In light of the Volkswagen scandal, the US should revise copyright laws so that people can legally tinker with automotive software, a majority of Passcode Influencers said.
Volkswagen admitted last month that it intentionally cheated US environmental tests on its diesel vehicles using on-board software. A group of West Virginia University researchers who test automakers’ environmental claims for diesel vehicles initially discovered the company’s cheating through field tests. Yet auditing the car’s software to expose the deliberately faulty software would have been against US law, which prohibits researchers from circumventing copyright protections to tinker with cars — even cars they own.
The Volkswagen incident and other vehicle security weaknesses recently uncovered by researchers, 64 percent of Passcode Influencers said in a survey, highlight a need to change laws such as the Digital Millennium Copyright Act so researchers can legally conduct much-needed research to find and fix connected vehicle vulnerabilities.
“Copyright law in the US is in dire need of reform,” said Yan Zhu, security researcher at Yahoo. “The Volkswagen scandal is just another example of how the costs outweigh the benefits. Section 1201 of the DMCA is overly broad and has a history of stifling legitimate security research. If tampering with [digital rights management] systems wasn’t a felony, independent researchers would be more likely to discover manufacturer fraud.”
Passcode’s Influencers Poll is a regular survey of more than 120 experts (listed below) in digital security and privacy, from across government and the private sector. To preserve the candor of their responses, Influencers have the option to comment on the record or anonymously.
If researchers are stymied by copyright laws, said Cindy Cohn, executive director of digital rights nonprofit the Electronic Frontier Foundation, people’s safety could be at risk.
“People should be able to tinker, but more importantly, people should be able to see the code, test it themselves or with help from others, and in general understand how the code works,” she said. “This requires changes to the Computer Fraud and Abuse Act, the Digital Millennium Copyright Act, and reasonable public interest limits on trade secrecy and contractual limitations. This time it was emissions; next time our lives could be on the line. Black box code is dangerous.”
Even the Federal Trade Commission’s chief technologist, Ashkan Soltani, agreed changes should be made. “The ability to investigate and interrogate the software embedded in Internet of Things devices, including cars,” he said, “is critical for ensuring that the algorithms individuals interact with on a daily basis are secure and operate fairly.”
As technology is increasingly embedded in daily life, people’s safety relies on the security of the software that runs it — and the researchers who can expose weaknesses, some experts said.
“Security researchers protect public safety by discovering and reporting ways to bypass security controls so the technology can be made safer sooner,” said HackerOne’s chief policy officer Katie Moussouris. “It falls to us to ensure that the ability for security research and reverse engineering of technology in cars and other critical components of The Internet of Everything become accepted as the norm in the overall fabric of defense.”
This issue also comes down to the definition of ownership, several Influencers said, and what rights people have to fiddle with machinery they buy. “If I purchase something (a vehicle, a computer, etc), I own it,” said Charlie Miller, currently at Uber’s Advanced Technology Center — and also one of the two researchers who wirelessly hacked a Jeep Cherokee, exposing a security weakness that ultimately forced a recall of some 1.4 million vehicles. “I should be able to look at how it works and I should be able to tinker with it to make it better or different.”
However, some Influencers who support changes to the laws also insisted that the right to tinker should not be universal. Cofounder of security company Sqrrl, Ely Kahn, said it should be restricted to researchers. “Opening up ‘tinkering’ generally may result in people bypassing environmental laws, as EPA has mentioned (among various other issues).”
Still, a 36 percent minority of Influencers said, for similar reasons, that copyright law should not be changed for the sake of research. “No question that copyright laws around software are dysfunctional and need fixing for lots of reasons,” said Steve Weber, professor at the School of Information at the University of California, Berkeley. “But not so that people can ‘tinker’ with the software that runs their cars. Do you want to be driving 65 miles an hour behind a ‘hobbyist’ who has done that?”
Others, such as Chris Finan, chief executive of Manifold Security, said changing the law isn’t the best starting place. “A better approach would be to incentivize open sourcing of software components with vehicle safety implications.”
Passcode gathered more than 120 high-profile security and privacy experts for the Influencers Poll.
Lorrie Faith Cranor
Angela L. Heise
Jane Holl Lute
“Third-party vulnerability assessment should not simply be permitted, it should be encouraged.” – Influencer
“A great deal of innovation, improvement, and after-market services can come from the freedom to tinker. With that said, it likely makes sense to be stricter about tinkering with health and safety features, such as emissions controls.” – Peter Swire, Georgia Tech
“Regardless of the Volkswagen emissions scandal the “anti-circumvention” provisions of the Digital Millennium Copyright Act (DMCA) absolutely need to be rescinded. There are numerous problems codified in Section 1201 of the DMCA. The law is supposed to be about copyright infringement but it is woefully ineffective for this purpose. The DMCA is mostly used to block aftermarket competition and consumer choice. Due to those abuses Section 1201 should be eliminated entirely or at the very least the language should be reformed so that it is limited to actual copyright infringement. The DMCA was designed to stop piracy of digital media by preventing the defeat of anti-piracy measures. Instead corporations have been abusing Section 1201 to hide their misdeeds, mistakes, and outright fraud. The issue is much larger than just Volkswagen emissions.” – Space Rogue, Tenable Security
“‘Tinker’ is not the right word. We do want security researchers to have the ability to read, analyze, and test automotive software to root out bugs and vulnerabilities. However, opening up the software to ‘tinkering’ implies that end-users should be able to make unauthorized modifications. I’m not sure that is a desirable outcome in a product that is so closely regulated for safety purposes.” – Influencer
“The software that runs hardware we purchase should be included in the sale. Clearly, as we enter an era of increasing hybridization between bits and atoms, it’s crucial that we own both facets of the devices we bring into our lives, homes, and bodies.” – Sascha Meinrath, X-Lab
“I will say ‘yes’ with zero interest in any way in the Volkswagen matter which, I very much suspect, will be subsequently shown to not be as the press is now presenting it. I am a fan of an ownership society, not a rental society, whether in regard to one’s bedroom or one’s software. GM & John Deere are far better topics of discussion than Volkswagen – I can buy a $250K tractor from the latter but not without a software license agreement. Even if you don’t mind renting that which you depend on, when the rental agreement requires auto-update you are now permanently at the mercy of whether said auto-update mechanism is used competently and solely in your interest, which is laughably unlikely.” – Dan Geer, In-Q-Tel
“This issue is not about tinkering, this is about the ability for citizens to be able to inspect the software for products they legally own. They may do this to identify critical cybersecurity issues, to change the functionality of their property (within legal limits), or simply to make a repair.” – Kevin Mahaffey, Lookout
“This is obviously a religious issue that really comes down to the very concept of ownership. My feeling is that when you purchase something it is yours to do what you will with it. The only thing you should not be able to do is re-distribute it without authorization from the original manufacturer. Copyright holders necessarily will void warranties but they shouldn’t limit people’s rights to modify things that they have purchased.” – Robert Hansen, WhiteHat Labs
“Like anything, it’s about getting the balance right. Allowing researchers to see the code could have uncovered VW’s alleged fraud, but automobiles are unlike other consumer goods because they are so tied to public health and safety. Tinkering with software could have effects on a vehicle’s safety that impacts others on the road. The car industry and the software research community have to be very careful and deliberate in how they approach this issue.” – Influencer
“It probably already is legal. There are exemptions to the DMCA for security research as well as other legitimate uses. Copyright is not a cover for law-breaking. However, both the copyright law as well as the EPA and FTC rules should *encourage* people to vet manufacturers.” – Jon Callas, Silent Circle
“‘Tinker’ is a tricky word -- automobiles are kinetic creatures, and no one wants to have even well-intentioned hackers applying patches that would lead to safety issues. But there’s not much security through obscurity, and it’s important and helpful for technically-inclined people to be able to review and understand the code on which their cars run, just as they’re entitled to try to take apart the physical pieces. In the longer term, we can devise ways to allow tinkerers to modify the code on their automobiles while being accountable should something go terribly awry.” – Jonathan Zittrain, Harvard Law School
“Copyright law - Sec. 1201 of DMCA - prohibits circumventing technological measures protecting copyrighted works, like software. This prohibition was originally intended to head off copyright violations. But there are many beneficial reasons to unlock software that are unrelated to copyright infringement – such as repairing a car, customizing a hearing aid, switching cell phone carriers, and more. Section 1201 inhibits these otherwise lawful uses of copyrighted works by prohibiting access to them. Sec. 1201 is much broader than preventing copyright violation and is instead used as a blunt means of controlling information. For example, the EPA issued a letter opposing an exemption to Sec. 1201’s prohibition for vehicle software because, the EPA argued, it would allow people to modify car software to bypass pollution controls - yet modifying vehicle software in this way is already illegal under the Clean Air Act. The law should focus on actual crimes, such as software piracy or creating pollution, rather than levying penalties on otherwise lawful and potentially beneficial uses of software and other copyrighted works. Rep. Zoe Lofgren’s Unlocking Technology Act is one of few bills in Congress that takes this problem head on.” – Harley Geiger, Center for Democracy and Technology
“Liability for circumventing technological prevention measures should focus on deterring copyright infringement rather than deterring modification or research of devices when that modification or research does not implicate copyright interests and may in fact benefit device owners, the research community, and the public.” – Nuala O’Connor, Center for Democracy and Technology
“Wording of question maybe suggests a particular answer...There’s value in exploring a more open-sourced approach to parts of coding process for cars (and perhaps Internet of Things more generally) in order to balance public safety and necessary incentives for innovation in code for cars (in this case). Some of that may require a review of IP protections that tip too far in one direction.” – Michael Samway, Georgetown University
“Creative mechanically inclined have tinkered with automobiles since their inception, in a constant cat and mouse game of tweaks and changes vs. manufacturer warranty coverage. As we move into an era of electric vehicles that are more computer than car, those creative and curious types won’t just give up. An entire new ecosystem of enhancing and modifying the software of cars will emerge. Performance features, security and privacy, and patches tweaks as well as malcode with affective automotive software. Should it be illegal to modify the firmware on your car? Of course not. If you “brick it”, should the automaker be on the hook to fix it for free? No.” – Chris Rouland, Bastille Networks
“It is important to protect the rights of software developers and product vendors. It is also important to allow people to use the products they purchase as they see fit. Few consumer products are as subject to post-purchase modification as motor vehicles. There is an entire trade association for manufacturers of after-market enhancements, additions and modifications of motor vehicles. We are increasingly seeing unintended consequences from intellectual property legislation on other fields, including cybersecurity. Some prohibitions on reverse engineering that were intended to deter piracy now deter security research. Some companies have attempted to use proprietary technology and copyright law to “lock-in” mechanics or customers to manufacturer-preferred maintenance products & services. Neither of these cases may have all of the interests of the customer at heart when considered as a whole. The “first sale doctrine” (17 U.S.C. § 109) provides that an individual who knowingly purchases a copy of a copyrighted work receives certain rights, including the right to sell, display, or otherwise dispose of that particular copy, notwithstanding the interests of the copyright owner. We would do well to look carefully at the degree to which this doctrine has been eroded in practice in recent years.” – Bob Stratton, MACH37
“There are plenty of ways for researchers to look at auto software today. The National Highway Traffic Safety Administration should require testing of all automotive software. Letting car owners legally hack their car software is *not* going to improve safety or prevent future car manufacturer cheating.” – John Pescatore, SANS Institute
“No question that copyright laws around software are dysfunctional and need fixing for lots of reasons... but not so that people can ‘tinker’ with the software that runs their cars. Do you want to be driving 65 miles an hour behind a ‘hobbyist’ who has done that?” – Steve Weber, UC Berkeley
“A better approach would be to incentivize open sourcing of software components with vehicle safety implications.” – Chris Finan, Manifold Security
“Copyright law is in need of review and modernization - a need that goes beyond any single incident. But I get nervous about making significant changes in law in a reactionary manner.” – Jeff Greene, Symantec