Far too often Congress proposes tech legislation that is either poorly researched or poorly drafted (or both). Fortunately, most of the bills don't advance. Unfortunately, this doesn’t seem to dissuade Congress from constantly writing these types of bills. The House Energy and Commerce Committee released such a bill last week. It's only a discussion draft and hasn't been introduced as a formal bill yet, but its provisions would not only effectively put the brakes on car security research, but also immunize auto manufactures from FTC privacy enforcement when (not if) they fail to secure our cars. It's a classic one-two punch from Congress: not understanding something and then deciding to draft a bill about it anyway.
Bad Law Already on the Books
Today's cars are computers with wheels. And the provisions of this bill would effectively shut down the incredibly young area of automobile computer security research. The first provision allows the government to fine users $100,000 every time they gain access to the car's data and computer code "without authorization." The "without authorization" language begs the question of whose authorization is required. Similar language is in the Computer Fraud and Abuse Act and three different Circuit courts have struggled with what the term exactly means. Do car owners ever exceed authorized access on their own cars? Under the CFAA the answer is almost certainly “no,” but a recent filing in the DMCA rulemaking process by car companies says "yes," under copyright law.
It would be bad policy to prohibit vehicle owners from studying and tinkering with their own vehicle computers. Many innovations and repairs require access to the Electronic Control Unit (ECU) code. Errors in ECU code can cause braking systems to malfunction, create security vulnerabilities, and—as seen in the Volkswagen scandal—can also increase pollution. The provision’s vague language about authorization might implicate all of these activities. We would certainly argue that the language shouldn’t be read so expansively, but people shouldn't have to hire a lawyer before repairing their cars or inspecting code to make sure they are safe. And they certainly shouldn't have to fear a $100,000 penalty.
We can only wonder what would've happened with the recent Tesla hack at DEF CON if the company were not as friendly to security researchers. Or if the researches who hacked a Jeep would have been willing to do it had the provision been law. Their discoveries helped make Jeeps and Tesla cars safer. Of course, it’s already illegal to hack into someone else’s car without authorization; the CFAA clearly covers Internet-connected automotive computers. With two vague and overly broad laws already chilling vehicle research in this area, there’s no justification for adding a third.
Privacy Exemptions
Unsurprisingly the bill gets worse. The second provision makes car manufactures immune to FTC enforcement around privacy issues so long as they publish a bare-bones privacy policy saying the manufacture will provide the owner with certain information. Why the House and Energy Commerce committee decided to only exempt the FTC's enforcement authority relating to privacy is confusing. The House should look towards the Senate for a good start regarding privacy and automobiles. For instance, Senators Ed Markey and Dick Blumenthal's SPY Act, would initiate more transparency around data collection, allow users to opt-out of certain collection, and also prohibit car manufactures from certain marketing practices.
We Don't Need More Bad Law
The bill is more of the same from Congress. The provisions will be discussed this Wednesday at a hearing in front of the House's Energy and Commerce Committee where we're hoping they will be dropped from the discussion draft. Congress should be encouraging security research and consumer innovation, not hindering it with undue and unneeded legislation.