Back in November, Apple — one of the tech industry’s leading adversaries of the right-to-repair movement — finally caved to pressure from regulators and consumers and announced it would make parts and tools for its products available to the general public. Several months earlier, the Federal Trade Commission vowed to take manufacturers across all industries to task for unlawful repair restrictions, while encouraging the public to reach out and inform it of any shady practices. That followed the European Union’s own similar initiative, taking aim at companies that aren’t incentivized “to make more sustainable products” at the present.
The global right-to-repair movement has been progressing from strength to strength. The world’s top tech companies are beginning to relent, and even campaigns against such practices in highly specialized industries, like agriculture, are getting mainstream attention. So why are automakers still insistent on being such trolls about it?
They’ll tell you it’s because they’re concerned about your safety. By now you may have heard about Massachusetts’ “Question 1” ballot initiative, passed in November 2020 by an overwhelming majority of voters, almost exactly three-to-one.
The law requires “manufacturers that sell vehicles with telematics systems in Massachusetts to equip them with a standardized open data platform beginning with model year 2022 that vehicle owners and independent repair facilities may access to retrieve mechanical data and run diagnostics through a mobile-based application.”
It is now undergoing a drawn-out legal challenge from the Alliance for Automotive Innovation, a consortium of 37 automakers and suppliers. The AAI has been using scare tactics to make voters think this is a safety issue. We spoke with a number of experts who point to a different motivation: these manufacturers stand to lose a tight grip on a lot of exclusive business. At stake is a lot of money. At stake is a lot of control.
AAI members — among them BMW, Stellantis, Ford, GM and Honda, in addition to many others — maintain that they couldn’t meet the law’s requirements without massively compromising the security of data collected by telematics platforms like GM’s OnStar and Subaru’s Starlink. As of 2019, more than half of all new cars sold in the United States were wired for telematics.
It’s Not About Your GPS History
The nature of what that eternally nebulous, catch-all term includes — data — is perpetually being manipulated to twist the narrative here. Note that the law, as quoted earlier, mentioned only “mechanical data” and “diagnostics.” “Mechanical data” — though admittedly vague in its own right — is defined as “any vehicle-specific data, including telematics system data…used for or otherwise related to the diagnosis, repair or maintenance of the vehicle.”
However, deceitful ads like the one AAI aired in Massachusetts to influence the 2020 vote would have you believe a sexual predator could exploit this open platform to view an unsuspecting driver’s location history and up-to-the-second GPS coordinates at any given moment.
Manufacturers’ real worry here, of course, is that the exclusive data their service centers benefit from to alert owners of maintenance concerns over the air will be available to independent shops, winning third parties more business and slashing diagnosis times. Customers won’t simply default to the garage where they bought their car; they’ll compare all their options and go where they get the most for their buck.
The average dealership makes 50 percent of its gross profits from parts and service, so you can imagine why automakers are fighting Question 1 tooth and nail.
“It is important to recognize, repair work is not an inconsequential revenue stream for the automobile manufacturer,” Jon M. Quigley, Society of Automotive Engineers member and columnist at Automotive Industries, told me. “The OEM can monitor the historical state of the vehicle, including how the product may have been used or even abused. The combination of the self-diagnostics of the system along with the vehicle telemetry system makes it possible for the OEM to virtually explore the vehicle post-sale. This information is used to head off things that might lead to a problem in the future.”
What’s more, carmakers spent years developing their own proprietary systems to collect, store and monetize all this data — and they don’t want to see their investments go up in smoke. “The algorithms that are used for diagnostics along with the software to perform this anticipatory diagnostics, are often considered to be proprietary products, and that is not entirely wrong,” Quigley said. “From experience, even some of the data bus communications reporting this diagnostics information may be proprietary.”
Eric McGee, a software and network engineer at TRG Datacenters, homed in on automakers’ desire to guard their technology — an issue less discussed in the right-to-repair debate, as most of the conversation has centered on where owners take their vehicles when something goes wrong.
“With this new law it becomes difficult for the manufacturers to protect their intellectual property rights,” McGee told me. “Protection of proprietary rights is the biggest concern for manufacturers, and they are likely using privacy and cyber security concerns to distract the public from this fact. They don’t want to come out as selfish, profit-centric companies, and are using a concern the public cares about as cover to get what they want. Furthermore, citing cyber and privacy risks offers a stronger legal and moral justification for their opposition to the imposition of the law than protection of IP rights.”
Why Shops Need This Data
To gain a deeper understanding of how critical access to safely guarded data is for third-party repairers, I went to someone in the field. Dylan Turriago, an automotive locksmith at The Key Man in South Carolina, walked me through what’s required for him to do his job. Key programming isn’t directly pertinent to the telematics issue, but the hoops technicians are required to jump through are nevertheless eye-opening.
“The way we access the data to program keys is extremely high security and very well protected,” Turriago said. “One must be a member of the National Automotive Service Task Force. This requires a $400, two-year membership along with background checks, proof of business licensing and a one-million-dollar insurance policy. After that, we must pay for a subscription to each automotive manufacturer, sometimes per repair.”
Turriago said per-repair fees typically range from $15 to $30 for most automakers, though some also offer annual subscriptions. Those cost thousands but allow unlimited repairs for 12 months. Depending on how many cars of a particular brand The Key Man works on in a year, the annual route might save it more money, but Turriago told me the company often goes a-la-carte because those numbers often vary from one year to the next and are hard to predict.
“All of these auto manufacturers have specific websites called tech info websites. This is the same way the dealer accesses the data. When accessing these tech info websites, I’m required to use my NASTF (National Automotive Service Task Force) Vehicle Security Professional ID along with a rolling authorization password to log in. Then I must submit the customer’s documentation for proof of ownership of the vehicle.”
After all that and inputting another rolling password, Turriago says he’s able to view the key programming data for a minute. Then yet another rolling password is required, which changes every 20 seconds. Such work would be impossible if manufacturers didn’t provide a portal to independent shops like The Key Man, though the fact they’re allowed to charge — “sometimes per repair” — illuminates another opportunity at carmakers’ disposal to monetize information.
They’re not just making money off of owners and cutting out local shops; in some cases, they’re profiting off those businesses, too. And that’s just for those aspects of the vehicle they’ll let people touch. “Independent repair shops need this data to complete repairs for almost anything ECU related or car computer related,” Turriago explained.
This Won’t Be Solved Soon
We know car companies hold all this indeterminate “data” — quite possibly wider in scope than their customers would be comfortable knowing. We know they don’t want to give it up, because it makes them a lot of money. They’ve argued the “open platform” Question 1 mandates would risk drivers’ safety, even though the strength of that argument relies upon a complete misrepresentation of the data this law is actually meant to democratize.
They’ve also argued that such a system would be unconstitutional, because it would be impossible to design without compromising “the safe operation of vehicles within prescribed emissions limits” as required by the National Traffic and Motor Vehicle Safety Act and the Clean Air Act — both of which date back to the ’60s and are highly vulnerable to interpretation.
But the AAI hasn’t been arguing it’d be impossible to work together on a common system at all. These carmakers are just claiming they can’t do it now. (Pertinent comments bolded by author.)
During the hot tub, the Court asked each side’s experts whether OEMs could provide the inter-operable, standardized access platform required by the Data Access Law. Every expert agreed that OEMs could not. See June 16 Tr. at 41:21 (Smith) (“Definitely not right away.”); id. at 42:1-3 (Romansky) (“I think the elements of a solution are available, but they’re not assembled, and that has not been proven to all work together.”); June 15 Tr. at 198:24-199:2 (Romansky) (“I’m not aware of any [telematics systems] that fully comply with Section 3, correct.”); June 16 Tr. at 42:7-8 (Bort) (“I don’t think we can do that right now.”); id. at 42:10 (Garrie) (“I agree with my colleagues.”). Nothing in the documents changes the fact that OEMs cannot immediately comply with Section 3’s requirements.
Sure — they couldn’t immediately comply. Given mere months between the ballot measure being approved and 2022 model year vehicles going on sale, that’s hardly surprising. It was frankly unreasonable to expect automakers to cobble something together in the better part of a year even if they hadn’t been spending all their resources fighting the new law. In a perfect world where AAI members were approaching Question 1 with the purest of intentions, it’d still take far longer than the flip of a switch.
“Creating the type of open platform required to comply with this new law will be a significantly arduous task for most car makers,” McGee told me. “The platform will need to cover all the different cars and models that a particular manufacturer makes, and everything within this platform will need to be standardized. The duration for compliance is also quite short when you consider how much work each car manufacturer has to do on their platforms to make them compliant with the law.”
Mike Branch, data and analytics vice president at fleet telematics company Geotab, stressed that while not all automakers collect the same amount or type of data, they all collect it nonetheless. At that point, designing a secure app is “as challenging and time-consuming as the intended feature set.
“If one applies privacy-by-design principles to the application design, privacy concerns can easily be addressed,” Branch added. “For instance, as a repair shop, they may want to evaluate the cranking voltage of a battery to determine if there is a battery health issue. An individual doesn’t need any access to location data in order to do so. How many times have you taken your vehicle into the auto shop and they’ve needed to know the full history of your vehicle’s location? When privacy-by-design is employed, these applications can be hugely beneficial to the consumer, decrease time-to-market and maintain privacy compliance.”
In other words, manufacturers can spare themselves these self-inflicted headaches if they stick to the data that actually matters here — just like the ballot question originally intended — and leave all the especially sensitive stuff out of it. The only way the worst-case scenario in the AAI’s ad is going to come true is if automakers go out of their way to design an easily-exploitable platform populated with sketchy stuff absolutely no one is asking it to account for, like your daily trips. If anyone gets stalked as a result of this, it’ll be the AAI’s own fault.
Where We’re At
Still, all this stonewalling has been effective for the alliance. A new bill proposed in the Massachusetts legislature would push the compliance date to 2025 model year vehicles, to buy automakers more time to get the platform in order — or, just as likely, continue to fight the will of the public.
Jalopnik reached out to the AAI about its position on a MY2025 compliance date, and the group responded that it is “unable to comment on pending litigation.”
Meanwhile, Subaru and Kia have deactivated telematics for Massachusetts-registered cars only. The AAI is shrewdly using those moves to turn voters against the law, saying they “were never told that a vote for the ballot initiative was a vote to get rid of telematics” — even though Subaru and Kia could have just as easily worked to comply with the initiative, rather than avoid it. For what it’s worth, GM confirmed to Jalopnik that OnStar is still available on its latest Massachusetts-sold vehicles.
In short, whichever way this goes, it’s going to drag on for quite a while.
“I’m honestly not certain that right-to-repair laws and telematic data can co-exist, with the way the laws are written at the moment,” Julie Bausch, managing editor of NPR’s Car Talk, told me. “The burden on the manufacturers to somehow standardize the offerings across all makes and models is not an easy fix. There will be a few more fights about this, in the future.”
In the meantime we’ll keep a close eye on Massachusetts, as it could very well inform the future of right-to-repair as it pertains to cars. It’s worth mentioning that the Bay State has led this fight before. Its 2013 right-to-repair law later formed the basis of a national “memorandum of understanding” that allowed repair shops to get access to the same tools and diagnostics as dealer service departments — provided manufacturers could keep the wireless stuff all to themselves. That’s where we’re at now, but at least history offers reason to be optimistic.