With November 3 fast approaching, many of you are getting ready to vote. Either you’ve received a paper ballot at home and are filling it out – or you’re planning to vote early when that starts in the coming days. I’m not weighing in on individual races (though you can probably guess how I’ll vote). But to help Blogging Belmont readers understand the issues at stake, I’m going to blog on the ballot questions before voters.
And, given that most people will be reading this as they prepare to vote – if not when they’re waiting in line to do so – I’m formatting them as FAQs (frequently asked questions).
I’ll start with ballot Question 1, an effort to expand the State’s automobile Right to Repair law. This is a topic that is near and dear to my heart!
Frequently Asked Questions about Question 1
I’m in a hurry. Should I vote YES or NO on Question 1?
What does Question 1 say, exactly?
How is this different from the existing right to repair law?
Will my local mechanic be able to fix my car if Question 1 doesn’t pass?
Will my personal safety be at risk if Question 1 does pass?
If Question 1 passes, what changes?
What kind of data does my car collect and how is it used?
Can someone hack into my car now and get access to the data it collects?
What kind of data does Question 1 require automakers to share?
Will creating an app for me to access my car data make it more vulnerable to hackers?
Look, I’m in a hurry. Should I vote YES or NO on Question 1?
You should vote YES.
What does Question 1 do?
If passed, Question 1 would close a loophole in an existing Massachusetts law that requires automakers to make diagnostic and repair data accessible to vehicle owners and independent repair shops. That law, which was passed in 2013, failed to explicitly cover repair data that is transmitted wirelessly. But seven years later, many newer vehicles transmit maintenance data this way: car based cellular Internet connections bypass the repair shop and talk directly to “cloud servers” operated by the automakers.
Question 1 simply closes that loophole. It requires automakers to make wireless data “needed for purposes of maintenance, diagnostics and repair” – the same data that automakers give to their dealerships – available in a standard format to vehicle owners and independent repair shops.
What does Question 1 say?
The text of the ballot question is as follows:
QUESTION 1 LAW PROPOSED BY INITIATIVE PETITION
Do you approve of a law summarized below, on which no vote was taken by the Senate or the House of Representatives on or before May 5, 2020?
SUMMARY
This proposed law would require that motor vehicle owners and independent repair facilities be provided with expanded access to mechanical data related to vehicle maintenance and repair.Starting with model year 2022, the proposed law would require manufacturers of motor vehicles sold in Massachusetts to equip any such vehicles that use telematics systems –- systems that collect and wirelessly transmit mechanical data to a remote server –- with a standardized open access data platform. Owners of motor vehicles with telematics systems would get access to mechanical data through a mobile device application. With vehicle owner authorization, independent repair facilities (those not affiliated with a manufacturer) and independent dealerships would be able to retrieve mechanical data from, and send commands to, the vehicle for repair, maintenance, and diagnostic testing.
Under the proposed law, manufacturers would not be allowed to require authorization before owners or repair facilities could access mechanical data stored in a motor vehicle’s onboard diagnostic system, except through an authorization process standardized across all makes and models and administered by an entity unaffiliated with the manufacturer.
The proposed law would require the Attorney General to prepare a notice for prospective motor vehicle owners and lessees explaining telematics systems and the proposed law’s requirements concerning access to the vehicle’s mechanical data. Under the proposed law, dealers would have to provide prospective owners with, and prospective owners would have to acknowledge receipt of, the notice before buying or leasing a vehicle. Failure to comply with these notice requirements would subject motor vehicle dealers to sanctions by the applicable licensing authority.
Motor vehicle owners and independent repair facilities could enforce this law through state consumer protection laws and recover civil penalties of the greater of treble damages or $10,000 per violation.
(Source: Ballotpedia)
I thought we already passed Right to Repair? Is this different?
The 2013 Auto Right to Repair that Bay State lawmakers passed, after a successful ballot measure in 2012, was a landmark piece of legislation. It required automakers, for the first time ever, to make repair and diagnostic information and software available to owners and independent repair shops. Thanks to this law, Detroit and other automakers agreed to recognize a “right to repair” nationally in the U.S., allowing competition for aftermarket repairs and service to continue. Unfortunately, that law excluded so-called “telematics data.” At the time, it didn’t matter, because telematics systems didn’t transmit repair data. Seven years later, however, most late model vehicles use the car’s built in telematics system to transmit the repair and maintenance data directly to cloud computers run by the automakers. Without access to the wireless repair data, owners and independent repair shops could soon be blocked from being able to access the information needed to do even the simplest repairs.
Will my local mechanic be able to fix my car if Right to Repair does not pass?
In the short term, “yes.” In the medium term “maybe not.” In the long term “probably not.”
Right now, and as a result of the 2013 law passed in Massachusetts, automakers make a vehicle’s maintenance and service information available via a physical connection to a data port under the dashboard called the OBD2 port. This port is standard on all vehicles manufactured in the US. Your repair shop plugs a dongle into that, connects it to their repair computer and downloads the codes and information they need to diagnose problems with your car and fix them.
On November 4, nothing much will have changed in terms of your ability to get your car fixed. However, the existing 2013 right to repair law has a specific carve out for telematics data – automakers are not required to share that with owners and independent repair shops. It is unclear whether repair and maintenance data sent over telematics systems might be covered by that carve out, also.
As more, new cars are produced that make use of their proprietary telematics systems, owners and independent repair shops may find themselves shut out of accessing a wealth of maintenance and repair data transmitted via those systems. At the very least, independent repair shops would be at a competitive disadvantage in offering “preventative maintenance” (So: “your car tells us your oil filter is ready for a replacement. Come on by and we’ll change it for you!” )
Over time, that would drive independent service stations out of business as the population of cars they could work on shrinks with each new model year. At the same time, vehicle owners would find it harder to get an independent shop to service their car. The cost of service and repair would increase while quality and availability plummet, as automakers ease into a dealership-based monopoly on aftermarket repair and service.
Will my personal safety be put at risk if Right to Repair passes?
No. The data covered by Question 1 is the same data that repair shops can already access from your car using a physical connection. This includes diagnostic codes, performance data and the like. Nothing about that is revealing of your identity or behaviors. It will tell a repair pro why the “Check Engine” light is on, not where you live and work out. Automakers know this. They’re misrepresenting what data Question 1 covers in order to scare voters into rejecting it.
If the ballot question passes, what changes?
In the immediate aftermath of a passage of Question 1, not much changes. Automakers have two years to create a standard interface for owners and independent repair shops to wirelessly access repair and maintenance data from late model vehicles. So in that time period, things will be the same.
There’s also reason to believe that the Massachusetts Legislature may take the passed ballot measure and modify it, as they did after the original automobile right to repair ballot measure passed in 2012. The Boston Globe, in its editorial endorsing the Yes on Question 1 vote, called on the legislature to fix some of the problem areas in the law, like the time given to automakers to comply.
Should Question 1 pass, car owners likely won’t notice much. If you’re a gear head or married to one, you might find that your spouse is nerd-ing out over the mobile application that gives him (or her) access to a wide range of vehicle performance data. The corner repair shop that has always worked on your car will be able to continue working on it without interruption and you’ll continue to benefit from the competition (lower prices for service and parts).
Over time, you might see AAA and other organizations start to introduce new services for members that build on the access to the wireless maintenance and repair data the law gives them. You definitely will not have strangers stalking you or burglars springing your garage door. That kind of data is not covered by Ballot Question 1.
What kind of data does my car collect and how is it currently used?
Good question. The short answer is both “nobody knows” and “it depends.”
It’s “nobody knows” because automakers are very secretive about what data they’re collecting from connected cars and what they do with it. The answer is “it depends” because every automaker does things a bit different and collects different types of data.
What we do know is that cars generate and transmit a lot of data – up to 25 Gigabits per hour of operation. Much of that is transmitted to automakers including GPS/geolocation data, performance data for the vehicle, information on the conditions on the interior of the vehicle (climate settings, seat position), vehicle identifiers (VINs), fluid levels, etc. Beyond that, automakers have already provided mobile application access to the data they collect. Ford and most other automakers provide mobile applications to owners that can help them “manage” their connected vehicle and also (not coincidentally) share a lot of data from their mobile device with the automakers, as well!
Can someone currently hack into the system and get access to my data being shared now?
That’s unclear, but the smart answer is that a determined and skilled hacker probably could, yes. We know that because teams of academics and security researchers have demonstrated remote, software based attacks on vehicles while in use. Those included not just accessing driver data, but altering the behavior of the car: stereo volume and channel, windshield wiper operation, as well as steering, braking and acceleration. The most notable of these was on a Jeep Cherokee in 2015, as reported by Wired’s Andy Greenberg. Automakers have paid more attention to cyber security since then and even hired top security pros onto their staff. Still: the basic conditions for the Jeep Cherokee hack remain: vehicles with an always on cellular Internet connection, the presence of automaker and third party software containing exploitable security holes and (finally) a logical connection between the Internet, the car’s Infotainment system and the car’s network (or CAN) which is used to control critical mechanical systems. Given that all those conditions are unchanged, the possibility of a hack into a connected car that results in the theft of data or the manipulation of the vehicle itself can’t be ruled out.
What kind of data does Question 1 require the auto manufacturers to share?
The language of the ballot question is clear. It covers wireless data “needed for purposes of maintenance, diagnostics and repair.” This is the same data that automakers already make available to both their dealerships and owners and independent repair shops via the physical OBD2 port.
Will creating an app for me to access my data make it more vulnerable?
No. Securing data doesn’t require automakers to “hide” it from the public. In fact, among cyber security professionals, there is a popular saying: “there is no security in obscurity.” Securing data from a vehicle, or a bank or a doctor’s office requires the organization holding it to put proper controls on access to it, design a robust application to serve the data and for customers to interact with, and to make sure that the data is stored in an unreadable (encrypted) format when it is at rest and in transit. It is an absurd notion that, in 2020, multi-billion dollar car companies that pay their chief executives tens- and hundreds of millions of dollars a year can’t find the talent and resources to develop a secure, web based platform to transmit data like vehicle VIN numbers and engine fluid measurements. This, even as millions of us connect and transact securely via mobile apps to Amazon, our doctor’s offices, our banks and send and receive money via apps like PayPal and Venmo. This is one of those situations where they say “we can’t,” but mean “we won’t.”