Last month, the National Highway and Traffic Safety Administration (NHTSA) issued new guidance on the Massachusetts Data Access Law right-to-repair legislation. A letter issued by Kerry Kolodziej, assistant chief counsel for litigation and enforcement at NHTSA, said that automakers can comply with the Data Access Law if they are willing to allow shops access using Bluetooth or other “geographically limited” wireless standards.
That sounds like a win for right to repair, but is it? The letter to the Assistant Attorney General of Massachusetts is not law. It is just an opinion on future regulatory actions. Initially, NHTSA said automakers should ignore the Massachusetts Data Access Law because it conflicted with Federal safety standards.
NHTSA did not completely reverse its original statement in telling OEMs to abide by the new Massachusetts law. NHTSA said automakers should allow access through a secure wireless connection for independent repair facilities, DIYers and consumers.
From the letter:
“…one way that vehicle manufacturers can comply with the Data Access Law is by providing independent repair facilities wireless access to a vehicle from within close physical proximity to the vehicle, without providing long-range remote access.”
“Based on our discussions to date, it appears that the Massachusetts Attorney General and NHTSA also share a common understanding that implementing this compliance option with the secure “open access platform,” as required in the Law, is not immediately available and that vehicle manufacturers may require a reasonable period of time to securely develop, test and implement this technology.”
806 words can’t cover how this physical proximity wireless access would work or the obligations of the OEM to make mechanical information available. People forget that the first discussions about OBDII started in 1988, and the first production vehicles took six years to be available to the public. It was not until the 1996 model year that OBDII was mandated for all light vehicles.
The NHTSA issues “technology-neutral” regulations. These standards do not mandate a technology, only a result of a standardized test. For example, the OEMs are given a stopping distance they must meet to sell cars in the U.S. They are not told the brakes must use disc brakes or hydraulics. If a vehicle with drum brakes and mechanical linkages can stop within the mandated distance, it passes the test.
What would a “technology neutral” standard look like for right-to-repair or the Data Access Law? It might be a series of tests to access critical special tests and bi-directional controls using various scan tools and online interfaces.
Enforcement of the access regulations might be problematic. While NHTSA can document motorist complaints, they do not have the capacity to capture calls from technicians to file a complaint about being locked out of a vehicle. Also, it would require more staff to execute a vehicle access complaint.
We already have the safest possible way to connect to a vehicle. This connection is hacker-proof and can only be accessed in person. It is called the OBDII port and has been around for almost 30 years. For a hacker to access the data in the vehicle, they would have to have access to the OBDII port on the vehicle.
Shops and technicians are not making vehicles less secure. It is the automakers adding telematic systems to the vehicle that makes them vulnerable to hacking, not when a technician is trying to diagnose a vehicle.
Lawyers, lawmakers and OEMs are obsessed with a terrorist attack using hacked vehicles. Several scenarios have been discussed, such as disabling many vehicles in an area of a high-value individual or a massive breach of customer data through a telematics exploit. While these theoretical events would impact the safety of the public, the economic implications are temporary and geographically limited. What would dwarf the economic impact of a vehicle terrorist attack is if consumers could not get their vehicles repaired.