A House Energy and Commerce Subcommittee recently released a discussion draft of a bill on vehicle safety. Although the bill is well-intentioned, it includes a troubling section aimed at preventing “motor vehicle hacking.” Sec. 302 of the draft bill would create massive civil penalties – up to $100,000 per violation – for accessing a car’s software without authorization for any reason. [See pgs. 24-25 of the draft bill.]
Sec. 302 of the draft vehicle safety bill is:
- Unnecessary because access to vehicle computers without authorization is already illegal under existing laws.
- Overbroad because it would undermine cybersecurity and fraud research, as well as independent repair of vehicles.
The draft bill should be revised by:
- Removing Sec. 302, or
- Clarifying that the vehicle owner can provide authorization for access to the software, even if the manufacturer does not provide authorization, and
- Creating robust exemptions for research and repair.
When you purchase a car, you typically own the physical parts of that car. However, modern vehicles increasingly come embedded with software, and most vehicle manufacturers only license the use of that software to the purchaser of the vehicle. As a result, it is often just manufacturers who can give permission to access vehicle software, not the vehicle owner. If a car manufacturer does not support independent repair work or research – or has something to hide – the manufacturer can simply deny authorization for accessing the car software, even if the car owner wants to give permission. Accessing the software without authorization can incur heavy penalties from computer crime laws that make little to no distinction between research, repair, or malicious hacking. The draft vehicle safety bill under consideration by the House Energy & Commerce Committee would exacerbate this problem.
Unauthorized access already covered by law
CDT believes it would be inappropriate to create redundant penalties for accessing car software. Sec. 302 of the draft vehicle safety bill is unnecessary insofar as it duplicates the Computer Fraud and Abuse Act (CFAA) and the Digital Millennium Copyright Act (DMCA). Although tampering with car software can pose safety issues, this is not unique and does not require a new regulation – the computers and software already covered under the CFAA and DMCA include everything from web servers to sensitive critical infrastructure.
The draft bill forbids “access without authorization” to software – but so does Sec. 1030(a)(2)(C) of the CFAA. If the purpose of forbidding access to the vehicle’s software is to prevent unauthorized modifications, this too is already prohibited under Sec. 1030(a)(5) of the CFAA. The CFAA carries both civil and criminal liability for violations, and penalties are almost universally viewed as disproportionately harsh.
If vehicle software is protected by an access control, as is often the case, then Sec. 1201 of the DMCA already forbids circumventing the software access controls without authorization. Sec. 1201 poses major problems for independent auto repairs, diagnostics, and cybersecurity research that require access to software, and numerous groups – including CDT – have repeatedly called on the Copyright Office to create exemptions for these purposes on behalf of consumers. The draft vehicle safety bill contains no such exemptions. In fact, the draft vehicle safety bill is actually stricter than Sec. 1201 insofar as it applies to software even if there is no access control.
Blanket access restrictions undermine beneficial research and repair
Like the CFAA and DMCA, the draft vehicle safety bill would undermine cybersecurity by hindering the ability of computer researchers to independently find and report on security flaws or fraud in car software. This type of research enhances cybersecurity and helps keep people safe, but the draft bill would create a new and strict legal hurdle to such research.
The draft bill would chill independent vehicle repair as well. As written, Sec. 302’s blanket prohibition on access to auto software and hardware affecting the movement of the vehicle would seemingly prohibit many diagnostics and mechanical repairs from anyone not authorized by the auto manufacturer. That means a motorist may face stiff fines for repairing the vehicle she supposedly owns herself, or asking an independent repair shop to do so.
A scenario on fraud: In September. 2015, Volkswagen was caught using car software to skirt emissions restrictions. The software was explicitly designed to fool standard testing conditions, and researchers caught the fraud almost by chance on the road without accessing the software. A company using software with fraudulent or unlawful features is unlikely to authorize researchers to access that software, and the penalties under the draft vehicle safety bill could be used to fine or threaten any independent researchers.
A scenario on cybersecurity: In July 2015, security researchers publicly revealed that flaws in Jeep entertainment system software enabled remote access to the car’s brakes and accelerator, forcing a recall of 1.4 million vehicles. Yet, according to a statement, Jeep/Chrysler does not support “under any circumstances” the disclosure of vulnerabilities that others could exploit. If a car company does not authorize security research, this draft vehicle safety bill could be used to fine the researchers.
CDT believes the best course for addressing these problems would be to remove Sec. 302 entirely. It adds almost nothing to existing law and can negatively impact consumers. If Sec. 302 cannot be removed, the draft bill could mitigate unintended consequences by making two revisions.
First, the draft bill should make clear that Sec. 302 does not apply if vehicle owners/operators provide authorization to access vehicle software, even if the vehicle manufacturers do not provide authorization – and even if the vehicle manufacturer’s software licensing agreement has forbidden the owner/operator from authorizing access to the vehicle software. Vehicle manufacturers and owners may disagree over the licensing agreement terms, but the fines under Sec. 302 should not penalize someone who accesses the vehicle software at the behest of the owner.
Second, the draft bill should make clear that Sec. 302 does not apply to research or repair work. Sec. 302 should not apply when the access is solely for the purpose of good faith testing, investigating, correcting, or repairing:
- A security flaw or vulnerability in the vehicle software or hardware, or
- An unlawful or fraudulent feature of the vehicle software or hardware, or
- A broken or degraded component of the vehicle software or hardware.
Other issues – Cybersecurity council, nonpublic policies
While Sec. 302 of the draft vehicle safety bill raises the most serious issues, Sec 303 has glitches as well – though these may the unintentional results of ambiguous draft language.
Sec. 303 requires the National Highway Traffic Safety Administration to set up an Automotive Cybersecurity Advisory Council made up of federal agencies (including DoD) and every car manufacturer that sells more than 20,000 cars in the US – which is more than 40 companies. However, as written, the draft bill appears to reserve only one spot on the Council – total – for an academic, consumer advocate, independent repair shop, or security researcher. [See pgs. 26-28.] In light of the problems discussed above, the composition of this Council is far too heavily weighted in favor of manufacturers and federal officials, with virtually no voice for consumers, repairers, or researchers. This may be a drafting error – perhaps the intent was to reserve a seat for one of each – but the language should be clarified.
The Council will decide on weighty matters, including best practices for cybersecurity, fixing security flaws, coordinating vulnerability disclosure with security researchers, and even automobile design. [See pgs. 29-30.] Vehicle manufacturers may develop policies based on these best practices, yet the draft would explicitly forbid these policies from being disclosed to the public. [See pg. 31.] While companies might be wise to avoid disclosing sensitive technical details, it would be unnecessarily prescriptive and inconsistent with modern practice for the government to forbid companies from public disclosure of their own policies. This too may be a drafting error – perhaps it is the government, and not companies, that is prohibited from disclosing the policies – but the language should be clarified.
Recalculating the route
As vehicle manufacturers – and just about everyone else – rush to connect their products to the Internet, careful thought should be given to how best to handle access and use of software. We should avoid creating a legal and policy environment that erects artificial barriers to access, enforced by devastating penalties, that chill security research, repair, fraud detection, and innovation at a time that these activities should be encouraged. We hope the House Energy & Commerce Committee revamps its draft vehicle safety bill to reflect these considerations.