
Question 1 isn't really about letting violent men stalk and rape women

WBUR explains Question 1 is about access to engine and mechanical data that newer cars store - not location data, despite claims by its opponents, who have put up that ad about how its passage will let sexual predators hunt you down in a deserted parking garage and then lock your car so they can have their way with you.


Comments

If car manufacturers are that scared of hackers exploiting the wireless access to car computers, they should stop including it as a feature. Or allow the customer to opt in or out, which would be part of opening up the standard.

up
91

A law should mandate opt in only with no hidden agreement in the paperwork you sign when you get the car.

There is no reason for any car to be sending data back to the manufacturer or dealer without the car owner's active consent.

And irrespective, the idea that some local car dealer is able and willing to safeguard your personal data is laughable. These guys get hacked all the time. You think the "Rt. 1 automall" employs the brightest minds in data security?

up
51

Question 1 would require them to start from scratch, and create one single standardized open platform that connects to every vehicle and a single app.

Question 1 creates no safeguards for this platform or app. It has no language on who creates it, maintains it, pays for it or protects it, other than to say manufacturers cannot be involved with it.

The National Highway Traffic Safety Administration (NHTSA) wrote to MA legislators in July that this is the exact wrong way to go:

“A non-standardized approach provides cybersecurity benefits such that the scale and potential consequence of any specific cyberattack is inherently reduced. Having more vehicles with a common architecture—especially if that architecture provides a link between external connections and in-vehicle components—means that a single successful malicious cyberattack could have much wider scale of consequences because it can affect a larger number of vehicles.”

up
12

Why is all this okay when car dealers do it already?

After all, car dealers have this ... issue ... with trust as it is.

up
32

Any information necessary to diagnose and repair a vehicle that is only available through telematics and is made available to dealer repair shops MUST be made available to independent repair shops. That is specifically addressed and required by the existing law:

(f) With the exception of telematics diagnostic and repair information that is provided to dealers, necessary to diagnose and repair a customer's vehicle and not otherwise available to an independent repair facility via the tools specified in paragraph (1) of subsection (c) and paragraph (1) of subsection (d), nothing in this chapter shall apply to telematics services or any other remote or information service, diagnostic or otherwise, delivered to or derived from a motor vehicle by mobile communications; provided, however, that nothing in this chapter shall be construed to abrogate a telematics services contract or other contract that exists between a manufacturer or service provider, an owner or a dealer. For the purposes of this chapter, telematics services shall include, but not be limited to, automatic airbag deployment and crash notification, remote diagnostics, navigation, stolen vehicle location, remote door unlock, transmitting emergency and vehicle location information to public safety answering points and any other service integrating vehicle location technology and wireless communications. Nothing in this chapter shall require a manufacturer or a dealer to disclose to any person the identity of existing customers or customer lists.

As you can see, telematics information NOT necessary to diagnose and repair a vehicle, such as navigation, is explicitly prohibited by existing law. Question 1 would change that.

This is good:

Question 1 creates no safeguards for this platform or app.

The MA legislature shouldn't be in charge of determining security processes. There's no reason that the system can't be encrypted and only accessible to the vehicle owner. At this time, most vehicles are not encrypted and the only security is that it's annoying to figure out what message means what.

Despite that, there is a community of people that decodes the messages anyway. You can find tons of information posted on GitHub.

I haven't read through the whole question, so I haven't made up my mind, but "security by obscurity" is the absolute worst method.

would require them to start from scratch, and create one single standardized open platform that connects to every vehicle and a single app.

This is just not true. It requires only

the prospective owner’s ability to access the vehicle’s mechanical data through a mobile device

I'm not sure I like that particular requirement, but that does not require the underlying system to be rewritten from scratch, nor does it require a single app. A simple interface could access the important information and relay that to the user.

Personally, I think the mobile requirement is a bad idea. It's hard to hack things to do what you want, but it's relatively easy to hack things to not do what they are meant to do. I'm not worried about somebody gaining access to my car and driving it all around town, but DoS'ing it so there's lag in my control could still kill me. I'd prefer hardwired access in a clearly visible place.

The NHTSA's comment isn't wrong, but it's silly to deny people the ability to maintain their cars only so that auto manufacturers can use security protocols that are less than the web browser you are currently using to view UHub.

up
22

I'm a software architect with over twenty years of experience developing enterprise software, with many years in the financial sector and several researching malicious software. This is a ridiculous argument that a single standard is less safe and is patently false. You're talking about security by obscurity which is seldom a good strategy.

Most of the world runs on common standards. If you log into a website or pay with a credit card, use an ATM, etc., you're relying on a common standard. The mass adoption and openness is exactly why these standards are safer. When you have a group of 5 engineers writing proprietary software against thousands of malicious actors trying to find flaws in it, they're vastly outnumbered. An open and common standard levels that playing field as thousands of experts review and address flaws on a continuous basis. There is an incentive for everyone to find and fix flaws.

In a closed system you risk a company ignoring a fix to a known flaw due to the cost of implementation and patching it. Other times they don't want the bad PR that comes with acknowledging it in the first place. This is why we see so many data leaks uncovered by third parties, in many cases the companies knew about them for months but did nothing.

That's assuming the people at these car companies are concerned with or care about security in the first place. In the many many years I've spent working in the industry I can assure you that most product owners don't want to spend time on fixing security and tech debt at the cost of time lines shifting. There is constant and enormous pressure to cut corners. I can promise you that Ford or GM aren't going to delay the launch of their new car because they're waiting on the software team to fix all their bugs.

up
49

From NHTSA: "Look, we tried using a common national standard for roads, and look how dangerous driving turned out to be!"

up
12

Quite honestly the statement from the NHTSA is akin to your financial advisor recommending that you bury your life savings in a random spot in the woods rather than trusting a bank because it's public knowledge that banks store your money in vaults.

Connor - Would you please mind disclosing your lobbying ties to this question? Thanks.

up
17

That is in the very first sentence of my response post.

Identify which response post you mean.

up
10

It's his top level post below this one.

Here to respond as the spokesperson for No on 1/the Campaign for Safe and Secure Data, which, yes, is funded by automakers.

I'm not sure I agree with the representation and analysis of the question, but he did state that he's here as an official spokesperson.

Who are also software engineers and architects, why are you making completely wrong and factually incorrect claims in your opposition? Why don't you answer any of the criticism and questions asked of you?

up
13

I am responding to as many issues and questions as I can.

Hi Conor,

Can you please list where your funding comes from?

It is major automobile manufacturers, correct?

Thanks,

Concerned citizen

Some bean counter heard about 256 bit encryption and likely said "WOW. That's a lot of bits. Must be 256 better times 1 bit encryption.".

Vice has a great video of some guys hacking a Jeep as it's driving down a highway:
https://youtu.be/MK0SrxBC1xs

Other reports have also shown thieves exploiting RF keys:
https://youtu.be/zIveLwq0p5o

Pols thinking that they can deter, or even stop this by creating laws, are wasting tax payer money.

This is my final post on this topic. Question 1 opposition by vehicle manufacturers is dumb.

It's also about being able to fix other electronics such as computers and cell phones more easily. For example, Mac laptop batteries are designed not to be user replaceable, but with this new law, I believe they would be. So instead of having to send out your laptop and spending $300, Apple would have to redesign it so that you'd be able to buy a new battery and just pop it in yourself.

up
33

Of just not buying Apple products, we're going to voluntarily involve government force in the transaction?

up
12

Picture in this scenario government as a body with arms and legs. It is simply pushing its arms open to keep space open for you and keep companies from encroaching on your rights.

I get the disdain for government control but in this case "government force in the transaction" is an emotional distortion.

up
23

don't you think that a company's ability to control your use/repair of a product should end when they sell it to you?

up
18

We need to defend the right to repair or corporations will use government forces to eliminate it.

Vote YES on question 1.

up
35

For smartphones you have three choices: Be submissive to Apple, be submissive to Google, or don't own a smartphone.

Boycotts don't work when there are no alternatives. They are monopolies.

Voting with your wallet is not a replacement for voting with a ballot.

up
38

Google phones provide me the same services as the Apple phones, but for cheaper.

Apple is a business only because status consumerism is a thing.

I have no love for either company. Google is "cheaper" because they are selling your personal data to everyone. You are not their customer, advertisers are.

Apple is a bit better about keeping personal data personal but in exchange they want full control over your device. They demand to be the gatekeeper and sole decider of what you can and can't do with your phone.

If the people writing the laws had any spine they'd prohibit Google from collecting data unchecked. Meanwhile, Apple should be prohibited from being the sole middleman between the phone and developers.

up
36

You are google's product, not their customer.

up
22

There is a third option that does exist, and takes owner privacy seriously. Made by Purism.

https://puri.sm/products/librem-5/

"Librem 5" phone is popular with privacy enthusiasts. Supply can't keep up with the amount of sales that this phone is getting.

I've almost eliminated Apple and Google products from my life. Some sites, and services make it nearly impossible to get away from either one of them.

I love the concept but that phone is not a viable option. It's not even shipping according to the website. It also won't work with Verizon (my carrier) and lacks a number of features. Since it won't run iOS or Android applications, it can't be used in place of any service which requires a smartphone app.

The quickest way to get phones like that to be mainstream is to support laws that regulate Apple and Google.

up
14

Owners do have them in-hand now, and they're being used. Going extreme privacy requires somewhat of a life change. You're right, many people won't do it. I've managed to wean many of my daily tasks off of Google. It's an ongoing effort.

It's a nice idea.

But in the direction our society is heading, where you can't even get food at Herb's Burritos without installing the Herb's Burritos app, how will it work for a phone OS that isn't widely supported?

I'm guessing you don't remember when you couldn't buy a phone or service from anyone but AT&T...

You can now. Hint: This isn't because there was a boycott.

up
16

That's not analogous to this.

You couldn't buy a phone from AT&T either. You had to rent it.

That would be nice. But this ballot question is very clearly about vehicle telematics systems, so it would not affect laptop batteries.

up
10

"Right to repair" as a general concept is about any sort of manufactured product and in general it is a good idea, but this ballot question (and for that matter the one from 2012 that is currently law) is specifically about motor vehicle diagnostic data.

up
10

No other electronics are covered under Question 1. That is a completely separate issue.

Question 1 is NOT about Right to Repair. Right to Repair for vehicles is already law in Massachusetts, and has been since 2013.

Question 1 only covers vehicle telematics systems. It does not cover any other electronics.

up
10

Oh, bummer.

I replaced the battery in my Mac. Micro Center in Cambridge sells them.

Do you have an older Mac? I replaced the one in mine from 2011 and it was like doing surgery: 25 steps to take the computer apart and 25 steps to put it back together, and I needed some specialized tools to do it.

I was leaning toward "yes" anyhow, but that sort of fear-mongering by people who want me to vote "no" clinches it.

up
68

The people already expressed their will on this issue several years ago.

The legislature should have fixed any issues with the law instead of kicking this back to Referendum2. But because they were too cowardly to do so, we are left with this campaign full of lies. What a disgrace. I can't believe we pay these people to write and pass laws.

up
57

Well, they hardly pass laws. See this 2020 session with multiple bills just stuck in committee. They need lots of time to campaign, you know.

The people behind Question 1 filed for a ballot question before their legislation even had a hearing.

They never had any intention of letting the legislature work through this.

on that basis alone.

How stupid do they think we are, that all these stalker resources are an integral part of maintaining our cars. If my safety is at risk, it is because of the car maker, not a local mechanic.

The funny thing that they don't put in the commercials is the black box aspect. If there is a crash, your car knows how fast it was going and what you were doing.

up
32

Per post above, this is about the open access platform that would be created by Question 1.

I trust my local mechanic a hell of a lot more than the car dealer who lost my registration and lied about it.

up
29

And nothing in Question 1 would change your ability to get your car fixed by your local mechanic.

A NO vote on Question 1 keeps the Right to Repair law the same. The existing law already ensures that independent repair shops have access to all the information they need to diagnose and repair your vehicle.

dealer who wouldn’t allow my mechanic access to the computer on my 535. The HID articulating headlight that repeatedly died during the warranty suddenly needed to be replaced by a dealer only for $5,000 once warranty expired. They’re behaving like thugs. (BTW, didn’t Brockton used to have a politician named Yunits?)

BMW of America. Ever replaced a $5,000 headlight? Quite the experience.

The two campaigns have made for a great point/counterpoint.

Point: It's your car, you should be able to decide who repairs it.
Counterpoint: Why would you want to be stalked and raped?

up
36

Should be played by Herb Chambers.

up
20

That is covered under the existing Massachusetts Right to Repair law, which has been settled in Massachusetts since 2013.

A NO vote on Question 1 makes no changes to the law.

without fully understanding the issue, which is that car manufacturers are using a LOOPHOLE in the existing law to get around it, that being wireless information transfer and an app one must use to get that wirelessly transmitted information. The eight year old law you cite only deals with OBDII compliant vehicles that extract codes with a WIRED DEVICE you PLUG into the car under the dash. Since then companies have come up with this wireless bullshit and hold the keys to the apps to get that information.
If people are worried about getting their cars wirelessly hacked they should seek to BAN that technology altogether. There is absolutely no reason for it, other than skirting the current right-to-repair laws. To retrieve ANY info from a vehicle you SHOULD need access to the inside of the vehicle, meaning the keys from the owner whose property the vehicle is. The entire argument over the wireless transmission of this information is a problem created by manufacturers hell bent on keeping you at their mercy until the car is over 10 years old.
So NOT changing the existing laws means all cars newer than say 2013 will be particularly hard to find an honest place to repair it at (hint: NO car dealership on the face of the planet operates honestly).

I have no skin in this game since the newest car I have ever owned was a 1997 model. Modern cars are rubbish. For all the advanced tech they offer, all the "safety" features and cameras and self-braking and lane assistance....aka making humans LAZIER and less aware of their surroundings...they cost a fortune to fix when some un-necessary system failure makes the entire thing inoperable or unable to get a safety inspection sticker.

On a much simpler base level a YES vote helps small independent business and a NO vote helps big corporations with trade groups and lobbyists paying for scare-mongering ads about rape and stalking when we are talking about NOX emissions readings from a fucking vehicle CPU.
The choice is pretty clear if you're not a capitalist bootlicker.

up
43

Thank you, Marco, for pointing this out. The "No On 1" contingent wants us to believe that car manufacturers will continue to use the OBDII port for all information, despite the prevalence of wireless options now. A shift to wireless transmission of this type of data would exclude local shops from being able to diagnose problems.

That is why I'm voting Yes on 1.

up
12

Conor, if you had led with ads that made THAT argument, I'd be more willing to listen. When you scare people, or try to, you are going to get a fight or flight response. Unfortunately for you, it isn't always flight.

I like facts, I like data, I like references. A good argument lets me prove to myself you are right. A bad argument makes me not want to listen at all.

up
10

Adam may I ask you be more thoughtful about what language like "have their way with you" implies, even if such people doing such things is not something you would ever support. It is reinforcing the sexualization of predation of women. Thanks

And then I watched the video again, and, really, it's pretty much that cliche: Young woman, alone, defenseless, in a deserted parking garage at night. Whoever's behind it is the one that should answer for it, and I'm not sure how I could write about it without pointing out what the ad explicitly says (which is nothing at all to do with "telematics").

up
34

n/t

Did you watch the ad linked in the original post?

up
12

n/t

Thank you for taking time out of your busy schedule to serve as arbiter of the culture on these comment pages. I'm sure that we all have much to learn from you.

up
11

To be fair, the No on Question 1 people are not singling out "violent men", but sexual predators of all genders.

Funny how a simple initiative about plugging a loophole in a car repair law got morphed into OMG STALKERS!

I keep waiting for an ad with children tied up in the basement of the local pizza joint, because Question 1!

up
28

The auto makers know that if this passes in Massachusetts, it basically opens up the technology for all car owners NATIONWIDE. They can't engineer the software to say "you're in MA so it's open to you" and stop it in the other 49 (and DC). Interstate commerce and all....

The original ballot measure on open access, it opened the door to all car owners to get the benefit of seeing the OBD codes to anyone with the scanning equipment.

If it were an innocuous measure, they would not be pouring $ millions into trying to defeat the bill.

up
11

But perhaps there are other ways to make that argument than with an offensive, lying ad.

up
15

From Domestic Violence and Sexual Assault prevention advocates in both California and Massachusetts.

Wow, then I guess the whole thing is completely beyond reproach--my bad.

up
11

This is an attempt at fear mongering. Best thing to do is take down an ad this dumb. Way to target less educated voters. Congratulations.

Here to respond as the spokesperson for No on 1/the Campaign for Safe and Secure Data, which, yes, is funded by automakers.

First, on the location data - it is absolutely included, and the best source for that information is the main group behind Question 1.

Question 1 requires the creation of a mobile app that links to an open access platform connected to all connected vehicles in Massachusetts (beginning with model year 2022).

The Auto Care Association, one of the lead funders of Question 1 and the group who has been pushing this idea nationally, has been presenting at trade shows and showing exactly what they want the app to look like. Their app includes location and behavior data. The Yes on 1 group is flat out lying when they say they do not want location data.

Second, on the risk of sexual assault/domestic violence. This is not about local repair shops. Again, Question 1 creates an open access platform that can be accessed through a mobile app. It will present an easy, high level target.

Here is what Jane Doe Inc, the Massachusetts Coalition Against Sexual Assault and Domestic Violence told the legislature in January about Question 1:

These proposed changes to the 2013 Motor Vehicle Repair Law raise serious safety and privacy concerns for victims and survivors of sexual and domestic violence.
1. Although the bill language states that the information will be stored “securely,” it is not clear what cybersecurity measures will be put in place to protect an individual's data on the open access platform.
2. Vehicle data is currently stored with the vehicle manufacturer using computer code that is not readily readable. An open access platform where vehicle data is stored in a readable format raises concerns over who can access the information and how that information might be used.

JDI raises specific concerns regarding the potential for abuse to be perpetuated through the availability of readable vehicle data through a phone application and the ability to send in-vehicle commands. Technology is increasingly used to perpetrate sexual and domestic violence. Access to vehicle data, particularly call logs and GPS location, enables persons who perpetrate abuse to possess the tools necessary to track and monitor their victim. Additionally, the ability to send commands to the vehicle raises concerns about the ability of persons to shut down vehicles while in use.

I mean, seriously. You think we all suck q-vapors and are going to believe that Q1 is just a front for the adrenochrome industry?

You sound reasonable here - way off base IMHO because dealers can already get this information, but reasonable. But your organization's ads are sexist, stupid, patronizing, and pissing off a lot of people.

up
35

We have to make a number of different points. This is a complex proposal that the other side has not been honest about.

For example, 99.99% of funding for Question 1 comes from $35 billion Missouri-based O’Reilly Automotive, $27 billion Tennessee-based Autozone, $10 billion North Carolina-based Advance Auto Parts, the Auto Care Association (ACA) and the Coalition for Auto Repair Equality (CARE).

Both ACA and CARE are led and funded by the retail auto parts industry and aftermarket parts manufacturers. ACA’s Chairman is the CEO of a private equity-owned auto parts supplier, and CARE’s Chairman and President are the CEO of NAPA Auto Parts and the VP of Government Relations for AutoZone, respectively.

This is not about local repair shops, and it is not about Right to Repair. This is about major national retail chains that want access to your vehicle information.

100% of the funding for your cause comes from automakers and their chief lobbying organization.

Ballotpedia link

Source: https://www.ocpf.us/Filers/Index , search for "Coalition for Safe and Secure Data"

up
26

The retail auto parts industry and aftermarket parts manufacturers are exactly the people I would expect to have an interest in car owners and independent mechanics being able to fix cars. There is nothing the least bit shady about their spending money to advance that ability. The 'No' campaign's innuendo-dripping ad campaign, on the other hand, is really sleazy.

up
17

You're asking us to trust local car dealerships and not trust national autoparts companies. Why?

This is about money, not safety. If this passes it's bad for automakers bottom line. Don't pretend they have any other motivation.

up
16

Yes, our organization is funded by automakers. That has always been clear. The other side has consistently tried to hide their funding. Their original campaign finance report hid $3 million in funding from O'Reilly, Autozone, etc. They only updated with the correct information after we called attention to it in the press.

I like being able to buy parts at O'Reilly, Autozone, etc. for my vehicles. Pointing this out is pointless.

up
15

Yes, as you've said. But why should automakers "win" and autoparts dealers lose? Are you honestly suggesting Ford cares deeply about my personal safety and finances? (And that Autozone wants me stalked?)

Given that you're saying women will be raped if autoparts dealers are able to access car information it's cute how you're accusing them of being deceitful.

up
14

And hiding their true funding source. We are asking to keep the law the same. The burden of proof is on the side trying to change the law. They have yet to provide an example of why it needs to be changed.

Burden of proof? This isn't a criminal case.

Autozone obviously wants to be able to sell repair services and parts. Your side wants to lock them out of that market. It's that simple.

For MY car I want full control over where and how the diagnostic data gets sent. You are arguing that you, not me, should have that authority.

up
15

The burden of proof is on the side trying to change the law.

Whatever you say, counselor.

It reminds me a lot of this hilarious ad put out by the No on Question 4 folks in 2016, when the question to legalize recreational cannabis was on the ballot. I'm pretty sure it backfired and helped the Yes on Question 4 side. Scare tactics like this usually make people vote against whoever puts them out. They treat voters like idiots.

These stalker ads are practically the only ads I have seen in months. I have never watched one past the "skip ad" trigger. It took me all of five seconds to get suspicious: who is paying for ALL THESE ADS, and why do they want so badly for me to fear for my safety while going about my normal life as a woman?

When I finally saw an article explaining what they were about it was almost beside the point. Offensive, misogynistic scaremongering will never get my vote.

Now watch the shill come back with "well we expect other women to be stupid enough to fall for it, don't get so offended. You just haven't seen the ads for smart people!"

If this tech is dangerous, leave it out of my car. Some of the creepiest creepertons I've ever encountered have worked at dealerships and would still have easy access to my info, so giving dealers a theoretical monopoly on stalking and assault does not make anyone safer.

There is no good argument for opposing Question 1. Every consumer needs to have the right to do as they so please with a product that they purchase. To lock consumers into a system that favors a manufacturer is unfair. If a consumer wants to give up their privacy, which many willfully do on a daily basis, then that's their right to choose. This idea that privacy exists, and can be protected by larger corporations is entirely false, and misleads the public. It took me all of a couple of minutes to learn that Conor has declared a homestead somewhere in MA (I will not provide the address, and I have never met Conor), with the numbers 307 being a part of it. The number is only added here for Conor to realize how much he doesn't know about privacy. If he can't protect his own, what can he do for ours?

Yes on Question 1 will be my vote.

up
19

Question 1 allows for two-way access to vehicles. It's not just about gathering information. It also allows for pushing information to vehicles.

A NO vote on Question 1 keeps the Right to Repair law the same. The law already guarantees you can get your car fixed wherever you want and local repair shops get the same information as dealer repair shops.

That won't change no matter what happens with Question 1. According to Bill Hanvey, President & CEO of ACA, the main funder of Question 1, there are 15 times more local repair shops than dealer repair shops in the U.S., and his colleague, Paul McCarthy, President and COO of the Automotive Aftermarket Suppliers Association, also a major supporter of Question 1, says: “There’s simply not enough capacity in the automaker system to repair these vehicles.”

The best part of this is here

In an interview, Coalition for Safe and Secure Data spokesman Conor Yunits contended that the "sexual predator" threat raised in his group's ad remains valid. He said the "mechanical data" language in Question 1 could be interpreted to include location information because driving in certain environments — the salty sea air of Cape Cod, for example — may corrode parts of a vehicle.

So, he's basically saying that mechanical data counts as location data because the imaginary stalker/hacker could infer location from the corrosion. So, the stalker has now pinpointed the location of the car to... a coastal area?

Ha?

up
23

Of how the case could be made that location data is related to mechanical data one time. Once that door is opened, it is impossible to close.

I'm not sure that speaks very highly of your point. What practical or useful knowledge does a malicious entity gain from maybe being able to infer that someone who owns a car has maybe driven it in a coastal area? (on the East Coast especially!)

If this is really private information that needs to be protected, I'm wondering why we don't have a campaign out to protect us from the dangers of parking stickers, town beach permits, or decals for ski resorts, all of which I see regularly on cars and immediately give much more detailed information about places where those cars regularly drive to much more than the mechanical data would.

up
15

Of how one could argue that location data is relevant to repair, not an example of how the information could be used maliciously.

Isn't the whole "sexual predator threat" thing based on someone using this information maliciously? Why is that part of your ad campaign if you're not actually willing to make this argument?

up
10

You are specifically asking me about the example I gave to WBUR, which was in response to a question unrelated to the ad or that argument.

"Scout's honor, I was doing 200MPH across the Bonneville salt flats all last month. That Yunits guy said I was on the Cape, but I was at the salt flats...".

I understand many of you disagree with us. I appreciate you letting me make the case.

At least, some of us do. For the record, I now have all my car service done at the dealer. It usually costs more, but sometimes they give me a really good deal. For years, I went to an independent, but he sold the shop, and the new owners pulled some questionable crap that made me not want to go back. Finding an honest mechanic can be difficult. I know there are also dealers who cheat customers, but the one I go to has always been good.

All that said, I'm going to vote 'Yes.' People who've managed to find a good independent should be able to have that garage do all the work on their car.

All that said, I'm going to vote 'Yes.' People who've managed to find a good independent should be able to have that garage do all the work on their car.

Is that not true today?

Has anyone ever taken their car to an independent mechanic who said "sorry, but I don't have any way to talk to your car's computer so I won't work on it"?

Yes. Even before 2012 there were mechanics with shops that didn't have expensive diagnostic equipment.
You understand there was a time when cars were repaired with basic hand tools, a light bulb with a couple lengths of wire, and good hearing, right?
In over a hundred years of internal combustion engines' existence not much has changed except the bells, whistles, and electrical sensors tied into a "brain" that controls timing/fuel delivery. You used to adjust that all with a flat head screwdriver.

Working in software and having a minor interest in cars, I spent some time looking into the aspects of this referendum. The conclusion I reached is that I'm voting No, despite that putting me in the same boat as the "beware! rapists!" ads and car manufacturers.

The outlined software and access requirements detailed in the referendum are not realistic nor secure. And if the car manufacturers rushed the work to meet the nearly impossible deadline, then the system would be even less secure. Furthermore, once you have thousands of cars on the road with these less secure systems, when patches came out later to fix the insecurities, nobody would take their car to the dealership to get the patches. People barely update their laptops on time and that just means restarting it once in a while and waiting a few minutes.

So, while I am completely for improving customer access to detailed information in the computer that drives them around sometimes and I'm all for making it universal and easy for any mechanic to use such an interface to diagnose your car's problems rather than requiring them to have multiple different tools for multiple different brands for multiple different models and years, etc., this is not the way to do it as described in this referendum.

It was well intentioned, but badly drawn up. Federally, we should mandate some key parameters and define the framework and everything and then enforce it in a time frame reasonable enough to get it into future cars.

The outlined software and access requirements detailed in the referendum are not realistic nor secure.

The requirements don't reference anything that is inherently insecure. Open standard doesn't mean open access to the information for everyone.

And if the car manufacturers rushed the work to meet the nearly impossible deadline, then the system would be even less secure.

This is the key point (IMO). If they try to do this in less than one year (which is basically what's required for 2022 model year) then it will not be done safely.

It was well intentioned, but badly drawn up. Federally, we should mandate some key parameters and define the framework and everything and then enforce it in a time frame reasonable enough to get it into future cars.

I couldn't agree more with this. I wish I could believe that it would happen.

Wireless access is unnecessary and insecure inherently in comparison to a wired connection.

If you have a wireless access point in your car, I can access it as long as I'm anywhere within range. If you're talking to your car's wireless access point, I can copy whatever is going between you two. If you're trying to connect to your car wirelessly, I can pretend to be your car and lie to you. You can put encryption and security in place, but those can be beaten or backdoors found. Furthermore, neither encryption nor firewalling nor other security options are mandated in the referendum (which goes back to my point of well-intentioned but totally inadequately drafted).

There's absolutely no reason your mechanic would need a wireless solution. It adds tons of unnecessary risk while providing a very mild convenience considering if your mechanic is working on your car, he can open the hood and plug into an outlet. It could even be a physically locked-alike location that requires the car key to unlock it. People can't even properly lock or hide their WiFi at home and you want them to manage their car's WiFi better than that just so the mechanic doesn't have to bend over to learn why the motor warning light is on?

up
10

First of all, I have not said I think this is a good measure, just that your claim that open standards are insecure.

At least for high-end cars, most already have wireless connections, so this isn't going to change that at all, just require an open standard for that connection.

People can't even properly lock or hide their WiFi at home and you want them to manage their car's WiFi

No, I don't. With my wifi, I can choose from multiple security options (including none) and any password. There's no reason that every wireless connection should allow that. Personally, I'm not a fan of allowing any wireless connection to vehicles. I would prefer that be made completely illegal. Again, wireless connections are already being used.

Furthermore, neither encryption nor firewalling nor other security options are mandated in the referendum

Good. Since that technology will always be changing, it shouldn't be legislated. I suppose they should add the word "secured" in front of the requirement for a wireless connection so that a jackass lawyer doesn't argue that the car manufacturers had no idea that they should think about security.

If you're talking to your car's wireless access point, I can copy whatever is going between you two. If you're trying to connect to your car wirelessly, I can pretend to be your car and lie to you. You can put encryption and security in place, but those can be beaten or backdoors found.

Can you? If it's encrypted it will be meaningless. I agree that any connected device (connected to the internet or any wireless system) is less secure than one that isn't, but (again), cars are already connected devices.

Backdoors don't get "found", they are built. Using Elliptic Curve Cryptography, certain parameters can be chosen so that any group knowing about those parameters could break the encryption. However, most encryption standards are open standards which means it's hard to get away with that. The NSA did it about a decade ago and people found out and started switching to a new standard. I want to emphasize that the NSA didn't find a way to break the encryption, they helped create a standard that they knew they could break and thought would look hard to break to everyone else.

I want to preface this next statement by saying that A) I agree NO wireless access is best and B) the time frame in the ballot question is too short.

It would be a trivial task to design a system that uses extremely strong ECC to encrypt all transmission of data, require physical connection for sharing of all keys*, and completely lock off two way communication for critical systems. It won't be 100% secure, but we are not currently working in a world where your vehicle is anywhere near 100% secure.

* Technically, you could probably get around this, but you would need to convince users to install hardware... which will always be a way around physical connections.
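
The design sketched in the comment above (keys shared only over a physical connection, elliptic-curve cryptography on the wireless link, critical systems closed to wireless commands), as an added example that is not part of the thread or any manufacturer's code. It covers the signature checks only and leaves transport encryption out; the command names, `VehicleGateway` and `toolRequest` are hypothetical.

```javascript
const crypto = require('crypto');

// Hypothetical allowlist: the only commands served over the wireless link.
const WIRELESS_READ_ONLY = new Set(['READ_DTC', 'READ_COOLANT_TEMP']);
const newKeyPair = () => crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const signed = (nonce, text) => Buffer.concat([nonce, Buffer.from(text)]);

class VehicleGateway {
  constructor() {
    this.keys = newKeyPair();
    this.pinnedTools = new Map(); // toolId -> public key, written only during wired pairing
    this.seenNonces = new Set();  // rejects replayed requests
  }
  // Key exchange happens only with physical access (modelled here by a flag).
  pairOverWire(toolId, toolPublicKey, physicallyConnected) {
    if (!physicallyConnected) throw new Error('pairing requires the wired port');
    this.pinnedTools.set(toolId, toolPublicKey);
    return this.keys.publicKey; // the tool pins this to recognise the real car later
  }
  // Wireless request: the tool signs nonce || command with its paired key.
  handleWireless(toolId, nonce, command, signature) {
    const toolKey = this.pinnedTools.get(toolId);
    if (!toolKey) return { ok: false, reason: 'unknown tool' };
    if (!crypto.verify('sha256', signed(nonce, command), toolKey, signature))
      return { ok: false, reason: 'bad signature' };
    const id = nonce.toString('hex');
    if (this.seenNonces.has(id)) return { ok: false, reason: 'replayed request' };
    this.seenNonces.add(id);
    if (!WIRELESS_READ_ONLY.has(command))
      return { ok: false, reason: 'not allowed over wireless' };
    const body = `${command}=constructed-sample-value`;
    // The car signs nonce || reply so the tool can reject an impostor.
    const sig = crypto.sign('sha256', signed(nonce, body), this.keys.privateKey);
    return { ok: true, body, sig };
  }
}

// Tool side: sign the request, then check the reply against the pinned car key.
function toolRequest(gateway, toolId, toolKeys, pinnedCarKey, command) {
  const nonce = crypto.randomBytes(16);
  const sig = crypto.sign('sha256', signed(nonce, command), toolKeys.privateKey);
  const res = gateway.handleWireless(toolId, nonce, command, sig);
  if (!res.ok) return res.reason;
  const genuine = crypto.verify('sha256', signed(nonce, res.body), pinnedCarKey, res.sig);
  return genuine ? res.body : 'reply not signed by the paired vehicle';
}
```

A tool whose key was never paired over the wire gets `bad signature`, and a reply from any gateway other than the paired one fails the tool-side check.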

I work in software too, but I don't really follow your point. There's nothing inherently unreasonable about the proposal. It will be expensive for car manufacturers to implement correctly, but that doesn't strike me as a good reason not to mandate it.

I haven't seen anything that suggests to me the current state is more secure, especially if your contention is that the manufacturers lack the will or ability to do it right. I think these companies tried to create an anti-competitive system to corner the repair market, and the high cost penalty on them of disallowing that shouldn't be a consideration when I vote.

Sure, a perfect federal system to handle all of this would be great, but that's not the decision in front of us. I'll always vote against allowing these companies to hold their products hostage with proprietary software or by limiting data access.

It will be expensive for car manufacturers to implement correctly, but that doesn't strike me as a good reason not to mandate it

If it's expensive to do, they won't do it. They'll meet your mandate but not do it correctly. The end result will be a disaster. Additionally, any future patches to match any future laws you put in place to fix all the ways they attempted to skirt the "true intent" of your mandate (but would have cost them more money initially) will require people to update their car's computer...which won't happen except for the super-vigilant (or the ones going to the dealership every time anyways). Compare this to how many people drive around with 10 year old maps in their car's computer.

So, if you're going to mandate it, you should craft a law. You should get a consumer protection committee to define the requirements to meet the law. You should do this on a national level with industry group involvement and realistic timelines.

Half-assing it in a MA referendum is not going to accomplish anything but a disastrous landscape of barely acceptable results with the DA and advocacy groups wasting time chasing down every manufacturer flaw and most mechanics being no better off wading through all the bugs/problems while hackers find ways to extract data left and right through security holes that never get patched, and an app landscape that will lie about what it's doing to tell you what your warning lights mean (while secretly uploading the rest of your data to the app creator).

A post about a ballot question about auto manufacturer / personal data rights gets up to 75+ comments.

up
13

This is one of the most informative threads I've ever seen here.

I am nervous about the "internet of things", but I distrust ads that go straight for the lizard brain with threats of murder, stalking and sexual assault. The apparent threat to independent repair shops is a convincing argument for the bill, but the expansion of availability of one's data is a concern.

The many posters who took the time to present facts and technical data in support of their opinions have been extremely helpful. Thanks.

The No campaign might have been able to run with their scary ads a little better if there wasn't also an incumbent presidential candidate running American hellscape campaign ads at the same time. Sometimes they run in the same commercial break.

I did see a fairly unscary No ad tonight, but it may be too little, too late at this point.

But if no location data is stored how can a stalker track you with the data?

There’s a new anti-Question 1 ad featuring a repair guy named Santos, who says he doesn’t need the data. Am I correct that he runs an auto body shop and not a full car repair shop?