Federal Regulator Throws Wrench Into Massachusetts Right-to-Repair Plans

A right-to-repair motor vehicle law in Massachusetts that was passed by voters two years ago but been held up in court has hit what could be a major roadblock.

A federal regulator says car manufacturers cannot obey the law, which grants car and light truck owners and their designated service firms access to the telematics data collected in vehicles.

The National Highway Traffic Safety Administration (NHTSA) in a June 13 letter advised motor vehicle manufacturers that the new state law conflicts with federal safety laws by creating cybersecurity risks. NHTSA told the manufacturers it expects them to “fully comply with their federal safety obligations” over the state law.

The NHTSA position is a boost for auto manufacturers that have been in court trying to block enforcement of the new law since voters approved it overwhelmingly on a ballot measure in 2020.

But the NHTSA opinion appears to put it at odds with voters, elected officials, consumer groups, independent auto service and parts businesses, and even the Biden Administration’s own policies aimed at promoting competition.

Massachusetts Attorney General Andrea Joy Campbell decided in March that she would soon begin enforcing the law despite the ongoing litigation, prompting manufacturers to ask the court for a restraining order against enforcement. On May 30, the federal court denied the restraining order request. Campbell began enforcing the law on June 1.

The new law — referred to as the Data Law — requires auto manufacturers selling cars in Massachusetts to equip them with a standardized open data platform so that vehicle owners can access their telematics system data through a mobile device and give consent for independent repair facilities to access that data and to send commands to the system for repair, maintenance and diagnostic testing.

The new law builds on an existing state right-to-repair law requiring manufacturers to provide independent shops with the non-proprietary diagnostics information and instructions needed to repair cars.

NHTSA’s Concerns

NHTSA is concerned that if it is enforced, the Data Law would prohibit manufacturers from complying with federal guidance and cybersecurity best practices, putting the public at risk by compromising the integrity of critical vehicle functions. According to the federal regulator, the state law’s open remote access to vehicle telematics including the ability to send commands “would allow for manipulation of systems on a vehicle,” including safety-critical functions such as steering, acceleration, braking, air bags and electronic stability control.

NHTSA said it is also concerned that some manufacturers intend to disable vehicle telematics, presumably to avoid the application of the law, which the agency said “has its own adverse impacts on safety.” Telematics-based safety features aid in emergency response in the event of a vehicle crash and manufacturers and NHTSA itself use telematics data in safety oversight and investigations. In addition, some vehicle manufacturers have the ability to fix safety problems through vehicle telematics, which will be lost if those systems are disabled, NHTSA points out.

The coalition of car and light truck manufacturers, the Alliance for Automotive Innovation, which sued to block enforcement of the law, agrees with NHTSA that the law represents a security risk and is pre-empted by federal law. “Far from protecting consumers, the law puts consumer safety at risk by allowing third parties to access, and modify, that data on auto manufacturers’ systems without the manufacturers’ authorization,” their complaint argues.

The opponents of the law also contend it represents an unconstitutional “data grab” of their intellectual property by aftermarket parts and service firms that are interested in it for marketing to consumers. The law “sweeps broadly to allow third-party access to nearly all data generated by vehicles,” which the alliance argues will have negative consequences for consumer privacy, public safety, and manufacturers’ property rights.

The manufacturers further contend that the new data law is not necessary because existing law gives owners and all repair shops, including independents, access to the vehicle diagnostics necessary to make repairs.

Senators React

NHTSA has drawn criticism from the state’s two Democratic U.S. senators, Ed Markey and Elizabeth Warren, who sent a joint letter to Secretary of Transportation Pete Buttigieg and the NHTSA, calling on NHTSA to reverse course.

“NHTSA’s decision to give auto manufacturers a green light to ignore state law appears to favor Big Auto, undermine the will of Massachusetts voters and the Biden Administration’s competition policy, and raise questions about both the decision process and the substance of the decision by NHTSA’s leadership. We are asking NHTSA to explain its rationale for its harmful actions and respect Massachusetts state law by reversing course,” wrote the senators.

Warren and Markey also note that NHTSA’s position appears to be inconsistent with an executive order by President Joe Biden stating that it is the policy of the Administration to combat the “harmful effects of monopoly and monopsony . . . (in) repair markets” and encouraging the Federal Trade Commission to draft new regulations limiting “manufacturers from restricting people’s ability to use independent repair shops or do DIY repairs.”

“It is disappointing that NHTSA’s letter relies on the argument pushed by major automobile manufacturers that there is, in this case, an irresolvable conflict between maintaining data security and providing independent repair shops with the data they need to conduct repairs. Auto manufacturers have routinely raised safety concerns as a way to ‘change the subject’ and distract consumers from the fact that vehicle repair and maintenance services from independent repair shops keeps the cost of service and repair down,” continued the senators.

NHTSA said that while it is important for consumers to continue to have the ability to choose where to have their vehicles serviced, consumers must be afforded “choice in a manner that does not pose an unreasonable risk to motor vehicle safety.”

“A malicious actor here or abroad could utilize such open access to remotely command vehicles to operate dangerously, including attacking multiple vehicles concurrently. Vehicle crashes, injuries, or deaths are foreseeable outcomes of such a situation,” NHTSA warned.

Proponents of Law

In an amicus brief, consumer, repair and open source advocates including U.S.PIRG Education Fund, the Electronic Frontier Foundation (EFF) and Harvard Professor Jonathan Askin have pushed back on the cybersecurity risk claims by NHTSA and the manufacturers.

They state their belief that protection of consumers’ expectations of repair rights gives rise to a range of other benefits, chief among being greater competition. They also believe repair rights strengthen small businesses, as independent repair shops are often small firms.

“Insofar as product manufacturers seek to subvert that expectation by monopolizing aftermarket repair industries, states may legitimately act to protect consumers from such anticompetitive behavior,” the brief argues.

The proponents maintain that the law is not incompatible with regulatory obligations related to cybersecurity and product safety. On the contrary, the Data Law “complements, rather than conflicts,” with federal laws to the benefit of car owners, repair shops, and the public interest, they argue.

“In fact, federal regulations regularly accommodate cybersecurity, data safety, and consumer access, in fields such as electronic health records, credit reports, and telephone call logs. These examples show that cybersecurity can coexist with data access, contrary to plaintiff’s theory of the case that compliance with both is impossible,” the brief notes.

According to these supporters of the law, the argument for federal preemption rests on a “flawed cybersecurity theory” that assumes that restricting access to telematics data is necessary to prevent malicious intrusions into cars and to comply with safety regulations. But, they argue, cybersecurity experts regularly disfavor “security through obscurity”—systems that rely primarily on secrecy to prevent illicit access —because of the risks of data breaches.

“Rather than making sensitive software more secure by protecting it from unwanted attention, security through obscurity allows flaws and insecurity in technology to flourish by decreasing the likelihood that they will be identified and repaired,” while “increasing the likelihood that flaws can and will be exploited by evil-doers,” the brief continues.

They further contend that automobile manufacturers and dealers are not all that skilled at securing data, having suffered their fair share of data breaches. They cite a Federal Trade Commission report that said there is no empirical evidence to suggest that independent repair shops are more or less likely than authorized repair shops to compromise or misuse customer data.

“What automakers are likely to do, absent legal requirements like those in the Right to Repair Act, is to further constrain the market for automotive service and repair,” the proponents conclude.

Proponents of the law have been discouraged by the court delays. The Massachusetts Right to Repair Coalition, representing independent repair shops, has called for a “prompt decision” in the case and accused automakers of using “delay tactics in order to avoid and prevent the implementation of right to repair laws.”

“The current situation is not serving consumers,” The Boston Globe wrote in a June 20 editorial. The newspaper offered its solution to breaking the impasse: “The best way forward would be if the Legislature can find a way to rewrite the law to address cybersecurity fears while keeping the basic policy intact.”

State Senator Michael Moore, who co-chairs the Joint Committee on Advanced Information Technology, the Internet, and Cybersecurity, said lawmakers only recently learned about the NHTSA opinion that the state law conflicts with federal law. He told the Boston Globe that lawmakers are consulting House and Senate counsel and considering ways to amend the law.

“We will explore all available options to make sure Bay Staters get the results they voted for,” Moore stated.