Paul Roberts remembers when a friend in the technical repair community sent him a link to the ad. It was late July, and he was working on his laptop in Belmont, Massachusetts. The video, put out by the Coalition for Safe and Secure Data, showed a man walking through a suburban neighborhood and, with a click of a garage door opener, easily entering a home that was not his own. “Your address could be paired with your garage codes to get easy access to your home,” the ad warned.
Roberts’ first thought was that the street looked just like the one his wife grew up on in Sudbury, just a few towns over. It was creepy. But that initial reaction was quickly overtaken by a sense of confusion: “My thought was actually, 'I don’t get it. What’s with the garage door opener?'”
The ad centered on Massachusetts Question 1 on the ballot this fall, a proposed update to an existing automobile-repair law. The measure is meant to address how data sharing will work as cars start to suck in and share more wireless data. The Coalition for Safe and Secure Data, backed by giant automakers, is urging state residents to vote No, arguing that easier access to this data poses security risks.
Roberts is not a luddite. He runs an online publication about infosec and a nonprofit repair organization called Securepairs.org. But he thought that even for a political ad, the connection from wireless car data to one-click breaking and entering was a stretch. Others have accused the coalition of fearmongering and, in one instance, using a support group for domestic violence survivors as a pawn in its campaign against Question 1.
At the core of the issue is the not-insignificant question of what expanded access to wireless car data might look like and how secure that is. It’s not just a question of who can repair a car and access the data, but who owns the data in the first place. The answer could ripple across the industry for years to come, which is why both sides of Question 1 have poured millions of dollars into the fight. And because the US has been slower to address these issues in federal legislation, Question 1 could have impact beyond Massachusetts state lines. Ultimately, the measure “could set the national standard for cars,” according to Kyle Wiens, the founder of California-based iFixit and a vocal right-to-repair advocate.
Right to Repair
Whether it’s an iPhone, a tractor, a medical device, or a car, right-to-repair proponents believe that when someone purchases a product, they should be able to choose who repairs it, or tinker with it themselves. In the digital age it’s become a fraught issue that veers into copyright law, but there is legislation that suggests these are reasonable expectations for consumers. Under the Magnuson-Moss Warranty Act, passed in 1975, manufacturers can’t void a product warranty just because someone used a service provider other than the original manufacturer.
And then there is Chapter 93J of the Massachusetts general law. Back in 2012, the state voted 87 percent in favor of a right-to-repair law that would establish new requirements for auto makers: A car’s physical, onboard diagnostics port would have to use a nonproprietary standard, making mechanical information more accessible, which meant people would no longer be forced to go to dealerships to diagnose car problems. It was the first law of its kind in the US and was seen as a win for consumers and independent repair shops.
(When I asked sources for this story how Massachusetts became the vanguard state for repair reform, I heard a wide range of responses. Some suggested the state’s penchant for progressivism and consumer protections played a factor, while others cited constituents’ close-knit relationships with auto shop owners. Roberts gave a simpler explanation: “Because Massachusetts is awesome.”)
A lot of manufacturers aren’t keen on the idea of people having the tools and guides to crack open their smartphones or fix their own cars. There’s big business in requiring consumers to send their products back to the original manufacturer, who may charge a fee to fix a product in a way that only it knows how. And manufacturers often insist that there are inherent security and safety risks in designing products to be more open and fixable.
Batteries do catch fire. Jeeps can be hacked. The question isn’t whether these things are technically possible. It’s how overblown they are. How do you measure the risk of expanding what security experts call the “attack surface” against the idea that once a person purchases a product they should have ownership over repairs—and the information that flows in and out of that product? As cars have become computers on wheels, the information that they collect has become more extensive and more sophisticated. Question 1 on the 2020 ballot is an attempt to keep up with the digital times.
When Massachusetts’ right-to-repair initiative was signed into law in 2013, cars that transmitted mechanical information wirelessly were exempt. Now, seven years later, an estimated 90 percent of new cars are being built with telematics systems, which the proposed amendment defines as any system that “collects information generated by the operation of the vehicle” and transmits it wirelessly to a remote server. Broadly, this encompasses data about mileage and driving habits, but it can get unnervingly specific; US wireless provider Verizon says telematics can include “location, speed, idling time, harsh acceleration or braking, fuel consumption, vehicle faults, and more.”
If a majority of Massachusetts residents vote Yes on Question 1 this fall, carmakers would have to install standardized, open data-sharing platforms on any cars with telematics systems starting with model year 2022. “Owners of motor vehicles with telematics systems would get access to mechanical data through a mobile device application,” the ballot summary reads.
Aaron Lowe, senior vice president of the Auto Care Association, which represents auto parts suppliers and supports Question 1, emphasized that the ballot question is focused on mechanical data. “It does not go into the reams of data that the car can transmit to the manufacturer. The only data we’re discussing or interested in is the mechanical data that would be assisting an independent repair shop on diagnosing or repairing that vehicle,” Lowe told WIRED.
But even those in support of Question 1 have said it lacks important technical details, like defining explicitly what “mechanical data” means. And opponents of the initiative bristle at the idea that automakers would have less control over their in-car systems. “It’s specifically excluding automakers from protecting their own systems, and as a result it’s creating huge amounts of risk,” says Conor Yunits, a spokesperson for the Coalition for Safe and Secure Data. “It’s opening a gateway into vehicle systems wirelessly that can be exploited by anyone with malicious intent.”
Mudslinging
After Question 1 landed on the ballot this year, the Coalition for Safe and Secure data sprang into action. The group is backed by major car brands—GM, Ford, Honda, BMW, Subaru, Nissan, VW/Audi, and others. The coalition released an ad showing a woman being stalked as she approached her car in a dark parking garage. It included a strong “Vote NO on 1” message. “Domestic violence advocates say a sexual predator could use the data to stalk their victims,” the narrator read. Another ad from the coalition was the video that came across Roberts’ desk in late July, depicting a man entering a home by wirelessly opening the garage door. (Vice criticized the ads in a report this summer; the videos have since been listed as private on YouTube.)
Yunits told WIRED, “All of our ads have been based on public testimony. And if there’s been fearmongering, it’s come from the other side, who from day one have said if Question 1 doesn’t pass then all local repair shops are going to go out of business and consumers aren’t going to have any choice where to take their car.”
“It’s complete nonsense,” Yunits added.
But the Coalition for Safe and Secure Data misstepped when it included a quote from Jane Doe Inc., a nonprofit that advocates for sexual assault and domestic violence survivors, in a Massachusetts guide for voters. Jane Doe Inc. hadn’t been consulted about appearing in the voting guide and took issue with the coalition’s representation of the group as a “No” on Question 1. “While JDI is not taking a public stand on this ballot question, at this time, we do not believe that a YES vote on 1 would uniquely compromise survivor safety in the manner portrayed by opponents,” JDI wrote in a statement. “We do not support the use of survivor fears or needs as pawns in a debate that is not ultimately about the needs of survivors.” (Representatives from JDI declined to be interviewed for this article.)
Yunits said the voter guide included a direct quote that JDI had submitted to the legislature back in January, and that the Coalition for Safe and Secure Data had no chance to change the language in the voter guide once it was out.
“I don’t want to say this is disinformation, but it’s been incredibly misleading,” says Brianna Wu, a Massachusetts-based software developer who ran for Congress in 2018 and now runs a political action committee. Wu is a car aficionado and supports Question 1. She says she was angry when she first saw the coalition’s ads. “I thought [they] really smeared the issue around.”
>
Roberts, from Securepairs.org, is unsurprisingly in favor of Question 1. But in early October he decided to participate in a virtual debate hosted by the Boston Network Users Group, a 30-year-old networking forum for tech professionals in the area. There were “folks for both the Yes and No camps there,” Roberts said, and he was keen to hear arguments from both sides. “It was a group of fiftyish white guys with IT backgrounds,” he said. Roberts offered to connect me with BNUG’s president, Adam Frost, a fiftyish white guy with an IT background. Frost was eager to chat. He told me via email that he’d recently had a change of heart on Question 1.
I called Frost at his home in Jamaica Plain eight days before Election Day. By this point several local papers, including The Boston Globe, had published editorials in support of Question 1. When Frost first read the ballot measure, he called up Yunits and Tommy Hickey, who leads the Massachusetts Right to Repair Coalition, trying to better understand both arguments. (Frost says he didn't get to talk to Yunits at length, but did invite him to the BNUG meetup, where Yunits spoke.) Frost had seen the alarmist ads and was aware that Jane Doe Inc. had been misrepresented. Part of Frost’s day job involves refurbishing computers for families that can’t afford them. And he is generally skeeved by the amount of data that is flowing to car manufacturers.
“If you lived in Massachusetts, I would recommend that you vote yes,” Frost told me.
But Frost voted no. He had been swayed by a letter put out by the National Highway Traffic Safety Administration, raising concerns about the vagueness of the ballot initiative’s language and warning that it would “prohibit manufacturers from complying with … cybersecurity hygiene best practices.” And some of the technical folks who had shown up to Frost’s BNUG meeting on October 6 rang similar warning bells.
“I thought I had a professional obligation to vote against the law,” Frost said. “If the agency we’re employing to protect us says ‘this isn’t the right way to solve this problem,’ I have to listen to that.”
The Road Ahead
Early polling suggests the state of Massachusetts will vote overwhelmingly in favor Question 1, as it did in 2012. This time, however, consumer advocacy groups are in less agreement about how a victory advances the right-to-repair movement. “This measure isn't about right to repair,” said Janet Domenitz, the executive director of the Massachusetts chapter of the US Public Interest Research Group. “And the tens of millions of dollars being spent on the question by both corporate opponents and proponents should disabuse any voter of the notion that this is being fought for, or against, by the little guys.”
“On a high level we’re excited about this, but the legislature is going to need to make some tweaks to it,” says Wiens, the iFixit founder who has previously tried to get the state of California to pass legislation similar to the Massachusetts law. “Hopefully this means we have an open-standard development process, with all cars in the US using the same standard, and a new world of innovation around mobile apps.”
Roberts sees this fight as foundational to the whole right-to-repair argument. It’s not just about access to telematics data in cars. It applies to all other kinds of product categories too, he says. “I think it’s really important to slap down bogus arguments about cybersecurity and privacy.”
Roberts also acknowledges that 20 other states have considered right-to-repair legislation in recent years, and that there’s a chance it may someday come to pass at the federal level. Question 1 could pave the way for other laws involving wireless data, but it could also end up being a skirmish in a much larger battle over repairs. “There’s a sense of keep your powder dry, and let’s save our resources and political capital for the fight we have to have,” Roberts says.
Updated November 2, 5:35PM ET: This story has been updated to reflect that Adam Frost and Conor Yunits had been in contact, not that Frost was unable to reach Yunits as originally stated.