Neither the Environmental Protection Agency nor the Department of Transportation expressed support for the third-party researchers in documents filed with the US Copyright Office, which will soon decide whether their work merits protection from copyright law.
The EPA has urged the Copyright Office to reject a proposed exemption that would protect the right of researchers to examine vehicles – a counter-intuitive stance well documented in the days since independent academics from West Virginia University discovered the first hints of Volkswagen's flouting of emissions standards. By contrast, the Department of Transportation's position has received no scrutiny and offers a more nuanced approach.
Unlike the EPA, a lawyer from the DOT doesn't explicitly recommend the Copyright Office scuttle the vehicle-security exemption. In a letter dated September 9, Kathryn B. Thomson, general counsel for the DOT instead floats a compromise, writing a list of concerns "potentially could be addressed with appropriate limitations on disclosures."
She suggests findings from security research might only be disclosed to regulators or potentially affected parties, such as OEMs whose vehicles contain security holes. Alternately, she writes "adequate time" be given for software patches to be developed before wider disclosures are made.
"The Department is concerned that there may be circumstances in which security researchers may not fully appreciate the potential safety ramifications of their security circumvention acts."
Those scenarios are similar to the ones hinted at by Copyright Office officials during a May hearing that addressed several exemptions proposed for the Digital Millennium Copyright Act, a 17-year-old law that prohibits circumvention of technological measures that control access to copyrighted works, in this case, the millions of lines of code that control dozens of car components. Every three years, Copyright Office officials decide whether exemptions in that law are warranted, and most recent process is expected to wrap up by the end of October.
During the May hearings, Jacqueline Charlesworth, general counsel for the Copyright Office, asked whether a 90-day waiting period would allow sufficient time for responses to be formulated before independent cyber-security experts could share details of their work.
In practice, third-party security researchers, who have discovered a frightening array of vehicle security lapses in millions of American cars, have operated with such self-restraint. When Charlie Miller, above, and Chris Valasek discovered multiple cyber vulnerabilities in a Jeep Cherokee, they notified FCA of the holes and worked with them for nine months before announcing the remote breach in July. Chrysler mailed flash drives with software repairs to customers within days. When researchers at Argus Cyber Security found a security hole in the popular Progressive Insurance "Snapshot" dongle, they notified the company a month in advance of releasing the news. In the landmark 2010 study that first demonstrated cars could be hacked, researchers at California-San Diego and University of Washington didn't even divulge the makes and models of the cars they infiltrated.
But on principle, researchers and advocates fear such restrictions will have a chilling effect on their work – or make it irrelevant. The right to disclose their results is "an essential element to making sure vulnerabilities do get fixed," says Kit Walsh, staff attorney with the Electronic Frontier Foundation. Case in point: Chrysler planned only to issue a technical service bulletin after the Jeep Cherokee hack, but the publicity surrounding it forced the company to recall more than 1.4 million vehicles. It was the first cyber-security related recall in US automotive history.
Even though the National Highway Traffic Safety Administration, the agency within the Transportation Department responsible for vehicle safety, used Valasek and Miller's work to press for that recall, the DOT remains ambivalent about the role independents will play in addressing future security lapses.
"The Department recognizes that enabling publication of good faith research efforts in this area presents the potential benefits of promoting collaboration in identifying security vulnerabilities or other problems," Thomson wrote. "However, the Department is concerned that there may be circumstances in which security researchers may not fully appreciate the potential safety ramifications of their security circumvention acts and may not fully understand the logistical and practical limitations associated with potential remedial actions that may become necessary."
If the DOT hedged its bet on the exemption that concerned security research – known as Class 22 – it showed no such subtlety regarding its position on a separate proposed exemption which would allow ordinary gearheads, hobbyists and home mechanics to continue repairing and tinkering with their cars in their homes or independent garages.
On principle, researchers and advocates fear such restrictions will have a chilling effect on their work – or make it irrelevant.
In crafting a position on that exemption, Class 21, Thomson writes, "Given this Department's statutory safety responsibilities, and given the increasing importance of the continued integrity of motor vehicle software to driving safety, we would be remiss if we did not note for the record that modifying motor vehicle software can create safety and cyber security risks. Modification creating these risks is contrary to the purposes of the National Traffic and Motor Vehicle Safety Act."
The DOT's sent its comments to the Copyright Office on September 9, nearly two months after Valasek and Miller unveiled the Jeep hack, the latest in a line of nearly a dozen vehicle vulnerabilities detected and disclosed by third-party researchers.
By contrast, the EPA filed its comments with the Copyright Office in July, two months before it knew that independent researchers would play a role in nabbing Volkswagen in what's likely the most pervasive emissions-cheating scheme in US history. Since that discovery, EPA officials haven't returned requests for comment on whether the agency may reconsider its opposition to the DMCA exemption for security researchers.