The National Highway Traffic Safety Administration (NHTSA) and the Massachusetts Attorney General’s Office have exchanged letters pertaining to an in-vehicle data access lawsuit against AG Andrea Campbell that suggests at least a partial solution to the debate — local Bluetooth access to in-vehicle telematics.

The lawsuit was filed by the Alliance for Automotive Innovation (Auto Innovators) in 2020 over the Data Access Law that was approved by Massachusetts voters by referendum on the state’s 2020 ballot.

The law requires OEMs to create and implement an onboard, standardized diagnostic system that would be accessible to everyone with or without OEM permission. Auto Innovators argues that OEMs can’t safely and consistently comply with the legislation because federal law preempts it. The Massachusetts Attorney General’s Office contends there isn’t any conflict between federal law and the new state law.

Campbell began enforcement of the law on June 1 of this year.

Letters between NHTSA and the AG’s Office were written and filed in court on Tuesday.

NHTSA wrote that it “strongly supports the right to repair” and is pleased to have worked with Assistant Attorney General Eric A. Haskell on a way that the state law can be followed “promoting consumers’ ability to choose independent or do-it-yourself repairs — without compromising safety.”

“Based on our further conversations, NHTSA understands that, according to the Massachusetts Attorney General, one way that vehicle manufacturers can comply with the Data Access Law is by providing independent repair facilities wireless access to a vehicle from within close physical proximity to the vehicle, without providing long-range remote access,” NHTSA wrote.

The suggested route by the AG is “short-range wireless protocols” such as Bluetooth, NHTSA said, to provide access to the mechanical data outlined under the new state law.

“In NHTSA’s view, a solution like this one, if implemented with appropriate care, would significantly reduce the cybersecurity risks —and therefore the safety risks — associated with remote access,” NHTSA wrote. “Limiting the geographical range of access would significantly reduce the risk that malicious actors could exploit vulnerabilities at scale to access multiple vehicles, including, importantly, when vehicles are driven on a roadway. Such a short-range wireless compliance approach, implemented appropriately, therefore would not be preempted.”

In June, NHTSA sent a letter sent to 22 automakers warning them that federal law preempts the Data Access Law and laid out safety concerns if the state law is followed. NHTSA reiterated those points in its Aug. 22 letter to Haskell.

The lawsuit between Auto Innovators and AG Campbell centers mostly on vehicle owner safety and cybersecurity issues. Auto Innovators argues that the state law creates risks for both. Supporters of the law back an ongoing “right to repair” movement that is taking place across the country and in Canada and Europe. An R2R referendum question will be on the Nov. 7 ballot in Maine.

Proponents of “right to repair” — comprised mostly of aftermarket parts manufacturers, suppliers, and insurers — have claimed that OEMs limit access to their repair procedures, tools, and equipment so that independent repair shops and vehicle owners aren’t able to work on cars without OEM involvement.

Auto Innovators, the Society of Collision Repair Specialists (SCRS), and the Automotive Service Association (ASA) say that’s not the case and is actually the opposite: that OEMs do grant access to everything independent repairers and vehicle owners need to make repairs. 

Auto Innovators contends that opening up in-vehicle data and telematics, called “mechanical data” in the law, to anyone at any time opens up the door to “broad swaths of sensitive data that is not actually necessary for diagnosis, repair, or maintenance purposes.”

Campbell has previously pointed to Section 3 of the law in answer to that criticism, which requires that an open access platform be limited to the “secure” communication of mechanical data, authorization of the vehicle owner, and the period of time needed “to complete the repair or for a period of time agreed to by the vehicle owner for the purposes of maintaining, diagnosing, and repairing the motor vehicle.”

Mechanical data isn’t expressly defined in the law but specifies direct access by an independent repair facility or a class 1 licensed dealer “limited to the time to complete the repair or for a period of time agreed to by the vehicle owner for the purposes of maintaining, diagnosing and repairing the motor vehicle.”

Haskell notes in his letter that mechanical data is defined in Massachusetts General Laws as, “any vehicle-specific data, including telematics system data, generated, stored in or transmitted by a motor vehicle used for or otherwise related to the diagnosis, repair or maintenance of the vehicle.”

NHTSA asked in its letter whether the AG’s Office agrees that a secure open access platform wouldn’t immediately come to fruition but would require giving automakers time to securely develop, test, and implement the technology. Haskell didn’t respond to that question in his letter. He did address the ways in which OEMs can comply with the Data Access Law without preemption of federal law.

“Under the Data Access Law, the types of wireless communication technology that such a platform might utilize include, but are not limited to, cellular, Wi-Fi, and Bluetooth,” Haskell wrote. “Consistent with this evidence, and with the Attorney General’s interpretation of the Data Access Law as presented in U.S. District Court, we can confirm NHTSA’s understanding that a platform that provides the required features, capabilities, and access using a short-range wireless protocol such as Bluetooth is one approach that a vehicle manufacturer might use to achieve compliance with the Data Access Law.”

Campbell wrote in a May opposition memorandum that “…the evidence at trial showed that OEMs can securely comply with the Data Access Law without violating federal law. Some OEMs are already in compliance, and others can comply with the law if they devote the resources and time to make appropriate changes to their vehicles’ architectures.”

When weighing potential public hardship, U.S. District Judge Douglas P. Woodlock said, “a vote is a vote is a vote,” pointing at the decision by Massachusetts voters to approve the Data Access Law.

Although Woodlock recognized it’s “fair to say that it’s demanding” and is “likely unattainable, at least for the foreseeable future” because of the effects the law would have on OEM equipment. That includes possible degradation of vehicle safety features in a way that hasn’t been resolved, partially because no action for or against the law has been taken by OEMs, he said.

Images

Featured image credit: nathaphat/iStock

More information

Congressional committee holds R2R hearing, ASA testifies federal law unnecessary

R2R agreement spurs criticism, ‘falls short’ of enforcement & equal access