Car maker lobbying groups show their might

Oct 21, 2015 09:48 GMT

Today, members of the US House of Representatives will debate a newly proposed bill that, in brief, would make car hacking research illegal, with violators facing potential fines of $100,000 (€88,000) each time they access a car's computer without authorization.

The US government has made a habit of packing desirable and much-needed legislation with outrageous clauses that clearly benefit one lobby group or another, a trick that has numerous times in the past either forced US lawmakers to knock down much-awaited bills, or produced laws that also opened backdoors for other kinds of nefarious activity (enter the Patriot Act, stage left).

This appears to be the very same case yet again: while some provisions in the bill limit the type and amount of data car manufacturers can collect from their users, other parts clearly favor car manufacturers, all covered up and hidden in muddled lawyer-speak.

So what does the proposed bill draft say? First off, there's the glaring issue of what the bill calls "car hacking." To be exact, the text reads:

It shall be unlawful for any person to access, without authorization, an electronic control unit or critical system of a motor vehicle, or other system containing driving data for such motor vehicle, either wirelessly or through a wired connection.

The text is quite fair and addresses the issue of car hacking. But it's not really needed, since this was already covered by the very broad Computer Fraud and Abuse Act (CFAA).

The problem in the quote above, extracted from the bill, is the term "without authorization," which is so vague that it can easily be read as requiring the authorization of the owner of the car, or that of the car's manufacturer.

As the Electronic Frontier Foundation has pointed out numerous times, the very same term is used in the CFAA, and three different US Circuit courts have struggled in past lawsuits and investigations to decide whose "authorization" counts.

Will this be enforced as the driver's authorization, because they own the car? Or as the manufacturer's authorization, because the car's computer code, which a hacker, a tinkering mechanic, or a security researcher is accessing, was only licensed to the person who bought the car, so that person does not actually own it and is merely authorized to use it?

Do you see the dangerous situation shaping up? No? Then let me explain it further. Since today is October 21, 2015, the date to which Marty McFly (Michael J. Fox) travels in the famous "Back to the Future Part II" movie, let's go to an alternative future, where this bill was approved and became law.

A fictitious case study of the dangerous provisions the proposed bill contains

Imagine yourself as a car security expert. You bought a new car from company X, one of those cool new cars with lots of computer-aided features that you can control from your smartphone. Being an expert in your field, you notice some weaknesses in how some of these features were implemented.

Acting on a hunch, you hack into the car's computers and verify your theory. You write a report detailing the problems, which could be exploited to put the lives of other drivers at risk if left unfixed.

You send the report to the car manufacturer, which brazenly replies that it doesn't plan a fix in the foreseeable future, because it would damage its reputation or cost too much. Faced with such "madness," you warn company X that you'll disclose your findings to the public, or simply go ahead and post them online regardless.

A few days later, you get a $100,000 fine in the mail, while company X isn't even investigated by the Federal Trade Commission (FTC) for its poor security practices. Oops! Did we forget to mention that the proposed bill also contains safe harbor measures that shield car manufacturers from both civil penalties and the FTC?

Here's one portion of the bill that you'll want to read: "A manufacturer is not subject to civil penalties described in section 30165(a)(1) with regard to a violation of the vehicle security and integrity plan of such manufacturer." And there are numerous other similar safe harbor provisions for various situations.

Are car manufacturing lobby groups trying to stifle car hacking security research?

Something like our "imagined future" is not really such a far-fetched scenario. Just this August, we reported on the story of three security researchers who found a flaw in the keyless start function of some high-end cars. Instead of fixing the security hole, Volkswagen spent two years dragging the researchers through the courts, trying to prevent them from publishing their findings.

A Corvette being hacked using an SMS message

Let's recount a few other car hacking stories: the famous OnStar hack of GM cars (a flaw GM took five years to fix), along with hacks of BMW, Mercedes and Chrysler cars; the hacking of the famous Tesla Model S; flaws in the LiDAR sensors of various self-driving cars; a Corvette that was taken over using an SMS message; the famous hack of a 2014 Jeep Cherokee; hacking tests carried out on the fleet of the Virginia State Police; and the recall of 1.4 million Fiat Chrysler cars due to security flaws.

All of the security researchers who put work into improving road safety would each have $100,000 less in their bank accounts. If you're a security researcher, you've just found the topic you would never want to tackle. And if you do tackle it, then the Tor Browser has just become your new best friend, and car computer bugs will start appearing on Pastebin instead of on 60 Minutes.

It is a well-known fact that all these hacks inevitably chip away at the reputation of some car makers. Ultimately, all car manufacturers will be affected by this kind of problem.

It is important to understand that, while no modern car (essentially a computer on wheels) is safe from hacking, users will eventually come to trust the companies that respond to such incidents quickly and properly, and not the car makers that weasel out of the responsibility of dealing with security bugs, either by lobbying the government for friendly laws or by harassing security researchers.

A response in the wrong direction for the Volkswagen fuel emissions scandal

We've all found out by now that Volkswagen rigged its engine software to cheat emissions tests. Surprisingly, the newly proposed bill also offers car makers a way to dodge this kind of test.

According to the proposed bill, if a car manufacturer launches a vehicle equipped with three out of nine listed safety features, it gets a pass on fuel-economy and emissions regulations.

You've read that right. If the car includes three of the following: forward collision warning, lane departure warning, a driver attention monitoring system, left turn guidance, a computer-powered system for negotiating intersections, automated lane keeping, adaptive cruise control, adaptive brake assistance, and an AI-powered emergency braking system, it can ignore decades-old legislation. Check the proposed bill at § 32920(a)(1) and (2) (pages 59 and 60 in the document below the article).

You may consider the timing of this bill coincidental, but I don't buy it. There were rumors that, besides Volkswagen, other car makers were also employing similar emissions cheating systems. The proposed bill, packed with all kinds of shady paragraphs, comes to help car makers avoid legislation that was put in place for a valid reason. Let's see how many US-based commenters can spell "corrupt government" in our comments section. There! I said it!

The proposed bill still has a long way to go before it becomes a law

Right now, the proposed bill needs to go through a lengthy review process. There are other laws with which it needs to play nice, like the Computer Fraud and Abuse Act, the Motor Vehicle Safety Act of 2015, and the Security and Privacy in Your Car (SPY Car) Act.

After this, both houses of the US Congress need to pass it, and this is usually the stage where public awareness of a bill goes through the roof, and where other "sneaky" laws like SOPA have failed in the past.

If Congress approves the proposed bill, President Obama still needs to sign it afterward, and many bills that went through Congress have been vetoed at the White House for various reasons before.

The proposed bill also includes some good parts

But let's not be all doom and gloom. We mentioned earlier that the proposal has some much-needed provisions. The most significant concern how data is collected from car users.

The bill would severely restrict car makers from slurping data without any limits and would also make the entire process more transparent via official privacy policies, just as you see with websites and software products. Car makers that don't respect these new measures and don't take steps to protect user privacy would face fines of up to $1 million (€0.88 million).

Additionally, the National Highway Traffic Safety Administration (NHTSA) would get more power to manage and promote vehicle recalls, and it would have to establish an Automotive Cybersecurity Council to develop official best practices for smart-car cyber-security.

If you're accustomed to the way the US media machine works, these provisions will probably be at the forefront of all public communications, trying to draw attention away from the bill's "bad" parts. Unfortunately, this has become the norm for passing laws in the United States, and more and more legislation comes out as a double-edged sword, adding consumer protection regulation but also greasing the way for the nefarious business tactics of various lobby groups.

The full version of the bill introduced by the House Energy and Commerce Committee can be read below.

Photo gallery: US Congress pondering bill that would make car hacking illegal; A Corvette being hacked using an SMS message