Senate bill 927 says that "a person shall not intentionally access or cause access to be made to an electronic system of a motor vehicle to willfully destroy, damage, impair, alter or gain unauthorized control of the motor vehicle." Offenders will be deemed guilty of a felony, and may be imprisoned for any number of years up to life in prison.
The proposed legislation is one of the first attempts nationally to address the consequences for car hacking, which has become a top concern throughout the auto industry. Critics have accused executives of being slow to respond to the threats, which were first known as long as six years ago but gained attention last July when a pair of researchers remotely controlled a Jeep Cherokee. In January, the industry established an Information Sharing and Analysis Center to collectively evaluate security measures and counter breaches.
But the Michigan bill isn't noteworthy only because of the life penalty prescribed; it's noteworthy for what's missing in its details.
Language in the bill doesn't delineate between independent cyber-security researchers and criminals who intend to inflict harm or havoc. Under its provisions, it's possible Charlie Miller, pictured below, and Chris Valasek, the researchers who demonstrated last summer that the Cherokee could be remotely commandeered and controlled, could face life behind bars. Provisions of the legislation that prevent a person from "altering" the motor vehicle could ensnare car enthusiasts or gearheads who tinker with electronic systems to boost performance, increase fuel efficiency or add aftermarket features.
In that context, Senate Bill 927 seems like the latest measure in a running feud between independent researchers, gearheads and big automakers. Car companies don't like third parties poking around their electronic systems and would prefer the researchers not reveal security weaknesses. Researchers, on the other hand, say many carmakers are either slow to fix or unwilling to repair security holes unless they're able to publish their findings. To that point, public documents showed Chrysler knew of security weaknesses in its products as early as 2014, but the company didn't issue a recall to fix them in 1.4 million cars until the day after the Jeep hack became public knowledge last July.
Last year, automakers fought a proposed exemption in copyright law that preserved the rights of independent researchers to examine vehicles in the cyber-security realm. Their arguments then – that "unauthorized access" to the software infringes upon their proprietary systems – sounds similar to the access restrictions being proposed in Michigan.
Gearheads and security researchers mostly won that argument. The Copyright Office issued exemptions for their work under the Digital Millennium Copyright Act's Section 1201, which governs access to technical works, though their protections don't kick in until October 2016 and must be reviewed and renewed in 2018.
In the meantime, it appears the auto industry might go state by state to establish a new battlefront in the fight over who gets to repair or examine cars. What better place to start than on its friendly home turf?