New DMCA exemption opens doors to jailbreaking cars, detecting Dieselgate-like problems, etc

An issue raised by our investigation of the Dieselgate scandal is whether independent researchers are allowed to investigate the inner workings of our cars.  The Digital Millennium Copyright Act (DMCA) was originally enacted to protect the music industry from wholesale copying of digital media, but its application was broadened to protect software, especially in embedded devices like cell phones — or cars.  The DMCA would prevent a researcher from looking into why a car would emit far more pollution than allowed.  Such a researcher would want to not just measure pollution at the tailpipe, but look into the emissions control software and detect problems in the software.  But the DMCA labels that as illegal, and subject to huge fines.

Every three years the US Librarian of Congress considers proposed exemptions to the DMCA.  This time around two proposals were made which would allow people, including researchers, to delve into on-board control software in cars.  The EPA came out against this exemption because it would hinder EPA’s efforts to ensure that all cars complied with air pollution laws.  The US Congress also proposed a law which would not only weaken air pollution laws, but throw up more roadblocks to people who’d study the innards of cars.

Today we can celebrate because the US Librarian of Congress decided to grant DMCA exemptions to tinker with the innards of tablet computers and on-board software in cars.  I’ve embedded the decision document below, as retrieved from: http://copyright.gov/1201/2015/fedreg-publicinspectionFR.pdf

The rulemaking released today covers a lot of territory, from DVDs to electronic books to smart phones to tablet computers and automotive on-board computers.  Generally the US Librarian of Congress adopted the proposals supporting circumvention of software protection where there is a sound purpose.  For example, they announced support for jailbreaking smart phones or tablet computers in order to install lawfully acquired software which the device maker prevents from being installed — for example, the only software that can be installed on Apple’s iOS devices must be approved by Apple for sale through the iTunes store.  With this decision the opportunity now exists for third party app stores to sell software which Apple does not approve.

There are a lot of cool new possibilities enabled by this ruling, but we need to focus on the impacts on the automotive market.

The relevant proposals are:

  • Proposed Class 21: This proposed class would allow circumvention of TPMs protecting computer programs that control the functioning of a motorized land vehicle, including personal automobiles, commercial motor vehicles, and agricultural machinery, for purposes of lawful diagnosis and repair, or aftermarket personalization, modification, or other improvement. Under the exemption as proposed, circumvention would be allowed when undertaken by or on behalf of the lawful owner of the vehicle.
  • Proposed Class 25: This proposed class would allow researchers to circumvent access controls in relation to computer programs, databases, and devices for purposes of good-faith testing, identifying, disclosing, and fixing of malfunctions, security flaws, or vulnerabilities.
  • Proposed Class 22: This proposed class would allow circumvention of TPMs protecting computer programs that control the functioning of a motorized land vehicle for the purpose of researching the security or safety of such vehicles. Under the exemption as proposed, circumvention would be allowed when undertaken by or on behalf of the lawful owner of the vehicle.

The first is essentially the “right to repair”.  As the document notes, there is a long history of people working on their own vehicles.  Modern vehicles present a huge challenge because of protected on-board computer systems.

One particular use case is farming machinery.  When it breaks down there can be a long wait before an authorized technician can repair the machine, affecting the farmer’s livelihood.  In general, however, there is a strong desire among people to personalize or repair their vehicles, and there is a long long long history of people doing so in the comfort of their own garage or under the shade of a nearby tree.

Here are a few examples in the electric vehicle field:

  • DIY Electric Vehicle Conversion: I’ve taken a 1971 Karmann Ghia and replaced the gasoline nonsense with an electric drive train.  Lots of others have done so as well.  Tesla Motors was started by people, especially JB Straubel, who were building EVs in their garage.  Zero Motorcycles started from the same ethic.  In a sense the current electric vehicle market might not exist if it weren’t for the decades of people building their own EVs — the Electric Auto Association is about 50 years old, for example, indicating just how long a history there is of home built EV conversions.
  • LeafSpy et al: The individual owners of modern day OEM electric vehicles are learning the innards of CANBUS driven equipment, decoding the CAN messages flying around inside their cars, and developing diagnosis tools.  This has been especially crucial for the Leaf market because of the rapid battery capacity degradation issue.  If the Leaf owners community had not developed LeafSpy, they might have had a harder time proving to Nissan there was a problem.
  • Vectrix: This is an electric scooter that had been sold commercially until 2010 or so, and over on the forum site I own, VisForVoltage, is the largest community of Vectrix owners on the planet.  Because the Vectrix corporation went out of existence, and it was since abandoned by the company that bought the assets, Vectrix owners do not have a corporation backing them up with software support.  They have no choice but to delve into the machines and even develop new firmware that fixes problems.
  • Fast charging adapters: Not all manufacturers see the wisdom of fast charging.  A couple enterprising companies have developed add-on equipment to retrofit fast charging support on OEM vehicles.  DigiNow collaborated with Electric Motor Werks to develop a high speed charger for Zero Motorcycles.  QuickChargePower has developed a CHAdeMO adapter for the Gen2 Toyota RAV4 EV.
  • Repurposing the innards of OEM vehicles for other purposes: People are tearing apart components from wrecked Leafs, Volts, Model S’s and more to build other vehicles.  Otmar Ebenhoech for example had been rehabilitating a wrecked Model S to transplant the chassis into his stretched Vanagon.  He had to stop when Tesla Motors sent him a cease and desist letter.  In general Tesla Motors has heavy-handedly worked to prevent 3rd parties from working on the Model S.  That hasn’t stopped people from determining how to spin a Tesla motor using a non-Tesla controller.  Others are taking Leaf or Volt battery packs and repurposing the cells for other purposes, for example some Vectrix owners have replaced their NiMH battery packs with ones made of Leaf cells.

As I noted earlier the EPA came out against this exemption, stating a concern over enforcement of Clean Air Act rules.  The EPA is of course worried that this also opens the door to devices to subvert emissions control devices so that people can make hotrods out of engines whose power is held back by those devices.

We understand that concern — but — really, there’s such a long history of people working on their own cars.  We need to support this, not prevent it.

This is what was adopted for Class 21:

Computer programs that are contained in and control the functioning of a motorized land vehicle such as a personal automobile, commercial motor vehicle or mechanized agricultural vehicle, except for computer programs primarily designed for the control of telematics or entertainment systems for such vehicle, when circumvention is a necessary step undertaken by the authorized owner of the vehicle to allow the diagnosis, repair or lawful modification of a vehicle function; and where such circumvention does not constitute a violation of applicable law, including without limitation regulations promulgated by the Department of Transportation or the Environmental Protection Agency; and provided, however, that such circumvention is initiated no earlier than 12 months after the effective date of this regulation.

The Class 22 exemption applies to identifying security vulnerabilities in automobiles, especially with the rise of remotely accessed telematics doohickeys.  I’m very worried over this issue and while I’m sure the automakers are doing a competent job at securing the on-board computers, there are plenty of counter examples that should make us all worry.

Last summer some security researchers demonstrated through Wired Magazine a significant security vulnerability in certain Jeep models.  They showed capability to remotely control the infotainment system, environment controls, speed, braking, steering, etc, basically everything that can be controlled through the CAN bus.

Any car with a similar vulnerability is open to all kinds of nefarious results.  This includes computer assisted carjacking or kidnapping.  The Big Brother aspects are also chilling.  Imagine if the Police had the capability to issue a city-wide STOP ALL VEHICLES command?  While this might be useful in lawfully stopping a high speed chase, imagine the potential for misuse.

Here’s what was adopted to cover Class 22 and Class 25:

(i) Computer programs, where the circumvention is undertaken on a lawfully acquired device or machine on which the computer program operates solely for the purpose of good-faith security research and does not violate any applicable law, including without limitation the Computer Fraud and Abuse Act of 1986, as amended and codified in title 18, United States Code; and provided, however, that, except as to voting machines, such circumvention is initiated no earlier than 12 months after the effective date of this regulation, and the device or machine is one of the following:

  • (A) A device or machine primarily designed for use by individual consumers (including voting machines);
  • (B) A motorized land vehicle; or
  • (C) A medical device designed for whole or partial implantation in patients or a corresponding personal monitoring system, that is not and will not be used by patients or for patient care.

(ii) For purposes of this exemption, “good-faith security research” means accessing a computer program solely for purposes of good-faith testing, investigation and/or correction of a security flaw or vulnerability, where such activity is carried out in a controlled environment designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices or machines on which the computer program operates, or those who use such devices or machines, and is not used or maintained in a manner that facilitates copyright infringement.

I think it’s clear that “we” won.  That is, we now have the right to jailbreak our cars – for lawful purposes and not to violate other laws.  A very important thing is that researchers can now freely delve into vehicle innards and detect any manner of problem, whether it’s security vulnerabilities or incorrect emissions controls.


About David Herron

David Herron is a writer and software engineer living in Silicon Valley. He primarily writes about electric vehicles, clean energy systems, climate change, peak oil and related issues. When not writing he indulges in software projects and is sometimes employed as a software engineer. David has written for sites like PlugInCars and TorqueNews, and worked for companies like Sun Microsystems and Yahoo.
