A Deeper Dive into the Privacy + Cybersecurity Concerns about Massachusetts’ Ballot Question 1

Robinson+Cole Data Privacy + Security Insider

I previously wrote about a ballot question in Massachusetts this year that would update the “Right to Repair” initiative that was first passed in 2013. As a quick refresher, the Right to Repair law allows consumers to take their car to any repair shop (not just the dealer) and have their mechanic plug a cord into the car’s onboard computer system to figure out what’s wrong with the car, or, alternatively, a consumer can buy a device and do this themselves.

Now, many say that Question 1 in the upcoming Massachusetts election seeks to close a loophole in that 2013 law, which exempts manufacturers from sharing data transmitted wirelessly from the vehicle to the manufacturer. The current law allows independent repair shops to access vehicle diagnostics through an On-Board Diagnostics (OBD) port (like in the example above), but proponents of this ballot question say that they are worried that manufacturers will do away with the OBD ports in newer models and collect and store all of the vehicle’s data wirelessly, which would exempt the manufacturers from the 2013 law. However, in a quick Internet search on this topic, it is hard to find a clear outline of what this really means and how Question 1 actually changes the current Right to Repair law. Let’s take a closer look.

Well, today, as mentioned above, most cars are equipped with an OBD port to diagnose a problem with your car in a local repair shop as opposed to at the dealer. This ballot question would require vehicle manufacturers to create a new open access data platform where consumers and their repair shops could use a mobile app to access telematic services data, which is data that is transmitted wirelessly from the vehicle to the manufacturer (and in turn, to the manufacturers’ dealers). Under the current law, manufacturers are only required to permit consumer/independent repair shop access to onboard data systems. However, cars now are equipped with the automobile equivalent of a FitBit or Apple Watch that monitors the car’s mechanical health and sends those readings wirelessly back to the manufacturer. This is “real-time” data about the vehicle. And, with this real-time transmission of data, there may be nothing wrong with the car yet, but telematics tell the manufacturer that a certain part of the car is wearing down or will need to be fixed soon. Then the manufacturer (or the dealer) can send you an email (or even a message directly to the car’s dashboard screen) alerting the consumer to schedule maintenance to avoid greater cost in the future. It cuts out the local repair shop (or, it could).

Here’s the breakdown:

The Current Right to Repair Law (from 2013)

  • Vehicle manufacturers must make available for purchase by owners and independent repair facilities “diagnostic and repair information, including repair technical updates that the manufacturer makes available to its dealers through the manufacturer’s internet-based diagnostic and repair information system or other electronically accessible manufacturer’s repair system.” The manufacturer accomplishes this by selling a diagnostic tool to the independent repair facilities so that the small shops can communicate with the vehicle in the same way that the manufacturers/dealers do.
    • In simpler terms, manufacturers include OBD systems in their vehicles and local repair shops can plug in a cord at their shop and check out your car’s computer system.
  • Beginning with model year 2018, manufacturers must provide access to the car’s onboard diagnostic and repair information system on a daily, monthly or yearly subscription basis.
  • Manufacturers DO NOT currently have to provide diagnostic, service or repair information necessary to reset an immobilizer system or security-related electronic modules. If this information is necessary, and owners and/or independent repair facilities need that information, it can be obtained through a “secure data release model system currently used by the National Automotive Service Task Force (NASTF) or other known, reliable and accepted systems.”
    • If the data relates to signaling the car to go or stop or turn the security system on or off, the information is obtained NOT through the OBD system, but through the NASTF’s Vehicle Security Professional Registry which only allows access by registered users (who are vetted) and protects the data with cyber security measures.
  • Telematics diagnostic and repair information necessary to diagnose and repair a consumer’s car (not otherwise available to independent repair facilities) IS disclosed (because it is ‘necessary’ for the repair by the independent repair shop). HOWEVER, “telematics services and other remote or information services, diagnostic or otherwise, delivered to or derived from a [car] by mobile communications” are NOT disclosed to independent shops.

Note that the “telematics services” term means information relating to “automatic airbag deployment and crash notification, remote diagnostics, navigation, stolen vehicle location, remote door unlock, transmitting emergency and vehicle location information to public safety answering points and any other service integrating vehicle location technology and wireless communications.” Telematics can also include media streaming and geofencing. Basically, if the information is necessary for diagnostics and/or repairs then the manufacturer must share it with the owner of the vehicle and/or independent repair shops; if the information is NOT necessary for diagnostics and/or repairs then the information is not shared. Of course, this brings up the issue of repairs that WILL be necessary in the future that only the manufacturer is alerted to right now.

The Proposed Revisions to the Right to Repair Law (a “yes” vote to Question 1)

  • The proposed revisions will add a definition of “mechanical data” to the law, which will mean “any vehicle-specific data, including telematics system data, generated, stored in or transmitted by a motor vehicle used for or otherwise related to the diagnosis, repair or maintenance of the vehicle.”
  • The proposed revisions will add a definition of “telematics system” to the law, which will mean “any system in a motor vehicle that collects information generated by the operation of the vehicle and transmits such information, [(referred to as “telematics system data” throughout the revised Right to Repair law)] utilizing wireless communications to a remote receiving point where it is stored.”
  • The proposed law states that the OBD system must be “standardized and not require any authorization by the manufacturer, directly or indirectly, unless the authorization system for access to vehicle networks and their OBD systems is standardized across all makes and models [. . .] and is administered by an entity unaffiliated with a manufacturer.”
  • The telematics services exception noted above will be stricken from the law; instead, all model year 2022 and thereafter must be equipped with an “inter-operable, standardized and open access platform across all of the manufacturer’s makes and models. Such platform shall be capable of securely communicating all mechanical data emanating directly from the motor vehicle via direct data connection to the platform.”
    • In simpler terms, vehicle manufacturers must create a shared database for telematics that currently flow only to manufacturers (and in turn, their dealers). Consumers would then grant permission to a local mechanic to keep tabs on their car and allow that local shop to more easily anticipate a problem and schedule a service before something breaks, just like a dealer does now.
      • But note that this system will communicate “mechanical data.” The proposed definition of “mechanical data” states that it includes information that is “related to the diagnosis, repair or maintenance of the vehicle.” This would NOT include telematics data collected related to an immobilizer system or security-related electronic modules. That exception is not being stricken by these proposed revisions.
    • Note that all of this data will be “limited to the time to complete the repair or for a period of time agreed to by the vehicle owner for the purpose of maintaining, diagnosing and repairing the motor vehicle.” This access “shall include the ability to send commands to in-vehicle components if needed for purposes of maintenance, diagnostics and repair.” Again, control of in-vehicle commands may only be accessed for maintenance, diagnostics and repair.
  • The Massachusetts Attorney General will establish a “motor vehicle telematics system notice” for consumers explaining what telematics data consists of, how the information is accessed through a mobile app, the right to authorize an independent repair shop to access this data, etc.

After a deeper dive, it appears that the biggest change is that if a manufacturer decides that it would be more lucrative to remove the OBD ports from its vehicles and transmit all of this data wirelessly to its dealers (essentially taking away access by the local repair shops, and still acting in accordance with the current Right to Repair law), there would be no way for the local repair shops to get the data needed to diagnose and repair their long-time customers’ cars. Under these proposed revisions, telematics data related to the “maintenance, diagnostics and repair” of the vehicle must be disclosed by the manufacturers (immobilizer system and security-related electronic modules data would still only be transmitted through the secure NASTF registry). However, that’s not to say that there aren’t potential cybersecurity risks to this model proposed by Question 1.

The deputy administrator for the National Highway Traffic Safety Administration (NHTSA), James C. Owens, submitted a letter to the Massachusetts Joint Committee on Consumer Protection in response to a request for testimony on the effect of Question 1 on cybersecurity. The Committee requested “information about whether aspects of the initiative might introduce additional cybersecurity risks to motor vehicles and public safety risks to road users, such as malicious hacking attempts,” and “information about whether the initiative might impact Federal motor vehicle safety efforts.” Owens’ letter said:

It is [the NHTSA’s] view that the terms of the ballot initiative would prohibit manufacturers from complying with both existing Federal guidance and cybersecurity hygiene best practices. NHTSA is also concerned about the increased safety-related cybersecurity risks of a requirement for remote, real-time, bi-directional (i.e., read/write capability) access to safety-critical vehicular systems. Given the multi-year automotive product development cycle, the deadline for compliance appears impossible for manufacturers to meet in a responsible manner, risking removal of existing cybersecurity controls over wireless access into vehicles as the ballot initiative directs, which increases the risk of cybersecurity attacks that could jeopardize public safety. Further, the requirement to establish universal and standardized access requirements increases the scale of risks of any potentially successful cybersecurity attack.

Further, Owens said that “while the initiative requires the system to be ‘secure,’ it does not define what that vague term means, nor does it reflect any established best practices or other measures to address cybersecurity risks. Further, the initiative does not discuss the variety of telematics offerings available to consumers today, nor does it address feasibility, practicality, or availability of protocols or other measures that could appropriately protect against cybersecurity risks that would be introduced via proposed forms of third-party telematics access.”

Owens’ letter listed specific cybersecurity concerns with Question 1 and some recommendations to remediate these concerns:

  1. Vehicle manufacturers should control access to firmware that executes vehicle functions (e.g. vehicle motion such as steering, acceleration, and braking).
  2. Vehicle manufacturers should implement logical and physical isolation techniques to separate processors, vehicle networks and external access points to limit and control pathways from external threat vectors to cyber-physical features of vehicles.

Perhaps even more important at this juncture to the passage (or failure) of this ballot question is the short timeframe for its implementation. In Owens’ letter he points out:

“NHTSA is not aware of any existing system architectures that would satisfy the requirements of the ballot initiative, and they are unlikely to be developed, tested, validated and deployed in the proposed timeframe. Therefore, manufacturers that offer telematics systems could find themselves in a situation that would require them to remove all access controls from their telematics systems, including controls designed to ensure the security of safety-critical systems.”

Bryan Reimer, research scientist at the MIT Center for Transportation and Logistics, said, “This is a hard topic for federal safety regulators who understand the intricacies of vehicle design development [. . .] this ballot initiative creates a series of unintended consequences because of the timeline and the vague wording of several aspects,” as noted by Owens in his testimony as well. Reimer says that vehicle manufacturers are already in the midst of making 2022 cars and requiring them to open up wireless data access at this point could open up potential cyber-vulnerabilities and possibilities for remote tampering. Reimer doesn’t necessarily oppose allowing car owners and independent repair shops access to telematics services data; he just points out that the accelerated timeline increases the chances of flaws in the data transfer and maintenance.

Of course, we need to assess just how risky it would be for that data (i.e. data related to maintenance, diagnostics and repairs) to end up in the wrong hands. Perhaps the data at issue is not quite as sensitive as other types of data collected by our cars like the immobilizer system data or security-related module system data (or geolocational data, etc.).

While the question is up for debate this November in Massachusetts, one thing is for sure: consumers should be worried about the vast quantities of data that automakers are collecting from our connected vehicles. Consumers should read the terms of automakers’ mobile apps and OBD systems (and wireless transmission services/platforms) and understand what type of information their vehicle is collecting about them and who might have access to that data and how.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
