If there was ever a case to keep that 2007 Mercury Grand Marquis in your driveway, this is it. Automakers have recently told a federal judge they have taken absolutely zero action to carry out their obligations under a vehicle data access law passed by Massachusetts voters two years ago. What’s worse, the Massachusetts Attorney General’s office has agreed not to enforce the law.
Assistant Attorney General Jared Rinehimer said “The People’s Law Firm” will not enforce the law while the OEM-run Alliance for Automotive Innovation (AAI) challenges the law in U.S. District Court. More specifically, the AG’s office states “that it does not intend to, and will not, exercise its enforcement authority.”
From the automaker side, AAI claims, above all, that the Massachusetts Data Access Law will reduce the security of proprietary OEM vehicle systems, hampering their ability to keep data and systems safe from outside interference. The complaint also includes a statement from NHTSA claiming the new law forces “vehicle manufacturers to redesign their vehicles in a manner that necessarily introduces cybersecurity risks, and to do so in a timeframe that makes the design, proof, and implementation of any meaningful countermeasure effectively impossible.”
To be fair, under existing legislation automakers have made efforts to make mechanical and on-board diagnostic information available to independent repair shops. However, having wrenched at both the dealership and the independent level, I can say there are still some functions, diagrams, and procedural knowledge that OEMs do keep from small shops. AAI claims noncompliance with the Data Access Law does not impinge on the consumer’s right to repair, and the group argues that greater public data access will amplify the ability of big-box parts retailers to access maintenance data for marketing purposes, enabling them to target vehicle owners who may need an oil change or brake job.
Unfortunately for proponents of open access, the Massachusetts Data Access Law was poorly written and imposes requirements that are unnecessarily cumbersome. It asks for a “standardized on-board diagnostic system that does not require the use of any authorization, directly or indirectly, from the manufacturer, unless a standardized authorization system is used across all vehicle makes and models and is administered by a third party.” According to AAI, no such system exists.
The Data Access Law also requires the implementation of a standardized, open-access, bi-directional platform that will allow third parties unfettered access to use and alter the “mechanical telematics data emanating from the motor vehicle.” AAI argues this back door could be used by bad actors for nefarious purposes, which is somehow different from the backdoor killswitch the federal government is asking for. The Massachusetts Data Access Law became operable for the 2022 model year, yet not a single automaker has complied.
“Having considered for months now the Attorney General’s proposed solutions and interpretations, it remains my considered judgment that it is simply impossible to comply with the Data Access Law safely—and that the proposed methods of compliance proposed by the Attorney General’s experts are not viable and little more than interesting ideas that, when considered carefully, do not work,” Kevin Tierney, vice president of global cybersecurity at GM, wrote.
Stephen McKnight, head of global product cybersecurity for North American Engineering at Stellantis, said the company would be required to remove “critical cybersecurity controls from its vehicles,” something it cannot do without violating federal safety obligations. McKnight also said that because AAI and the AG interpret the law differently, Stellantis has no clue how to comply with it and cannot take action until the court issues a ruling.
Other parts of the law are written in Catch-22 fashion, which will continue to make compliance difficult. The law presumes a standardized authorization system and an unaffiliated third-party entity to manage that system. Unfortunately, no automaker can create a standardized system for other automakers without proprietary affiliation, nor can a third party create such a system without requiring affiliated access to OEM systems.
In conclusion, high-tech automobiles, with all of their capabilities and incredible software, will always present cybersecurity challenges. But as they say about safes and filing cabinets, good luck hacking into a 25-year-old car or pickup truck.