Repairer Driven News
« Back « PREV Article  |  NEXT Article »

Automakers say two-way Mass. ‘right to repair’ telematics carries cybersecurity risk, call for halt

By on
Associations | Business Practices | Insurance | Legal | Market Trends | Repair Operations | Technology
Share This:

In the state that pioneered the “right to repair” concept that became a national agreement between shops and automakers, advocates seek to expand independent Massachusetts shops’ access to vehicle information with a new “right to repair” ballot initiative.

But the OEM trade group Alliance for Automotive Innovation warned the U.S. House and Energy Committee last month that the new Massachusetts right to repair effort went too far, as it “is not just about getting data from a vehicle; it is about mandating real-time, two-way access.”

Auto Innovators called instead for a temporary federal “five-year preemption regarding access to telematics data that could compromise vehicle safety due to actions at the state level.” (Emphasis Auto Innovators’.)

“Proponents of the initiative not only want to receive data from a vehicle, but also want to be able to send data, including software, to uniquely designed critical vehicle systems – even while a car, or tractor trailer, is driving down the roadway,” the OEM trade group wrote to House Energy and Commerce Committee Chair Frank Pallone, D-N.J., and ranking member Rep. Greg Walden, R-Ore., on June 3. “Not only does this initiative pose cybersecurity, personal safety, and privacy risks to the owner of the vehicle, but it also endangers others on the nation’s roadways.

“The ballot initiative has been disingenuously presented to voters as a solution for fixing cars. However, this initiative is really about third parties seeking bi-directional remote access to a consumer’s driving habits, patterns, and location in real-time. Such a far-reaching mandate risks making personal data readily available to third parties and creates absolutely no safeguards for how consumer information is stored, protected, or used afterwards. Simply put, while manufacturers remain committed to allowing consumers to decide where to take their vehicle for repair and maintenance needs, there is no scenario in which real-time, remote access by third parties would be necessary to diagnose or repair a vehicle.” (Emphasis Auto Innovators’.)

The Right to Repair proposal demands OEMs with a telematics system by the 2022 model year create an “inter-operable, standardized and open access platform.”

“Such platform shall be directly accessible by the owner of the vehicle through a mobile-based application and, upon the authorization of the vehicle owner, all mechanical data shall be directly accessible by an independent repair facility or a class 1 dealer licensed pursuant to section 58 of chapter 140 limited to the time to complete the repair or for a period of time agreed to by the vehicle owner for the purposes of maintaining, diagnosing and repairing the motor vehicle,” the associated House Bill 4302 states. “Access shall include the ability to send commands to in-vehicle components if needed for purposes of maintenance, diagnostics and repair.”

The Massachusetts effort would conflict with NHTSA’s demand that OEMs provide cybersecurity, the OEMs said an a file attached to their letter.

With respect to serviceability, NHTSA noted the need for third party repair services to be able to have access to certain vehicle systems to provide service, but cautioned that such access must be balanced with strong cybersecurity protections to ensure public safety.

In the context of the rapidly emerging market for automated driving systems in vehicles, which are particularly vulnerable to cybersecurity risks, NHTSA addressed the need for designing components to minimize safety risks from cybersecurity threats and vulnerabilities. A year later, the Department of Transportation reiterated that it is the responsibility of vehicle manufacturers and other stakeholders to manage cyber risks in designing automated driving systems in vehicles. More recently, DOT announced that NHTSA is conducting research to promote a layered approach to cybersecurity by focusing on a vehicle’s entry points, both wireless and wired, which could be potentially vulnerable to a cyber-attack, in anticipation of updating its 2016 Cybersecurity best practices. (Emphasis Auto Innovators’.)

Auto Innovators on Thursday said the “right to repair” memorandum of understanding put independent repairers on par with dealerships, rendering the need for remote access moot.

“Under a Memorandum of Understanding (MOU) signed in 2014, automakers agreed to provide the same diagnostic and repair data to independent repair facilities that is provided to dealers,” Auto Innovators CEO John Bozzella said in a statement. “Our members remain committed to the MOU, and to ensuring that independent repair facilities have the information that they need to diagnose and repair vehicles, while also taking necessary steps to protect the privacy of our customers and the safety and security of their vehicles.  Because of the MOU, there is no scenario in which a third party would need real-time, remote access to diagnose or repair a vehicle.”

The “Consumer Access to Repair Coalition,” a new group comprised of Allstate, LKQ, the Automotive Body Parts Association and the Certified Automotive Parts Association, alleged Wednesday OEMs were using telematics diagnostics data to favor their own shops.

“Consumers can also see tremendous cost-savings through choosing real-time data sharing,” the coalition wrote to Pallone and Walden. “While independent repair shops and parts manufacturers routinely access vehicle data during a repair or claim, the data being generated in real-time has enormous consumer benefits if it can be shared with these entities in the same way it is being shared with the OEM. Relaying real-time diagnostics and operational data to a repair shop will allow a consumer to be alerted that a vehicle is in need of a checkup or replacement parts before it suffers a breakdown or malfunction. By blocking consumers from sharing this real-time data, OEMs force consumers to rely on their own repair shop networks, limiting consumer choice and perpetuating the OEMs’ profit cycle.”

We asked Auto Innovators on Thursday to clarify how access stood today. Under “right to repair,” a shop can buy all the same repair information and equipment as a dealer and equip J-2534 devices with OEM diagnostic software. But was a dealership obtaining telematics information not available to an independent?

Auto Innovators said Thursday it wouldn’t be able to produce a response in time for this article.

The coalition also argued that customers should manage their own data, and insurers shouldn’t have to go through an OEM to obtain the information needed to write consumers usage-based policies. Insurers can use driving behavior and miles driven data to price risk and offer customers a better and fairer deal. (Though technically, the proposed new “right to repair” language doesn’t give access to insurers, just to body shops.)

“Real consumer choice starts with transparency and allowing consumers to actually choose what happens to their data, not with OEMs serving as gatekeepers with consumers forced to seek their permission. Manufacturers should offer consumers clear and easy-to-use tools for authorizing data access, which could include notifications of persistent third-party access,” the coalition wrote. “Such safeguards would dramatically reduce the opportunity for any malicious third-party actions as would requiring OEMs to support their stated priority of protecting system integrity through vigorous cybersecurity protocols. If OEM-developed vehicle systems are adequately protected, as OEMs claim they will be, then malicious activity would not be the dire concern the Alliance is making it out to be.”

Of course nothing’s stopping insurers from using data from an OBD-II dongle or even a smartphone’s sensors to study driving behavior and price premiums accordingly. The same devices also permit carriers to detect crashes and recommend their own network of shops. The data from the vehicle itself is said to be more accurate. However, insurers have shown confidence in the smartphone’s results with products like Allstate’s Milewise, and roadside assistance company Agero in 2018 said its smartphone app rarely got false positives about crashes.

We’d also asked Auto Innovators why customers shouldn’t be able to send their vehicle’s data to whoever they want, similar to how smartphones and their operating systems allow customers to take the risk of permitting apps functional and feature access. Auto Innovators said Thursday it wouldn’t be able to produce a response in time for this inquiry either.

The OEM trade group called on Congress to give automakers and NHTSA five years to work out the details.

“Due to the unique conflicts that automakers are faced with, Congress should act to reaffirm NHTSA’s statutory authority and enforcement guidance to protect the motoring public by temporarily establishing a limited five-year preemption regarding access to telematics data that could compromise vehicle safety due to actions at the state level. A five-year preemption provision would enable Congress and NHTSA to work on a longer term solution to ensure that new cybersecurity, privacy and public safety risks are not created.”

Ironically, this is sort of what the CAR Coalition requested, just without the federal moratorium.

“We understand that vehicle safety regulation is controlled by the Department of Transportation (‘DOT’), but Congress and the DOT should work together to examine this issue closely through official hearings and stakeholder input,” the coalition wrote. “Accordingly, we recommend that the Committee hold an appropriate hearing on the matter before considering any new federal laws. The CAR Coalition stands ready to aid Congress as it examines these important issues.”

Be heard: Congressional contact information can be found here.

More information:

Consumer Access to Repair Coalition letter to House Energy and Commerce Committee

CAR Coalition, July 1, 2020


CAR Coalition, July 1, 2020

Auto Innovators letter to House Energy and Commerce Committee

Alliance for Automotive Innovation, June 3, 2020


Automaker trade group Alliance for Automotive Innovation called for a five-year federal ban on state telematics mandates. (4X-image/iStock)

Allstate, LKQ, the Certified Automotive Parts Association and the Automotive Body Parts Association have formed the Consumer Access to Repair Coalition. (Provided by CAR Coalition)

The Alliance for Automotive Innovation represents nearly all major U.S. automakers. (Provided by Auto Innovators)

A Milewise screenshot shows a trip with hard braking incidents. (Provided by Allstate)

Share This: