New 'Car Safety Bill' Would Make Us Less Safe, Block Security Research And Hinder FTC And Others
from the not-a-good-idea dept
The House Energy and Commerce Committee is pushing an absolutely terrible draft bill that is supposedly about improving “car safety.” This morning there were hearings on the bill, and the thing looks like a complete dud. In an era when we’re already concerned about the ridiculousness of how copyright law is blocking security research on automobiles (just as we’re learning about automakers hiding secret software in their cars to avoid emissions testing), as well as questions about automobile vulnerabilities and the ability to criminalize security research under the CFAA (Computer Fraud and Abuse Act), this bill makes basically all of it worse. From Harley Geiger at CDT:
CDT believes it would be inappropriate to create redundant penalties for accessing car software. Sec. 302 of the draft vehicle safety bill is unnecessary insofar as it duplicates the Computer Fraud and Abuse Act (CFAA) and the Digital Millennium Copyright Act (DMCA). Although tampering with car software can pose safety issues, this is not unique and does not require a new regulation – the computers and software already covered under the CFAA and DMCA include everything from web servers to sensitive critical infrastructure.
The draft bill forbids “access without authorization” to software – but so does Sec. 1030(a)(2)(C) of the CFAA. If the purpose of forbidding access to the vehicle’s software is to prevent unauthorized modifications, this too is already prohibited under Sec. 1030(a)(5) of the CFAA. The CFAA carries both civil and criminal liability for violations, and penalties are almost universally viewed as disproportionately harsh.
If vehicle software is protected by an access control, as is often the case, then Sec. 1201 of the DMCA already forbids circumventing the software access controls without authorization. Sec. 1201 poses major problems for independent auto repairs, diagnostics, and cybersecurity research that require access to software, and numerous groups – including CDT – have repeatedly called on the Copyright Office to create exemptions for these purposes on behalf of consumers. The draft vehicle safety bill contains no such exemptions. In fact, the draft vehicle safety bill is actually stricter than Sec. 1201 insofar as it applies to software even if there is no access control.
And that’s not all that’s problematic with the bill. Marcy Wheeler notes that the program would basically allow carmakers to hide what they’re doing with the information they collect on you, merely by ponying up $1 million to the government. The bill is, of course, sneaky, in that it pretends to demand automakers reveal what they’re doing with your info, but then slips in a “cap” of $1 million for automakers that refuse to do so. In other words, car companies can just pay $1 million (pocket change) and not have to reveal anything.
There’s also some bizarre stuff having to do with cybersecurity, where the bill would let automakers set their own standards, and then keep them secret. Here’s Geiger again:
The Council will decide on weighty matters, including best practices for cybersecurity, fixing security flaws, coordinating vulnerability disclosure with security researchers, and even automobile design. [See pgs. 29-30.] Vehicle manufacturers may develop policies based on these best practices, yet the draft would explicitly forbid these policies from being disclosed to the public. [See pg. 31.] While companies might be wise to avoid disclosing sensitive technical details, it would be unnecessarily prescriptive and inconsistent with modern practice for the government to forbid companies from public disclosure of their own policies.
Upton’s [bill] would let the industry establish a standard, then permit manufacturers to submit their plans that would fulfill “some or all” standards. Once they submitted those plans they would disappear – they couldn’t be FOIAed, and couldn’t be sued by FTC if they violated those terms.
Despite the fact that the bill is supposedly in support of the National Highway and Traffic Safety Administration, the NHTSA doesn’t seem to like the bill at all either:
The Committee’s discussion draft includes an important focus on cybersecurity, privacy and technology innovations, but the current proposals may have the opposite of their intended effect. By providing regulated entities majority representation on committees to establish appropriate practices and standards, then enshrining those practices as de facto regulations, the proposals could seriously undermine NHTSA’s efforts to ensure safety. Ultimately, the public expects NHTSA, not industry, to set safety standards.
Neither does the FTC, raising concerns about how the bill would basically exempt carmakers from FTC investigations and actions should they violate user privacy. The FTC also (thankfully!) raises similar concerns as CDT to the parts that would block security research:
Section 302 of the discussion draft would prohibit unauthorized access to an electronic control unit, critical system, or other system containing driving data. We support the goal of deterring criminals from accessing vehicle data. Security researchers have, however, uncovered security vulnerabilities in connected cars by accessing such systems. Responsible researchers often contact companies to inform them of these vulnerabilities so that the companies can voluntarily make their cars safer. By prohibiting such access even for research purposes, this provision would likely disincentivize such research, to the detriment of consumers’ privacy, security, and safety.
The FTC is also concerned about that “cybersecurity” council thing, pointing out that it would be dominated by the carmakers, as well as the fact that the setup would inevitably lead to very slow reactions to real cybersecurity issues:
The discussion draft requires the Council to meet annually to review the best practices, but leaves it up to the Council to adopt additional best practices “as necessary” in subsequent years, which could mean that risks are not addressed in a timely fashion. The discussion draft allows, but does not require, manufacturers to submit updated plans if they choose to modify their plans.
And then, of course, there’s this:
The proposed safe harbor is so broad that it would immunize manufacturers from liability even as to deceptive statements made by manufacturers relating to the best practices that they implement and maintain. For example, false claims on a manufacturer’s website about its use of firewalls, encryption, or other specific security features would not be actionable if these subjects were also covered by the best practices.
Yeah, that seems like a concern.
So who could possibly like this bill? Why, the automakers of course. The Alliance of Automobile Manufacturers — represented by former RIAA boss Mitch Bainwol, of all people — really likes these proposals, because why wouldn’t it? The only real complaint it seems to have is that the cybersecurity council wouldn’t have enough time to implement a plan and is apparently trying to push out the timeline.
Meanwhile, the key sponsor of the bill is Fred Upton who is (you probably guessed…) from Michigan, home of the American auto industry. It also probably won’t surprise you to discover that the automotive industry has been a big financial supporter of his campaigns for Congress, or that Ford Motor Company has been the second largest contributor to his campaigns over his career (behind the National Association of Broadcasters). This is all, of course, part of the process of how Congress works, but it does still seem fairly sketchy when that leads to a bill that certainly looks like a big gift to the automakers, and which would almost certainly destroy security research into automotive computer systems, while similarly leaving all cybersecurity decisions up to the automakers themselves (and removing the FTC and the NHTSA from key parts of the oversight process).
Comments on “New 'Car Safety Bill' Would Make Us Less Safe, Block Security Research And Hinder FTC And Others”
Not a gift
“…a bill that certainly looks like a big gift to the automakers…”
It’s not a gift when it’s bought and paid for…
Stupid laws and unintended consequences.
If this sort of crap passes and becomes law I might just not buy a new car! Instead I will start building my own so that I have control over it. After all you can buy a new engine, pick up a body from a junk yard and rehab the thing. Just watch Fast and Loud and other similar shows.
A bit of misdirection
Something that needs to get corrected here: Vehicle diagnostics would not be an issue, because they are not a hack, nor do they require software modifications. Cars (and trucks) are obligated to follow OBD II (and beyond) standards, including on board diagnostics, a standardized diagnostic port, etc. Since 2008, CANBUS or variations under an ISO standard are required on new cars.
So it’s incredibly misleading to suggest that an anti-tampering law would forbid this activity.
It should also be noted that the on board computers control important compliance systems such as emissions. Allowing the public to change this would be similar in nature to permitting them to remove the catalytic converter – a real no-no.
As for things like the VW emissions fiasco, remember that this “code” was basically detected not by hacking and viewing the code on the car, but by first observing the cars in operation and detecting a shift in behavior during the very specific circumstances of an emissions test. No “hacking” was required to show a problem.
Re: A bit of misdirection
Yes, “hacking” the “code” (why are we putting “code” in quotes again?) was not necessary to show the problem. Things need not be necessary to be useful. It would almost certainly have been easier to find this in the code than noticing that something seems off with the emissions test and modifying the car to record emissions in more normal operation (can you say “hacking” the hardware?). There is no reason why modifying the car itself is ok, but even viewing the software is wrong.
If nothing else, there could never have been negative results for the method they used. If the results showed that the emissions test was accurate, that would prove nothing. It could be that there was no discrepancy, or it could be that the car’s software still thought it was in an emissions test and was still fudging the numbers. Advanced enough software could have made this nearly impossible to prove without seeing the software itself.
Re: Re: A bit of misdirection
Actually, it’s not hard to spot when you look at emissions running just slightly out of the normal testing range versus the test itself. The emission test cycle is a very strict set of circumstances, and the code was very specific to those circumstances. Move even a little bit off, and you get the more polluting code.
You don’t have to rip apart a black box to observe its results. The difference in the case of VW is significant enough that it’s entirely visible to someone just looking at the results.
The biggest point of course is with the mandated OBD port and pretty much standard coding. It means that a significant part of the arm waving in the OP is just that, arm waving. It’s nowhere as real as they would like to make it out to be.
The importance of Copyright
Without copyright to protect their software, automobile manufacturers would have ABSOLUTELY NO INCENTIVE to use software to control automobile functions.
By having software control various automobile functions, cars are cleaner, safer and cheaper to build. Large bundles of wires become simple network or fiber optic connections. Would you have us give up these advantages and go back to how cars once were designed?
(this concludes today’s twisted copyright contortions)
Re: The importance of Copyright
This has nothing to do with copyright! This is about locking people out of tinkering and repairing their own cars. It also forces people to take their cars to authorized dealerships for service instead of third-party independently owned and operated auto service shops at cheaper prices. This is a money grab by big auto that will result in lost jobs and the closing of places such as Driver’s Edge, Pep Boys, Midas, etc.
Along with that, some auto manufacturers claim that because the car’s software is licensed to you, you don’t actually own the car anymore. It is licensed to you.
Re: Re: The importance of Copyright
In a sense, you’re right. It SHOULD have nothing to do with copyright.
But in a sense you’re wrong. Copyright is the favorite tool everyone reaches for to prevent you from doing things that have nothing to do with copyright. Refilling ink cartridges. Working on your own car. Coffee machine refills. Removing unflattering posts about a person or product. Keeping laws secret unless you pay for a copy from a third party that has copyrighted the law (or part of it that is actually used when interpreting the law). And much more.
Don't existing laws cover this?
Leaving software and copyright completely out of the question, there are many ways I can tamper with my car that make it unsafe to other people on the public roads.
For example, I could tamper with my brakes.
Why is software tampering somehow different or uniquely new?
Re: Don't existing laws cover this?
Maybe it should be illegal to modify a car in any manufacturer unauthorized way.
Re: Re: Don't existing laws cover this?
Then would Volkswagen authorize modifying their cars to enable the emissions control systems while actually operating the car normally instead of just while it’s being tested at DEQ?
Re: Re: Don't existing laws cover this?
“Maybe it should be illegal to modify a car in any manufacturer unauthorized way.”
The manufacturers would love this, but it would be nothing but terrible for everyone else.
Re: Re: Don't existing laws cover this?
Why should the manufacturer get to authorize it? Maybe it should be illegal to modify the car in any way that would make it fail to pass a standard vehicle safety and road worthiness inspection.
“access without authorization”
I’m not a lawyer, so I guess I need to ask just who an “authorized” person is. Would it be the owner of the car under the doctrine of first sale, or is it really the power play it’s being made out to be? Pardon my naivete.
The classics... they never die!
All this worry over whether or not one can tune or make an automobile more secure has shown us what happens when copyright becomes more important than the ride itself.
Me.. I’m damn glad I own an 89 firebird. No worries about tripping over a minefield of DMCA & CFAA guidelines. The old brute is mostly mechanical… just the way I like it.
Stupidity through obscurity
Since there really is no such thing as security through obscurity, I’m renaming this technique to “stupidity through obscurity”. Just unbelievable.
What do the auto manufacturers want?
Apparently, they want to discourage people from buying cars.
Buying, owning, and driving a car has been an unpleasant activity for a long time now already, and getting more so as time goes on. This is a big reason why the younger generations are increasingly not even getting a driver’s license at all.
You’d think that auto manufacturers would want to make their cars more desirable, not less.
Make hacking cars criminal...
And only criminals will hack cars.
Re: Make hacking cars criminal...
And only criminals will hack cars.
Aside from the fact that they will only be criminals for doing something they have always done, but that the government decided (with obvious manipulation from their cronies) was somehow worthy of being illegal. Police officers aren’t suddenly going to start arresting people for working in the garage on their own car, and except for shutting down high-school and junior college auto-repair departments due to political/legal concerns, most people will pretty much ignore these laws.
It may be used by states to enforce their smog requirements, but unless the companies start putting intrusion prevention systems and call-home devices on their vehicles (I doubt, because it is going to be very expensive and difficult to manage,) unless you publish your findings, nothing will happen.
Where this is going to hurt, is in vulnerability disclosure. Media publishing reports on how VW is bypassing environmental tests will become hot-potatoes, since in order to discover this, someone must have discovered it, and to do that, they had to break the law by reverse engineering.
It’s nice to see that you guys generally don’t want cars that are increasingly connected and computerized. I see similar comments across the Net and it gives me hope because I also hate the idea of smart cars. However, how many of you have gone into a dealership and firmly objected when the sales person informed you that you could not order a vehicle without all the tech nonsense? How many of you went to buy a new car but then chose to buy a used/rebuilt vehicle instead (on principle)? Manufacturers will continue to build tech into cars until people become frustrated enough to stop purchasing.
Some Tesla vehicles recently received OTA updates that added self-driving capabilities. Think about that for a moment… that’s one hell of an update; especially if you didn’t want it!
I have two vehicles that are paid off but are now ~15 years old. I’ve maintained them well but they’re slowly becoming unreliable. I went car shopping in July and was shocked to discover that I really couldn’t buy a ‘dumb’ car any more. At each dealership, I voiced my concerns and objections but nobody cared. One salesman went so far as to tell me that I was the first person to ever bring it up.
You want change? Quit bitching on the Internet and stop buying products that violate your rights. Start pushing back for once. Be willing to walk away and take the harder path. Same for gaming, music, movies, cable tv, etc…
With a single exception (an emergency car purchase), I have always avoided buying new cars and buying cars from a dealership.
New cars are a terrible deal, when you can buy cars that are only a year or two old for substantially less, and I have witnessed far too many people being taken for a ride by dealerships to have any trust in them.