Note: the following Op-Ed, “Scare Tactics Have Nothing to Do with Car Repair,” appeared in the September 25 edition of The Boston Herald.
Halloween came early to the Bay State this year. For the past two months, the airwaves have been filled with scary-sounding ads pushing tales of hacking, identity theft and cyber stalking. Their target: Question #1 a pro-consumer ballot measure that will give car owners and independent repair shops access to wireless maintenance data needed to service and repair modern vehicles.
Our group, SecuRepairs, represents some of the world’s top information security experts. We’re writing to urge readers to see past these industry scare tactics and VOTE YES ON #1. In our professional opinions, this small expansion to the state’s right to repair law in no way increases the risk of identity theft, cyber stalking or vehicle hacking.
If passed, Question #1 would close a loophole in an existing Massachusetts law that requires automakers to make diagnostic and repair data accessible to vehicle owners and independent repair shops. That law, which was passed in 2013, failed to explicitly cover repair data that is transmitted wirelessly. But seven years later, many newer vehicles transmit maintenance data this way: car based cellular Internet connections bypass the repair shop and talk directly to “cloud servers” operated by the automakers.
Question #1, which will appear on the November ballot simply closes that loophole. It requires automakers to make wireless data “needed for purposes of maintenance, diagnostics and repair” – the same data that automakers give to their dealerships – available in a standard format to vehicle owners and independent repair shops.
It goes without saying that competition for vehicle repair and maintenance services from independent repair shops keeps the cost of service and repair down. It also makes perfect sense that the same mechanical data shared via a wired connection from a vehicle to a computer in a repair shop should also be accessible wirelessly. That’s why automakers are anxious to change the subject. The “Coalition for Safe and Secure Data,” a group funded by automakers, is blanketing TV and radio with ads warning the public that Question 1 will give rapists and burglars the keys to your car and even your home.
These warnings about cyber security risk related to the mechanical data covered by Question 1 are misleading and with little basis in fact. That data might tell you why the “Check Engine” light is illuminated on your dashboard. It won’t open your garage door or let a cyber stalker follow you around town. In fact, the data covered by Question 1 is identical to the data that automakers have been sharing for years under Massachusetts’ existing right to repair law.
There is one thing the auto industry’s scare-mmercials have right: consumers should be worried about the reams of data that automakers collect from our connected vehicles. Modern Internet connected cars have access to everything from personal contact data shared from a driver’s mobile phone to video feeds from in-car cameras to the vehicle’s GPS data. Privacy and consumer advocates ranging from the ACLU to Consumer Reports warn that this galaxy of in-vehicle sensors pose acute privacy and civil liberties risks.
Automakers want us to believe that they and their dealerships are the best stewards of this data. But there is scant evidence to support that. In fact, in April, Toyota admitted that computer criminals breached the security of its dealerships, accessing millions of pieces of customer data. And cyber security firms have named automakers as a top target of computer criminals in both 2018 and 2019.
The ability to repair your own vehicle or to hire an independent repair shop – and access to the data needed to make repairs – are critical to keep automotive service and repair affordable. Affordable repair and servicing allows all of us to extend the useful lives of our cars, saving us thousands of dollars.
Rather than trying to frighten consumers, car makers should make owner access to this data easy, while also being transparent about what data they are collecting from smart vehicles and how they use it. Facts and transparency, not fear, are the antidote for the public’s anxiety about data privacy and security.
We urge readers to say “no” to the automakers cynical fear campaign by voting “YES” on Question 1 on November 3rd!
- Paul Roberts, Founder, SecuRepairs.org
- Jon Callas, Director of Technology Projects, Electronic Frontier Foundation
- Ming Chow, Associate Professor, Tufts University
- Dan Geer, Chief Information Security Officer, In-Q-Tel
- Joe Grand, Principal Engineer and Hardware Hacker, Grand Idea Studio, Inc.
- Gordon Fyodor Lyon, Founder, nmap Project
- Gary McGraw, Founder, Berryville Institute of Machine Learning
- Nicholas Percoco, Founder, THOTCON
- Billy Rios, CEO Whitescope.io
- Tarah Wheeler, Belfer Cybersecurity Fellow, Harvard University