A bill being debated on Capitol Hill would levy hefty penalties against people who break into a car's computer system. But in testimony today, the Federal Trade Commission warned that could actually leave consumers less safe.
"We support the goal of deterring criminals from accessing vehicle data. Security researchers have, however, uncovered security vulnerabilities in connected cars by accessing such systems," Maneesha Mithal, associate director of the FTC’s Division of Privacy and Identity Protection, told a House subcommittee considering the bill Wednesday. "By prohibiting such access even for research purposes, this provision would likely disincentivize such research, to the detriment of consumers’ privacy, security, and safety."
FTC Commissioner Terrell McSweeny made a similar argument in a column published by Wired today. "Moreover, tying the hands of white hat researchers will do nothing to prevent bad actors from finding the same vulnerabilities and exploiting them in potentially harmful ways," she said.
But other parts of the government appear less sure about the value of independent research.
In a letter sent to copyright regulators earlier this fall, the Department of Transportation said that publication of "good faith research" was an opportunity to promote collaboration between auto-makers and third party researchers. But the agency also said it is "concerned that there may be circumstances in which security researchers may not fully appreciate the potential safety ramifications of their security circumvention acts and may not fully understand the logistical and practical limitations associated with potential remedial actions that may become necessary."
Under the Digital Millennium Copyright Act, people are generally prevented from getting around "technological protection measures" to access copyrighted material -- a provision automakers have argued should limit researchers and everyday people's ability to review the software in their cars since it is typically protected via digital means.
Those restrictions, some digital advocates like the Electronic Frontier Foundation argue, have chilled research.
The U.S. Copyright Office is currently considering two proposed exemptions to the law: One for vehicle owners who want to be able to tinker with or repair them and another for security research.
General Motors, one of the world's largest auto makers, opposed the research exemption last year: "Even when such efforts are undertaken by well-intentioned researchers, wider distribution of such information provides third parties, both those with ill will and those with more benign interests, access to vehicles in a way that implicates safety and security concerns. Thus, if granted, the proposed exemption will likely result in significant safety and security challenges."
However, GM now says it's working on a formal process to work with third-party researchers who find digital flaws in its vehicles.
And the Transportation Department noted its fears might be allayed if disclosure was limited to regulators and affected parties or if they could ensure automakers had "adequate time for responsive actions" -- presumably, figuring out and distributing a fix.
In practice, that's what researchers who hack cars have done. For instance, when researchers Charlie Miller and Chris Valasek discovered major problems that could allow hackers to basically take over driving of Jeep Cherokees, they shared information about it with the car's manufacturer for nearly nine months while the automaker worked on a fix and didn't go public until that fix had been released.
But there have also been cases when automakers have tried to keep researchers quiet.
In 2013, a British court put a gag order on researchers who planned to publish research on problems with the tech some luxury carmakers used to unlock and start vehicles. Volkswagen, which brought the case against the researchers, didn't come to a settlement agreement that let the researchers publish their work until earlier this year.
While the researchers couldn't talk, London police said more than 40 percent of car and van thefts in the city last year were carried out without the owner's keys being present -- the vast majority apparently "the result of organised criminals using key-programming devices to create duplicate keys for vehicles."
That's the big problem: Even if researchers don't have the freedom to investigate or disclose them, cybersecurity flaws in cars will continue to exist — and malicious hackers might be the first ones to find them.