So, by now you've heard the story of how Wired reporter Andy Greenberg allowed two car hackers to hack into
a car that he was driving, remotely, while he was on a highway. The story is getting plenty of well-deserved attention, with some people raising a variety of concerns. The most obvious concern is the "holy hell, that seems scary, we should improve car security." And that's true. A second level of concern is over whether or not that experiment on a real highway
was appropriate, given the very real potential of danger (including the truck that almost hit Greenberg). A third concern is over the reality of the threat
, given that Greenberg was driving a car owned by the hackers, that they had the ability to touch previously (i.e. the "remote" part of the hack sounds scary, but it's less scary if hackers have to get into your car first).
However, the part that I wanted to focus on is related to a discussion we were just having a few weeks ago, in which General Motors (which was not the target of this
particular hack) claimed that any sort of tinkering with their software, such as to discover these kinds of security holes, should be considered copyright infringement
, thanks to Section 1201 of the DMCA. Section 1201, also known as the anti-circumvention provision, says circumventing "technological protection measures" (TPMs) -- even for reasons that have nothing to do with copyright -- should be deemed copyright infringement and subject to all the statutory damages (up to $150k per violation!) that copyright allows. Some have been pushing for an exemption for things like security researchers tinkering with new connected car systems to make sure they're safe. And GM and other automakers have said "no way." GM's argument
is, more or less, that the company would prefer to put its head in the sand, and not have security researchers help it discover security flaws in its systems -- leaving only malicious attackers to find those.
such as Electronic Frontier Foundation characterize the exemption as merely allowing the
vehicle owners to “tinker” with their vehicles “in a decades-old tradition of mechanical curiosity
and self-reliance,” if granted, the proposed exemption could introduce safety and security issues
as well as facilitate violation of various laws designed specifically to regulate the modern car,
including emissions, fuel economy, and vehicle safety regulations.
Of course, copyright is not the right law to be relying on if you think that tinkering with your software could lead to safety problems. Instead, it seems to be the law that automakers are relying on to try to hide some of the security vulnerabilities in their cars.
The Association of Global Automakers goes even further
with its argument, basically saying that since they already let security researchers of their own choosing
do research, no one else should be able to do that research also:
Automobile manufacturers are not adverse to external input and have a long and symbiotic
history with aftermarket businesses and others, but are justifiably unwilling to risk public safety,
security, and environmental wellness by compromising quality controls and oversight. Moreover,
the exemption is unnecessary given that automobile manufacturers already provide access to
their valuable copyrighted materials for the precise purposes proposed. By allowing every
automobile owner to access and copy automotive software in the name of research, the proposed
exemption undermines existing research efforts and, ultimately, wrests control of such research
from those in the best position to actually improve the security and safety of our automobiles: the
automobile manufacturers and their suppliers, who have the utmost responsibility to ensure that
vehicles are safe and secure. The very real risk that ostensibly legitimate research unwittingly
undermines vehicle security by serving as a guidebook to software vulnerabilities that enables or
even accelerates illicit hacking and malicious modifications to automotive software weighs
heavily against the proposed exemption. The balance of benefit versus detriment, in view of all
factors involved, simply dictates against the proposed exemption.
In short, since security researchers might find a really serious hole in our software that might put lives in danger, we're much better off using copyright law to make sure no one's even looking for such a hole. Are they serious? Wouldn't it be much better to give people incentives to find these kinds of security flaws so the automakers can fix them
rather than relying on security-by-head-in-the-sand?
Finally, the Alliance of Automobile Manufacturers also opposed the exemption
for some fairly bizarre reasons, claiming that it would magically free up researchers to disclose how a vulnerability works without first informing the manufacturer:
By arguing that the current legal landscape is too treacherous for independent researchers, proponents are in effect seeking to be freed from existing statutory constraints that are biased in favor of prudent and responsible practices – such as managing disclosure of security vulnerabilities to minimize the risk of legal violations and exploitation of those vulnerabilities by bad actors – to protect the safety and security of members of the public. For instance, under the proposed exemption, researchers who publish detailed analyses of vulnerabilities before sharing their findings with manufacturers would nonetheless benefit from a blanket exemption to circumvention liability, even though such premature publication could dramatically increase the risk of such harmful exploitations.
This is bullshit. There is nothing in removing the liability for circumvention that changes industry best practices of first alerting the manufacturer. That would still be standard practice. What it would do
, however, is stop those manufacturers from responding by threatening a ridiculous copyright infringement lawsuit instead of realizing they need to fix a real problem in their systems. And if the automakers don't think such threats happen, we've got plenty
If the automakers are serious about wanting to make sure their cars on the road are safe, they should be encouraging this kind of research (though perhaps not on actual highways... ). But the fact that copyright law is blocking some of this kind of research is a real travesty.