Yes you should own, and control, the data your car generates

Taylor Armerding
7 min readNov 16, 2020


Photo by Erik Mclean on Unsplash

Information is power, the saying goes. These days, information is also money.

So perhaps after hearing that “if you’re not paying for the product, you are the product” for a decade or more, consumers are starting to get more savvy about the reality of Big Data — that the data they generate in their increasingly connected lives is, collectively, worth very big bucks. Also that it can be very invasive to their personal privacy.

Which could explain, at least in part, why Massachusetts voters went 3–1 on Election Day in favor of an expanded “Right to Repair” law that will give them ownership and at least a measure of control over the streams of data they generate every time they use their car.

The hundreds of sensors and millions of lines of code in modern vehicles don’t just let you know if your tire pressure is low, if you’re drifting out of your lane, about to back into a hydrant, or your brakes need fixing. They also collect data on how fast you go (and whether that’s more than the speed limit), how far you go, where you go, how hard you hit the brakes, how fast you accelerate, and a host of other things that insurance companies have been monetizing for years by offering discounts to customers who let them monitor their driving.

And now, starting with model year 2022, vehicle manufacturers that sell products with telematics (wireless, real-time) systems in Massachusetts will be required to provide an open platform that gives owners and independent repair shops access to that data through a mobile-based application.

The state’s 2013 Right to Repair law required automakers and dealers to allow owners and independent repair shops access to diagnostics data, but it exempted wirelessly transmitted data. The new law includes it, and will also require that owners and their designated repair shops be enabled to send commands to the system for maintenance, repair and diagnostics.

The point/counterpoint in the multimillion-dollar advertising battle over access to that data didn’t focus directly on its monetary value.

Not just about the money

Opponents, funded largely by major auto manufacturers, raised the privacy specter. If the data ended up on an open platform, it could be accessible to anyone, they said, including criminals and stalkers. “Vote no. Keep your data safe,” was their tagline.

The pro side’s major argument was that if owners and independent repair shops didn’t have access to a vehicle’s mechanical and diagnostic data, owners would eventually be forced to take them only to dealers for repairs. And more than 1,500 independent repair shops could go belly up. Nobody needs to be told what happens to prices when there is less competition.

“It’s your car. You should decide where to fix it,” was the tagline for most of their ads.

Kyle Wiens, founder of California-based iFixit told TechCrunch, “If you can’t fix it, you don’t really own it. As manufacturers add more and more technology to vehicles, they need to take care to protect owner’s right to tinker and local mechanic’s ability to perform repairs.”

The Massachusetts vote could have national implications, since if auto manufacturers have to create a platform to allow owners and repair shops in one state to access the telematics data from vehicles, car owners in other states are likely to want the same thing, especially since the infrastructure will be in place to provide it.

Opponents of the law, including the Coalition for Safe and Secure Data, are already saying the deadline for compliance needs to be extended, since the 2022 model cars come out next year. The Electronic Frontier Foundation (EFF), a privacy advocacy group, calls any delay in the deadline “simply unacceptable” since automakers have known for some time that the referendum was likely to pass. “If automakers were taken by surprise, it’s simply because they weren’t paying attention,” EFF said.

Meanwhile, the debate over security and privacy goes on. Does an open platform, accessible through a mobile app, really create added security risks to consumers?

Most experts don’t think so.

As one comment from “jhodge” about a post in Ars Technica on the topic put it, “Some of our best security standards and protocols are open. TLS, SSH, PGP, AES, S/MIME: all open with widely scrutinized standards and implementations.”

“While they have all had vulnerabilities, there is absolutely no reason to think that proprietary standards would be BETTER, and without the scrutiny of being openly available, it is reasonable to assume that vulnerabilities would be less likely to be found and fixed.”

Indeed, if telematics data remained only in the hands of automakers, and in some cases insurance companies, that doesn’t guarantee its safety. Dr. Dennis Kengo Oka, principal automotive security strategist at Synopsys, noted that five years ago researchers reported that an onboard diagnostics (OBD) dongle from Progressive Insurance that monitored the driving of participating customers had “no security features. It’s a house that has no doors, no windows and no fences, with valuables inside,” Dale Peterson of Digital Bond said.

Improved security, but …

Cyber security in the automotive industry has improved since then. Oka said there are “numerous cyber security-related activities ongoing for automakers including establishing processes and deploying appropriate tools in the development lifecycle to fulfill new cybersecurity standards” such as ISO (International Organization for Standardization)/SAE (Society of Automotive Engineers) DIS 21434.

“There are more requirements and recommendations on secure software development that can be fulfilled by using static code analysis tools, and performing vulnerability scanning, fuzz testing, and penetration testing. There are also activities for postproduction such as cybersecurity monitoring for new threats and vulnerabilities,” Oka said.

But he added that the new law doesn’t specify how authentication and authorization to access vehicle data should be implemented. It only requires that access to data must not require authorization from the original equipment manufacturer (OEM).

“While this data typically only was stored and accessible through a single OEM, the open-access platform may contain more data from multiple OEMs and may have less stringent requirements on who can access this data. Therefore it will be a lucrative target for cyber attackers,” he said.

Still, there is general agreement that an open platform won’t undermine security, and could make it more robust.

Cory Doctorow, author, blogger and a special consultant to the EFF wrote earlier this year on the EFF blog that “security is weakened by secrecy and strengthened by independent testing and scrutiny.”

“Allowing car manufacturers to monopolize service — and thus scrutiny — over their products ensures that the defects in these fast-moving, heavy machines will primarily become generally known after they are exploited to the potentially lethal detriment of drivers and the pedestrians around them,” he wrote.

Aaron Jacoby, managing partner at ArentFox and chair of its automotive industry practice group said open platform software “is the norm.” And he said most hackers and criminals are looking to steal money, “not information about vehicle mechanics.”

The new Massachusetts law, he said, won’t make vehicles more or less secure. “If it’s vulnerable to hacking now, it will continue to be vulnerable. If it’s not vulnerable to hacking now, it won’t be vulnerable in the future.”

The privacy problem

And on the privacy front? That’s in the “time will tell” category. Clearly, the new law doesn’t curb access to data. It expands it. The manufacturers and dealers, and as noted earlier, some insurance companies, have had access to it all along. Now the owners and their designated repair shops will have it as well.

Jacoby doesn’t think it’s a major risk. “The information at the heart of the amendment is related to the mechanics of the vehicle,” he said. “It has no connection to the consumer’s private and confidential information. So even if it got into the hands of a marketer or other nonmechanic-related third party, it would not be useful.”

He acknowledges that some systems, such as navigation, would track the location of the vehicle. But he notes that people share their personal information all the time with social media and other online services.

“Under most laws, data belongs to the person that produces it unless an agreement permits use or different ownership of the data,” he said. “We all share our personal data with social media, Google, etc., that’s pursuant to their user agreements, not the law.”

Lee Tien, legislative director at EFF, agrees that ownership shouldn’t be a factor in data privacy — but he says privacy should be a given whether a user owns a product or not.

“We (EFF) do not tie privacy to ownership of either the thing or the data,” he said. “Americans in general don’t, I think. Most states protect the privacy of library reading records, even though the library borrower owns nothing. The federal Video Privacy Protection Act is about video rental records, again, not about owned stuff.”

“And think of phones. No one owned their phones back in the day. Or the wires. The whole notion of a reasonable expectation of privacy, which originated in Katz (Katz v. United States, the landmark 1967 Supreme Court decision on search and seizure without a warrant), had nothing to do with ownership of the product.”

Clearly there are market incentives to guard the data generated by vehicles. If a brand’s data collection system is hacked and information on millions of drivers is compromised, the cost of the “cleanup” — not to mention potential legal liability and reputation damage — could be enormous.

So even if automakers don’t want to build an open platform, now that they must, it’s in their economic interests to make it secure.

We can only hope.



Taylor Armerding

I’m a security advocate at the Synopsys Software Integrity Group. I write mainly about software security, data security and privacy.