State of Repair is Motherboard’s exploration of DIY culture, device repair, ownership, and the forces fighting to lock down access to the things you own.
The Biden administration has warned car manufacturers that they should not comply with a Massachusetts law that makes it easier for consumers and independent auto shops to repair cars, citing concerns with hacking.
The National Highway Traffic Safety Administration’s letter is a huge blow to consumers’ rights and is a puzzling move considering that President Biden and his administration have repeatedly championed the right to repair and have specifically stated that they do not believe that right to repair laws pose cybersecurity concerns.
“The Data Access Law conflicts with and therefore is preempted by the Safety Act,” the letter, which was sent to manufacturers and filed with a federal court, said. “While NHTSA has stressed that it is important for consumers to continue to have the ability to choose where to have their vehicles serviced and repaired, consumers must be afforded choice in a manner that does not pose an unreasonable risk to motor vehicle safety.”
The letter was sent to dozens of car manufacturers (Ford, GM, Hyundai, Kia, Toyota, Honda, etc.) to tell them of their “obligations” under federal law, which “conflict” with a new Massachusetts law that makes it easier for independent auto shops to continue fixing cars. “Because the Safety Act conflicts with and therefore preempts the Data Access Law, NHTSA expects vehicle manufacturers to fully comply with their Federal safety obligations,” NHTSA continued.
The NHTSA letter is the latest chapter in a decade-long saga in which automotive manufacturers have spent tens of millions of dollars attempting to kill right to repair legislation in Massachusetts. In 2013, Massachusetts passed a law requiring car manufacturers to make parts and diagnostic tools available to independent auto shops and consumers.
That was a watershed moment for consumers because, rather than face a variety of different rules in different states, manufacturers signed a “memorandum of understanding” in which they agreed to comply with a version of the Massachusetts law in every state, effectively creating nationwide access to parts and diagnostics.
Crucially, however, that 2013 law wasn’t forward-thinking enough to consider the digitization of many parts of a car. It required manufacturers to let consumers access diagnostic information through the OBD2 port, which is usually located under the steering wheel and can be read with a “code reader,” which can be purchased for a few bucks from most auto parts stores. Increasingly, car manufacturers have simply been getting rid of those ports altogether and have started making cars that require wireless diagnostic tools, which are not covered by the 2013 law.
The 2020 Massachusetts law, which updated the 2013 law, closed that loophole to require manufacturers to make diagnostic data available wirelessly; essentially, they need to sell consumers and independent repair techs the same diagnostic tools their own dealers use. The law was overwhelmingly passed by voters in a ballot initiative despite tens of millions of dollars of car industry lobbying which included commercials in which a ‘sexual predator’ attacks a woman in a dark parking garage seemingly because of the legislation; it has been mired in legal hell since its passage.
Manufacturers were supposed to begin complying with the law in June of 2023, but they sued Massachusetts in 2021 in an attempt to stop it. Part of their argument was that the law would violate the Safety Act. NHTSA provided written testimony as part of that lawsuit, which it cited in its letter telling the manufacturers not to comply with state law.
“It is our view that the terms of the ballot initiative would prohibit manufacturers from complying with both existing Federal guidance and cybersecurity hygiene best practices,” NHTSA said in 2021 testimony with the court. “Given the multi-year automotive product development cycle, the deadline for compliance appears impossible for manufacturers to meet in a responsible manner, risking removal of existing cybersecurity controls over wireless access into vehicles as the ballot initiative directs, which increases the risk of cybersecurity attacks that could jeopardize public safety.”
The NHTSA did not immediately respond to a request for comment. The Alliance for Automotive Innovation, a lobby group which has been fighting the law, declined to comment on ongoing litigation.
President Biden and his administration have repeatedly said that they support the right to repair, and that they will penalize manufacturers who do things like violate warranties illegally. In 2021, the Federal Trade Commission sent a report to Congress in which it analyzed manufacturer arguments against right to repair broadly, and found that they have been unable to prove that providing repair access to the owner of a car makes them less safe: “The record contains no empirical evidence to suggest that independent repair shops are more or less likely than authorized repair shops to compromise or misuse customer data,” the FTC wrote. “The record supports arguments that consumers and independent repair shops would be equally capable of minimizing cybersecurity risks, as are authorized repairers.”
In testimony in April, an FTC expert stated manufacturers’ “claimed justification [to oppose repair] is that repair restrictions protect consumers from cybersecurity risks. In the Report, the Commission found no empirical evidence to suggest that independent repair shops are more or less likely than authorized repair shops to compromise or misuse customer data. Nor did the Commission find any evidence that providing independent repairers with access to diagnostics and firmware patches would introduce cybersecurity risks.”
Nathan Proctor, Senior Director, U.S. PIRG Campaign for the Right to Repair, which pushes for right to repair legislation around the country, told Motherboard that the NHTSA’s letter is “incredibly frustrating.”
“The Department of Transportation had years to clarify their position around the car data rules in Massachusetts, which they seemed concerned about, but made no clear claim around preemption,” he said. “Now, after the law is taking effect, they step in.”
“If it is impossible to provide secure access to me, the car owner, for the data transmitted by my car, then the car is insecure,” he added. “It is absurd to concede the manufacturers’ self-serving argument that monopoly access is secure, but any other sharing of data is dangerous. Security experts have told us time and time again that there is no security through obscurity, and I had hoped regulators would understand that.”
“On behalf of two million voters and thousands of independent auto repair shops across Massachusetts, we are outraged by the unsolicited, unwarranted, and counterproductive letter from NHTSA that conflicts with the Department of Justice’s statement submitted two years ago in federal court stating that there was no federal preemption,” Tommy Hickey, executive director of the Right to Repair coalition, said. “NHTSA’s letter is irresponsible, having been transmitted without any new evidence and after the conclusion of the federal trial, despite having been asked by the judge to participate in the court proceeding and declining.”
Numerous cybersecurity officials have also vetted the Massachusetts law and have suggested that it does not meaningfully make consumers less safe.
“Plaintiff’s preemption argument amounts to a claim that any sufficiently complex regulatory system is a free pass to monopolize the market for repair services and deny consumers full enjoyment of the things that they own,” a series of nonprofits, security experts, and repair advocates told the court in a 2021 brief obtained by Motherboard. “There is no principled reason to give manufacturers this dead-hand control that could extend to numerous industries far afield from automobiles, and particularly in a manner of questionable cybersecurity. To give manufacturers this control would do a disservice to the electorate of Massachusetts that voted to protect their right to repair.”
A group of cybersecurity professionals who advocate for the right to repair have also repeatedly said that the law does not meaningfully impact cybersecurity. Last summer, Congress asked the Government Accountability Office to investigate the issue. The NHTSA letter seemingly puts the agency at odds with the rest of the Biden administration and many cybersecurity experts.
“A malicious actor here or abroad could utilize such open access to remotely command vehicles to operate dangerously, including attacking multiple vehicles concurrently. Vehicle crashes, injuries, or deaths are foreseeable outcomes of such a situation,” NHTSA said in its letter to manufacturers.
What the NHTSA doesn’t mention is that determined hackers have been breaking into cars for years. Many cars are already insecure, and hackers are selling wireless devices disguised in old Nokia cell phones and Bluetooth speakers that can unlock and start cars, often wirelessly. Some cars are so easy to steal that it became a viral social media trend, resulting in surging car theft rates in many U.S. cities and multiple lawsuits.