posted September 25th in the Boston Herald. This is a letter about right to repair sent to the editor by Paul Roberts, founder, SecuRepairs.org and signed by myself among many others.
To the editor:
Halloween came early to the Bay State this year. For the past two months, the airwaves have been filled with scary-sounding ads pushing tales of hacking, identity theft and cyber stalking. Their target: Question 1, a pro-consumer ballot measure that will give car owners and independent repair shops access to wireless maintenance data needed to service and repair modern vehicles.
Our group, SecuRepairs, represents some of the world’s top information security experts. In our professional opinions, this small expansion to the state’s right to repair law in no way increases the risk of identity theft, cyber stalking or vehicle hacking.
If passed, Question 1 would close a loophole in a Massachusetts law that requires automakers to make diagnostic and repair data accessible to vehicle owners and independent repair shops. That law, which was passed in 2013, failed to explicitly cover repair data that is transmitted wirelessly. Seven years later, many newer vehicles transmit maintenance data this way, using a car’s cellular Internet connection to bypass the repair shop and talk directly to automakers’ “cloud servers.” Question 1, which will appear on the November ballot simply closes that loophole. It requires automakers to make wireless data “needed for purposes of maintenance, diagnostics and repair” — the same data that automakers give to their dealerships — available in a standard format to vehicle owners and independent repair shops.
It goes without saying that competition for vehicle repair and maintenance from independent repair shops keeps the cost of service and repair down. It also makes perfect sense that the same mechanical data shared via a wired connection from a vehicle to a computer in a repair shop should also be accessible wirelessly. That’s why automakers are anxious to change the subject. The “Coalition for Safe and Secure Data,” a group funded by automakers, is blanketing TV and radio with ads warning the public that Question 1 will give rapists and burglars the keys to your car and even your home.
These warnings about cyber security risk related to the mechanical data covered by Question 1 are misleading and with little basis in fact. That data might tell you why the “Check Engine” light is illuminated on your dashboard. It won’t open your garage door or let a cyber stalker follow you around town. In fact, the data covered by Question 1 is identical to the data that automakers have been sharing for years under Massachusetts’ existing right to repair law.
There is one thing the auto industry’s scare-mercials have right: Consumers should be worried about the reams of data that automakers collect from our connected vehicles. Modern Internet connected cars have access to everything from personal contact data shared from a driver’s mobile phone to video feeds from in-car cameras to the vehicle’s GPS data. Privacy and consumer advocates ranging from the ACLU to Consumer Reports warn that this galaxy of in-vehicle sensors pose acute privacy and civil liberties risks.
The ability to repair your own vehicle or to hire an independent repair shop — and access to the data needed to make repairs — are critical to keep automotive service and repair affordable. Affordable repair and servicing allows all of us to extend the useful lives of our cars, saving us thousands of dollars. Rather than trying to frighten consumers, car makers should make owner access to this data easy, while also being transparent about what data they are collecting from smart vehicles and how they use it. Facts and transparency, not fear, are the antidote for the public’s anxiety about data privacy and security.
— Paul Roberts, founder, SecuRepairs.org
Jon Callas, director of technology projects, Electronic Frontier Foundation
Ming Chow, associate professor, Tufts University
Richard Forno, senior lecturer, cybersecurity, University of Maryland, Baltimore County
Dan Geer, chief information security officer, In-Q-Tel
Joe Grand, principal engineer and hardware hacker, Grand Idea Studio, Inc.
Gordon Fyodor Lyon, founder, Nmap Project
Gary McGraw, founder, Berryville Institute of Machine Learning
Davi Ottenheimer, vice president, trust and digital ethics, Inrupt
Nicholas Percoco, founder, THOTCON
Billy Rios, CEO, Whitescope.io
Is anyone working with the NHTSA to establish standards for vehicle data, including its security standards (authenticity, confidentiality and integrity preservation)? Seems to me, such data should be regulated by the agency whose mandate is to protect consumers when/where automobiles are concerned.