Connected Car Data Fake News

by Roger Lanctot | December 31, 2020

"And the lights all went out in Massachusetts" - The Bee Gees "Massachusetts"

It may be no surprise that in the year of presidentially alleged voting fraud and presidential accusations of “fake news” dissemination, the automotive industry would lead its own massive disinformation campaign. In November, Massachusetts voters passed a ballot initiative extending the state’s existing right to repair law to include connected car telematics systems in the face of concerted auto maker opposition. Now the auto industry is suing to overturn the law.

In the run-up to the November vote, auto makers – represented by the Coalition for Safe and Secure Data and the Alliance for Automotive Innovation – claimed the new law would open the door to massive violations of consumer privacy and possible identity theft or worse. This hysterical reaction distorted the contents and potential implications of the legislation and obscured what might have otherwise been a useful teachable moment and turning point for the industry.

The nub of the dispute boils down to a single paragraph in the four-page Massachusetts initiative – called “An Initiative Law to Enhance, Update and Protect the 2013 Motor Vehicle Right to Repair Law.” The operative paragraph states:

“Be it enacted by the People and by their authority, Section 1 of Chapter 93K of the General Laws is hereby amended by inserting after the definition of “Manufacturer” the following definition: — ‘Mechanical data,’ any vehicle-specific data, including telematics system data, generated, stored in or transmitted by a motor vehicle used for or otherwise related to the diagnosis, repair or maintenance of the vehicle.”

It's pretty clear that this means data relevant to “the diagnosis, repair, or maintenance of the vehicle.” In opposition to this proposition, the Coalition for Safe and Secure Data ran disingenuous television ads suggesting that criminals would use the data access to remotely control cars, invade people’s homes by using hacked garage door openers, or track vulnerable vehicle owners to empty parking garages for criminal purposes.

In spite of those TV commercials, voters passed the legislation. Those votes signified that Massachusetts consumers were not only interested in having access to and control over their own vehicle data, they were willing to inflict that consumer value on the industry in the interest of all Americans. (They also demonstrated that they would not be so easily misled by those television spots.)

Now the Alliance for Automotive Innovation has filed a legal action in the U.S. District Court for the District of Massachusetts to “temporarily and permanently enjoin enforcement of the Data Law.” The AAI falsely claims, in its press release, that the Law “directs automakers to immediately strip away vital security safeguards. This Data Law makes personal driving data available to third parties with no safeguards to protect core vehicle functions and consumers’ private information or physical safety. The lawsuit requests that the court find the Data Law unenforceable because it is unconstitutional, and because it conflicts with Federal laws.”

The AAI sought and obtained support from the U.S. DOT’s National Highway Traffic Safety Administration (NHTSA) which supplied a letter (prior to the November vote) stating: “the terms of the ballot initiative would prohibit manufacturers from complying with both existing Federal guidance and cybersecurity hygiene best practices. NHTSA is also concerned about the increased safety-related cybersecurity risks of a requirement for remote, real-time, bi-directional (i.e., read/write capability) access to safety-critical vehicular systems... Further, the requirement to establish universal and standardized access requirements increases the scale of risks of any potentially successful cybersecurity attack.”

Given the fact that NHTSA still lacks a full-time administrator, it is hardly shocking that the organization would so blindly support the AAI. This blatant example of agency capture by the automotive industry in opposition to the public interest is a predictable coda to the do-nothing status of NHTSA under the Trump Administration.

Of course, this is worse than doing nothing. NHTSA’s endorsement of the AAI stance in the interest of preserving cybersecurity is not only misguided; it is also disingenuous, as the U.S. has yet to publish any specific automotive cybersecurity regulations. The agency’s avowed concerns regarding privacy are irrelevant in the context of mechanical data. And the claim of “bi-directional” data access implicating remote vehicle control is exaggeration at best and fear-mongering at worst.

It is likely that the AAI has spun up enough confusion and “concern” to at least temporarily delay the implementation of Massachusetts’ extension of its existing Right to Repair law. In the end, though, that extension is likely to stand with an impact on all cars sold in the U.S. starting sometime in 2022 or beyond.

The reality of existing connected car implementations is that most cars sold in the U.S. come with a built-in wireless connection and a growing number of those vehicles regularly communicate the status of vehicle mechanical functions to the makers of those cars and their dealers. The Right to Repair legislation is intended to grant access to that same data to third-party repair shops – including the ability to update software codes as required or necessary.

Just as most cars sold in the U.S. come with wireless connections, a growing number are also equipped to communicate vehicle diagnostic information in a generic fashion using APIs – application programming interfaces. These APIs have been introduced while preserving appropriate cybersecurity measures and protections and without violating customer privacy.

That being said, the legislation requires additional layers of disclosure regarding privacy and implying customer data ownership – elements that align with both California’s Consumer Privacy Act (which also has nationwide implications and effect) and Europe’s General Data Protection Regulation. In essence, the Massachusetts legislation ought to be perceived for what it is: No big deal.

Instead, the auto industry wants to block consumer access to and control of vehicle diagnostic data and mechanical systems in the interest of false claims of privacy violations and cybersecurity vulnerabilities. It’s sad to see the auto industry fall victim to the fake news virus sweeping the country and the world, but with a President falsely claiming election fraud, it is hardly surprising that auto makers would seek to perpetuate their own fraud on consumers. Car makers ought to be embracing, not fighting, safe and secure data sharing.
