This originally appeared on Patch by Conor Yunits.
Before you vote on Question 1, understand that the question is about data, not about repair.
Beyond the race for President and a number of local races for congress, state representative, county commissioner, etc., Massachusetts voters this year will vote on two ballot questions. The first of these, Question 1, pertains to vehicle telematics systems. If that seems like an strange issue for a ballot question, that’s because it is. Question 1 asks voters to parse dense technical language and try to identify the real goal behind the initiative. The Boston Globe editorial board this morning wrote that, “issues like this one are far too complex to deal with on a ballot,” and, the fact that this question was put to voters as opposed to lawmakers is a failure.”
As the spokesperson for the Coalition for Safe and Secure Data, the leading opponent to Question 1 (and full disclosure, a group funded by automakers), I have spent the past 18 months discussing this issue with voters, and it is clear that people remain confused about what this question is about and what it would do. That’s exactly what the national retail parts companies behind Question 1 are hoping for, and it’s exactly why you should vote NO on Question 1.
So, what is Question 1? Well, for starters, it is NOT Right to Repair. Right to Repair is already the law in Massachusetts. Passed by the legislature in 2012 and again in 2013, the Massachusetts Right to Repair law ensures that you can get your car fixed wherever you want. It requires that independent repair shops have access to all the information they need to diagnose and repair your car when you bring it into the shop of your choice. The Right to Repair law also specifically addresses vehicle telematics systems (Section 2 paragraph f) and ensures that independent repair shops have access to that information if it is needed to diagnose or repair a vehicle.
Question 1 goes far beyond the scope of any information needed to repair your vehicle. It would create an “open access data platform” that connects to every single car or truck in Massachusetts. Instead of repair shops only being able to access your car when it is in the shop, Question 1 would allow anyone to access your vehicle from a mobile app or computer, anytime, anywhere. There is absolutely no reason that repair shops would need this kind of access to fix your car. But granting this access to repair shops is not the real danger of Question 1.
The danger of Question 1 is that the question is intentionally broad would allow anyone with remote, real-time access to your vehicle to see where you are, follow where you are going, even potentially take control of your vehicle.
As New England Law professor Lawrence Friedman wrote yesterday in Commonwealth Magazine:
…it is true that the proposed law does not concern personal information only to the extent that you do not consider a record of every place you visited, and how quickly or slowly you got there, and what streaming media you consumed along the way, to contain personal information. If someone reviewing a vehicle’s telematics data is able to connect that data to the vehicle’s owner or driver, a good deal about the latter’s personal choices and preferences could be learned.
Proponents of Question 1 say that’s not true, but in today’s Boston Globe, reporter Hiawatha Bray outlines a scenario that highlights how Question 1 would work:
“But a fascinating video produced for automotive regulators in the European Union shows what’s really at stake.
A couple driving through the French countryside notices that a tire is going flat. Like many late-model vehicles, this car announces the bad news on a dashboard video screen. But we also see an icon that lets the passenger instantly phone a nearby repair shop, and then tap another to instantly relay the relevant information.
Miles away, the mechanic says, “Ah, I see you drive a Ford Mondeo equipped with Michelin tires, size 255 70R18. Yes, we’ve got them in stock. Come on by.” Or words to that effect.”
In this scenario, the mobile app absolutely has access to the car’s location. As we have been saying all along, the risk here isn’t that the local repair shop knows this information, but that the app does, because the app is what’s at most risk of being compromised.
The team over at Karamba Security wrote a white paper on the security issues with Question 1, which highlights how malicious actors could exploit this:
Opening OEMs’ telematics, wireless protocols and communication credentials will make it
possible for malicious actors to exploit the open protocols, take over vehicles’ telematics
and other units and, as outlined above, cause damage ranging from information theft to
Moreover, as the bill requires a standardized access across all vehicle makes and models,
any vulnerability that is identified by a hacker in one model, inherently puts all other cars at the similar safety risk. In other words, the suggested wordings significantly multiplies the potential victims of cyberattacks.
The creation of a single, standardized cloud-based data system that connects to and can monitor and control every vehicle in Massachusetts presents an enormous and enticing target, at the personal or even fleet-wide level. In July, the National Highway Traffic Safety Administration, the federal agency charged with keeping Americans safe on the roads, wrote that Question 1 “increases the risk of cybersecurity attacks” and “would raise substantial safety risks for American families.”
Question 1 was not written by local repair shops. It was written by the $200 billion aftermarket auto parts supply companies like $35 billion Missouri-based O’Reilly Automotive and $27 billion Tennessee-based Autozone. It has nothing to do with repairing your vehicle, but it has everything to do with expanding access to your data.
On November 3, vote no on Question 1. Repair shops don’t need it; you shouldn’t risk it.