A group of automakers, through the Alliance for Automotive Innovation, is suing Massachusetts in federal court to block the new ‘Right to Repair’ law that passed on November 3rd. This law was known as “Question 1” to Massachusetts residents hitting the polls earlier this month. As we discussed in our prior blog post, the new state law expands access to certain diagnostic and repair data collected by onboard computer systems that is currently accessible in ‘real-time’ only by the manufacturers (and in turn, their dealers). The lawsuit argues that the law will impose a financial burden on auto manufacturers and threatens the privacy of car owners by exposing data from their vehicles. We discussed many of these privacy and security concerns in our post back in October, when consumers were still contemplating whether they wanted their small autobody shops to have more access to their data or wanted to prevent more sharing of their vehicle’s data.

The lawsuit asks the court to declare the new Right to Repair expansion legally unenforceable. It claims that this new law violates numerous federal laws related to cybersecurity and intellectual property. The lawsuit also repeats the arguments that auto manufacturers made during the ballot campaign: that independent autobody shops already have access to the data they need to fix consumers’ vehicles under the existing Right to Repair law.

Moreover, manufacturers say the requirement that they install a standardized “platform” on all cars equipped with telematics technology sold in Massachusetts by model year 2022 forces them to implement the requirement immediately, because the first 2022 models are already getting ready to hit the market.

Finally, the lawsuit relies heavily on the testimonial letter that the National Highway Traffic Safety Administration (NHTSA) sent to a committee of the state legislature back in July, which stated that Question 1 posed new cyber risks by compromising the integrity of a vehicle’s functions such as steering, acceleration and braking. However, the NHTSA also stated in its letter that manufacturers should continue to control those vehicle functions, which, on its face, the new Right to Repair law also seems to support: the new system in 2022 models will communicate “mechanical data,” and the proposed definition of “mechanical data” states that it includes information that is “related to the diagnosis, repair or maintenance of the vehicle.” This would NOT include telematics data collected related to an immobilizer system or security-related electronic modules; that exception is not being stricken by these proposed revisions.

We will follow this lawsuit to see how it shapes access to vehicle data not only in Massachusetts but across the country as a whole as more and more cars are equipped with real-time telematics data collection and transmission.

Ballot Question 1 in Massachusetts, if passed in November, would require car manufacturers that sell cars equipped with telematics systems (i.e., a method of monitoring a vehicle by combining a GPS system with on-board diagnostics to record – and map – exactly where a car is and how fast it’s traveling, etc.) to install a standardized, open data platform beginning with model year 2022. Such a system would allow the cars’ owners to access their telematics system data through a mobile app and give their consent for independent repair facilities to access those data and send commands to the system for repair, maintenance, and diagnostic testing.

An open data platform is primarily designed to help big-data developers create big-data applications on a common platform. It provides a baseline model for building applications and services that can interoperate across different platforms. While this platform would allow for use by many different users, the proposed open data platform may also present security risks to those providing the information. From loss of confidentiality to a higher potential for compromising personal information, releasing data inherently puts the data at risk.

Currently, Massachusetts’ Right to Repair law (signed into law in 2013) exempts telematics systems from accessibility by car owners and independent repair facilities. This means that the car’s telematics system may only be accessed by the brand manufacturer, which may limit a car owner’s ability to choose where the system can be updated or repaired.

A “yes” to the ballot question “supports requiring manufacturers that sell vehicles with telematics systems in Massachusetts to equip them with a standardized open data platform beginning with model year 2022 that vehicle owners and independent repair facilities may access to retrieve mechanical data and run diagnostics through a mobile-based application,” while a “no” opposes this initiative.

Tommy Hickey, director of the Massachusetts Right to Repair Coalition, said, “This is really a fight for Massachusetts consumers. Without this information, people may lose the choice to bring their car to an independent repair shop.” On the other side, the Coalition for Safe and Secure Data’s spokesman, Conor Yunits, said, “This ballot question will create easy opportunities for strangers, hackers and criminals to access consumer vehicles and personal driving data–including real-time location. It will put people at risk, without doing anything to improve the consumer experience.” Both sides seem to be part of a fight for consumers.

I previously wrote about a ballot question in Massachusetts this year that would update the “Right to Repair” initiative that was first passed in 2013. As a quick refresher, the Right to Repair law allows consumers to take their car to any repair shop (not just the dealer) and have their mechanic plug a cord into the car’s onboard computer system to figure out what’s wrong with the car, or, alternatively, a consumer can buy a device and do this themselves.

Now, many say that Question 1 in the upcoming Massachusetts election seeks to close a loophole in that 2013 law, which exempts manufacturers from sharing data transmitted wirelessly from the vehicle to the manufacturer. The current law allows independent repair shops to access vehicle diagnostics through an On-Board Diagnostics (OBD) port (like in the example above), but proponents of this ballot question say that they are worried that manufacturers will do away with the OBD ports in newer models and collect and store all of the vehicle’s data wirelessly, which would exempt the manufacturers from the 2013 law. However, in a quick Internet search on this topic, it is hard to find a clear outline of what this really means and how Question 1 actually changes the current Right to Repair law. Let’s take a closer look.

Well, today, as mentioned above, most cars are equipped with an OBD port that lets a local repair shop (as opposed to the dealer) diagnose a problem with your car. This ballot question would require vehicle manufacturers to create a new open access data platform where consumers and their repair shops could use a mobile app to access telematics services data, which is data that is transmitted wirelessly from the vehicle to the manufacturer (and in turn, to the manufacturer’s dealers). Under the current law, manufacturers are only required to permit consumer/independent repair shop access to onboard data systems. However, cars are now equipped with the automobile equivalent of a Fitbit or Apple Watch that monitors the car’s mechanical health and sends those readings wirelessly back to the manufacturer. This is “real-time” data about the vehicle. With this real-time transmission of data, there may be nothing wrong with the car yet, but telematics tells the manufacturer that a certain part of the car is wearing down or will need to be fixed soon; the manufacturer (or the dealer) can then send you an email (or even a message directly to the car’s dashboard screen) alerting you to schedule maintenance to avoid greater cost in the future. It cuts out the local repair shop (or, it could).

Here’s the breakdown:

The Current Right to Repair Law (from 2013)

  • Vehicle manufacturers must make available for purchase by owners and independent repair facilities “diagnostic and repair information, including repair technical updates that the manufacturer makes available to its dealers through the manufacturer’s internet-based diagnostic and repair information system or other electronically accessible manufacturer’s repair system.” The manufacturer accomplishes this by selling a diagnostic tool to the independent repair facilities so that the small shops can communicate with the vehicle in the same way that the manufacturers/dealers do.
    • In simpler terms, manufacturers include OBD systems in their vehicles and local repair shops can plug in a cord at their shop and check out your car’s computer system.
  • Beginning with model year 2018, manufacturers must provide access to the car’s onboard diagnostic and repair information system on a daily, monthly or yearly subscription basis.
  • Manufacturers DO NOT currently have to provide diagnostic, service or repair information necessary to reset an immobilizer system or security-related electronic modules. If this information is necessary, and owners and/or independent repair facilities need that information, it can be obtained through a “secure data release model system currently used by the National Automotive Service Task Force (NASTF) or other known, reliable and accepted systems.”
    • If the data relates to signaling the car to go or stop or turn the security system on or off, the information is obtained NOT through the OBD system, but through the NASTF’s Vehicle Security Professional Registry which only allows access by registered users (who are vetted) and protects the data with cyber security measures.
  • Telematics diagnostic and repair information necessary to diagnose and repair a consumer’s car (not otherwise available to independent repair facilities) IS disclosed (because it is ‘necessary’ for the repair by the independent repair shop). HOWEVER, “telematics services and other remote or information services, diagnostic or otherwise, delivered to or derived from a [car] by mobile communications” are NOT disclosed to independent shops.

Note that the “telematics services” term means information relating to “automatic airbag deployment and crash notification, remote diagnostics, navigation, stolen vehicle location, remote door unlock, transmitting emergency and vehicle location information to public safety answering points and any other service integrating vehicle location technology and wireless communications.” Telematics can also include media streaming and geofencing. Basically, if the information is necessary for diagnostics and/or repairs then the manufacturer must share it with the owner of the vehicle and/or independent repair shops; if the information is NOT necessary for diagnostics and/or repairs then the information is not shared. Of course, this brings up the issue of repairs that WILL be necessary in the future that only the manufacturer is alerted to right now.

The Proposed Revisions to the Right to Repair Law (a “yes” vote to Question 1)

  • The proposed revisions will add a definition of “mechanical data” to the law, which will mean “any vehicle-specific data, including telematics system data, generated, stored in or transmitted by a motor vehicle used for or otherwise related to the diagnosis, repair or maintenance of the vehicle.”
  • The proposed revisions will add a definition of “telematics system” to the law, which will mean “any system in a motor vehicle that collects information generated by the operation of the vehicle and transmits such information, [(referred to as “telematics system data” throughout the revised Right to Repair law)] utilizing wireless communications to a remote receiving point where it is stored.”
  • The proposed law states that the OBD system must be “standardized and not require any authorization by the manufacturer, directly or indirectly, unless the authorization system for access to vehicle networks and their OBD systems is standardized across all makes and models [. . .] and is administered by an entity unaffiliated with a manufacturer.”
  • The telematics services exception noted above will be stricken from the law; instead, all model year 2022 and thereafter must be equipped with an “inter-operable, standardized and open access platform across all of the manufacturer’s makes and models. Such platform shall be capable of securely communicating all mechanical data emanating directly from the motor vehicle via direct data connection to the platform.”
    • In simpler terms, vehicle manufacturers must create a shared database for telematics data that currently flow only to manufacturers (and in turn, their dealers). Consumers would then grant permission to a local mechanic to keep tabs on their car and allow that local shop to more easily anticipate a problem and schedule a service before something breaks, just like a dealer does now.
      • But note that this system will communicate “mechanical data.” The proposed definition of “mechanical data” states that it includes information that is “related to the diagnosis, repair or maintenance of the vehicle.” This would NOT include telematics data collected related to an immobilizer system or security-related electronic modules. That exception is not being stricken by these proposed revisions.
    • Note that all of this data will be “limited to the time to complete the repair or for a period of time agreed to by the vehicle owner for the purpose of maintaining, diagnosing and repairing the motor vehicle.” This access “shall include the ability to send commands to in-vehicle components if needed for purposes of maintenance, diagnostics and repair.” Again, in-vehicle commands may only be sent for maintenance, diagnostics and repair.
  • The Massachusetts Attorney General will establish a “motor vehicle telematics system notice” for consumers explaining what telematics data consists of, how the information is accessed through a mobile app, the right to authorize an independent repair shop to access this data, etc.

After a deeper dive, it appears that the biggest change is this: if a manufacturer decides that it would be more lucrative to remove the OBD ports from its vehicles and transmit all of this data wirelessly to its dealers (essentially taking away access by the local repair shops, while still acting in accordance with the current Right to Repair law), there would be no way for the local repair shops to get the data needed to diagnose and repair their long-time customers’ cars. Under these proposed revisions, telematics data related to the “maintenance, diagnostics and repair” of the vehicle must be disclosed by the manufacturers (immobilizer system and security-related electronic module data would still only be transmitted through the secure NASTF registry). However, that’s not to say that there aren’t potential cybersecurity risks to the model proposed by Question 1.

The deputy administrator for the National Highway Traffic Safety Administration (NHTSA), James C. Owens, submitted a letter to the Massachusetts Joint Committee on Consumer Protection in response to a request for testimony on the effect of Question 1 on cybersecurity. The Committee requested “information about whether aspects of the initiative might introduce additional cybersecurity risks to motor vehicles and public safety risks to road users, such as malicious hacking attempts,” and “information about whether the initiative might impact Federal motor vehicle safety efforts.” Owens’ letter said:

It is [the NHTSA’s] view that the terms of the ballot initiative would prohibit manufacturers from complying with both existing Federal guidance and cybersecurity hygiene best practices. NHTSA is also concerned about the increased safety-related cybersecurity risks of a requirement for remote, real-time, bi-directional (i.e., read/write capability) access to safety-critical vehicular systems. Given the multi-year automotive product development cycle, the deadline for compliance appears impossible for manufacturers to meet in a responsible manner, risking removal of existing cybersecurity controls over wireless access into vehicles as the ballot initiative directs, which increases the risk of cybersecurity attacks that could jeopardize public safety. Further, the requirement to establish universal and standardized access requirements increases the scale of risks of any potentially successful cybersecurity attack.

Further, Owens said that “while the initiative requires the system to be ‘secure,’ it does not define what that vague term means, nor does it reflect any established best practices or other measures to address cybersecurity risks. Further, the initiative does not discuss the variety of telematics offerings available to consumers today, nor does it address feasibility, practicality, or availability of protocols or other measures that could appropriately protect against cybersecurity risks that would be introduced via proposed forms of third-party telematics access.”

Owens’ letter listed specific cybersecurity concerns with Question 1 and some recommendations to remediate these concerns:

  1. Vehicle manufacturers should control access to firmware that executes vehicle functions (e.g. vehicle motion such as steering, acceleration, and braking).
  2. Vehicle manufacturers should implement logical and physical isolation techniques to separate processors, vehicle networks and external access points to limit and control pathways from external threat vectors to cyber-physical features of vehicles.

Perhaps even more important at this juncture to the passage (or failure) of this ballot question is the short timeframe for its implementation. In his letter, Owens points out:

“NHTSA is not aware of any existing system architectures that would satisfy the requirements of the ballot initiative, and they are unlikely to be developed, tested, validated and deployed in the proposed timeframe. Therefore, manufacturers that offer telematics systems could find themselves in a situation that would require them to remove all access controls from their telematics systems, including controls designed to ensure the security of safety-critical systems.”

Bryan Reimer, research scientist at the MIT Center for Transportation and Logistics, said, “This is a hard topic for federal safety regulators who understand the intricacies of vehicle design development [ . . .] this ballot initiative creates a series of unintended consequences because of the timeline and the vague wording of several aspects,” as noted by Owens in his testimony as well. Reimer says that vehicle manufacturers are already in the midst of making 2022 cars, and requiring them to open up wireless data access at this point could open up potential cyber-vulnerabilities and possibilities for remote tampering. Reimer doesn’t necessarily oppose providing telematics services data to car owners and independent repair shops; he just points out that the accelerated timeline increases the chances of flaws in the data transfer and maintenance. Of course, we need to assess just how risky it would be for that data (i.e., data related to maintenance, diagnostics and repairs) to end up in the wrong hands. Perhaps the data at issue is not quite as sensitive as other types of data collected by our cars, like the immobilizer system data or security-related module system data (or geolocational data, etc.).

While the question is up for debate this November in Massachusetts, one thing is for sure: consumers should be worried about the vast quantities of data that automakers are collecting from our connected vehicles. Consumers should read the terms of automakers’ mobile apps and OBD systems (and wireless transmission services/platforms) and understand what type of information their vehicle is collecting about them, who might have access to that data, and how.

As I wrote about previously on our blog, the Massachusetts Right to Repair amendment passed in November is up against a lawsuit from auto manufacturers. Now, the Massachusetts Attorney General’s office has responded, stating that the state law does not conflict with any federal statute and that voters already rejected all of the lawsuit’s allegations. The Attorney General’s office further argues that the primary claim of this lawsuit relies on non-binding agency guidance, which is simply not enough to preempt the amendment. There is a heavy burden for facial, pre-enforcement challenges established by the Supreme Court and the First Circuit. At this point, the Attorney General has agreed not to enforce the law until the litigation has concluded. Massachusetts argues that rejecting the law before it takes effect is subversive to the democratic process. The case is set for a bench trial in June 2021. We’ll follow the case as it makes its way into the new year.

Although the Presidential race is unconfirmed at the time of this writing, there are several data privacy and security laws to put on your radar following the election this week.

Here is a brief list of laws that passed that we are aware of so far. We will provide more information as news breaks, but in this ever-changing area, we want to alert you to some important changes in the state law landscape following the election.

California’s Prop 24

This proposition updates California’s CCPA, now referred to as the California Privacy Rights Act (CPRA). In addition to other provisions, from a compliance perspective, it establishes a first-of-its-kind enforcement agency, the California Privacy Protection Agency, which will oversee enforcement of the CPRA, and further establishes fines and penalties for violation of the law. The law goes into effect on January 1, 2023, for all data that are collected starting on January 1, 2022. Keep this one on your compliance radar and we will update you further.

Maine Approves Referendum on Limiting Use of Facial Recognition Technology 

Maine voters approved Referendum Question B, which strengthens the ban on the use of facial recognition surveillance technology by police and public officials. 

Massachusetts Votes in Favor of Ballot Question 1 

Massachusetts voted in favor of Ballot Question 1, which would require car manufacturers to equip vehicles using telematic systems with an open-access data platform starting with the model year 2022.

A detailed analysis of Ballot Question 1 is here.

Michigan Amends Constitution to Require Warrant for Access to Electronic Data

In Michigan, it appears that voters have approved an amendment to the state constitution to require search warrants for law enforcement to access electronic data and communications. The measure amends that part of the constitution that provides for the protection against unreasonable search and seizure.

Staying abreast of new state laws and regulations is a complex process for those charged with compliance adherence. We will continue to update you on the most significant changes to assist you in your compliance efforts.