A camera slowly stalks a woman walking to her SUV in a desolate, empty parking garage. “If question 1 passes in Massachusetts, anyone could access the most personal data stored in your vehicle,” a narrator says. “Domestic violence advocates say a sexual predator could use the data to stalk their victims. Pinpoint exactly where you are. Whether you are alone …” The woman’s keys jingle as she approaches her car. The camera gets closer. The woman whips her head around. The stalker has found her. The screen flashes to black. “Vote NO on 1,” the narrator says.
The Alliance for Automotive Innovation, which represents nearly every major auto manufacturer in the United States, is funding this and a series of other TV ads like it to scare Massachusetts residents into voting against a ballot measure that would expand the state’s already existing right to repair law to ensure that you can continue to get your car fixed by anyone you want. The ads heavily imply—and at times state outright—that the legislation would somehow lead women to be stalked and sexually assaulted, a charge that cybersecurity experts say has no grounding in reality. Instead, the auto industry wants to ensure that when your car breaks, you have to take it to a manufacturer “authorized” mechanic or the dealer itself.
The legislation is an update to an already-existing law passed by Massachusetts voters in 2012 that has become a national standard for auto repair and a model piece of legislation for other right to repair bills that would make it easier to fix all sorts of electronics. The 2012 law enshrines the ability for independent mechanics (meaning, anyone who is not a car dealer) to repair the vast majority of cars, because it requires manufacturers to use a nonproprietary diagnostic interface to diagnose problems. This means that anyone can buy an OBD reader (called a "scanner," a "dongle," a "computer"), hook it up to a port beneath their steering wheel, and determine what's wrong with their car. The law also makes repair information available to independent repair professionals.
Question 1 seeks to close a loophole in that earlier law, which exempted cars that transmitted this data wirelessly. As cars become even more computerized, independent repair shops are worried that manufacturers will do away with the OBD port and will store this data wirelessly, exempting them from the earlier law. The new initiative simply guarantees that car owners and independent repair companies can access this data wirelessly without "authorization by the manufacturer," and requires car manufacturers to store this data in a secure, "standardized, open-access platform."
The organization running the fearmongering ads, called the "Coalition for Safe and Secure Data," is funded by The Alliance for Automotive Innovation, which represents every major car manufacturer except Tesla (which has its own problems with right to repair). Coalition for Safe and Secure Data also stressed that Question 1 is funded by big money interests. “It’s important to note that 99.9% of Question 1’s funding comes from the Auto Care Association (ACA),” the group told Motherboard in an email. ACA is a trade organization that represents 150,000 different businesses in the market of manufacturing spare parts and repairing cars.
But Coalition for Safe and Secure Data is backed by big money interests too, ones far bigger than ACA. The Alliance for Automotive Innovation, a lobbying group that represents care manufacturers such as Honda, Ford, and General Motors, has donated almost $2 million to the Coalition for Safe and Secure Data. Its name is on the ads. The auto manufacturers are quite literally trying to scare Massachusetts out of easy access to their own data.
The three ads released so far imply that passing Question 1 would allow villains and hackers of all kinds easy access to people’s data. “If Question 1 passes in Massachuests, anyone could access the most personal information stored in your vehicle,” one commercial said over footage of a faceless man wandering up a suburban street. “The Federal Trade Commission warns: your address could be paired with your garage codes to get easy access to your home.” The man clicked a button on a garage door opener and walked through the garage and into the house.
WCVB5, an ABC news affiliate in Massachusetts, thoroughly debunked the anti-Question 1 advertisement’s claims. First, the suggested change to the law doesn’t mention personal data. It refers only to mechanical data needed to diagnose and repair the car. The FTC warning referred to a public notice urging owners to delete personal information from their car before trading it in, the same way you would a phone. It’s unrelated to Question 1.
The ads are frightening, but they also raise the question: how much data is my car collecting? Coalition for Safe and Secure Data’s narrative seems to be that passing Question 1 would allow more people access to people’s data. But as cars become internet-connected, the issue isn't just data security but the fact that car manufacturers are collecting so much data in the first place.
“My guess is what automakers really don't want to talk about is all of the data that they are collecting from connected vehicles that they're not telling us about,” Paul F Roberts, founder of Securerepairs—a group of security and repair professionals who advocate for security and repair issues—told Motherboard on the phone.
“The backup safety cameras that go on every time you put your car in reverse, are those on all the time and are they observing your surroundings and inferring data about your whereabouts and preferences?” Roberts said. “The in-cabin cameras that we know Tesla has on their cars, are those just monitoring you all the time… are they monitoring your GPS data and mining that or selling that? We don’t know.”
To be clear, cars aren’t yet manufactured without an OBD, but repair advocates such as Roberts believe that in the near future, manufacturers could remove the OBD and move to exclusive wireless interfaces as a way to cut out independent repair stores. “That’s what this question is about,” Roberts said. “It’s about pre-empting that and trying to get in front of that.”
A representative from Coalition for Safe and Secure Data acknowledged that this data is already available to consumers and independent companies (OBD dongles are sold, for example, at every auto parts store). “Yes, this information is mostly available to repair shops now when they plug into customers’ vehicles, and there is already plenty of risk there,” the representative told Motherboard in an email. “But they would be enormously magnified if Question 1 passes, as it would make all that information accessible remotely and in real time, without ever having to plug into a vehicle.”
For Roberts, that argument doesn’t make sense. “If there are already bridges between the telematic data and the CAN Network and the onboard systems [the electronic systems that control a cars physical functioning, such as steering and cruise control], then that vulnerability already exists today,” Robert said. “And the only firewall between a hacker being able to [take control of your car] is the security of your average automobile dealership.”
“How strongly do you feel about the cybersecurity of your auto-dealership?” Roberts said.