Smarter Copyright Laws Could Stop the Next VW Scandal

The VW scandal is the new normal. And it will remain that way until America’s overzealous copyright laws stop trampling research and innovation.
BRITAINGERMANYAUTOMOBILEVOLKSWAGENRECALL
This picture taken on October 15, 2015 in Cardiff shows a Volkswagen logo on the steering wheel of a car. The German authorities tightened the screws on Volkswagen today, saying they would order it to recall 2.4 million vehicles across the country that are fitted with pollution-cheating software. AFP PHOTO / DAMIEN MEYER (Photo credit should read DAMIEN MEYER/AFP/Getty Images)DAMIEN MEYER/Getty Images

When the Volkswagen scandal first broke, we all shook our heads in shocked disbelief. The trusted car company duped regulatory bodies around the world with just a few lines of code buried in the programming.

That bit of software is all it took to teach 10 million cars, nearly 500,000 of which were sold in the US, to cheat on emissions tests and produce far above the legal limit of NOx emissions during real world driving.

We live in a world of a Matrix-like imagining: Code is the rippling, unseen undercurrent that animates our lives. We could no more go a day without using something powered by software (from phones to coffeemakers) than we could go a day without breathing. But if code is omnipresent, it’s also a puppet king, passively carrying out someone else’s hidden commands. And we should live in perpetual skepticism of whomever’s fingers are upon the strings.

The VW scandal isn’t a freak event, it’s the new normal. And it will remain that way until America’s overzealous copyright laws stop trampling research and innovation.

It doesn’t surprise me that the German automaker was able to pull off a massive scam, right under the nose of a powerful US regulatory organization. There's a law banning you from looking for the kind of crap VW was pulling: the Digital Millennium Copyright Act, or DMCA.

Section 1201 of the DMCA makes it illegal to circumvent digital locks like the carrier lock on your phone or the password controlling access to the diagnostic system of your vehicle. The 1998 law was intended to stop people from breaking encryption over CDs and DVDs. But Section 1201 isn’t platform-specific. It applies to all programming with a lock on it.

The law enacted to stop piracy wound up giving manufacturers veto power over tinkering with code. You can’t even look at it without the manufacturer’s permission. How do you uncover corporate malfeasance when you’re legally mandated to wear blinders?

I’ve spent the last decade negotiating with manufacturers in courtrooms, at congressional briefings, as a part of standards organizations, and in state capitals. I’ve argued with electronics makers over open software and sustainable hardware. I’ve argued with John Deere about giving farmers wider ownership rights over tractors. I’ve argued with Apple over whether consumers have the right to jailbreak their tablets or repair their phones. I’ve learned manufacturers always default to ‘no.’ The larger the corporation, the more resounding the refusal.

Never mind that the moment that you purchase a product, it’s yours. Manufacturers act as though they get to control the products that we own. Consistently, their reasoning boils down to a dismissive palliative: Trust us, they say. We design these integrated systems, they say. Only we know how to open our hardware safely. Only we can manage the lifecycle of batteries. Only we should have the tools to repair the equipment. And only we should be able to see the code. Trust us, they say, because we know best.

Volkswagen made new inroads in the US with advanced, “clean diesel” engines for small cars. They traded upon the public trust—and they violated it. In May, (months before VW was exposed and years after the cheating started) I testified in front of the Copyright Office alongside a trade association representing Volkswagen and 11 other carmakers.

My organization, iFixit, partnered with the Electronic Frontier Foundation and others to ask the Copyright Office to make vehicles exempt from Section 1201, giving owners and independent researchers lawful access to a car’s software (the public is allowed to request such exemptions only once every three years, despite the rapid pace of technology). The Alliance of Automobile Manufacturers representative opposed the exemptions, saying locks over the car’s software brain—the engine control unit, or ECU—safeguard the emissions systems.

“The ECU's as they are manufactured, as they are designed, attempt to meet all the regulatory compliance,” the representative said. “These vehicles have to meet emission standards, they have to meet safety standards, they have to meet fuel efficiency standards. And the ECUs, the software we are talking about here, is one of the main means of doing that.”

But, of course, that’s based on the assumption that the ECUs themselves aren’t designed to cheat the very systems they implement. It’s based on the assumption that we can trust the manufacturers to do the right thing all the time. And it’s based on the assumption that the the locks manufacturers place over software are there for the common good. When it came to Volkswagen, that assumption proved false.

“Any time someone puts a lock on something that belongs to you, and won't give you a key, they're not doing it for your benefit,” says copyright expert Cory Doctorow.

VW didn’t invent cheating. Malicious, manufacturer-approved code isn’t new. Twice in the '90s, the EPA found automakers doing this kind of thing with diesels — Ford’s so-called Econovans integrated hardware defeat devices. Five years ago, LG got caught making refrigerators that rigged the results of their energy testing. In 2013, a handful of Android mobile phones were caught cheating on performance benchmarks tests.

More recently, researchers indicated that Samsung televisions might be cheating their European energy consumption tests. (Samsung has denied any wrongdoing; researchers are performing more tests to determine if Samsung programmed their sets to subvert the energy tests, à la Volkswagen.)

Ten years ago, Sony secretly infected 6,000,000 CDs with invisible malware designed to stop users from copying music. Coincidentally, that malware also left affected systems—including 200,000-300,000 US government and military networks—vulnerable to outside viruses. As with the Volkswagen case, it was a researcher, in this case Mark Russinovich, who exposed the company.

“Russinovich was not the first researcher to discover the Sony Rootkit, just the first researcher to blow the whistle on it,” explains Doctorow. “The other researchers were advised by their lawyers that any report on the rootkit would violate section 1201 of the DMCA ... The gap between discovery and reporting gave the infection a long time to spread.”

Who knows how many other companies are pulling a Volkswagen right now? While Section 1201 of the DMCA is blockading open investigations of source code, we may never really know.

“I want as many researchers as possible to be looking at this code finding flaws, suggesting patches and improving it,” says independent car security researcher Dr. Charlie Miller. “I want to be able to trust the safety of my vehicle. And the only way I can do that is to look at it myself.”

The Copyright Office will decide, likely this week, whether cars should be exempted from 1201. Historically, though, the Copyright Office turns down the majority of proposed exemptions. And even if they do grant an exemption for cars, that’s just one kind of software-enabled device in a world lousy with them. If we really want to shine a light on what’s happening in our own software, then it’s time to throw off the rock that everyone has been hiding under: Section 1201.

Right now, there are a couple of bills kicking around Congress could put an end to Section 1201’s reign of enforced secrecy. Senator Ron Wyden’s Breaking Down Barriers to Innovation Act would make it easier to get and keep exemptions to Section 1201; it emphasizes that exemptions should be granted for repair, recycling, and security research. And Representative Zoe Lofgren’s Unlocking Technology Act goes further, allowing users to break locks over copyrighted content as long as they aren’t pirating copies. Everything else—repair, modding, research—is fair game.

After nearly two decades under the DMCA, it’s clear that our copyright laws are out of control, that they restrict research rather than promote innovation. Something needs to change. Section 1201 is undemocratic. It’s anti-consumer. And it hands control of our things to corporate entities whose motivations may not be aligned with the public’s interest.

It’s your car. It’s your computer. It’s your stuff. Shouldn’t you have the right to look under the hood?

Update:Tuesday morning, the Copyright Office released its list of DMCA exemptions, including a limited exemption for automotive repair and security research that may not take effect until 2017. We’ll be reporting more on this soon.