海角大神

Modern field guide to security and privacy

Influencers: Revise copyright law so researchers can tinker with car software

A majority of Passcode Influencers said the US should revise copyright laws so that people can legally tinker with automotive software in light of the Volkswagen scandal.

Illustration by Jake Turcotte

In light of the Volkswagen scandal, the US should revise copyright laws so that people can legally tinker with automotive software, a majority of Passcode Influencers said.

Volkswagen that it intentionally cheated US environmental tests on its diesel vehicles using on-board software. A group of researchers who test automakers’ environmental claims for diesel vehicles initially discovered the company’s cheating through field tests. Yet auditing the car’s software to expose the deliberately faulty software would have been against US law, which prohibits researchers from circumventing copyright protections to tinker with cars – even cars they own.

The Volkswagen incident and other recently uncovered by researchers, 64 percent of Passcode Influencers said in a survey, highlight a need to change laws such as the Digital Millennium Copyright Act so researchers can legally conduct much-needed research to find and fix connected vehicle vulnerabilities.

“Copyright law in the US is in dire need of reform,” said Yan Zhu, security researcher at Yahoo. “The Volkswagen scandal is just another example of how the costs outweigh the benefits. Section 1201 of the DMCA is overly broad and has a history of stifling legitimate security research. If tampering with [digital rights management] systems wasn’t a felony, independent researchers would be more likely to discover manufacturer fraud.”

Passcode’s Influencers Poll is of more than 120 experts in digital security and privacy, from across government and the private sector. To preserve the candor of their responses, Influencers have the option to comment on the record or anonymously.

If researchers are stymied by copyright laws, said Cindy Cohn, executive director of digital rights nonprofit the Electronic Frontier Foundation, people’s safety could be at risk.

“People should be able to tinker, but more importantly, people should be able to see the code, test it themselves or with help from others, and in general understand how the code works,” she said. “This requires changes to the Computer Fraud and Abuse Act, the Digital Millennium Copyright Act, and reasonable public interest limits on trade secrecy and contractual limitations. This time it was emissions; next time our lives could be on the line. Black box code is dangerous.”

Even the Federal Trade Commission’s chief technologist, Ashkan Soltani, agreed changes should be made. “The ability to investigate and interrogate the software embedded in Internet of Things devices, including cars,” he said, “is critical for ensuring that the algorithms individuals interact with on a daily basis is secure and operates fairly.”

As technology is increasingly embedded in daily life, people’s safety relies on the security of the software that runs it – and the researchers who can expose weaknesses, some experts said.

“Security researchers protect public safety by discovering and reporting ways to bypass security controls so the technology can be made safer sooner,” said HackerOne’s chief policy officer Katie Moussouris. “It falls to us to ensure that the ability for security research and reverse engineering of technology in cars and other critical components of The Internet of Everything become accepted as the norm in the overall fabric of defense.”

This issue also comes down to the definition of ownership, several Influencers said, and what rights people have to fiddle with machinery they buy. “If I purchase something (a vehicle, a computer, etc), I own it,” said Charlie Miller, currently at Uber’s Advanced Technology Center – and also one of the two researchers who wirelessly hacked a Jeep Cherokee, exposing a security weakness that ultimately forced a recall of some 1.4 million vehicles. “I should be able to look at how it works and I should be able to tinker with it to make it better or different.”

However, some Influencers who support changes to the laws also insisted that the right to tinker should not be universal. Cofounder of security company Sqrrl, Ely Kahn, said it should be restricted to researchers. “Opening up ‘tinkering’ generally may result in people bypassing environmental laws, as EPA has mentioned (among various other issues).”

Still, a 36 percent minority of Influencers said copyright law should not be changed for the sake of research for similar reasons. “No question that copyright laws around software are dysfunctional and need fixing for lots of reasons,” said Steve Weber, professor at the School of Information at the University of California, Berkeley. “But not so that people can ‘tinker’ with the software that runs their cars. Do you want to be driving 65 miles an hour behind a ‘hobbyist’ who has done that?”

Others, such as Chris Finan, chief executive of Manifold Security, said changing the law isn’t the best starting place. “A better approach would be to incentivize open sourcing of software components with vehicle safety implications.”


Comments:

YES:

“Third-party vulnerability assessment should not simply be permitted, it should be encouraged.” – Influencer

“A great deal of innovation, improvement, and after-market services can come from the freedom to tinker. With that said, it likely makes sense to be stricter about tinkering with health and safety features, such as emissions controls.” – Peter Swire, Georgia Tech

“Regardless of the Volkswagen emissions scandal the “anti-circumvention” provisions of the Digital Millennium Copyright Act (DMCA) absolutely need to be rescinded. There are numerous problems codified in Section 1201 of the DMCA. The law is supposed to be about copyright infringement but it is woefully ineffective for this purpose. The DMCA is mostly used to block aftermarket competition and consumer choice. Due to those abuses Section 1201 should be eliminated entirely or at the very least the language should be reformed so that it is limited to actual copyright infringement. The DMCA was designed to stop piracy of digital media by preventing the defeat of anti-piracy measures. Instead corporations have been abusing Section 1201 to hide their misdeeds, mistakes, and outright fraud. The issue is much larger than just Volkswagen emissions.” – Space Rogue, Tenable Security

“‘Tinker’ is not the right word. We do want security researchers to have the ability to read, analyze, and test automotive software to root out bugs and vulnerabilities. However, opening up the software to ‘tinkering’ implies that end-users should be able to make unauthorized modifications. I’m not sure that is a desirable outcome in a product that is so closely regulated for safety purposes.” – Influencer

“The software that runs hardware we purchase should be included in the sale. Clearly, as we enter an era of increasing hybridization between bits and atoms, it’s crucial that we own both facets of the devices we bring into our lives, homes, and bodies.” – Sascha Meinrath, X-Lab

“I will say ‘yes’ with zero interest in any way in the Volkswagen matter which, I very much suspect, will be subsequently shown to not be as the press is now presenting it. I am a fan of an ownership society, not a rental society, whether in regard to one’s bedroom or one’s software. GM & John Deere are far better topics of discussion than Volkswagen – I can buy a $250K tractor from the latter but not without a software license agreement. Even if you don’t mind renting that which you depend on, when the rental agreement requires auto-update you are now permanently at the mercy of whether said auto-update mechanism is used competently and solely in your interest, which is laughably unlikely.” – Dan Geer, In-Q-Tel

“This issue is not about tinkering, this is about the ability for citizens to be able to inspect the software for products they legally own. They may do this to identify critical cybersecurity issues, to change the functionality of their property (within legal limits), or simply to make a repair.” – Kevin Mahaffey, Lookout

“This is obviously a religious issue that really comes down to the very concept of ownership. My feeling is that when you purchase something it is yours to do what you will with it. The only thing you should not be able to do is re-distribute it without authorization from the original manufacturer. Copyright holders necessarily will void warrantees but they shouldn’t limit people’s rights to modify things that they have purchased.” – Robert Hansen, WhiteHat Labs

“Like anything, it’s about getting the balance right. Allowing researchers to see the code could have uncovered VW’s alleged fraud, but automobiles are unlike other consumer goods because they are so tied to public health and safety. Tinkering with software could have effects on a vehicle’s safety that impacts others on the road. The car industry and the software research community have to be very careful and deliberate in how they approach this issue.” – Influencer

“It probably already is legal. There are exemptions to the DMCA for security research as well as other legitimate uses. Copyright is not a cover for law-breaking. However, both the copyright law as well as the EPA and FTC rules should *encourage* people to vet manufacturers.” – Jon Callas, Silent Circle

“‘Tinker’ is a tricky word -- automobiles are kinetic creatures, and no one wants to have even well-intentioned hackers applying patches that would lead to safety issues. But there’s not much security through obscurity, and it’s important and helpful for technically-inclined people to be able to review and understand the code on which their cars run, just as they’re entitled to try to take apart the physical pieces. In the longer term, we can devise ways to allow tinkerers to modify the code on their automobiles while being accountable should something go terribly awry.” – Jonathan Zittrain, Harvard Law School

“Copyright law - Sec. 1201 of DMCA - prohibits circumventing technological measures protecting copyrighted works, like software. This prohibition was originally intended to head off copyright violations. But there are many beneficial reasons to unlock software that are unrelated to copyright infringement – such as repairing a car, customizing a hearing aid, switching cell phone carriers, and more. Section 1201 inhibits these otherwise lawful uses of copyrighted works by prohibiting access to them. Sec. 1201 is much broader than preventing copyright violation and is instead used as a blunt means of controlling information. For example, the EPA issued a letter opposing an exemption to Sec. 1201’s prohibition for vehicle software because, the EPA argued, it would allow people to modify car software to bypass pollution controls - yet modifying vehicle software in this way is already illegal under the Clean Air Act. The law should focus on actual crimes, such as software piracy or creating pollution, rather than levying penalties on otherwise lawful and potentially beneficial uses of software and other copyrighted works. Rep. Zoe Lofgren’s Unlocking Technology Act is one of few bills in Congress that takes this problem head on.” – Harley Geiger, Center for Democracy and Technology

“Liability for circumventing technological prevention measures should focus on deterring copyright infringement rather than deterring modification or research of devices when that modification or research does not implicate copyright interests and may in fact benefit device owners, the research community, and the public.” – Nuala O’Connor, Center for Democracy and Technology

“Wording of question maybe suggests a particular answer...There’s value in exploring a more open-sourced approach to parts of coding process for cars (and perhaps Internet of Things more generally) in order to balance public safety and necessary incentives for innovation in code for cars (in this case). Some of that may require a review of IP protections that tip too far in one direction.” – Michael Samway, Georgetown University

“Creative mechanically inclined have tinkered with automobiles since their inception, in a constant cat and mouse game of tweaks and changes vs. manufacturer warranty coverage. As we move into an era of electric vehicles that are more computer than car, those creative and curious types won’t just give up. An entire new ecosystem of enhancing and modifying the software of cars will emerge. Performance features, security and privacy, and patches tweaks as well as malcode with affective automotive software. Should it be illegal to modify the firmware on your car? Of course not. If you “brick it”, should the automaker be on the hook to fix it for free? No.” – Chris Rouland, Bastille Networks

“It is important to protect the rights of software developers and product vendors. It is also important to allow people to use the products they purchase as they see fit. Few consumer products are as subject to post-purchase modification as motor vehicles. There is an entire trade association for manufacturers of after-market enhancements, additions and modifications of motor vehicles. We are increasingly seeing unintended consequences from intellectual property legislation on other fields, including cybersecurity. Some prohibitions on reverse engineering that were intended to deter piracy now deter security research. Some companies have attempted to use proprietary technology and copyright law to “lock-in” mechanics or customers to manufacturer-preferred maintenance products & services. Neither of these cases may have all of the interests of the customer at heart when considered as a whole. The “first sale doctrine (17 U.S.C. § 109) provides that an individual who knowingly purchases a copy of a copyrighted work receives certain rights, including the right to sell, display, or otherwise dispose of that particular copy, notwithstanding the interests of the copyright owner. We would do well to look carefully at the degree to which this doctrine has been eroded in practice in recent years.” – Bob Stratton, MACH37

NO:

“There are plenty of ways for researchers to look at auto software today. The National Highway Traffic Safety Administration should require testing of all automotive software. Letting car owners legally hack their car software is *not* going to improve safety or prevent future car manufacturer cheating.” – John Pescatore, SANS Institute

“No question that copyright laws around software are dysfunctional and need fixing for lots of reasons... but not so that people can ‘tinker’ with the software that runs their cars. Do you want to be driving 65 miles an hour behind a ‘hobbyist’ who has done that?” – Steve Weber, UC Berkeley

“A better approach would be to incentivize open sourcing of software components with vehicle safety implications.” – Chris Finan, Manifold Security

“Copyright law is in need of review and modernization - a need that goes beyond any single incident. But I get nervous about making significant changes in law in a reactionary manner.” – Jeff Greene, Symantec
