Fred Upton’s Bid at Protecting Automotive Security Negligence [Updated]

I’ve written about Ed Markey’s SPY Act, one of several efforts to respond to network insecurity in cars. Fred Upton, who represents Kalamazoo, MI, is pushing an alternative version as part of larger reform to the National Highway Traffic Safety Administration. It appears to be an attempt to forestall regulation from other directions. Update: Here’s a draft of the bill.

Take, for example, its call for a privacy policy. Whereas Markey’s bill requires manufacturers to provide a dashboard informing customers about their privacy policy (after all, all cars have an EPA report), Upton’s only requires it to be posted … somewhere.

More importantly, though, the bill establishes a $1 million cap on damages for manufacturers who refuse to have or violate their policy, and it pre-empts FTC action on unfair trade practices (of the sort that just got Wyndham Hotels in trouble).

This section provides that if a manufacturer does not file a privacy policy or violates any of the terms in its policy, the manufacturer is liable to the U.S. Government for a civil penalty of $5,000 per day, with a maximum penalty for a series of violations of $1,000,000. This section also provides that a manufacturer that submits a privacy policy identifying that it meets all seven of the privacy elements described in this section is not subject to civil penalties. It establishes a safe harbor from Section 5 of the Federal Trade Commission Act with respect to any unfair or deceptive act or practice relating to privacy for any manufacturer whose privacy policy and practices meet all seven of the privacy elements described in this section.

Car companies are going to opt to pay that $1M instead of telling their customers how they’re using their driving data.

The cybersecurity requirement likewise serves more to protect companies than to impose sound security on them. Whereas Markey’s bill would require certain things from a cybersecurity policy, Upton’s would let the industry to establish a standard, than permit manufacturers to submit their plans that would fulfill “some or all” standards. Once they submitted those plans they would disappear — they couldn’t be FOIAed, and couldn’t be sued by FTC if they violated those terms.

This section exempts vehicle security and integrity plans submitted by manufacturers from Freedom of Information Act requests.

This section provides that a manufacturer that violates its vehicle security and integrity plan is subject to civil penalties. A manufacturer is not subject to those civil penalties (but doesn’t get the liability protections) if it submits a vehicle security and integrity plan that is approved by the Administrator and implements and maintains the best practices identified in their plan. This section provides that the best practices issued by the Council may not provide a basis for or evidence of liability against a manufacturer whose cybersecurity practices are alleged to be inconsistent with the best practices if the manufacturer has not filed a vehicle security and integrity plan and if the plan does not include the cybersecurity practice at issue.

This section also establishes a safe harbor from Section 5 of the Federal Trade Commission Act with respect to the best practices identified and implemented and maintained in the vehicle security and integrity plan submitted by a manufacturer.

In other words, these plans don’t have to be sound if they can get NHTSA’s buy off on them (remember, NHTSA by it own admission doesn’t have software expertise, which was why Toyota got away with its acceleration problem for so long), and once they were in place if the company mostly fulfilled them they would be largely immune from regulation.

Which is why I believe this section does what I’m afraid it does: make it harder for independent researchers to review carmakers code.

This section establishes that it is unlawful for any person to access, without authorization, electronic control units or critical safety systems in a vehicle, or other systems containing driving data either wirelessly or through a wired connection. It establishes a civil penalty of $100,000 for a person who violates this section.

The actual language of the bill does not include a researcher’s exception.

(1) PROHIBITION.—It shall be unlawful for any person to access, without authorization, an electronic control unit or critical system of a motor vehicle, or other system containing driving data for such motor vehicle, either wirelessly or through a wired connection.

It also imposes a penalty for each thing hacked (so doing research would get really expensive quickly).

Update: NHTSA is no more impressed than I am.

The Committee’s discussion draft includes an important focus on cybersecurity, privacy and technology innovations, but the current proposals may have the opposite of their intended effect. By providing regulated entities majority representation on committees to establish appropriate practices and standards, then enshrining those practices as de facto regulations, the proposals could seriously undermine NHTSA’s efforts to ensure safety. Ultimately, the public expects NHTSA, not industry, to set safety standards.

Nor do the privacy people at FTC, which reads the privacy provisions to be even worse than I did.

Under this proposal, manufacturers can satisfy the requirements of this section without providing any substantive protections for consumer data. For example, a manufacturer’s policy could qualify for a safe harbor even if it states that the manufacturer collects numerous types of personal information, sells the information to third parties, and offers no choices to opt out of such collection or sale. Moreover, because the safe harbor exempts a manufacturer from FTC oversight, and Section 32402(d)(2) provides a separate exemption from civil penalties, a manufacturer that submits a privacy policy that meets the requirements of Section 32402(b) but does not follow it would not be subject to any enforcement mechanism.

Like me, it reads the hacking provision to prohibit research, thus leading to less cybersecurity.

By prohibiting such access even for research purposes, this provision would likely disincentivize such research, to the detriment of consumers’ privacy, security, and safety.

And it has the same concerns I do about providing immunity for crappy cybersecurity practices.

Finally, the proposed safe harbor is so broad that it would immunize manufacturers from liability even as to deceptive statements made by manufacturers relating to the best practices that they implement and maintain. For example, false claims on a manufacturer’s website about its use of firewalls, encryption, or other specific security features would not be actionable if these subjects were also covered by the best practices.

In sum, the Commission understands the desire to provide businesses with certainty and incentives, in the form of safe harbors, to implement best practices. However, the security provisions of the discussion draft would allow manufacturers to receive substantial liability protections in exchange for potentially weak best practices instituted by a Council that they control. The proposed legislation, as drafted, could substantially weaken the security and privacy protections that consumers have today.

image_print
16 replies
  1. scribe says:

    Well, you just explained why VW stock went up 15% in one day a couple Fridays ago. I thought the fix was in, and now I’m sure.

  2. P J Evans says:

    NHTSA needs to get people who can deal with software – vehicles aren’t going to go back to not having computers, at least not in the foreseeable future.

    I wonder who bought Upton.

  3. orionATL says:

    this kind of legislation, no doubt modeled after the cisa acountability heist sponsored by senator feinstein and the senate’s ssci, shows what happens when

    – legislators can be bought by any monied special interest (auto manufacturers)

    – there is no sense of obligation among many public officials to act in the public interest, in this case by protecting the government’s ability to investigate corporate conduct and impose proper penalities if appropriate.

    this section:

    […(1) PROHIBITION.—It shall be unlawful for any person to access, without authorization, an electronic control unit or critical system of a motor vehicle, or other system containing driving data for such motor vehicle, either wirelessly or through a wired connection.…]

    may fairly be called pork-barrel legislation given its antecedents in rightwing controlled state legislatures where journalist or citizen’s groups investigating how meat is grown and processed are now forbidden from investigating pig farm-factory conditions under penalty of law.

    in general, what we are seeing now is the increasing acceleration of the complete collapse of public interest legislation and governing, e.g., much earlier, the gramm-blyley act (bancorps) and (medical insurance corps) the affordable care act (valuable as it is).

    the u.s. now is governed by government (fbi, nsa, doj) special interest groups and by corporate special interest groups (chamber of commerce, bankers, kochsuckers, auto industry).

    this trend clearly will continue accelerating from those happy, happy usafreedom days forward.

  4. Rob McMillin says:

    remember, NHTSA by it own admission doesn’t have software expertise, which was why Toyota got away with its acceleration problem for so long

    Um, you got a cite for that? Because it seemed to me that there were multiple issues with the Toyota acceleration problems:

    1) Real software issues (in the case of Koua Fong Lee, this seems most likely), either known or unknown.

    2) User failure to RTFM, as with Steve Wozniak’s well-publicized issues.

    3) Outright fraud, as in the case of James Sikes.

    The costs of recall are staggering, $220 million per life saved (especially given the over-60 demographic that seems overwhelmingly afflicted by this problem, hmm), so I wonder if some alternate, coherent theory of this problem has materialized since last I looked at this in 2011.

      • SteveInNC says:

        Wow, that is one damning article. I think I’ll have my wife read it before she buys a new car.

        Also, UA is another good argument in favor of manual transmissions. Maybe your engine blows up, but with the engine disengaged from the drivetrain, at least the car stops and you can get out alive.

    • orionATL says:

      ” I wonder if some alternate, coherent theory of this problem has materialized since last I looked at this in 2011.”

      you are assuming:

      – an alternate coherent theory is needed

      – that you have the intellectual capacity and open-mindedness to recognize one were it available.

      as for blaming the driver, that could be true, but true or not is the most easy dodge for an auto manufacturer or supplier to make – hey, there couldn’tbe anything wrong with the workings of the very complicated machine we manufacture and sell.

      i’d bet you’re the kind of rightwing ideologue who thinks this is funny, too:

      https://en.m.wikipedia.org/wiki/Liebeck_v._McDonald%27s_Restaurants

    • orionATL says:

      of course, i should have guessed when you cited reason.com:

      https://reason.com/archives/2010/05/14/the-wrong-kind-of-toyotathon.

      you’re from the reason institute. ha,ha,ha,ha,ha – the home for rightwing idealogues who like to stencil “analytical thinker” on each other’s foreheads.

      you’re one of the kochsuckers:

      http://www.sourcewatch.org/index.php?title=Reason_Foundation

      “The Reason Foundation is funded, in part, by what are known as the “Koch Family Foundations,”[3] and David Koch serves as a Reason trustee. [4]

      what is most important for folks to know about the reason foundation is that it is allied with alec and functions to provide advisory committes hidden from public view who advise the nation’s many rightwing governors on matterslike transportation and

      • orionATL says:

        (continuing from botyom of #8)

        … who advise the nation’s many rightwing governors on matters like transportation and education.

        from sourcewatch:

        [… Koch Wiki
        The Koch brothers — David and Charles — are the right-wing billionaire co-owners of Koch Industries. As two of the richest people in the world, they are key funders of the right-wing infrastructure, including the American Legislative Exchange Council (ALEC) and the State Policy Network (SPN). In SourceWatch, key articles on the Kochs include: Koch Brothers, Koch Industries, Americans for Prosperity, American Encore, and Freedom Partners.…]

        the reason foundation is all about FREE MINDS AND FREE MARKETS .

        it publishes reason magazine and reason.com.

        misswiki provides some intellectual history for this ernest propaganda machine:

        https://en.m.wikipedia.org/wiki/Reason_(magazine)

        [… History

        Reason was founded in 1968 by Lanny Friedlander (1947–2011)[2][5] as a more-or-less monthly mimeographed publication. In 1970 it was purchased by Robert W. Poole, Jr., Manuel S. Klausner, and Tibor R. Machan, who set it on a more regular publishing schedule.[5] As the monthly print magazine of “free minds and free markets”, it covers politics, culture, and ideas with a mix of news, analysis, commentary, and reviews.

        During the 1970s, the magazine’s contributors included Milton Friedman, Friedrich Hayek, Thomas Szasz and Thomas Sowell.[6]

        In 1978, Poole, Klausner, and Machan created the associated Reason Foundation, in order to expand the magazine’s ideas into policy research.[5] …]

        i don’t know exactly why, but to me the reason foundation has always carried the odor of scientology cultism.

        • orionATL says:

          ah, yes. the old rightwing ad hominem dodge. it’s a standard dodge of their intellectual genesis.

          in my view any time a rightwinger engages in a political debate on line their intellectual genesis should be identified. so doing cuts thru a lot of intellectual bullshit.

          the obvious flaw in your reasoning is that dividing total dollars by cases yields a number that is great for propaganda, but not at all effective in evaluating the public policy implications.

          so, let me repeat, the reason foundation is one of the kochsuckers groups. its covert political activity thru “advisory committee” to governors frequently causes substanstial misalignment of public law and public needs and well-being- all in a rightwing direction, curiously enough.

        • orionATL says:

          let me provide you with a little info about “ad hominem”. it is not an incantation you can use to be dismissive of an arguer or her argument, as your usage suggests you believe,

          dismissive like this bit of intellectual arrogance:

          “given the over-60 demographic that seems overwhelmingly afflicted by this problem, hmm), so I wonder if some alternate, coherent theory of this problem has materialized since last I looked at this…”

          reason.

          pure reason.

          sweet reason.

          like i said, smells like scientology somehow :)

  5. orionATL says:

    rarely have i moved a response down (though some would agree “way, deep down” would be better) but:

    [ orionATL … on October 20, 2015 at 9:25 pm

    so what will cisa be once enacted…

    question: where is the legislation to study, to discuss communally, and to recommend reasonable preventive measures, which is the traditional american approach to final federal legislation?

    at this moment in our history, all the legislation is top-down, hurry-up-the-house-is-burning legislation.
    foolish, and highly likely to be ineffective.

    but what the hell, it takes political pressure, e.g., chamber of commerce dollars-donar pressure, and media pressure off of congressgoober…]

Comments are closed.