The House Energy and Commerce Committee is pushing an absolutely terrible draft bill
that is supposedly about improving "car safety." This morning there were hearings on the bill, and the thing looks like a complete dud. In an era when we're already concerned about the ridiculousness of how copyright law is blocking security research
on automobiles (just as we're learning about automakers hiding secret software
in their cars to avoid emissions testing), as well as questions about automobile vulnerabilities and
the ability to criminalize security research under the CFAA
(Computer Fraud and Abuse Act), this bill makes basically all of it worse
. From Harley Geiger at CDT:
CDT believes it would be inappropriate to create redundant penalties for accessing car software. Sec. 302 of the draft vehicle safety bill is unnecessary insofar as it duplicates the Computer Fraud and Abuse Act (CFAA) and the Digital Millennium Copyright Act (DMCA). Although tampering with car software can pose safety issues, this is not unique and does not require a new regulation – the computers and software already covered under the CFAA and DMCA include everything from web servers to sensitive critical infrastructure.
The draft bill forbids “access without authorization” to software – but so does Sec. 1030(a)(2)(C) of the CFAA. If the purpose of forbidding access to the vehicle’s software is to prevent unauthorized modifications, this too is already prohibited under Sec. 1030(a)(5) of the CFAA. The CFAA carries both civil and criminal liability for violations, and penalties are almost universally viewed as disproportionately harsh.
If vehicle software is protected by an access control, as is often the case, then Sec. 1201 of the DMCA already forbids circumventing the software access controls without authorization. Sec. 1201 poses major problems for independent auto repairs, diagnostics, and cybersecurity research that require access to software, and numerous groups – including CDT – have repeatedly called on the Copyright Office to create exemptions for these purposes on behalf of consumers. The draft vehicle safety bill contains no such exemptions. In fact, the draft vehicle safety bill is actually stricter than Sec. 1201 insofar as it applies to software even if there is no access control.
And that's not all that's problematic with the bill. Marcey Wheeler notes that the program would basically allow carmakers to hide what they're doing with the information they collect on you
, merely by ponying up $1 million to the government. The bill is, of course, sneaky, in that it pretends to demand automakers reveal what they're doing with your info, but then slips in a "cap" of $1 million for automakers that refuse to do so. In other words, car companies can just pay $1 million (pocket change) and not have to reveal anything.
There's also some bizarre stuff having to do with cybersecurity, where the bill would let automakers set their own standards, and then keep them secret. Here's Geiger again:
The Council will decide on weighty matters, including best practices for cybersecurity, fixing security flaws, coordinating vulnerability disclosure with security researchers, and even automobile design. [See pgs. 29-30.] Vehicle manufacturers may develop policies based on these best practices, yet the draft would explicitly forbid these policies from being disclosed to the public. [See pg. 31.] While companies might be wise to avoid disclosing sensitive technical details, it would be unnecessarily prescriptive and inconsistent with modern practice for the government to forbid companies from public disclosure of their own policies.
Upton’s [bill] would let the industry to establish a standard, than permit manufacturers to submit their plans that would fulfill “some or all” standards. Once they submitted those plans they would disappear — they couldn’t be FOIAed, and couldn’t be sued by FTC if they violated those terms.
Despite the fact that the bill is supposedly in support of the National Highway and Traffic Safety Administration, the NHTSA doesn't seem to like the bill at all either
The Committee’s discussion draft includes an important focus on cybersecurity, privacy and technology innovations, but the current proposals may have the opposite of their intended effect. By providing regulated entities majority representation on committees to establish appropriate practices and standards, then enshrining those practices as de facto regulations, the proposals could seriously undermine NHTSA’s efforts to ensure safety. Ultimately, the public expects NHTSA, not industry, to set safety standards.
Neither does the FTC
, raising concerns about how the bill would basically exempt carmakers from FTC investigations and actions should they violate user privacy. The FTC also (thankfully!) raises similar concerns as CDT to the parts that would block security research:
Section 302 of the discussion draft would prohibit unauthorized access to an electronic control unit, critical system, or other system containing driving data. We support the goal of deterring criminals from accessing vehicle data. Security researchers have, however, uncovered security vulnerabilities in connected cars by accessing such systems. Responsible researchers often contact companies to inform them of these vulnerabilities so that the companies can voluntarily make their cars safer. By prohibiting such access even for research purposes, this provision would likely disincentivize such research, to the detriment of consumers’ privacy, security, and safety.
The FTC is also concerned about that "cybersecurity" council thing, pointing out that it would be dominated by the carmakers, as well as the fact that the setup would inevitably lead to very slow reactions to real cybersecurity issues:
The discussion draft requires the Council to meet annually to review the best practices, but leaves it up to the Council to adopt additional best practices “as necessary” in subsequent years, which could mean that risks are not addressed in a timely fashion. The discussion draft allows, but does not require, manufacturers to submit updated plans if they choose to modify their plans.
And then, of course, there's this:
The proposed safe harbor is so broad that it would immunize manufacturers from liability even as to deceptive statements made by manufacturers relating to the best practices that they implement and maintain. For example, false claims on a manufacturer’s website about its use of firewalls, encryption, or other specific security features would not be actionable if these subjects were also covered by the best practices.
Yeah, that seems like a concern.
So who could possibly like
this bill? Why, the automakers of course. The Alliance of Automobile Manufacturers -- represented by former RIAA boss Mitch Bainwol, of all people -- really likes these proposals
, because why wouldn't it? The only real complaint it seems to have is that the cybersecurity council wouldn't have enough time to implement a plan and is apparently trying to push out the timeline.
Meanwhile, the key sponsor of the bill is Fred Upton who is (you probably guessed...) from Michigan, home of the American auto industry. It also probably won't surprise you to discover that the automotive industry has been a big financial supporter
of his campaigns for Congress, or that Ford Motor Company has been the second largest contributor
to his campaigns over his career (behind the National Association of Broadcasters). This is all, of course, part of the process of how Congress works, but it does still seem fairly sketchy when that leads to a bill that certainly looks like a big gift to the automakers, and which would almost certainly destroy security research into automotive computer systems, while similarly leaving all cybersecurity decisions up to the automakers themselves (and removing the FTC and the NHTSA from key parts of the oversight process).