It was the cheat heard round the world: last week, the Environmental Protection Agency (EPA) accused Volkswagen of gaming emissions testing. The German automaker programmed millions of cars — sold worldwide — to release fewer emissions during the testing procedure, while projectile vomiting pollutants at up to 40 times the legal limit when the cars were on the road.
Interestingly, the EPA itself didn’t ferret out VW’s emissions ruse — which the carmaker started deploying in model year 2009 cars. Instead, it was researchers at the International Council on Clean Transportation and West Virginia University who first discovered the deception. Had it not been for the researchers, VW could have gone on blithely cheating for another seven years — or more.
So, I find it awfully ironic that the EPA just opposed rules that would make it easier for researchers to investigate the millions of lines of code in cars — independent probing that could have detected VW’s programmatic shenanigans sooner, and (more importantly) research that could uncover more cheating or vulnerabilities in other cars.
The researchers discovered the deception the hard way, by developing a mobile emissions testing system. They hooked a grid of sensors up to the tailpipe of a VW Passat and a Jetta and drove them around West Virginia. Why didn’t someone catch this sooner? This kind of testing is so awkward that, evidently, no one has done it before.
The cheating "device," as the EPA calls it, isn’t actually a device: it’s code secreted inside VW’s electronic Engine Control Unit. It would have been much more straightforward to just examine the code. So why didn’t independent researchers do that?
I asked the EFF’s Kit Walsh, a legal expert on the Digital Millennium Copyright Act. "This code was shielded from watchdogs’ investigation by the anti-circumvention provision of the DMCA," he says. Okay, but isn’t there a pending exemption for vehicle research? Yes, there is, but "surprisingly, the EPA wrote to the Copyright Office to oppose the exemptions we’re seeking."
So, what does the EPA have to do with copyright? Weirdly, a lot.
Programming — like poetry and paintings — is creative content, which means it can be copyrighted. Back in the ’90s, movie and music distributors got really nervous about people copying their copyrighted DVDs and CDs. So, Hollywood slapped digital locks — or technological protection measures (TPMs) — over content to prevent people from making copies. When clever, computer-savvy people dug into the programming and defeated the locks, content lobbyists worked with lawmakers to make breaking the digital locks illegal as well — and thus the DMCA was born.
Fast-forward about 20 years, and now everything — from tractors and refrigerators, to phones and (wait for it!) cars — is powered by software and code. The best way for enterprising corporations to keep control over their products (and to keep competitors and consumers from examining the proprietary code) is to put a digital lock on the software. The DMCA doesn’t care about intention. So, in the eyes of copyright law, a researcher who wants to reverse-engineer a device (like, say, a car) is the same kind of criminal as the guy who makes a living selling bootleg copies of Disney films.
Silly, right? But trust the process, friends. It’s government, so there’s always a fail safe — even if it’s a crappy one. Every three years, the Copyright Office considers if there should be any exemptions. Proposed exemptions are usually extremely specific in scope — and they aren’t often granted. For example, in the past the Copyright Office has approved exemptions for jailbreaking smartphones (but not tablets) and for blind readers to run ebooks through text-to-speech programs.
Even when successful, exemptions only last three years. So, every three years, advocates and consumers have to trudge back in front of the Copyright Office and ask permission to investigate the code of their devices again. Once the Copyright Office renders a decision, that decision is pretty much unassailable (as in, it takes a federal law to reverse it).
Now back to cars: earlier this year, digital rights advocates asked the Copyright Office for a number of exemptions — including one that would allow independent researchers to reverse engineer and investigate car code. Specifically, the exemption — which the Copyright Office dubbed "Proposed Class 22" — would "allow circumvention of TPMs [digital locks] protecting computer programs that control the functioning of a motorized land vehicle for the purpose of researching the security or safety of such vehicles." Under the exemption as proposed, "circumvention would be allowed when undertaken by or on behalf of the lawful owner of the vehicle."
This kind of research is critically important in exposing vulnerabilities in modern, increasingly computerized cars. Back in 2012, independent researchers Dr. Charlie Miller and Chris Valasek discovered that certain Ford and Toyota models were vulnerable to hacking. They were able to inject messages via the car’s CAN Bus network, allowing them to meddle with the brakes, the speedometer, the locks, the horn, and even the steering. Then, this year, Miller and Valasek remotely hacked a Jeep, taking control of the car and disabling it while the car was on the highway. (The driver, by the way, was a willing participant. And the pair worked with Chrysler to patch the security issue before releasing their findings — presumably in exchange for legal immunity.)
Of course, everything that Miller and Valasek did violated the DMCA. But they did it anyway — because they believed that figuring out which cars were vulnerable before criminals did was more important than following the letter of the law.
That’s why Miller testified in front of the Copyright Office earlier this year in support of the Proposed Class 22 exemption. "The vehicles being produced by manufacturers are not safe from remote exploitation. This scares me, but what really scares me are laws that won’t allow me to look at the codes in my automobile to determine whether it is safe, look for vulnerabilities, see how it is designed around safety or even build compatible devices to add safety features," Miller told the Copyright Office. "Hiding away the safety critical code from observation will not solve the problem. We cannot wait for the benevolent manufacturers to do the right thing to produce safe cars. They need help and the DMCA prevents people like me from helping them. I know many researchers who won’t participate in this field due to the legal murkiness around car safety research."
That’s the real crux of the matter: there are fewer researchers than there should be, because independent researchers face the risk of up to five years in jail and $500,000 in fines under the DMCA — simply for investigating the innards of a car. At the same time, there are more lines of code in a car than in a jet plane. Which means there are a lot of nooks and crannies where security vulnerabilities can hide — or where carmakers can hide malicious programming. The more researchers looking into the hidden code, the better.
So why on earth is the EPA blockading rules that would put more researchers into the field? The EPA, by the way, opposed two different exemptions concerning cars — one exemption for consumers to repair and improve the programming in their own cars and one exemption for researchers to conduct safety and security tests on their cars. Here’s the EPA’s reasoning:
"Any benefit in exempting motor vehicle TPMs, allowing lawful owners to make non-infringing uses to the underlying software, is exceeded by the risk that lawful owners could, intentionally or not, modify that software in a way that would increase emissions regulated under the CAA [Clean Air Act]," the EPA wrote in its opposition comments to the Copyright Office.
Irony, thy name is EPA. Because subverting emissions and flouting the Clean Air Act is exactly what VW did — and they did it intentionally. A large corporation cheated, relying on secret code to protect its lies. And since independent research is effectively illegal under the DMCA — there aren’t enough people out there to catch those lies.
Is it possible that other manufacturers have deployed similar tricks?
"Yes," says Sherwin Siy, vice president of legal affairs at Public Knowledge. "So long as the DMCA hinders or chills law-abiding researchers from casting their eyes on code, more bugs — and insidious code — will end up in the devices we trust our livelihoods and lives to."
How many other cars have security vulnerabilities just waiting to be exploited by malicious hackers? What other secrets lie in the secret, legally locked-down code?
If the Copyright Office listens to the EPA, we may never know.
Kyle Wiens is the co-founder of iFixit, the open-source repair community. He advocates for consumer rights and repairable hardware. iFixit’s ongoing Right to Repair campaign successfully fought for your right to unlock your cellphone.