Repairer Driven News

Federal judge cites ‘plain language’ of Mass. Data Access Law, multiple access options as means for OEMs to comply


Among the reasons for a Massachusetts district judge’s dismissal of the lawsuit filed by the Alliance for Automotive Innovation (Auto Innovators) against Attorney General Andrea Campbell is the “plain language” of the Data Access Law, and that options exist for automakers to grant or bar access to what’s necessary for repairs.

The suit was filed in 2020 after the passage of the state’s Data Access Law, which was approved by referendum on the state’s November 2020 ballot. The law expands the state’s right to repair law and requires OEMs to create and implement an onboard, standardized diagnostic system that would be accessible to everyone with or without OEM permission.

Auto Innovators argues that OEMs can’t safely and consistently comply with the legislation. A trial on the suit was held in 2021. U.S. District Judge Douglas P. Woodlock delayed ruling on the case several times before Judge Denise J. Casper took over in January.

In a memorandum outlining the reasons behind her ruling, Casper wrote, “[T]he plain language of the statute does not encompass data unrelated to diagnostics, maintenance, or repair.

“The current definition includes telematics and makes clear that it covers data used for or otherwise related to the ‘diagnosis, repair or maintenance of the vehicle.’ This construction is consistent with other provisions of Mass. Gen. L. c. 93K, which makes clear that it does not require independent repair shops to receive access to non-diagnostic and repair information.”

Casper continued that Section 2 of the Data Access Law doesn’t bar any authorization by the manufacturer directly or indirectly “unless the authorization system for access to vehicle networks and their onboard diagnostic systems is standardized across all makes and models sold in the Commonwealth and is administered by an entity unaffiliated with a manufacturer,” according to the language of the Data Access Law.

“Moreover, the language ‘an entity unaffiliated with a manufacturer’ means an entity not affiliated with an OEM but does not bar any role by an OEM in an authorization system,” Casper wrote.

“There is technology available that would allow compliance with Section 2’s requirement that a motor vehicle owner and independent repair shop’s access to a vehicle’s on-board diagnostics system be standardized and not require authorization by the OEM. One such method would be the use of public key infrastructure (PKI) technology and authentication techniques that authorize the requisite level of access necessary for independent repair shops to diagnose and make all necessary repairs.”

She added PKI technology could replace manufacturer authorization via a “secure authorization system administered by an entity unaffiliated with an OEM,” citing this use as “common and well-established in other industries, such as internet web browsers.”

Casper ruled that vehicle-to-anything (V2X) security is another method OEMs could use to comply with Section 2 of the law. She wrote that V2X has already been developed by some OEMs in collaboration with the U.S. Department of Transportation and other global regulatory bodies.

V2X is powered by a certificate authority infrastructure called the Security Credential Management System (SCMS), which is currently supported by the DOT, and could be expanded, according to Casper.

“Even if SCMS has not been implemented on a large scale… this infrastructure and authentication capability can be extended to support advanced authentication for vehicle diagnostics and repair,” she wrote.

“That Section 2 requires an authorization system administered by an entity unaffiliated with any OEM, Mass. Gen. L. c. 93K, § 2(d)(1), does not mean that OEMs would not be involved in development of such entity. There are past examples of cooperative efforts to create such programs, such as the OEMs’ involvement in the creation of the Secure Data Release Model (SDRM), a voluntary program developed by OEMs, new car dealers, independent repair shops and locksmiths, which is administered by the National Automotive Service Task Force (NASTF).”

Casper also ruled against Auto Innovators’ claim that the Data Access Law is preempted by the Motor Vehicle Safety Act (MVSA) and National Highway Traffic Safety Administration (NHTSA) federal motor vehicle safety standards (FMVSS) because no provision addresses motor vehicle cybersecurity or diagnostic data access.

“The stated purpose of the 2016 NHTSA guidance was to describe the agency’s ‘nonbinding guidance to the automotive industry for improving motor vehicle cybersecurity,’” the memorandum states. “[M]ore recent NHTSA guidance recommends that cybersecurity ‘should not become a reason to justify limiting serviceability’ by independent repair shops.

“[N]either the MVSA nor the FMVSS address or regulate cybersecurity or access to vehicle data. Thus, it is not a physical impossibility for OEMs to comply with such federal laws and the Data Access Law since there are no applicable federal standards for same.”

In August 2023, NHTSA and newly-elected Massachusetts AG Andrea Campbell exchanged letters in which they agreed on a partial solution to the debate — local Bluetooth access to in-vehicle telematics.

Another alternative Casper suggested for OEMs to comply with Section 3 would be to equip their vehicles with a platform that builds off of the already existing J-1962 connector.

“Existing dongles can send and receive information through J-1962 connectors without manufacturer authorization so long as no gateway within the vehicle blocks the transmission of such information,” she wrote. “A dongle with telematic or wireless capabilities can enable a vehicle owner to use a mobile device to send and receive all mechanical data via a J-1962 connector.

“Access to such dongles could be granted to vehicle owners who could grant additional keys to an independent repair shop and the repair shop could have a tool that requires the vehicle owner to validate ownership for usage on the vehicle.”

Former Attorney General Maura Healey, who was AG when the suit was filed until Campbell took office in 2023, argued that trial evidence established a J-1962 connector could be one method to equip vehicles with an interoperable platform. The other, she noted, would be designing a fully telematic diagnostic platform contained on the vehicle, which Casper ruled as an alternative.

“Such a telematic platform would consist of an independent module or wireless capabilities embedded in the vehicle’s system that would utilize wireless communications,” she wrote. “Given the wireless nature of same, a fully telematic platform should be segmented and isolated from the majority of the vehicle and should use authentication and encryption… Such security protections are technologically feasible to implement (e.g., wireless systems like Bluetooth and WiFi use encryption and already are utilized by OEMs in some vehicles).”

Casper also ruled that, just as vehicles that don’t have a telematics system are not subject to the requirement of Section 3 of the law, neither are vehicles that have the systems disabled.

Using testimony from Fiat and General Motors, Casper wrote that both companies allow customers to opt out of functioning telematics use, noting that is an option for all so-equipped vehicles to comply with the Data Access Law, regardless of make and model. Specific to Section 3 of the law she said…

She also noted that customers can order GM vehicles without telematics, or can disable them.

“Remote, over-the-air updates to vehicles would not be possible in the absence of telematics but as was true before the recent advent of telematics, such updates could be done physically in the vehicle.”

Casper said another option for automakers is the route Subaru and Kia took to comply with the new data law in Massachusetts. Certain model year 2022 Subaru vehicles that would normally be equipped with the OEM’s Starlink Safety and Security system aren’t available to Massachusetts residents, and Kia Connect isn’t available on 2022 and newer vehicles in the state.

“There is no suggestion in the record that the choice to comply with Section 3 in this way by reverting to a pre-telematics system is unsafe,” the memorandum states.

Concerning Auto Innovators’ claim that OEMs can’t comply with the federal Clean Air Act, Casper ruled that it also doesn’t preempt the Data Access Law because none of its provisions preclude compliance.

In response to the ruling, Auto Innovators said the decision “will introduce potential security risks to our customers and their vehicles” and that the new law is “at odds with the U.S. Constitution.”

The alliance said it is evaluating its appeal options.

Images

Featured image credit: nathaphat/iStock
