New 'Car Safety Bill' Would Make Us Less Safe, Block Security Research And Hinder FTC And Others
from the not-a-good-idea dept
The House Energy and Commerce Committee is pushing an absolutely terrible draft bill that is supposedly about improving "car safety." This morning there were hearings on the bill, and the thing looks like a complete dud. In an era when we're already concerned about the ridiculousness of how copyright law is blocking security research on automobiles (just as we're learning about automakers hiding secret software in their cars to avoid emissions testing), as well as questions about automobile vulnerabilities and the ability to criminalize security research under the CFAA (Computer Fraud and Abuse Act), this bill makes basically all of it worse. From Harley Geiger at CDT:And that's not all that's problematic with the bill. Marcey Wheeler notes that the program would basically allow carmakers to hide what they're doing with the information they collect on you, merely by ponying up $1 million to the government. The bill is, of course, sneaky, in that it pretends to demand automakers reveal what they're doing with your info, but then slips in a "cap" of $1 million for automakers that refuse to do so. In other words, car companies can just pay $1 million (pocket change) and not have to reveal anything.CDT believes it would be inappropriate to create redundant penalties for accessing car software. Sec. 302 of the draft vehicle safety bill is unnecessary insofar as it duplicates the Computer Fraud and Abuse Act (CFAA) and the Digital Millennium Copyright Act (DMCA). Although tampering with car software can pose safety issues, this is not unique and does not require a new regulation – the computers and software already covered under the CFAA and DMCA include everything from web servers to sensitive critical infrastructure.
The draft bill forbids “access without authorization” to software – but so does Sec. 1030(a)(2)(C) of the CFAA. If the purpose of forbidding access to the vehicle’s software is to prevent unauthorized modifications, this too is already prohibited under Sec. 1030(a)(5) of the CFAA. The CFAA carries both civil and criminal liability for violations, and penalties are almost universally viewed as disproportionately harsh.
If vehicle software is protected by an access control, as is often the case, then Sec. 1201 of the DMCA already forbids circumventing the software access controls without authorization. Sec. 1201 poses major problems for independent auto repairs, diagnostics, and cybersecurity research that require access to software, and numerous groups – including CDT – have repeatedly called on the Copyright Office to create exemptions for these purposes on behalf of consumers. The draft vehicle safety bill contains no such exemptions. In fact, the draft vehicle safety bill is actually stricter than Sec. 1201 insofar as it applies to software even if there is no access control.
There's also some bizarre stuff having to do with cybersecurity, where the bill would let automakers set their own standards, and then keep them secret. Here's Geiger again:
The Council will decide on weighty matters, including best practices for cybersecurity, fixing security flaws, coordinating vulnerability disclosure with security researchers, and even automobile design. [See pgs. 29-30.] Vehicle manufacturers may develop policies based on these best practices, yet the draft would explicitly forbid these policies from being disclosed to the public. [See pg. 31.] While companies might be wise to avoid disclosing sensitive technical details, it would be unnecessarily prescriptive and inconsistent with modern practice for the government to forbid companies from public disclosure of their own policies.And Wheeler:
Upton’s [bill] would let the industry to establish a standard, than permit manufacturers to submit their plans that would fulfill “some or all” standards. Once they submitted those plans they would disappear — they couldn’t be FOIAed, and couldn’t be sued by FTC if they violated those terms.Despite the fact that the bill is supposedly in support of the National Highway and Traffic Safety Administration, the NHTSA doesn't seem to like the bill at all either:
The Committee’s discussion draft includes an important focus on cybersecurity, privacy and technology innovations, but the current proposals may have the opposite of their intended effect. By providing regulated entities majority representation on committees to establish appropriate practices and standards, then enshrining those practices as de facto regulations, the proposals could seriously undermine NHTSA’s efforts to ensure safety. Ultimately, the public expects NHTSA, not industry, to set safety standards.Neither does the FTC, raising concerns about how the bill would basically exempt carmakers from FTC investigations and actions should they violate user privacy. The FTC also (thankfully!) raises similar concerns as CDT to the parts that would block security research:
Section 302 of the discussion draft would prohibit unauthorized access to an electronic control unit, critical system, or other system containing driving data. We support the goal of deterring criminals from accessing vehicle data. Security researchers have, however, uncovered security vulnerabilities in connected cars by accessing such systems. Responsible researchers often contact companies to inform them of these vulnerabilities so that the companies can voluntarily make their cars safer. By prohibiting such access even for research purposes, this provision would likely disincentivize such research, to the detriment of consumers’ privacy, security, and safety.The FTC is also concerned about that "cybersecurity" council thing, pointing out that it would be dominated by the carmakers, as well as the fact that the setup would inevitably lead to very slow reactions to real cybersecurity issues:
The discussion draft requires the Council to meet annually to review the best practices, but leaves it up to the Council to adopt additional best practices “as necessary” in subsequent years, which could mean that risks are not addressed in a timely fashion. The discussion draft allows, but does not require, manufacturers to submit updated plans if they choose to modify their plans.And then, of course, there's this:
The proposed safe harbor is so broad that it would immunize manufacturers from liability even as to deceptive statements made by manufacturers relating to the best practices that they implement and maintain. For example, false claims on a manufacturer’s website about its use of firewalls, encryption, or other specific security features would not be actionable if these subjects were also covered by the best practices.Yeah, that seems like a concern.
So who could possibly like this bill? Why, the automakers of course. The Alliance of Automobile Manufacturers -- represented by former RIAA boss Mitch Bainwol, of all people -- really likes these proposals, because why wouldn't it? The only real complaint it seems to have is that the cybersecurity council wouldn't have enough time to implement a plan and is apparently trying to push out the timeline.
Meanwhile, the key sponsor of the bill is Fred Upton who is (you probably guessed...) from Michigan, home of the American auto industry. It also probably won't surprise you to discover that the automotive industry has been a big financial supporter of his campaigns for Congress, or that Ford Motor Company has been the second largest contributor to his campaigns over his career (behind the National Association of Broadcasters). This is all, of course, part of the process of how Congress works, but it does still seem fairly sketchy when that leads to a bill that certainly looks like a big gift to the automakers, and which would almost certainly destroy security research into automotive computer systems, while similarly leaving all cybersecurity decisions up to the automakers themselves (and removing the FTC and the NHTSA from key parts of the oversight process).
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: automakers, car safety, cybersecurity, fred upton, ftc, hacking, nhtsa, security research, software
Reader Comments
Subscribe: RSS
View by: Time | Thread
Not a gift
It's not a gift when it's bought and paid for...
[ link to this | view in chronology ]
Stupid laws and unintended consequences.
[ link to this | view in chronology ]
A bit of misdirection
So it's incredibly misleading to suggest that an anti-tampering law would forbid this activity.
It should also be noted that the on board computers control important compliance systems such as emissions. Allowing the public to change this would be similar in nature to permitting them to remove the catalytic converter - a real no-no.
As for things like the VW emissions fiasco, remember that this "code" was basically detected not by hacking and viewing the code on the car, but by first observing the cars in operation and detecting a shift in behavior during the very specific circumstances of an emissions test. No "hacking" was required to show a problem.
[ link to this | view in chronology ]
Re: A bit of misdirection
If nothing else, there could never have been negative results for the the method they used. If the results showed that the emissions test was accurate, that would prove nothing. It could be that there was no discrepancy, or it could be that the car's software still thought it was in an emissions test and was still fudging the numbers. Advanced enough software could have made this nearly impossible to prove without seeing the software itself.
[ link to this | view in chronology ]
Re: Re: A bit of misdirection
You don't have to rip apart a black box to observe it's results. The difference in the case of VW is significant enough that you it's entirely visible to someone just looking at the results.
The biggest point of course is with the mandadted OBD port and pretty much standard coding, It means that a significant part of the arm waving in the OP is just that, arm waving. It's nowhere as real as they would like to make it out to be.
[ link to this | view in chronology ]
The importance of Copyright
By having software control various automobile functions, cars are cleaner, safer and cheaper to build. Large bundles of wires become simple network or fiber optic connections. Would you have us give up these advantages and go back to how cars once were designed?
(this concludes today's twisted copyright contortions)
[ link to this | view in chronology ]
Re: The importance of Copyright
Along with that, some auto manufacturers claim that because the car's software is licensed to you, you don't actually own the car anymore. It is licensed to you.
http://consumerist.com/2015/05/20/gm-that-car-you-bought-were-really-the-ones-who-own-it/
[ link to this | view in chronology ]
Re: Re: The importance of Copyright
But in a sense you're wrong. Copyright is the favorite tool everyone reaches for to prevent you from doing things that have nothing to do with copyright. Refilling ink cartridges. Working on your own car. Coffee machine refills. Removing unflattering posts about a person or product. Keeping laws secret unless you pay for a copy from a third party that has copyrighted the law (or part of it that is actually used when interpreting the law). And much more.
[ link to this | view in chronology ]
Don't existing laws cover this?
For example, I could tamper with my brakes.
Why is software tampering somehow different or uniquely new?
[ link to this | view in chronology ]
Re: Don't existing laws cover this?
[ link to this | view in chronology ]
Re: Re: Don't existing laws cover this?
[ link to this | view in chronology ]
Re: Re: Don't existing laws cover this?
The manufacturers would love this, but it would be nothing but terrible for everyone else.
[ link to this | view in chronology ]
Re: Re: Don't existing laws cover this?
[ link to this | view in chronology ]
“access without authorization”
[ link to this | view in chronology ]
The classics... they never die!
Me.. I'm damn glad I own an 89 firebird. No worries about tripping over a minefield of DCMA & CFAA guidelines. The old brute is mostly mechanical... just the way I like it.
[ link to this | view in chronology ]
Stupidity through obscurity
[ link to this | view in chronology ]
What do the auto manufacturers want?
Buying, owning, and driving a car has been an unpleasant activity for a long time now already, and getting more so as time goes on. This is a big reason why the younger generations are increasingly not even getting a driver's license at all.
You'd think that auto manufacturers would want to make their cars more desirable, not less.
[ link to this | view in chronology ]
Make hacking cars criminal...
[ link to this | view in chronology ]
Re: Make hacking cars criminal...
Aside from the fact that they will only be criminals for doing something they have always done, but that the government decided (with obvious manipulation from their cronies) was somehow worthy of being illegal. Police officers aren't suddenly going to start arresting people for working in the garage on their own car, and except for shutting down high-school and junior college auto-repair departments due to political/legal concerns, most people will pretty much ignore these laws.
It may be used by states to enforce their smog requirements, but unless the companies start putting intrusion prevention systems and call-home devices on their vehicles (I doubt, because it is going to be very expensive and difficult to manage,) unless you publish your findings, nothing will happen.
Where this is going to hurt, is in vulnerability disclosure. Media publishing reports in how VW is bypassing environmental tests will become hot-potatoes, since in order to discover this, someone must have discovered it, and to do that, they had to break the law by reverse engineering.
[ link to this | view in chronology ]
Some Tesla vehicles recently received OTA updates that added self-driving capabilities. Think about that for a moment... that's one hell of an update; especially if you didn't want it!
I have two vehicles that are paid off but are now ~15 years old. I've maintained them well but they're slowly becoming unreliable. I went car shopping in July and was shocked to discover that I really couldn't buy a 'dumb' car any more. At each dealership, I voiced my concerns and objections but nobody cared. One salesman went so far as to tell me that I was the first person to ever bring it up.
You want change? Quit bitching on the Internet and stop buying products that violate your rights. Start pushing back for once. Be willing to walk away and take the harder path. Same for gaming, music, movies, cable tv, etc...
[ link to this | view in chronology ]
Re:
New cars are a terrible deal, when you can buy cars that are only a year or two old for substantially less, and I have witnessed far too many people being taken for a ride by dealerships to have any trust in them.
[ link to this | view in chronology ]