I access car computers for research and development. In addition to being what is called a "white hat hacker," I am also a lawyer working to influence law and policy regarding technology, and that lawyerly side of me wonders how law and legislation will answer this question. More often than not, technology outpaces the law. Additionally, this automotive technological revolution is a global phenomenon, and some countries have stronger privacy protection of personally identifiable information (PII) than the US. Will the US auto manufacturers lead this revolution or follow? Will too strict policy and legislation weigh down innovation in the US?
The federal government is making progress to answer these questions. In September, the Obama administration announced the Federal Automated Vehicles Policy to help introduce automated vehicles to roads in a way that promotes safety, accessibility, and efficiency. Earlier this year, President Obama proposed a $4 billion investment in automotive vehicle deployments via real-world pilots. As part of this, the administration awarded the Smart City Challenge to Columbus, OH. It includes a $40-million grant from the Department of Transportation and $20 million from private partners to develop and test technologies such as self-driving cars, smart traffic lights, and V2V (vehicle-to-vehicle) communications. Integrating these technologies into Columbus' infrastructure and vehicles on the road will allow the Department of Transportation to see what works and what lessons can be learned from this program.
In addition to autonomous driving, there may also be some vehicle cyber security and safety legislation on the horizon. On September 19, the administration released a fact sheet that highlighted four of the most important attributes needed for autonomous vehicles:
- Increase Safety by reducing human error or judgment;
- Increase Personal Mobility, especially for the elderly or those with disabilities;
- Productivity by reducing the cost of transportation while also allowing for working while commuting; and
- Sustainability by increasing the efficiency of vehicles on the road by re-routing around areas of congestion.
But what happens to the data your car generates? In particular, what about data that was collected around the time of a crash? Unless your car is ancient, most cars on the road have event data recorders which collect and store data for some amount of time prior to an "event" and for a bit of time afterwards. In vehicles with an uplink, there is an opportunity to collect and transmit data back to the vehicle manufacturer, perhaps even faster than manual extraction from the car's black box by first responders or law enforcement who arrive at the crash site. NHTSA's report recognizes that this cornucopia of data could be shared more easily and quickly with connected vehicles. Thankfully, they are also recommending security to protect this data.
The following statement is in the report: "Vehicles should record, at a minimum, all information relevant to the event and the performance of the system, so that the circumstances of the event can be reconstructed." A real-world example of this was a recent crash involving a Tesla using Autopilot that resulted in the driver's death. Not long after the accident, the company released a statement and determined why Autopilot failed (and underscored the need for drivers to pay attention even with semi-autonomous systems running). Tesla Motors CEO Elon Musk wrote on Twitter that the car's radar "tunes out what looks like an overhead road sign to avoid false braking events."
In addition to having one of the most connected vehicles on the market and one of the first to implement over-the-air updates to the car's computer systems, Tesla was the first to publicly hire car hackers for their vehicle cyber security team. It had a bug bounty program before other manufacturers in the US realized that there are benefits to having security researchers (a.k.a., "white hat hackers") inform the company of vulnerabilities while, in return, receiving financial remuneration and, if desired, public recognition of the hacker's discovery. Disclosure of vulnerabilities gives the car manufacturer time to make a patch and push updates over the air.
Nevertheless, most car hackers know that there is federal legislation called the Digital Millennium Copyright Act (DMCA) that prevents people from circumventing a technological measure to access parts of computer systems. Congress initially intended for this legislation to curb intellectual property theft, but it has instead been utilized to prevent access to computer systems. In the US, we already have the Computer Fraud and Abuse Act (CFAA) - albeit it is fraught with some of its own issues - to cover "unauthorized access." Unfortunately, some companies have skimped on computer security measures and instead lean on the DMCA to threaten computer security researchers.
Indeed, this is what the Register of Copyrights and the Librarian of Congress determined after a period during which they solicited public comments. The resulting decision allows vehicle security researchers (and others wanting to open computer systems to determine how they function or make repairs) to work on vehicles for a period of two years, starting at the end of this month. There are some caveats, including restrictions against testing vehicle "hacks" on public roadways. Other limitations have also been published.
Without fear of legal repercussion for security research on vehicles, the hope is that vulnerabilities discovered will be shared with the vehicle manufacturers, thus improving the safety of vehicles. The theory is that if there are more eyes on the vehicle computer systems, issues are more likely to be found, and that's a benefit to public safety. An added value is that car hackers may be looking at the systems from a "break-it" perspective instead of a "build-it" mentality; the latter is more common for software development engineers. A different perspective may provide a refreshing look at vehicle computer systems, but not when they are under a digital lock and key with the DMCA.
This month, the Copyright Office is soliciting more comments on this topic. It reopened the issue in regard to a proposition that perhaps the 2-year exception from the DMCA is not enough and the exception should be permanent. There is also concern that the existing exemptions do not adequately accommodate good-faith research on malfunctions, security flaws, and vulnerabilities in computer programs. Instead of requiring security researchers to return every three years to renew the exemption, would it be beneficial for this to be permanently exempted from the DMCA? Additionally, should there be a permanent exemption that allows you to circumvent a technological measure that prevents you from repairing your car, truck, or farm tractor? You can influence the decision by commenting before the deadline of October 27.
This fall is shaping up to be an exciting time for the future of the automobile. Legislators and the Obama Administration are gearing up for connected cars while consumers are learning the differences between driver assist, semi-autonomous, and fully autonomous vehicles. DOT and NHTSA are watching these developments and declared they will remove "unsafe autonomous vehicles" from the roads. You have an opportunity to contribute to the legislation that will either foster growth in this industry or will retard the speed at which vehicle technologies are implemented on our streets in the US.
From my perspective, we are accelerating the implementation of new technologies in and around the car. At the same time, legislators are eager and willing to work with car hackers, automotive engineers, and gearheads to help establish new frameworks for vehicle security and safety. The question is: Will they listen to the opinions from this diverse group? The only way to find out is if we all speak up. Make your opinion heard and tell NHTSA, DOT, and the US Copyright Office what you think is important for the future of autonomous vehicles. Your background may contribute a perspective the lawmakers have not yet considered.
Tiffany Rad, BS, MBA, JD, is the CEO and founder of Anatrope, which develops wireless automotive technologies for the cyber security and data analytics industries. She works in the Washington, D.C. area and spends time in Maine teaching at the state university, surfing, and snowboarding.