In one television ad, a woman walks alone in a deserted parking garage, the camera menacingly following as a narrator warns of predators using a car’s data to “stalk their victims, pinpoint exactly where you are" — if Question 1 passes.
Another commercial says automakers could use your sedan’s technology to “gain a monopoly on car repairs" and undercut businesses and thousands of jobs in Massachusetts. That is, if Question 1 doesn’t pass.
This November, Massachusetts voters are being asked to weigh not only whether to expand the state’s “Right to Repair” law, which gives independent mechanics access to vehicle diagnostic codes, but, seemingly, which dystopian future they most want to avoid.
Fueled by a multimillion-dollar battle between car companies like General Motors and aftermarket chains like AutoZone, the 30-second spots pummeling local airwaves offer what experts say are inflated versions of the ballot question’s potential impact.
The dueling caricatures, they say, are propped up in part by the initiative’s sometimes broad language and the challenge for voters to grasp the intricacies of vehicle cybersecurity. Even the state’s leading advocacy group against domestic violence has bristled at the opponents' use of a survivor’s experience to “polarize a particular issue.”
“All the arguments I’ve heard — pro and con — are fairly accurate, but they’re being exaggerated,” said Raymond Albert, an Assumption University professor and director of the Worcester school’s cybersecurity program. “They’re trying to sway the populace’s opinion and take advantage of the fact they don’t understand the underlying issue."
Question 1 asks voters to return to a debate they considered eight years ago: giving repair shops access to the data from a car’s computer system. The 2012 question that voters approved, and the Legislature tweaked, allowed independent repair shops to plug into a car to help diagnose problems and effectively gave owners more choices of where to get their cars fixed.
Now, a coalition that includes aftermarket businesses — think AutoZone and Advance Auto Parts — has so far raised $15.7 million as part of the campaign. asking voters to also open access to the mechanical data transmitted wirelessly from a car, known as telematics. That system, often found in late-model cars, monitors and remits real-time readings on the vehicle back to the manufacturer.
Should the question pass, manufacturers would be required to equip vehicles starting with 2022 models with an open-access platform for that data. Owners could then retrieve the mechanical readings through an undefined mobile app, and grant a local repair shop access to help in repairs.
One TV spot in the Massachusetts Right to Repair Coalition’s $5.5 million advertising campaign posits a future in which, without allowing that broader access, dealerships would have “no competition” in repairing vehicles. Yet even its leaders acknowledge the dire situation it warns of could be a decade away, while opponents say it’s a wildly misleading characterization of the auto repair market, in which owners would still have choices for finding fixes.
But the debate has bled well beyond questions of who gets to repair your rattling muffler and into a complicated world of data privacy and how best to protect it.
The Coalition for Safe and Secure Data, backed by nearly $26 million in contributions from General Motors, Toyota, and other automakers, has mounted a furious opposition campaign, pouring even more money into advertising — $9 million to date — and running a commercial featuring a shop owner who claims that “anyone could get your personal data."
Other spots have offered more specific, and sinister, situations, including insinuating that the garage codes to your home could be at risk.
The commercial cites a warning from the Federal Trade Commission, but it’s from an FTC press release from 2018 — well before the ballot question was proposed. The release advised owners to wipe their personal data — such as any stored garage codes — from their cars before selling or donating them and does not cite any “right to repair” proposal.
Another ad, featuring the woman alone at night in the parking garage, tells viewers that “domestic violence advocates" say predators could use your car’s data to track their victim’s location.
That claim, however, is from testimony the California Coalition Against Sexual Assault submitted on failed legislation in that state from 2014. The California bill, while similar in allowing access to a car’s data, specifically included geolocation information, which the Massachusetts proposal does not.
In an official voter guide the state is sending to millions of voters, the Coalition for Safe and Secure Data cites a line from January testimony submitted to lawmakers by Jane Doe Inc., a Massachusetts domestic violence survivor advocacy group, raising concerns about GPS data being accessed. The coalition said that such groups “urge you to vote NO.”
But Jane Doe’s leadership, acknowledging automotive cybersecurity is not its expertise, said that its thinking on the issue has since “evolved,” and that it has not taken a definitive stance on the question.
“Whether or not this initiative passes, those concerns still exist,” Hema Sarang-Sieminski, the group’s policy director, said of a survivor’s vehicle data falling into the wrong hands. “There’s a discomfort for us in having the experience of survivors being highlighted in the way the commercial does.”
Conor Yunits, a spokesman for the coalition, said the concerns it raises in its ads are valid. While the ballot question specifies that it’s mechanical data to which owners will have access, it would allow for data “related to” the diagnosis, repair, or maintenance of cars — a phrase, Yunits argued, that could open a door to debate of whether location or other personal data could help in diagnosing a car’s problems.
“Our concern is not what local repair shops do with this information. It’s this platform that this law would create,” Yunits said. “There’s nothing in there about cybersecurity. . . . It’s a single open data platform accessible by an app, and there’s not one app that exists now.”
How much jeopardy a person’s data could face should the question pass, however, is subject to disagreement even among cybersecurity experts.
Bryan Reimer, a research scientist in the MIT Center for Transportation and Logistics, warned that the question’s wording could be an “accelerant” for fraud in a highly complicated telematics system. “Cars are not as case-hardened as they should be,” Reimer said. “The more you open [access], the more vulnerabilities there are.”
The National Highway Traffic Safety Administration, too, has said it has broad concerns that the ballot question could create vulnerabilities, citing the possibility of “malicious actors" being able to cause a crash. (The Right to Repair Committee has dismissed the NHTSA’s comments, suggesting the agency is “erroneously” weighing in.)
“The ballot language proposes the best possible scenarios,” said Jennifer Tisdale, a principal at the cybersecurity consulting firm Grimm, “without including language to protect all involved from the worst-case scenarios.”
The concerns about the initiative’s unintended consequences — and the vast possibilities of allowing increased access — shouldn’t be dismissed, other data privacy scholars say, even if the types of scenarios described in the opponents’ ads are extreme.
“In theory, the fears that are being articulated could come true — if you build this platform with no security. But that would be really stupid,” said Jennifer King, the director of consumer privacy for the Center for Internet and Society at Stanford Law School. “It sounds a bit like security fearmongering.”
The question’s proponents lean into those worries, too, featuring in one ad former Boston police commissioner Edward F. Davis, who calls the opponents’ attacks “dishonest." It doesn’t disclose, however, that the committee has paid him nearly $70,000 as a consultant.
And on that other dour future, where you can only get your car fixed at the dealership?
Tommy Hickey, director of the Massachusetts Right to Repair committee, acknowledged the 1,600 independent shops backing the ballot question may not be immediately pushed out of business should the question fail. But he argued that in the “next five or 10 years, you’ll see independent repair shops going under” should mechanical data be transmitted completely wirelessly.
“They’re trying to get in front of a train that’s coming down the tracks,” said Paul Roberts, a Belmont resident and founder of Secure Repairs, which supports a wider digital “right to repair” law.
“If there were some way to ensure that physical access [to a car’s data] never went away, then maybe you don’t need this."