Massachusetts votes ‘yes’ on Question 1, expanding 2013 right-to-repair law
November 5, 2020
Question 1 on this year’s Massachusetts ballot passed with 75% voter approval after a contentious debate this campaign season, with issues of access to vehicle repair services meeting concerns about cybersecurity threats.
This will amend the Massachusetts “right-to-repair” law that was signed in 2013 following a corresponding ballot question the year prior, which passed with 86 percent approval. The 2013 law mandates that vehicle owners and independent repair shops have the same access as manufacturers to diagnostic and repair information, but it currently exempts any data transmitted through wireless communications systems, or telematics systems.
Proponents said the initiative benefits vehicle owners and independent repair shops. These shops, they said, are currently at a disadvantage compared to car manufacturers when it comes to newer vehicles that use telematics systems to collect necessary diagnostic and repair information. Because only manufacturers can access data collected by telematics systems, vehicle owners have only one choice of where to go when they need a repair.
“In this year, 2020, 90 percent of new cars have this wireless communication system, meaning that they’re generating real-time wireless diagnostic and repair information,” said Tommy Hickey, director of the Massachusetts Right to Repair Coalition. “And it’s carved out of the law, giving [manufacturers] a monopoly on this wireless information.”
The reason for the exemption of this wireless data from the law, Hickey said, is that it wasn’t possible in 2013 to predict how technology would develop.
“I get the question all the time, ‘Why did you guys allow the 2013 law to not have this?’” Hickey said. “It would be like someone in 2005 saying you can’t have an iPhone in 15 years, when you didn’t even know what an iPhone was.”
The solution voters approved with Question 1 requires manufacturers to equip vehicles that have telematics systems with a standardized open data platform, beginning with model year 2022, so that owners can access their mechanical data through a mobile app and then share that information with independent repair shops. The intention is to put independent shops and manufacturers back on the level playing field that the 2013 law established.
But the voices who led the opposing campaign, primarily funded by leading automakers like General Motors and Ford Motor Company, said the initiative is not only unnecessary — independent repair shops can already access all necessary information, they said — but also dangerous.
“Question 1 has nothing to do with repair. It is a data grab that is funded by national auto parts chains from around the country like AutoZone, O’Reilly and [the National Automotive Parts Association],” said Conor Yunits, spokesperson for the Coalition for Safe and Secure Data. “No matter what happens with Question 1, [the 2013] law is not going to change. And people’s right to get their cars fixed where they want and mechanics’ ability to get that information will not change.”
What will change, Yunits said, is the security of the data collected through telematics systems — most notably, drivers’ real-time GPS location data.
The measure will only allocate expanded access by vehicle owners to mechanical information, which is defined as any data “used for or otherwise related to the diagnosis, repair or maintenance of the vehicle.” However, opponents argued that it’s too rushed and too vague to protect this and any other vehicle data from cyber attacks by bad actors. “No on 1” ads conjured images of vulnerable drivers falling victim to software-hacking predators.
“Even if you were to argue that an open data platform makes sense, it would take several years in any considerable amount of effort to ensure that that platform is case hardened to the risks of cybersecurity,” said Bryan Reimer, a research scientist at the MIT Center for Transportation and Logistics. “This ballot initiative is a vaguely written invitation for both cyberterrorism risks as well as other misuses of data.”
In an article he wrote for Forbes, Reimer posed a scenario as grim as a “9/11 type event” in which an intentionally delivered virus would cause brake failure of thousands of vehicles on the highway all at once.
But cybersecurity expert Bruce Schneier said these arguments are intentionally misleading and that opponents’ only goal is to maintain the manufacturer monopoly, similar to the fear-mongering tactics that computer manufacturers employed in the 1990s to avoid improving security. The central question of “right to repair,” Schneier said, is simple: Who should have access to your vehicle’s data — you or the manufacturer?
“The effect [of passing Question 1] is that you will be in charge of your data, and you can go to repair shops that you want,” Schneier said. “That is what this is about. This is not about security.”
In fact, Schneier said this measure will actually benefit security. The cyberterrorism threats are real, he said, but they already exist now, and a standardized open data platform would diminish their likelihood — not the other way around.
“There’s this weird industry story that it’s bad for security, which is the opposite of what’s true. It’s good for security,” Schneier said. “The way your phones and your computers get more secure is that people do research, find vulnerabilities, and they get fixed. The auto manufacturers actually want to hide your data so they don’t have to make it better.”