Why Biden Admin’s Corrupt NHTSA Told Car Makers To Ignore Right To Repair Law
Massachusetts passed the Data Access Law, also known as "Ballot Question 1" and often simply referred to as the "Right to Repair" law, back in 2020. At that time, a group of automakers filed suit to stop the law, and its enforcement was delayed until this year so that trial could play out. Back in March, the state's attorney general filed "notice of intent to terminate non-enforcement" with a start date of June 1st. That means that the law actually went into effect at the beginning of the month.
Well, the NHTSA has now sent out a letter to automakers that advises them to simply ignore the law and its requirements altogether. The NHTSA, which is the National Highway Traffic Safety Administration, is the government agency in charge of regulating vehicle safety, and the letter to automakers stresses that the Massachusetts law could endanger the state's citizens, or at least their data.
This is in stark contrast to the Biden administration and Democrat party's previous stances on Right to Repair, which have traditionally been "evocative support." The letter says that the "Data Access Law conflicts with and therefore is preempted by the Safety Act." The NHTSA letter is not completely and utterly without rational justification; the idea is that by making vehicle telemetry data available to mom & pop repair shops, that data could be stolen or modified by bad actors. The fear is that it will make vehicles' cybersecurity weaker.
The NHTSA's letter implies vehicles compliant with the legislation should be recalled!
Massachusetts is the battleground for right-to-repair legislation in the United States because in 2013 the state passed a law requiring vehicle manufacturers to make parts and diagnostic tools available to the general public. To avoid having to deal with myriad measures in other states, manufacturers signed a memorandum that they would comply with the MA rules in every state.
However, the 2013 law was too specific, and it doesn't include any provisions for vehicles that don't include an OBD2 port. If the vehicle has no such port and transmits its telemetry and diagnostic data wirelessly, manufacturers are largely excluded from the law. That's a nifty little loophole that allows car companies to weasel out of allowing third-party (i.e. non-dealership) repairs to their vehicles.
This new law from 2020 that closes that loophole was passed by voters almost unanimously, and it was supposed to go into effect this month, but this letter from the NHTSA complicates everything. It's particularly frustrating considering that the Federal Trade Commission prepared a report for congress in 2021 that analyzed all of the manufacturers' arguments against this right to repair legislation and said that none of them make any sense. To quote:
"The record contains no empirical evidence to suggest that independent repair shops are more or less likely than authorized repair shops to compromise or misuse customer data. The record supports arguments that consumers and independent repair shops would be equally capable of minimizing cybersecurity risks, as are authorized repairers."Vice Motherboard quotes a prominent right to repair lobbyist who states that "if it is impossible to provide secure access to me, the car owner, for the data transmitted by my car, then the care is insecure." Indeed, 'security through obscurity' is a widely-disparaged practice among cybersecurity experts.
The real irony to the NHTSA's concerns is that modern cars are so insecure that it is darkly hilarious. Last year, it was the Replay attack that let hackers remotely unlock and start certain Honda and Acura vehicles, and then earlier this year, some Hyundai and Kia cars were so comically-easy to steal that they became the subject of a Tiktok challenge. If this is the best automakers can do for security, why would we allow them a monopoly on repairs in the interests of security?
