In the new matter of Volkswagen rigging millions of cars to outsmart emissions tests, researchers at West Virginia University and the International Council on Clean Transportation first spotted irregularities. In the hacking of a Jeep Cherokee, it was independent cyber-security researchers Chris Valasek and Charlie Miller who found and reported cellular vulnerabilities that allowed them to control a car from halfway across the country.
And lest we forget in the case of General Motors, it was a Mississippi mechanic and Florida engineer who first made connections between non-deploying airbags and faulty GM ignition switches that had been altered over time. They worked on behalf of Brooke Melton, a 29-year-old Georgia woman killed in a Chevy Cobalt.
Amid the Volkswagen scandal, the role these independent third parties played in unearthing life-threatening problems is important to highlight, not only because it shines a light on the ethical indifference corporations paid to life-and-death problems of their creation. The role of the independents is noteworthy because, just as their contributions never been more relevant in protecting the driving public, they could soon be barred from the automotive landscape.
"That argument is built on a whole string of trusts, and now it is clear that we should absolutely not be trusting." - Kyle Wiens
Since May, a little-known but critically important process has been playing out before an office within the Library of Congress, which will soon decide whether independent researchers and mechanics can continue to access vehicle software or whether that software, which runs dozens of vehicle components, is protected by copyright law.
The Digital Millennium Copyright Act criminalizes measures taken to circumvent security devices that protect copyrighted works. When the DMCA was signed into law in 1998, it was intended to protect the likes of movies from being pirated and companies from ripping off software. At the time, few had a clue that some 17 years later cars would essentially be mobile software platforms run by millions of lines of code that potentially fall under the law's jurisdiction. But that's exactly where we find ourselves in 2015, and automakers have spent the past five months asserting the DMCA prohibits third-party researchers from accessing this software without permission.
However, the DMCA contains provisions that ensure the public might continue to make fair use of these copyrighted works. Every three years, the U.S. Copyright Office determines whether exemptions in the law are needed to protect particular activities, such as vehicle research, that fall under that fair-use umbrella. That process is unfolding now.
More than two dozens of exemptions have been proposed this year, and for the first time, a half dozen pertain to the automotive world. Rulings on whether they're valid could impact the legal rights of everyone from cyber-security researchers to everyday gearheads to access and tinker under the hoods of cars. The Copyright Office is scheduled to issue its determinations by the end of October.
Secret code protected cheating
OEMs have argued that the electronic control units that run vehicle components have become too complex and dangerous for outsiders to understand, so they must be protected. (A General Motors attorney even argued that GM customers merely license the software that runs their cars; they don't actually own it). But the burgeoning Volkswagen cheating scandal provides a greater glimpse as to why automakers may want to keep this software away from further purview.
"A large corporation cheated, relying on secret code to protect its lies," said Kyle Wiens, founder of ifixit.com, a website that provides do-it-yourself directions for people looking to repair their own appliances and devices. "And this code is pretty simple. It's all an equation. How is the engine going to perform? On a cheating device, it's pretty darn straightforward. 'If this, then this. If that, then that.' It's three lines of code."
Without investigation of that code, the cheating could have gone undiscovered. Curiously, the Environmental Protection Agency, which required the help of the West Virginia, ICCT researchers and the California Air Resources Board to expose Volkswagen's cheating in the first place, opposes an exemption that would protect exactly that research. In comments filed with the Copyright Office, the EPA said the exemptions seemed "reasonable – at least in the abstract." But the agency wrote it worried the majority of modifications to engine software would be used to increase power or fuel economy, both of which would likely increase emissions.
What the EPA didn't acknowledge is a potential exemption in the DMCA wouldn't absolve anyone from complying with other existing laws. Gearheads, car enthusiasts and everybody else, in the EPA's example, still would be responsible for adhering to emissions standards. More broadly the agency's comments acknowledge the potential downside of exemptions. Absent is any reflection on whether the agency ever considered the potential upside – that without the help of those researchers, the world may never have known that at least 11 million cars were spewing their poisons at as much as 40 times allowable thresholds.
A precarious legal footing
Despite the importance of such independent research, a lot of the people behind it are scared about being sued by automakers. "I know a lot of researchers who won't participate in this field, because of the legal murkiness," Miller told Copyright Office officials during May hearings.
His Jeep Cherokee hack illustrates another aspect of why exemptions are desperately needed – his ability to research the vulnerabilities and publicize findings pressed Chrysler into action. The company knew about multiple cyber holes in its software for 18 months, according to documents, yet it wasn't until the day after Miller and Valasek announced their findings that the company sent software repair kits to customers in the mail, and days later announced the first cyber-security related recall in U.S. history.
For better or worse, that legal murkiness will be cleared by the end of next month. The gray area developed over the past few years in large part because the Copyright Office had never directly addressed this intersection of copyright law and ever-evolving vehicles. But that's about to change, and the implications are clear.
"I know a lot of researchers who won't participate in this field, because of the legal murkiness." - Charlie Miller
The automakers argued in the DMCA hearings that outsiders couldn't be trusted to tinker with this complex safety software, that it would be too dangerous. In practice, the opposite has been true. The automakers have demonstrated they can't be relied upon to police themselves on safety and emissions matters that place Americans' health and lives in danger. "There's that perspective that 'we have the best engineers in the world and consumers should take what they get,'" Wiens said. "But that argument is built on a whole string of trusts, and now it is clear that we should absolutely not be trusting."
With agencies like the National Highway Traffic Safety Administration and EPA too underfunded and too lacking in manpower and expertise to examine these safety threats, independents and outsiders have filled the gaps and protected the American public. Without these independent watchdogs, the future Volkswagens of the world will proliferate.