1

Stopping Virtual Carjackings: The Threat of Cyber Terrorism in

Automobiles and the Security and Privacy in Your Car Act (SPYCA)

By Tyler E. Cragg

Abstract

Automobiles, like other modern technologies are becoming increasingly integrated with the

internet. Although this integration provides increased functionality that is desirable to

consumers, it also increased the threats posed by automobiles. With increased connectivity,

hackers possess more avenues to access a car and can now remotely control the car. Despite the

possible consequences of automotive hackings manufacturers remained silent on the problem.

Senators Ed Markey (D-Mass) and Richard Blumenthal (D-Conn) proposed legislation, however,

that seeks to create security standards for internet connected automobiles. Entitled the Security

and Privacy in Your Car Act (SPYCA), this proposed legislation would require manufacturers to

include minimum security standards in their automobiles and test them for vulnerabilities.

SPYCA is not without its flaws, however, as it may conflict with the Digital Millennium

Copyright Act (DMCA), frustrating its purpose. To prevent this conflict, the final form of

SPYCA must require automotive manufacturers to provide their software to independent security

analysts for review before they can comply with the act.

Introduction

Recent changes to the automotive industry provide numerous new options when the

consumer purchases a car. No longer is the consumer limited to choices of which seating

material they desire, or which exterior trim package they would like to purchase. One major

option available to the automotive consumer relates to a vehicle’s so-called “infotainment”

systems. Infotainment systems provide a mix of information and entertainment to passengers

2

through services like Bluetooth connectivity, satellite radio, navigation systems, and streaming of

online content like Pandora Radio or even fully independent internet browsers. These

infotainment systems have progressed to such a point that they can independently access the

internet, rather than relying on a cell phone’s connection.1

Automakers, however, largely ignored the need for these protections to infotainment

systems, namely by failing to protect a consumer’s personal information and preventing hackers

from accessing a car’s driving controls. This is predominantly because automakers have denied

the existence of the problem. Until recently, Congress was also silent on the issue of consumer

protections for connected vehicles. This changed with the proposed Security and Privacy in Your

Car Act (SPYCA).2 Although well intentioned, SPYCA fails to provide adequate enforcement

mechanisms for its requirements, relying entirely on self-enforcement by automakers, who have

proven to be self-interested and dismissive of the threats to consumers.

This paper provides a framework for the government regulation of cybersecurity

practices by automotive manufacturers who must develop ECUs in automobiles that are not

vulnerable to hacking. Part I begins by describing the evolution of Internet connectivity in

automobiles and how this advancement has allowed for the external control of vehicles, thus

making them susceptible to hackers. Part II introduces and analyzes SPYCA, the first legislation

proposed to regulate the security practices of automotive manufacturers. In particular, it focuses

on SPYCA’s requirement that the security measures implemented by manufacturers be proven

through penetration testing. This requirement creates tension between SPYCA and the Digital

Millennium Copyright Act (DMCA) because independent security consultants are barred by

1 See Christopher Hill, Module 13: Connected Vehicles 4 (2013), available at https://www.pcb.its.dot.gov/eprimer/documents/module13.pdf (describing how connected cars started as an extension of cellular devices). 2 S. 1806, 114th Congress (2015) (as proposed to Senate, July 21, 2015).

3

DMCA from fulfilling this requirement.3 Specifically, it argues that automotive cybersecurity

legislation must allow for independent testing of automotive source code for vulnerability to

hackers without the prior approval of manufacturers. By requiring the source code of

automobiles be made available to independent analysts, cars will be safer to the consumer and

the industry as a whole will be able to develop towards even more advanced applications of

automotive internet connectivity, autonomous cars, while staying ahead of hackers who would

exploit this technology. This paper asserts that by adopting a version of SPYCA that explicitly

requires source code checking, the American automotive industry will provide consumers with

the greatest degree of automotive safety and internet connectivity based driving functionality.

I. The Vulnerabilities of Modern Automobiles to Hacking.

A. Connected Vehicles

Connected vehicles are largely a new phenomenon, and thus their vulnerabilities are just

becoming widely known.4 In the first generation of automotive infotainment systems the

functionality was limited by a passenger’s cell phone.5 At this stage of technology, the

automobile itself was not an internet enabled device. Rather, the automobile was only able to

access internet content through a passenger’s phone. This severely limited the risk of individuals

gaining unauthorized access to the vehicle because the cell phone’s security programs could

prevent access.6 Relying upon the security of cell phones, automakers invested few resources in

3 DMCA is found at 17 U.S.C. § 1201 (2012). 4 See Hill, supra note 1, at 1-2 (2013), (describing how the FCC originally allocated bandwidth for connected vehicle functions in 1999). 5 See id at 4 (continuing a discussion of the evolution of connected vehicles with the inclusion of cellular connections as a permitted medium by the FCC in 2008); Elliot Katz, The Internet of Automobiles, 34 WL J. Automotive 1 (2015) (“Because almost 90 percent of new cars sold today are equipped with Bluetooth, most cars already have some element of connectivity to them”). 6 See Katz, supra note 5, at 2 (“If the connected car is merely a computer and cellphone on wheels, then many of the privacy and security issues being posed by critics of connected cars have already been encountered).

4

developing systems to prevent unauthorized access to automobile’s systems because they could

rely on the protections provided by cell phone manufacturers.7

Recent advancements changed the situation, however, such that automakers can no

longer ignore the problem. Automobiles are now capable of directly accessing the internet in the

same manner as a smartphone or a laptop.8 They are now considered a “connected device” and a

component of the internet of things.9 As a component of the internet of things, automobiles are in

constant communication with all other connected devices and report information such as GPS

data.10 This communication allows automobiles to give user specific information by interacting

with other nearby devices.11 The automotive industry adopted this technology quickly because of

the potential application to autonomous driving.12 For this technology to facilitate autonomous

driving each car must learn where it is in relation to every other car through the internet of

things.13

This level of connectivity is also not limited to cars with advanced infotainment systems

or cars that claim to drive themselves.14 Most modern cars communicate over the internet,

7 See Andy Greenberg, Hackers Remotely Kill a Jeep on the Highway – With me in it, WIRED (July 21, 2015), https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/ (summarizing prior hacks of automobiles that have been made public and automakers continued assertion that the methods behind these hacks are not publicly available and therefore not a credible threat). 8 See Katz, supra note 5, at 1 (describing the variety of features offered by manufacturers including the reading of Twitter and Facebook posts by the infotainment system of Wi-Fi hotspot functionality). 9 See id at 1; see also Peter Lefkowitz, Making Sense of the Internet of Things, 59 Boston Bar J. 23 (2015). 10 See id. 11 See Hill, supra note 1, at 1, 5 (describing vehicle to vehicle (V2V) communication infrastructure allowing cars to “talk” to each other or infrastructure and how it is prevalent in the automotive industry such that NHTSA proposed rulemaking that would require V2V in all cars after 2017). 12 See Dorothy Glancy, Autonomous and Automated and Connected Cars—Oh My First Generation Autonomous Cars in the Legal Ecosystem, 16 Minn. J.L. Sci. & Tech. 619, 646-648 (2015) (explaining the different communication infrastructures available to automakers for application in autonomous vehicles and their respective advantages). 13 Id at 641, 646. 14 See Katz, supra note 5 at 1.

5

whether the driver is aware of it or not, to exchange information with the vehicle manufacturer.15

Manufacturers communicate with vehicles to continually update the various electronic systems.16

These updates come in the form of software patches and can improve performance or fix errors

in the original operating system code.17 As a result, cars are much like a traditional computer

with an operating system that is regularly updated.

Computers are not only included as an option for convenience or entertainment in the

form of infotainment systems, but they are also necessary for modern cars to operate.18 These

computers are referred to as Electronic Control Units (ECUs).19 Unlike cars of twenty years ago,

cars today cannot function without the aid of computers.20 For example, engines today are

largely computer controlled, meaning functions like valve timing are electronically, not

mechanically controlled.21 The benefit is timing can now be variable resulting in great fuel

efficiency.22 In other words, today’s engines can better adapt to current conditions, rather than

being locked in the same parameters as were installed in the factory, a limitation of mechanical

controls.23 The same is true of transmissions; with the aid of ECUs an automatic transmission

can operate as effectively as a manual transmission because the computer can vary at what RPM

a gear is swapped. ECUs allow for the modification of every aspect of a car. They can in real

15 See Glancy, supra note 12 at 647. 16 Id. 17 Id. 18 See National Instruments, ECU Design and Testing Using National Instruments Products (Nov. 7, 2009), http://www.ni.com/white-paper/3312/en/#top (describing the various types of ECUs present in modern automobiles and the general function of each ECU). 19 Id. 20 Id. 21 See KSR International v. Teleflex Inc, 127 S.Ct. 1727, 1729 (2007) (describing how electronic signals, not mechanical linkages are responsible for translating driver inputs in modern automobiles). 22 See National Instruments, supra note 18, at 1 (explaining how ECUs allow for constant inputs from various sensors throughout the automobile to allow for adjustments to maintain performance in differing conditions). 23 Id.

6

time adjust the efficiency of a car’s engine, increase or decrease the response of the accelerator,

or even control the brakes on a car.

What is a boon to manufacturers in terms of the extent of control they can offer a driver

through ECUs is also a nightmare for potential electronic intrusion. If a hacker is able to access

an ECU, then they could gain control of any system that ECU regulates.24 For example, with

access to the correct ECU, a hacker could control whether or not pushing the brake pedal

engages the brakes on a car, or cause the car to think the accelerator pedal is fully depressed,

leading to a new wave of unintended acceleration concerns.25 In other words, a hacker could for

all intents and purposes drive a car remotely, despite the driver being physically behind the

wheel.

B. Automotive Manufacturer’s Responses

Initially, the concern regarding hackers being able to remotely control a vehicle was

largely discredited by major manufacturers.26 The main line of argument by the manufacturers

was that it was impossible to access an ECU remotely over the internet and physical access to the

vehicle would be required for this to be a possibility.27 Assuming that a vehicle could not be

controlled without physical access to the vehicle, manufacturers concluded that the cyber-

security concerns were minimal as any hacking attempt would be preceded by other criminal

24 See Cheryl Balough & Richard Balough, Cyberterrorism on Wheels: Are Today’s Cars Vulnerable to Attack?, Bus. L. Today, Oct. 2013. 25 See id (describing how a hacker who has gained access to an automobile via an ECU can control every feature of a car both at rest and at high speed). 26 Id (“One security expert estimates that the average auto maker is about 20 years behind software companies in understanding how to prevent cyberattacks). 27 See Greenberg, supra note 7 (explain how previous hacks were only possible through a wired connection to the vehicle and thus automakers such as Toyota and Ford dismissed the threat).

7

activity such as trespass to the vehicle.28 They reasoned therefore, that traditional anti-theft

systems would be sufficient to prevent hackers from controlling consumer’s cars.29

Two cyber-security researchers shattered the assumption of a minimal cyber-security

threat to automobiles in October of 2014. Charlie Miller and Chris Valasek successfully hacked

into a Jeep Cherokee over the internet, realizing many experts worst–case scenario.30 To

compound the problem for automotive manufacturers, they were able to do so while not in close

proximity to the vehicle and while the vehicle was being driven.31 While the driver of the car was

on the interstate outside of St. Louis the researchers were able to gain access to the car’s control

systems through its infotainment system while they sat in an office in Pittsburgh.32 Once they

had accessed the systems they were able to exercise control that ranged from an inconvenience,

such as adjusting the air conditioning or changing the radio station, to acts of cyber-terrorism.

Specifically, these experts were able to hack their way to controlling everything from the radio

initially, to the car’s accelerator, transmission and brakes individually, to complete control of all

of these systems. With control of every system the researchers could effectively drive the car. To

cement their point, they were able to cause the car to stop in the middle of the highway.33

What the cyber-security researchers succeeded in doing was the first virtual carjacking.

Once they hacked into the car’s systems, they were in control of the driving functions and the

driver was left without any control of the vehicle. Contrary to intuition, any action taken by the

driver does not override the commands sent over the internet to the ECU by a hacker.34 Instead,

28 See Balough, supra note 24. 29 Id. 30 See Greenberg, supra note 7. 31 Id. 32 Id. 33 Id. 34 Id.

8

it is as if the driver has given no command to the car at all. The only commands recognized by

the ECU of the vehicle are the commands issued by the hackers over the internet because the

ECU is tricked into thinking the hacker’s commands are the sensors that rely driver inputs.35

Additionally, there is no noticeable indication that a hacker has taken over the vehicles control

until they cease to respond to the inputs of a driver.

This is also not the first time this particular team of cyber-security researchers was able to

take control of a vehicle. For several years, these researchers took control of vehicles; however,

all of these past incidents required direct access to the vehicle through the diagnostic connection.

Direct access and control was always through the OBD-II port, a connection service personnel at

a dealership use to diagnose problems with a car.36 Use of this port requires a physical

connection to the vehicle through a cable. Manufacturers therefore, gave little attention to the

findings of these and other researchers regarding cyber-security, returning to their standard

response that the physical access requirement was a sufficient deterrent. Prior to the hacking of

the Jeep Cherokee, there had never been a wireless hacking of a vehicle, let alone through an

infotainment system to gain control of the driving functions of the vehicle.

A further complication in convincing manufacturers of the dangers posed by their finding

are the manufacturers’ belief that the solution to the problem is a quick fix.37 This belief is based

on the same technology that has led to the problem itself. The connectivity that automakers

included so they could update vehicles after they have been sold and allows hackers to remotely

35 Id. 36 See Balough, supra note 24; Jeffrey Gurney, Driving into the Unknown: Examining the Crossroads of Criminal Law and Autonomous Vehicles, 439. 37 The quick fix automotive manufacturers rely upon is denial of the problem and repairing any flaw in the security of the vehicle’s computers before the public at large becomes aware. See Greenberg, supra note 5 (“Owners of [vulnerable] vehicles . . . were notified of the patch in a post on Chrysler’s website that didn’t offer any details or acknowledge Miller and Valasek’s research”).

9

access vehicles was also the solution in the eyes of manufacturers. They believed that any threat

could be corrected with a software patch, thus preventing the threat in future situations. This,

however, is a retroactive response to the problem and ignores that this situation should never

arise, as one incident of virtual carjacking is too many.

II. Legislative Responses; Proactive and Reactive Approaches

In the wake of Miller and Valasek’s demonstration that cars could be remotely hacked,

some Members of Congress proposed a legislative response. In particular, Senators Ed Markey

(D-Mass) and Richard Blumenthal (D-Conn) proposed legislation entitled the Security and

Privacy in Your Car Act (SPYCA), which would institute various standards and require

manufacturers to adopt consumer protection for their products.38

SPYCA standards were spurned by a growing concern that manufacturers are responding

to cyber-security threats only retroactively and are taking no proactive steps to prevent hacking

of automobiles. Rather than accepting that cars have become analogous with computers and that

manufacturers must approach the problem in the same vein as has been taking in the computing

industry, manufactures continue to insist that hacking is not a threat to cars. This, however, is

only a fiction and the two Senators who proposed this legislation are listening to consumers at

large. The proposal of SPYCA then, is an indication from the legislature that the Computer

Fraud and Abuse Act (CFAA) is insufficient.39

It is not enough to only respond to hackings after the damage has occurred, especially

when lives are on the line as is the case with cars. There must be a legal approach that will

prevent this damage from ever happening. Prior to the proposal of SPYCA, however, the CFAA

38 S. 1806. 39 18 U.S.C. § 1030 (2012).

10

and possibly DMCA are the only federal statutes that would allow for the prosecution of hackers

who conduct virtual carjackings. Both of these statutes provide for prosecution only after harm

has occurred.

A. Computer Fraud and Abuse Act (CFAA)

The most applicable federal statute for any cyber-crime is the CFAA. Although the

CFAA’s primary purpose is to allow for prosecution of hackers of governmental or financial

computers, not automobiles, it can be utilized in this manner.40 The CFAA is a dual use statute,

having both a criminal and a civil component.41 Law enforcement or a private party may bring a

claim under the CFAA for any unauthorized access to a protected computer. If the claim is

brought by law enforcement criminal liability may be imposed, however, claims brought by a

private party can be awarded monetary damages. The criminal aspect of the CFAA is more

relevant to the concept of virtual carjacking, but the civil component could be used by victims

for compensating damage that results from a virtual carjacking. For the CFAA to apply,

however, certain jurisdictional elements must first be met.

Before any of the penalties proscribed by the CFAA can be enforced, the cyber-crime

must affect a protected computer.42 Protected computers under the CFAA are those operated by

the federal government, banking institutions or those involved in interstate commerce.43 A

private consumer’s vehicle would not qualify as a government or banking institutions computer

and therefore can only qualify under the CFAA if interstate commerce is concerned. This can be

achieved in one of two ways with modern connected vehicles. The first method for

40 See id at § 1030(a)(2). 41 See Gurney, supra note 36, at 438,439. 42 18 U.S.C. § 1030(a)(4) (2012). 43 See Gurney, supra note 36, at 439; 18 U.S.C. § 1030(e)(2) (2012).

11

demonstrating interstate commerce is concerned is that the computers subject to hacking are a

component of the car and cars are capable of traveling in interstate commerce.44 If the car did not

travel in interstate commerce, the computers in the vehicle could still qualify for protection under

the CFAA using the second method for demonstrating interstate commerce is concerned. That is

a showing that the car is capable of accessing the internet.45

The argument that if a computer can access the internet it sufficiently satisfies the

requirements of the CFAA stems from how the internet is used. Because the internet permits you

to access computers that are not in the same state, accessing out of state computers would qualify

as interstate commerce. Therefore, in the example given by the cyber-security researchers a hack

of a car in St. Louis that originated in Pittsburgh would satisfy the interstate commerce

requirement.

The next requirement for the CFAA to apply is that the access to the protected computer

be unauthorized or exceeding of authorization given.46 The unauthorized access aspect of the

CFAA is more applicable to cars in their current use because the intended access to the

infotainment system is limited to the driver while using the vehicle. There are not currently

degrees of access to a car such as with computers where multiple users can have access to

varying degrees. Currently there is only one level of access with a car and it is limited to the

consumer driver and possibly the manufacturer. Therefore, the unauthorized access portion of the

CFAA is most applicable to automobiles.47

44 See Gurney, supra note 33, at 439. 45 Id. 46 18 U.S.C. §1030(a)(2)(C) (2012). 47 See Balough, supra note 22.

12

The CFAA can be used to prosecute hackers who virtually carjack modern cars that are

equipped with internet connected infotainment systems in a situation similar to the test

performed by the cyber-security researchers. Because the ECU of these infotainment systems are

capable of accessing the internet in order to contact a manufacturer for software updates or

stream music on an app such as Pandora, they can be considered a protected computer under the

CFAA. All that need be shown for automobiles to receive protected computer status is that the

internet communication are not restrained to only one state.48 Additionally, once a hacker sends

commands to a car that alter the driver’s ability to control the car they are accessing the ECU of

the automobile without authorization because access for a vehicle is limited to the driver.

Technical barriers must be overcome for a hacker to send these commands to the ECU and

therefore the access by a hacker would be unauthorized.

B. Analysis of SPYCA

Although there are few limitations to the application of the CFAA for the prosecution of

hackers who could engage in virtual carjacking, additional legislation is required to provide

consumer protections to drivers of connected vehicles. This legislation is SPYCA and it is

focused less on hackers and more on manufacturers in its requirements.49 The goal in imposing

these requirements on manufacturers is to bring the computer protections for automobiles in line

with the protections of other computer based industries. The concern is great enough to warrant

government intervention because experts have estimated that auto makers are “20 years behind

software companies in understanding how to prevent cyberattacks.”50 The Senators that proposed

48 See Gurney, supra note 36, at 439. 49 S. 1806. 50 See Balough, supra note 24.

13

this legislation then, have made a policy decision that the criminal penalty deterrent of the CFAA

is insufficient.

SPYCA provides consumer protection in two different forms. The first form of consumer

protection provided is protection of driver’s personal data. This protection of a driver’s personal

data applies not only to unauthorized access from hackers, but also protection from collection by

the manufacturers themselves. The intent of the act for the protection of driver data from hackers

is an off-shoot of the measures necessary to prevent unauthorized access. In other words, if the

hacker cannot gain access to the ECU in the car, they cannot use a driver’s personal data.

SPYCA is much more explicit, however, when it comes to how automotive

manufacturers are allowed to access a driver’s data. The first provision of SPYCA for protecting

consumer data from manufacturers is that they must give the driver clear notice that their driving

data can be collected.51 SPYCA also provides that consumers are capable of taking an

affirmative action to cancel the collection and use of their driving data by manufacturers and that

the manufacturers cannot retaliate against this by limiting the use of navigation features in

infotainment systems.52 Finally, the act also provides that automakers are not allowed to use any

of the data they do receive for advertising or marketing purposes without first gaining the

consent of the drivers whose data they are using.53

Protection of a driver’s personal data is only half of the consumer protections

contemplated by SPYCA. The other and arguably more important protections of SPYCA are

requirements for manufacturers to prevent the unauthorized access to a connected vehicle. The

main requirement of SPYCA is that “all entry points to the electronic systems of each motor

51 S. 1806 §30127(b) 52 Id §30127(c)(1)-(2). 53 Id §30127(d)(1).

14

vehicle manufactured for sale in the United States shall be equipped with reasonable measures to

protect against hacking attacks.”54 Although contained in only one relatively short sentence, this

requirement is quite broad in its application. This is because several points of entry are covered

by the statement that “all entry points” be protected against hacking.

The entry points that are included in this requirement are both the direct and indirect

entry points to the electronic systems. The direct points of entry to an automobile’s electronic

system include the OBD-II port.55 The indirect method of entry is any wireless access to the

electronic systems of an automobile.56

The direct method of entry to a vehicle’s electronic system is the traditional method of

hacking that manufacturers have disregarded.57 It is necessary to include direct modes of entry in

SPYCA’s consumer protections, however, because hackers can still access a vehicle’s ECU over

the internet by routing through the dealership service computers that are connected to the

internet.58 Therefore, although the direct method of entry does not allow for real-time

interference with an automobile while it is driven, hackers can still install malicious software that

causes loss to the consumer.59

The indirect method of entry to a vehicle’s electronic system is via a car’s infotainment

system, where a wireless connection is established that allows access to the internet as a whole.60

Although a hacker is only able to initially gain entry through the infotainment system, their

control of the vehicle is not limited to your choice of music. Hackers are able to control the

54 Id §30129(a)(2)(A). 55 Id. 56 Id at 3. 57 Id. 58 Id. 59 Id. 60 Id at 3.

15

driving functions of an automobile because all of the ECU in a vehicle are interconnected.61

Because the ECU are interconnected a breach of one allows the hacker to infect every other ECU

in the vehicle and control them. Therefore, it is necessary to protect every point of entry from

hackers and SPYCA requires just this.62

SPYCA requires not only that reasonable security measures be taken to prevent hackers

from gaining entry to a vehicle, but also further precautions from a hacker gaining complete

control of a vehicle. SPYCA requires that critical systems be separated from non-critical systems

in an automobile.63 This method of isolating a vital computer from other forms of access is

known as “air-gapping” and is an effective means to prevent hacking. This was the primary

means vehicles were protected from unauthorized access prior to becoming connected

devices.64Although SPYCA does not require than manufacturers disconnect their consumer

products, it does require that they disconnect the vital systems of a vehicle from the internet to

prevent intrusion. In other words, engine management and steering ECUs must be air-gapped

from those that access the internet.

Finally, SPYCA has evaluation procedures built into the statute to ensure manufacturers

comply with the act.65 The evaluation procedures are not review by a federal agency, however,

but are tested for security vulnerabilities using the “industry standard” practices for hackers,

including penetration testing.66 Penetration testing is when a security expert intentionally

attempts to gain access to the protected system in order to determine security weaknesses.

Manufacturers are then required to adjust their protections and isolation measures based on the

61 Id. 62 S. 1806 §30129(a)(2)(A). 63 Id §30129(a)(2)(B). 64 See Balough, supra note 24. 65 S. 1806 §30129(a)(2)(C). 66 Id.

16

results of the evaluation testing.67 Failure to meet these requirements is met with a civil penalty

of $5,000 as a further incentive to manufacturers.68

SPYCA then provides a proactive, rather than reactive framework for the protection of

consumer data and their welfare from hackers. It also seeks to develop an evolving framework

that will stay ahead of hackers through the evaluation process required under the act. This is

similar to the methods used by technology companies such as Google for protection of their

systems and is an acknowledgment by Congress that automotive manufacturers have expanded

their businesses to more than just cars.69

C. Conflicts Between SPYCA and DMCA

Although it is still only proposed legislation, if SPYCA is enacted in its current form it

will likely not be applied as intended by the writers of the Act. Unlike cyber-crime statutes such

as the CFAA, however, the problems with SPYCA do not stem from an ambiguous definition

within the statute.70 Rather, SPYCA’s issues stem from its regulation of identical content as the

Digital Millennium Copyright Act (DMCA) and its failure to address conflicts between the two

statutes.71

The conflict that arises from SPYCA overlapping with DMCA is that DMCA prohibits

circumventing protections on copyrighted material.72 Specifically, DMCA states “No person

shall circumvent a technological measure that effectively controls access to a work protected

67 Id §30129(a)(2)(D). 68 Id §30129(b). 69 See Andy Greenberg, Google Offers $3.14159 Million in Total Rewards for Chrome OS Hacking Contest, FORBES (Jan. 28, 2013), http://www.forbes.com/sites/andygreenberg/2013/01/28/google-offers-3-14159-million-in-total-rewards-for-chrome-os-hacking-contest/#37bc69113abd. 70 18 U.S.C. § 1030(a)(1) (determining what constitutes exceeding authorized access has led to different holdings by courts). 71 17 U.S.C. § 1201. 72 Id.

17

under this title.”73 For security analysts to conduct the analysis required by SPYCA they must

look at the underlying copyrighted software, the very software these technological measures are

intended to prevent access to.74 Not only must security analysts examine the underlying code,

they must also attempt to break through the protections for the copyrighted material, protected by

DMCA, to perform a penetration test required by SPYCA.75

Enacted in 1999, DMCA was originally intended to protect copyrighted material on

physical media such as DVDs, but it does not protect the copyrighted material itself.76 Rather,

DMCA protects the measures utilized to protect the copyrighted material. These technological

measures are broadly defined and inclusive.77 The definition of circumvention of a technological

measure given in the statute is “to descramble a scrambled work, to decrypt an encrypted work,

or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the

authority of the copyright owner.”78 Under this definition any protection of the software in an

automobile, from a passcode to a proprietary program to read encrypted code, will create liability

under DMCA. The only means to avoid liability under DMCA is to be granted access to the

copyrighted material by the owner.79 Therefore, analysts hired by the automaker may evaluate

the software without violating DMCA, but any independent analyst could not.

In the case of DVD’s the intended technological measures are the encryptions used to

prevent access to films stored on the DVD itself. Given that DMCA was intended to protect

copyrighted movies and music, it seems odd that automotive manufacturers would invoke the

73 Id. 74 Id. 75 S. 1806 §30129(a)(2)(C). 76 17 U.S.C. §1201. 77 Id (defining technological measure as anything “that effectively controls access to a work protected under this title). 78 17 U.S.C. § 1201(a)(3)(A). 79 Id.

18

Act to prevent researchers from accessing the code in automobiles. DMCA, however, applies

whenever there is copyrighted material protected by any technological measure.80 Therefore,

because the code is protected under Title 17 of the U.S. Code and there are measures in place to

restrict access to it DMCA applies.81

Additionally, it is not necessary for the code to be used for personal gain to result in a

cause of action under DMCA.82 The protection provided in DMCA is not conditioned on any

loss resulting from unauthorized access to the copyrighted material. Unlike most copyright law,

which requires a showing that the copying of an original work occurred, DMCA prohibits access

to a copyrighted work.83 To give a real world comparison to the protection provided in DMCA, it

is analogous to a picture behind a locked door. DMCA does not prohibit re-photographing the

picture, which would be a violation of copyright law. DMCA rather, prohibits opening the door

without authorization, or more specifically undertaking any technological means to circumvent

the lock that is protecting the copyrighted material.

Any security expert who attempted to evaluate the protections created by manufacturers

pursuant to SPYCA would expose themselves to liability under DMCA. This is because the

software code that is contained in each ECU in an automobile is encrypted. Unlike a Microsoft

Word document which is readily readable with several programs, the software in automobiles is

only viewable through the use of proprietary programs created by manufacturers. These special

programs function as a cypher to allow the encrypted code to be readable. Because security

analysts must be able to read the code before they can evaluate it for compliance with SPYCA

80 17 U.S.C. § 1201 81 See Balough, supra note 24. 82 See MDY Industries, LLC v. Blizzard Entertainment Inc., 629 F.3d 928 (9th Cir. 2010) (creating a separate cause of action merely for violating §1201 DMCA). 83 17 U.S.C. § 1201.

19

and they lack the proprietary programs utilized by manufacturers they would have to circumvent

the encryptions to the code. It is this circumvention that constitutes the violation of DMCA.

It should also be noted that the protections provided by DMCA that create liability for

security analysts would also create liability for hackers and cyber-terrorists. Unfortunately, this

creates the same problem as the CFAA. There are legal remedies against hackers, but little

consumer protections to prevent the dangerous activity in the first place. This is the very issue

SPYCA attempts to correct.

This does not mean that SPYCA cannot operate at all. SPYCA still requires that

manufacturers incorporate means to protect consumers. Additionally, SPYCA requires that each

of these protections, particularly the code based protections, be tested for security

vulnerabilities.84 Therefore, the protections that are incorporated to comply with SPYCA will be

tested. Additionally, these tests must be conducted using the best security practices. This

requirement for best security practices could very well include independent outside testing.

Manufacturers could still hire outside consulting firms to test their code and avoid DMCA issue

by granting the outside firm access to the code. DMCA provides exemptions for those

individuals who have authorized access to the copyrighted material even if they circumvent

protections. Another possibility is the manufacturer grants the outside consultant the proprietary

decryption programs, in which case there is no circumvention of security measures. Therefore, if

this is the case, the outside consultant would not be in violation of DMCA § 1201. This is not in

the best interest of consumer protection, however, which is the main focus of SPYCA.

84 S. 1806 §30129(a)(2)(C)

20

III. Possible Solutions to Ensure the Legislative Intents of SPYCA and DMCA are

Maintained

DMCA is not wholly without protections from liability for parties other than the

copyright holder.85 The Librarian of Congress is empowered to create an exemption to liability

under DMCA every three years for parties that would be adversely affected by its protections of

copyrighted material.86 Recently, the Librarian of Congress included an exception to DMCA for

circumvention of technological measures when done for the purpose of security testing of a

motorized land vehicle.87 This exception, however, will not take effect for another year from the

time it was announced; therefore, security analysts cannot currently seek its protection.88 This

exception is also not permanent; it is subject to review every three years and therefore could be

abandoned.89 A permanent exception to DMCA for security analysts should be included in

SPYCA to ensure there is never a conflict with the goals of DMCA and SPYCA in the future.

A. Consumer protection and manufacturer transparency are the motivations behind

SPYCA.

The goal of SPYCA is to provide proactive measures for the prevention of hackers

gaining control of automobiles in order to protect consumers.90 Although automakers testing

themselves and with the help of the consultants they choose would satisfy the requirements of

the Act, it would not be in the best interest of consumers. The example presented at the outset of

85 17 U.S.C. § 1201(a)(1)(B). 86 Id § 1201(a)(1)(C). 87 37 Fed. Reg. § 201.40(b)(7)(i)(B) (2016). 88 Id. 89 17 U.S.C. § 1201(a)(1)(C). 90 S. 1806.

21

this paper is a perfect example of manufacturers not being the best advocates for consumer

protection.

Prior to the finding and demonstration by Miller and Valasek that a Jeep Cherokee could

be hacked and its systems controlled by an individual not in proximity to the vehicle, Chrysler

had vehemently denied the possibility of this occurrence. Their stance along with every other

manufacturer has been that their current security provisions are sufficient and it is unnecessary

for third party analysts to probe their systems. Despite this, third party analysts continually find

vulnerabilities that can be exploited in their code.

This is also not a case that will be resolved by manufacturers choosing not to exercise

their rights under DMCA. It is much more likely that manufacturers will continue to pursue third

party analysts who attempt to circumvent code protections, even if their goal is consumer

protection. As recently as this year, General Motors Corp. (GM) lobbied before Congress that no

current consumers owned their cars, rather every consumer had a license to their car, but the car

itself was owned by GM.91 The basis for this argument was that a car does not function without

the code in its ECU and as this code is copyrighted material, GM in effect owns the car.92

Although Congress rejected this argument, the fact remains that manufacturers are highly

protective of their software and it is not realistic to expect manufacturers to allow third party

analysts to conduct the evaluation testing proscribed by SPYCA. In order to gain the best

consumer protections, the most analysts possible must be allowed to test the software protections

provided by manufacturers in order to stay ahead of those hackers who would seek to do harm.

91 See Kyle Wiens, We Can’t Let John Deere Destroy the Very Idea of Ownership, WIRED (Apr. 21, 2015), http://www.wired.com/2015/04/dmca-ownership-john-deere/. 92 Id.

22

B. Changes to SPYCA as proposed will resolve the conflict with DMCA.

To resolve the issues presented by the conflict between SPYCA and DMCA it is

necessary that the final form of SPYCA that is passed by Congress include a clear statutory

exemption to DMCA §1201 or require manufacturers to provide their code to third party

researchers. This must be done to fulfill the purpose of SPYCA of protecting consumers. These

methods, however, would need to be sufficiently narrow so as to avoid making DMCA moot on

this issue.

1. Statutory Exemption to DMCA for SPYCA Purposes

An exemption to DMCA §1201 must allow third party analysts, those who are not

employed by manufactures for SPYCA mandated testing, to avoid liability for circumventing

copyrighted code protections. One method to do this is to provide a bar on liability for analysts

who privately report their findings to manufacturers and do not seek to profit from these

findings. In other words, any individual could seek protection from DMCA liability using this

system if they are able to show they do not intend to personally profit from the circumvention of

measures meant to protect copyrighted material. This then, would expand the concept of “fair

use” to not only the eventual use of copyrighted material, but also to include fair use in

circumventing measures meant to protect copyrighted material.

It is important to remember that § 1201 of DMCA deals with circumvention of protective

measures, not the copyrighted material itself so any exemption to § 1201 must refer to the

circumvention of these measures. Using this system, only analysts who have consumer

protection in mind would be protected from liability under DMCA §1201. By necessitating that

23

the analysts not seek profit for their findings, the purpose of DMCA would not be frustrated, that

is the guarantee of profits from copyrighted material to the holders only.

Additionally, by requiring that any findings be transmitted directly to the manufacturer

and in a private matter ensures that the research is being done only for consumer protection. To

allow the findings to be posted publicly, hackers could conduct research into how to break the

protections created under SPYCA, yet shielded from DMCA without ever reporting their

findings to the manufacturers. They therefore, could have legal protection to continue their

hacking activities. Thus, to ensure the purpose of SPYCA is not frustrated, any exemption to

DMCA must require that manufacturers be informed of any findings for the shield from liability

to apply.

The other method that could be enacted by Congress to resolve the issue of SPYCA

conflicting with DMCA is to clarify the language in SPYCA to require manufacturers to use

third party analysts and that they use multiple outside analysts to confirm their results. This

clarification could be used instead of the language that requires testing use the “best security

practices.”93 Although an argument could be made that using outside analysts is implicit in the

language “best security practices” it is an ambiguous term. Clarifying this language would

encourage manufacturers to utilize a “bounty competition” approach that is already

commonplace for the computer data industry. The benefit of using this approach, encouraging

manufacturers to bring in third party analysts, is that it avoids the need to write a comprehensive

statutory exemption to DMCA. This result occurs because DMCA creates liability only for

unauthorized circumvention of protective measures, but no liability is created when the

manufacturer grants access to a third party analyst.

93 S. 1806 §30129(a)(2)(C)

24

One of these methods must be added to SPYCA to exempt third party analysts from

liability under DMCA and ensure that parties other than the manufacturers are probing the

effectiveness of the measures undertaken to prevent hacking. Whichever method is implemented,

however, it must be narrowly tailored. Narrow tailoring is needed to ensure that the goals of both

SPYCA and DMCA are not frustrated.

For a solution to the problems presented in SPYCA to be narrowly tailored so as to not

undermine the purpose of DMCA, the exemption must not permit all circumvention of security

measures. To include this broad of an exemption in SPYCA would be equivalent to the repeal of

DMCA as it is applied to automobiles. As mentioned previously, DMCA can serve as another

means to pursue hackers in the court in addition to the CFAA. Therefore, there is a legitimate

reason to maintain DMCA in its current form, if it can be modified to advance the consumer

protectionist goals of SPYCA. Thus, an exemption to the liability of DMCA must allow for third

party analysts who pursue consumer protectionist goals to circumvent the protections placed on

automobile software, while still providing penalties for those individuals who do not have these

goals in mind, nor are they authorized to access the code.

2. Requirement for Manufacturers to Allow Access to Source Code of Third Party

Analysts

The latter solution, the inclusion of a requirement for third party testing explicitly, rather

than the amendment of DMCA itself or through SPYCA is less ambiguous and will more readily

address the problem at hand. The problem with writing a blanket exemption to DMCA’s liability,

which any party can use for shelter is that it is a highly fact based legal analysis that is prone to

litigation. To prevent hackers from sheltering in this exemption to DMCA, manufacturers will

have to prosecute every individual who is attempting to circumvent measures to prevent access

25

to the copyrighted material. Whether an exemption to DMCA applies can only be based on the

end result of circumventing protective measures. That is, whether the analyst publishes their

findings, either publicly or to the manufacturer. There is no distinction between what a hacker

does and what a consumer protection minded security expert engaging in penetration testing does

prior to publication of their findings. Therefore, manufacturers would have to prosecute everyone

and let litigation decide the intentions of the parties violating DMCA and whether they should

avoid liability.

As a result of the need for the exemption to liability under DMCA included in SPYCA to

be narrowly tailored, a requirement in SPYCA that manufacturers utilize third party testing is the

best option. This solution is the closest to the current language of the law, that manufacturers

conduct testing under the “best security practices,” yet limits the application of the exemption so

as not to neuter the applicability of DMCA. Additionally, this solution facilitates the adoption of

methods utilized in other industries, such as the computer data industry, that automotive

manufacturers would be wise to emulate.

a. The parallels between the problems faced by the automotive industry and the

computer data industry.

The current level of technology in a connected car available to the average consumer is

predominantly another access point to the internet.94 Connected cars are only able to read

information from the internet when directed by the driver.95 The goal of many automotive

manufacturers, however, is to create autonomous cars.96 Manufacturers such as Tesla already

94 See Katz, supra note 5, at 2. 95 Id. 96 See Glancy, supra note 12, at 640.

26

offer features that are capable of independently controlling a car in a limited fashion.97

Autonomous driving of vehicles will present an even greater concern to consumer safety than

automobiles simply being a connected device.

When an automobile is capable of autonomous driving it is necessary that the computers

in the automobiles make decisions about their environment.98 Currently the computers in a car

only respond to inputs by a driver. When functioning autonomously, they will not have these

inputs and must make decisions about direction and speed on their own.99 The car’s software is

functioning as one form of Artificial Intelligence (AI) because it is making driving decisions all

on its own.100 This additional application in automobiles of software creates new and even

greater consumer protection concerns.101 Currently, a hacker must interact in real time with a

connected vehicle to drive it. If the vehicle is capable of autonomous driving, however, a hacker

could implant a virus that would alter the AI and lead to either poor performance, or driving in a

manner that is dangerous to passengers or nearby pedestrians.102

The problem with AI based driving is that the software responsible for it must be able to

interact with and learn from its environment. This is a problem because the traditional method of

isolating a system to protect it does not allow for AI’s interacting with their environment.

Automakers then must develop a system that allows for access, but restricts it in such a way that

false inputs, such as those given by a hacker, cannot influence the AI. The computer data

industry is a valuable parallel because it is also pursuing AI’s and the methods necessary to

97 Tesla has implemented the Summon feature in its current Model S line which allows the car to park itself in a garage after the driver has pulled into the driveway and exited the vehicle. See Tesla Motors Team, Summon Your Tesla from Your Phone, TESLA (Jan. 10, 2016), https://www.teslamotors.com/blog/summon-your-tesla-your-phone. 98 See Glancy, supra note 12, at 636,637. 99 Id at 638,639. 100 Id. 101 Id at 664,665. 102 Id.

27

protect these systems. By looking to those methods already used to protect software that is

capable of learning, the automotive industry will be able to stay ahead of hackers for all of the

new features they implement in a vehicle. The main method utilized by the consumer data

industry for testing protections of their systems, including AI’s, is penetration testing by third

party analysts.

C. Best Practices for Protecting Consumer Have Already Been Determined

Instituting a clear requirement in SPYCA that independent third party testing be used

would be the best method to ensure consumer protection because it is the method that best

mirrors the techniques used in the computer data industry. SPYCA should implement a solution

that is more similar to that utilized in this industry because the problems encountered when

securing connected vehicles are identical to those faced when securing servers or personal

computers. Although the outcomes can be different, in the present case the taking control of a

vehicle, in the other case a loss of data, the methods of entry for hackers are identical. In either

case, hackers must circumvent measures designed to limit access to the software that operates

these systems. Although the identical solutions used in the computer data industry will not work

because the base systems are not the same, much like a solution for Windows will not work on a

Mac, the process used to create these solutions is translatable. This is why the solution required

by SPYCA should mirror the solutions used in the industry that continues to deal with these

problems on a daily basis.

Rather than attempt to re-invent the wheel, the major automotive manufacturers should

look to the computer data industry in Silicon Valley for a roadmap of how to conduct proper

security penetration tests. In this industry the main method for testing system security is to allow

28

third party analysts access to the system.103 In fact, the computer data industry incentivizes these

analysts to attempt to breach the protections created by the manufacturer.104 This is done after the

manufacture has concluded internally that their system’s protections are sufficient. For example,

major companies in this industry, such as Google, use a bounty based hacking competition to

guarantee their systems are hacker proof.105

The benefit of these competitions is it allows third party analysts to conduct penetration

testing of Google’s security in an environment controlled by Google. The goal of these

competitions is to simulate the real world, where hackers attempt to breach the security

implemented by the manufacturer. The benefit here, however, is that no damage occurs because

the “hackers” in this case have no malicious motivations. Instead the company conducting the

test stands to learn the weaknesses of their system and can patch any weaknesses discovered

before the product gets to the market. In the case of Google’s competitions, Google gets the

benefit of more people, who can think outside the box, approaching the problem, while also

gaining the benefit of ensuring these analysts are not attempting to hack Google to its detriment.

The benefit of this system speaks for itself. Namely that flaws in security are found much

more quickly. To assume any security system is “hacker-proof” is a fallacy. By admitting to this

problem, in contradiction to what automotive manufacturers have done, Google is able to ensure

they find problems before hackers find and exploit these flaws. This is all done in the interest of

consumer protection.106 The fact that this process is focused on consumer protection is another

correlation that makes it amenable to application in SPYCA. As an act of Congress focused

103 See Greenberg, supra note 69. 104 Id. 105 Id. 106 Because hackers are required to turn over the technique used to complete a successful hack before they can earn the prize money, Google gains the benefit of learning how its security vulnerabilities occur and can fix the problem for consumers. See id.

29

primarily on consumer protection, SPYCA would do best to look to the most relatable industry to

the current problem and pick a method from that industry which best address the concerns

advanced in SPYCA. Therefore, it would be best to also use a crowd-sourcing penetration test

method with automotive technology security testing.

A further benefit to these systems, as opposed to an automotive manufacturer simply

hiring a consultant company to evaluate their protections is that it avoids cronyism. Although

SPYCA proscribes standards for how manufacturer’s security systems should be evaluated, the

standards are vague. Not only are the standards vague, there is no governmental agency to

provide oversight. Therefore, there is little incentive for outside consultants to do any more than

“rubber stamp” the systems developed by manufacturers.

This is not to malign the efficacy of outside security consultants, but simply a recognition

of the realities of the market. Consultants who provide more favorable reports to the

manufacturers, who have already given a low priority to consumer protection, will be favored

and receive a greater market share of the evaluation business. If manufacturers were genuinely

concerned about consumer protection, then there would be no need for SPYCA to require them

to take the concern into consideration. An effective application of SPYCA then incentivizes

more individuals to evaluate the effectiveness of manufacturer’s security systems, meaning more

vulnerabilities will be detected and consumers can be ensured that they are actually protected

from cyber-security threats to their vehicles.

The concern of automakers having outside consultants simply rubber stamp their efforts

is more than just a cynical concern as well. The recent Volkswagen Emissions scandal is

30

evidence of this.107 In the Volkswagen case, the automaker was able to deceive tests conducted

by an independent government agency (the EPA) whose job was to ensure the enforcement of

emissions regulations.108 Volkswagen was able to misrepresent the capabilities of their vehicles

during testing through the use of a “defeat device.” Describing it as a defeat device though is a

misnomer, as no additional device was installed on these cars. Rather, Volkswagen engineers

include software in the vehicles that would detect if current driving conditions matched those the

EPA used to test a vehicle’s efficiency.109 If the software made this determination, it would then

force the car into an eco-friendly mode that ensured the vehicle met all the emissions

requirements of the EPA.110 This mode was only accessible, however, during testing and did not

reflect the actual emissions of the vehicle in any way. Volkswagen was able to create a defeat

device then, because only one outside group, the EPA, was testing their vehicles and they used

the same test every time for consistency across manufacturers. A similar situation could apply to

hacking, an automaker could create a special mode that was only active during testing to pass the

evaluation, but not apply this mode during normal operation.

Despite this important role and the lack of incentive to give Volkswagen a good report

the process still failed. Volkswagen was able to misrepresent the capabilities of its vehicles, a

concern raised in SPYCA, and consumers have not received the protections they are guaranteed

by law. In fact, it was not until third-party researchers examined Volkswagen’s vehicles that the

107 Chris Bruce, VW Developed 4 Separate Defeat Devices Over 7 Years, AUTOBLOG (Oct. 19, 2015), http://www.autoblog.com/2015/10/19/vw-developed-4-separate-defeat-devices-over-7-years/. 108 See Julia P. Valentine, EPA, California Notify Volkswagen of Clean Air Act Violations / Carmaker allegedly used

software that circumvents emissions testing for certain air pollutants, EPA (Sep. 18, 2015),

https://yosemite.epa.gov/opa/admpress.nsf/6424ac1caa800aab85257359003f5337/dfc8e33b5ab162b985257ec4

0057813b!OpenDocument (summarizing the EPA’s initial finding in the notice of violation letter sent to

Volkswagen).

109 Id. 110 Id.

31

defeat devices that allowed them to mislead the EPA’s tests were discovered.111 This is further

proof that to ensure manufacturers are complying with consumer protection standards when

software is involved, multiple evaluators, whose methods are unknown to the manufacturers

prior to testing, must be involved.

Worse still, there have been recent suggestions that other major automakers have

participated in the same kind of activities to circumvent regulations.112 Rather than what many

thought, that Volkswagen was simply a rotten egg, it is more likely that automakers are

incentivized to avoid government imposed regulations in the operation of their businesses. If this

is the case, a self-enforced regulation as is suggested in SPYCA will never work. The incentive

to avoid regulation would encourage the growth of consultants who always gave passing marks

to the efforts of automakers.

To avoid this SPYCA must utilize third-party analysts who can serve as a valid

enforcement mechanism, at no cost to the government. The benefit of these researchers is that

they provide more approaches to the problem, achieving the first goal of better simulating real

world conditions. This is why bounty based hacking competitions are utilized in the computer

data industry by leaders such as Google. SPYCA then, should encourage automotive

manufacturers to engage in the same behavior by clarifying the language of the act to explicitly

describe this system, rather than simply referring to the best security practices. To fail to do so

would show ignorance to the realities of today and SPYCA would be wise to learn from past

mistakes.

111 See Pete Bigelow, West Virginia Researcher Describes How Volkswagen Got Caught, AUTOBLOG (Sep. 23, 2015), http://www.autoblog.com/2015/09/23/researcher-how-vw-got-caught/. 112 See Noah Joseph, Renault Implicated in Diesel Emissions Cheating, Autoblog (Nov. 24, 2015), http://www.autoblog.com/2015/11/24/renault-diesel-emissions-cheating-report/.