Note: this post was shared from Fight to Repair Weekly, a weekly newsletter focused on the right to repair. You can read the post in its entirety there, or subscribe to get Fight to Repair content as soon as its published.
Sometime in the next month, a federal judge in Massachusetts will issue a ruling on what may be the most consequential legal case on the right to repair in a generation. At stake: owners ability to repair modern vehicles that wirelessly transmit maintenance data using so-called “telematics” systems.
The case, Alliance for Automotive Innovation v. Healy (PDF) stems from Massachusetts’ voters’ passage of Ballot Question 1 in November, 2020. That ballot question extended Massachusetts’ eight year-old, national standard-setting automotive right to repair law to encompass repair and maintenance data transmitted wirelessly to automakers via vehicle telematics systems.
The automobile industry spent tens of millions of dollars to defeat that measure – with little to show for it. Question 1 passed with almost three quarters of voters (74.9 %) voting “YES.” Immediately following its passage, the automotive industry sued to block implementation of the law. Their argument: that Massachusetts voters had illegally pre-empted federal guidelines for vehicle safety – and in a way that put drivers at risk. “Massachusetts’s new Data Law will reduce the security of these systems, seriously hampering manufacturers’ attempts to keep vehicle data and vehicle systems safe,” their complaint reads, in part.
Months of hearings in federal court in Massachusetts have weighed whether the case made by automakers is a valid one, and whether Question 1 is too flawed to implement. The case has delayed implementation of the law, with Massachusetts’ Attorney General Maura Healy saying she will wait until a decision in the case is reached before instructing her office to begin enforcing it.
At their last hearing in late July, Judge Douglas Woodlock told lawyers for the Alliance and the Massachusetts Attorney General’s Office (AGO) that he expects to issue a decision by August 20. Judge Woodlock asked the AGO to continue its stipulated stay of enforcement of the Data Law until that date. (AG Healy initially said she would delay implementation only until July 31st.) The judge subsequently delayed his decision to September 20th, citing the complexity of the issues and also confounding factors like the resurgence of COVID.
Whatever the date, a decision is coming. So what is at stake in this suit? What legal arguments are likely to hold sway as Judge Woodlock makes his decision? And what happens next? Fight to Repair spoke with attorney Alison Eggers of the law firm Seyfarth, which has been providing continuing coverage of the hearings on Question 1 and one of the most consistent sources of news and analysis about the hearing. (Thanks Seyfarth!)
This conversation happened at the beginning of the trial back in May, so some of this information is speculative. I’ll update this with links to coverage of the subsequent trial when appropriate. And, obviously, I hope to update this once a decision is out. In the meantime, here’s my conversation with Alison from May:
Paul Roberts, Fight to Repair: OK. First question: what is the crux of this lawsuit by automakers? What is the legal argument they’re making?
Alison Eggers, Seyfarth: Yeah, so the crux of this lawsuit centers around Question One for Massachusetts, which passed in 2020 and that ballot initiative requires manufacturers to provide access to telematics data in their vehicles that are sold in Massachusetts, beginning in model year 2022 to independent repair shops and even to individual consumers to be able to fix their own vehicles. The manufacturers object to that because, you know, vehicles at this point are computers on wheels. There’s a lot of IP, there’s a lot of proprietary systems, there’s a lot of research and development that goes into new vehicles.
And so the idea of having to hand over to a third party, all of that information and technology and software that they have developed is objectionable for a variety of reasons.
Paul Roberts: And if you can sort of rehearse it, the position of the state of Massachusetts, obviously the ballot measure wasn’t about handing over source code, but handing over software codes that used to do maintenance and repair, diagnose problems and maybe even add replacement parts to the car. So what is the position of the Bay State in this case?
Alison Eggers: So the position of the Bay State of the Attorney General who is tasked with defending Question One as a ballot initiative and then now as a law, is that this was a validly passed ballot initiative, the consumers of the state, the voters of the state spoke and they want to be able to access this information or more specifically, have independent repair shops, access this information so that they can repair vehicles outside of a dealership context.
Paul Roberts: OK, and as we know from the campaign for this and the ballot measure passed with – I think it got more votes than any other ballot measure in the history of the state – a very strong majority. But the crux of the campaign centered on cybersecurity or data privacy, kind of a mix of both. The automakers obviously were making claims that providing this information was going to put the safety of drivers at risk or their privacy or both. Is that is that one of the conversations that’s going on in the courtroom right now around the cybersecurity question? And if so, what does it center on?
Alison Eggers: It is so during the campaign for Question One, I think this was in summer of 2020. The National Highway Traffic Safety Administration actually submitted written testimony to the Massachusetts legislature expressing some concern that Question One would require manufacturers to redesign vehicles in a way that necessarily requires cybersecurity risks. And then that is compounded by the fact that they were required to do that in a timeframe that made design and implementation of any meaningful countermeasures effectively impossible. Keep in mind that manufacturers are planning vehicles years in advance.
So while we’re talking today in May of 2021, the model year, 2022 vehicles are already in production and for many manufacturers already rolling out. So it was a very short timeframe under the Question One outcome that required manufacturers to overhaul significantly in many respects the way that their vehicles are manufactured, simply a huge, huge challenge for them.
Paul Roberts: Indeed, indeed, and from reading your account of these, it seems like there is some contention or some back and forth about access to the actual code that runs on these cars to try and resolve these issues around cybersecurity risk. In other words, the Attorney General is saying, well, if you say there’s a cybersecurity risk, we have experts, please make the code available so that we can assess whether those claims have any substance, and the automakers seem very reluctant to do that. Is that an accurate kind of account of what’s going on?
Alison Eggers: That is absolutely fair. Absolutely. Yeah.
Paul Roberts: And I guess they made a hard copy of the code available in a room in Detroit, basically. And we’re asking that the Attorney General’s experts go to Detroit to this secure room to look at it. And I guess the judge said that that was not really feasible.
Yeah, I think Judge Whitlock said something along the lines of all roads don’t lead to Detroit. So the manufacturers had agreed to make some of the information available for inspection. And as you say, it was only at one location in Detroit, but solely on a read only basis. What the Attorney General wanted is…
Paul Roberts: Does that mean basically hard copy when they say read only basis? Does that mean…
Alison Eggers: No. Given the sheer amount of data and the fact that it is the software source code, it would probably be electronic on a computer or a secure terminal that the expert could review it. So, nobody’s printing out reams and reams of paper of the source code. My guess is it would be a secure computer. And the Attorney General objected to that and said that her expert should have access to it, a copy of it, because given the sheer volume and the complexity of the data, her expert would probably need to write his own code to understand and really dig into what was going on in this…
Paul Roberts: In the same way that you would want to use a search feature to find or I’m sure you guys lawyers have all kinds of litigation tools to find the relevant content and what you’re looking for, that that’s basically what they’re talking.
Alison Eggers: Exactly.
Paul Roberts: And the judge was actually not that amenable to that particular request that they be able to have the right tools to interrogate the code.
Alison Eggers: Exactly. Judge Woodlock did order that the manufacturers would set up additional sites in Boston and Seattle that would allow the Attorney General and her expert to look at that information, but did not order that it be produced wholesale in a standalone copy so that the expert can work on it, on his or her own writing code to analyze it.
Paul Roberts: And was I right to read that? Actually, a whole bunch of the litigants in this, particularly European automakers, basically dropped out of the suit rather than have to comply with that order to make their code available to the attorney general?
Alison Eggers: They did end up dropping out, the position for some of the foreign auto manufacturers was that the source code was not available to them because it was held by parent companies that were European or elsewhere. And the judge was not terribly sympathetic to that argument and said basically, you’re not going to be able to participate in a limited capacity. You’re either participating or you’re not. And so the end result of that is that those foreign auto manufacturers did drop out. Not all of them. Three of them.
Paul Roberts: Well, what are the legal questions here when we’re talking about going looking at source code and trying to ascertain whether these claims about cybersecurity risk are valid? I mean, I can understand those from a technical standpoint, whether there is any there there, whether there’s any cyber risk there. But like I’m trying to figure out, like, how would that intersect with the law at question here?
Alison Eggers: In a couple of different ways, the biggest one, at least in the way that the claims are pled in this case, is there’s an unfair takings claim, essentially that the state is taking the IP that is owned by the auto manufacturers and forcing them to make it available to third parties and so that the state is interfering with that right of theirs to own and control that source code and access to that data. So that’s the biggest place that it comes in. There are also arguments in the case that the state law is going to interfere with federal regulatory schemes, federal laws that would address how cybersecurity issues, data issues, ownership issues, and that’s really the biggest piece of the litigation itself or what we call these preemption claims.