
Congress's Car Hacking Bill Is a Complete Mess

Jason Koebler

Manufacturers argue they should control who repairs your car, and Congress's new car hacking bill only makes the situation messier.

Three high-profile incidents this year have made it patently clear that our cars are now computers: Security researcher Charlie Miller hacked and shut down a Jeep Cherokee while it was going 70 mph on the highway, Volkswagen was caught tampering with its emissions test software to make its cars look more efficient than they are, and Tesla pushed out an "autopilot" mode via an over-the-air software update.

So if cars are computers, should it be illegal to hack or repair them? The House Energy and Commerce Committee believes so, and has published a draft of legislation that would make it illegal for anyone to hack a car, even if they owned it or were conducting research on it.

The legislation the committee has proposed is a complete mess that would make cars less safe and has serious privacy problems if it were to pass as currently constructed, experts say.

The bill doesn't have a name yet, and it hasn't been introduced, so it may be a little early to grab the pitchforks. That doesn't mean we can't point out its many flaws.

First, and most importantly, the bill would make it illegal for any "unauthorized" person to hack a car for any purpose: "It shall be unlawful for any person to access, without authorization, an electronic control unit or critical system of a motor vehicle, or other system containing driving data for such motor vehicle, either wirelessly or through a wired connection." Anyone violating the statute would be subject to fines of up to $100,000 per violation.

As Harley Geiger of the Center for Democracy and Technology explained in a blog post, by not defining who has the ability to grant "authorization," the wording leaves much to interpretation. The bill can be partially fixed, he wrote, by "clarifying that the vehicle owner can provide authorization for access to the software, even if the manufacturer does not provide authorization."

That sounds like a simple change, but any attempt to define that term may be met with resistance by vehicle manufacturers, who have used copyright law to restrict who can tinker with and repair a car for years now.

If we agree that cars are now computers, the future of car repair probably lies in its software. And if altering the software is "hacking," then, as Geiger mentions later on in his post, this bill could more strictly narrow who is able to work on cars or point out their security flaws.

The question this bill is asking, then, is who owns your car? Increasingly, manufacturers are arguing that while you may use their vehicles, the software that makes them run is theirs, and you are merely using it with their permission. As John Deere argued in a widely discussed letter to the Copyright Office earlier this year, granting unlimited access to a vehicle's code allows "less innovative competitors to free-ride off the creativity, unique expression and ingenuity of vehicle software." As manufacturers bring more repairs in-house, the "less innovative competitors" are you or your mechanic, whether you wield a wrench or a working knowledge of vehicle software architecture. This bill could further entrench and codify the ideas initially laid out in the Digital Millennium Copyright Act.

"The idea of 'If you buy it, you should own it,' is something that keeps on coming up time and time again in our tech law. You're going to want to tinker with it, edit the software, and that sort of thing," Mark Jaycox, a lawyer at the Electronic Frontier Foundation, told me. "These types of laws are hindering innovation and this type of important research into the internet of things."

It's not just repairmen, of course. "Hackers" are often the people keeping our data, devices, and software more secure. That's been the case in the brief history of car hacking, perhaps to an even greater extent than in any other industry. Every major car hack has been performed by a security researcher and has been patched before a malicious actor could use it.

Charlie Miller exposed the flaw in Chrysler's software systems. Earlier this year, Kevin Mahaffey and Marc Rogers demonstrated that it was possible to hack a Tesla. Researchers profiled by Motherboard have also exposed vulnerabilities in car software systems.

When these researchers published their hacks, Teslas and Chryslers didn't immediately get less safe; they got much safer. Tesla and Chrysler both quickly released patches that closed the vulnerabilities revealed by the researchers. Allowing researchers and the general public to (safely) attack code is how security development works in every sector of the software industry, and that's how it'll need to work with cars.

"In today's world, where everything is code and network based, you need outside computer scientists and technicians to review code and exploit and hack systems and responsibly disclose any problems they find," Jaycox said.

The Federal Trade Commission said that, as currently constructed, the law could make all of that research illegal. "Responsible researchers often contact companies to inform them of these vulnerabilities so that the companies can voluntarily make their cars safer. By prohibiting such access even for research purposes, this provision would likely disincentivize such research, to the detriment of consumers' privacy, security, and safety," the commission wrote in a statement to Congress Wednesday.

Matt Clemens of Arxan Technologies, a firm that specializes in cybersecurity, told me the bill could be fixed if its entire premise were revisited. "The hacking prohibition needs to be yanked, or at the very least an exception added so very important security research can continue without fear of prosecution and bankruptcy," he said.

But then why bother with the legislation at all? That brings us to the second major problem with the bill. As cars become more software- and sensor-intensive, car manufacturers are beginning to collect more and more data. The bill also contains a provision that exempts a manufacturer from having to report that data to the FTC as long as it provides consumers and the FTC with a copy of its privacy policy.

"A manufacturer's policy could qualify for a safe harbor even if it states that the manufacturer collects numerous types of personal information, sells the information to third parties, and offers no choices to opt out of such collection or sale," the FTC wrote in its statement to Congress.

Legislating technology is something Congress typically hasn't done very well in the past. As Geiger argues in his blog post, the Computer Fraud and Abuse Act could already be used to go after a malicious car hacker. Similarly, the DMCA may already allow manufacturers to restrict independent mechanics and consumers from repairing their vehicles.

The car hacking bill, then, is unnecessary, and it could be even more restrictive on consumers and researchers than current law. Whether that's an intentional move by Congress or merely a misstep by lawmakers who don't understand technology is hard to say.

The bill was published just weeks after the VW scandal was made public; VW's hard-to-believe defense is that rogue software engineers tinkered with the car's code. Under this bill, the engineers' actions could be illegal. Lawmakers may find it prudent, Jaycox says, to have the legal framework to go after anyone who hacks a car.

"I think it's coming from the VW scandal, but it's poorly drafted so that it implicates any person, even if it's not malicious manipulation," he said. "It's a good example of one of those bills with huge, unintended consequences."