
EFF Wins Petition to Inspect and Modify Car Software - paulmlewis
https://supporters.eff.org/civicrm/mailing/view?reset=1&id=1234
======
Isamu
“It’s absurd that we have to spend so much time, every three years, filing and
defending these petitions to the copyright office. Technologists, artists, and
fans should not have to get permission from the government—and rely on the
contradictory and often nonsensical rulings—before investigating whether their
car is lying to them or using their phone however they want,” said EFF Legal
Director Corynne McSherry. “But despite this ridiculous system, we are glad
for our victories here, and that basic rights to modify, research, and tinker
have been protected.”

~~~
coldpie
The system sucks, but it's the system we have, and it costs money to fight
these battles. If you like the result here, consider setting up a recurring
donation to the EFF.

~~~
shkkmo
My "recurring donation" is to buy every humblebundle and give everything to
the EFF.

~~~
kbenson
I should do that. It would probably surpass whatever contribution I would end
up giving them directly byquite a bit. I do want to support the developers
though, so maybe I'll do 70% EFF, 25% devs, 5% humble tip (gotta keep the
lights on).

~~~
eropple
By the time a game hits a bundle the impact on the developer's bottom line is
almost negligible. If you want to support developers, buy their games when
they come out. Doing otherwise is "nice," but ineffective.

~~~
chadzawistowski
$5 is still $5 if you buy a game after the fact. I don't see how joining early
purchasers helps game developers more than otherwise.

~~~
notfoss
If games sell well early into their release, the devs would be elated and
motivated. Also they would get more money at the time they are hoping to get
it.

~~~
kbenson
The vast majority of the games in the humble bundles would never get _any_
money from me. It's some or nothing, and I assume they would prefer "some".

------
yasth
It should be noted that this is a very limited ruling. Only the owner can
modify the car, and you can't go to a mechanic or third party to modify it (or
inspect it), which will greatly restrict the application.

Also this doesn't apply to Entertainment or Telemetrics portions. So your car
could be straight up spying on you, or your manufacturer can leave unpatched
security holes in your "Entertainment" system (which has already been used (
[http://spectrum.ieee.org/cars-that-
think/transportation/syst...](http://spectrum.ieee.org/cars-that-
think/transportation/systems/jeep-hacking-101)) to remotely hack your car),
and there is nothing you can legally do. You can't even deeply look into the
system to find such vulnerabilities.

I mean a win is a win, but this isn't as big as one would hope.

~~~
randyrand
Fortunateyly the software in your 2015 honda civic is nearly or completely
identical to all other 2015 honda civics, though.

I agree that its unfortunate, but being able to inspect the software in your
car is nearly as good as being able to inspect other's or have other's inspect
yours if you have the same make and year.

~~~
yasth
Well there is probably a pretty big difference between the normal civic, the
hybrid civic, and the natural gas civic, but I don't think there will be lots
of per car model/line differences, just that the inability to contract out
things means that modification is limited to technical minded people (and no,
artful dodges like "The mechanic will set it up, and the owner can push the
button" are unlikely to fly).

Also it throws hassles at researchers, some cars have a lot of different
combinations of things that might change the ECU software from engine choices
to different model lines (Sport models often have different tunings) to even
the type of gearbox (Manuals have different tuning than automatics which are
different than CVTs, and advanced CVTs actually communicate with the ECU in
complex ways that are only activated on the higher trims). No one is going to
actually own 8 different Honda Accords just to legally work on all the
firmwares. While I have no doubt that a lot of shortcutting will occur (i.e.
people will dump the firmware and post it, and if and only if an issue is
found will researchers bother to become nominal "owner" of a particular model)
it adds a hassle, and a tinge of illegality which is completely unwarranted.

~~~
robryk
> and no, artful dodges like "The mechanic will set it up, and the owner can
> push the button" are unlikely to fly

What about selling/renting devices that the owner connects in some obvious way
and pushes a button?

------
csense
> EFF also won an exemption for users who want to play video games after the
> publisher cuts off support. For example, some players may need to modify an
> old video game so it doesn’t perform a check with an authentication server
> that has since been shut down

I think this is the real story for many HN readers.

~~~
VonGuard
Yep. I can answer questions on this if you'd like. I also clarified what's
legal in a comment below.

~~~
MichaelGG
Snarky, but, does "shut down" include when big launch games are overwhelmed or
said systems suffer other availability events?

~~~
Natanael_L
For legal purposes, I _think_ it would apply when the official servers are
shut down and there are reason to believe they will not be restarted.

For example if the company is out of business, or they announced they'll close
it permanently, it got effectively abandoned and there's been a very long time
without any official statement on if/when they'll bring it back up, etc...

------
Zizzle
I recently put a turbo on my van since I live high in the mountains where the
atmospheric pressure is low and the performance loss is noticeable.

Of course the ECU needs adjustments to the fuelling tables (you need to run
rich under boost to prevent detonation), spark timing tables, as well as a
patch to the OS to allow the use of a different manifold pressure sensor
(default OS doesn't recognise press above 100kpa).

I guess this was illegal.

I have heard rumblings from the professional engine tuners that the OEMs are
already starting to lock down ECUs. Not only via DRM, but by having enough
checks in the code that modifying parameters to up performance results in
error codes and limp home mode. They expect to be having to go to after market
ECUs soon.

Some of them would have cost more than my whole project:

[https://www.holley.com/products/fuel_systems/fuel_injection/...](https://www.holley.com/products/fuel_systems/fuel_injection/dominator_efi/dominator_ecu/parts/554-114)

Fortunately there are more DIY friendly set ups:

[http://megasquirt.info/products/diy-
kits/](http://megasquirt.info/products/diy-kits/)

But it seems a waste to have to throw away a perfectly good ECU because the
OEM (or gov) decided to lock it down.

~~~
crxgames
I'm a dealer for Holley ECU products. They're fantastic! But you are correct,
people in my industry are now forced to tell the modern hot rodder that step
one (for the most part) is purchasing a $1200+ computer replacement plus
rewiring their car in order to do anything.

------
Karunamon
They also got an exemption for modifying of abandoned games whose activation
systems are long since gone, as well as extending/clarifying the jailbreaking
exemption.

~~~
VonGuard
I actually worked on this part of the exemption. It was granted in two parts.
First, fans may now reverse engineer and host servers for games that are no
longer hosted online. Metal Gear Solid 4 is a perfect example, but there are
plenty of others. This is now legal, and considered fair use. MMO's are
exempted, and defined as games where the world is persistent reguardless of
number of players connected (IE, is the game played in rounds, or is state
reset in the world often... more than once a month, for example). It was a
crude way to define the differences, but MMO's were a sticking point, so we
have to come back to them later.

Second, museums and archives are now permitted to circumvent copy protection
in the pursuit of preservation. This means that huge stores of old games that
are otherwise unavailable are now legally preservable by institutions like
Stanford, The Museum of Art and Digital Entertainment, and Archive.org. Of
note is the fact that the Atari ST catalog of software was preserved on pirate
disks, and we've yet to find any other way to save some of those pieces of
software, aside from just preserving the pirate disks. This does not mean
these titles can be redistributed, only that they can be modified for the sake
of preservation.

Additionally, this means museums can preserve devices that circumvent copy
protection, such as floppy-to-SNES devices, which we have a few of at the
MADE. Modded XBoxes can now also be preserved in an institution.

The bits that help museums means a great deal for preservation of digital
assets as a whole. This was a lot of work to get done, so a huge thanks goes
out to the EFF, Stanford, MIT, Harvard and Archive.org for all their hard work
to get this done!

~~~
jxcl
> This does not mean these titles can be redistributed, only that they can be
> modified for the sake of preservation.

But once the copyright expires on the disks, they may then be redistributed?

~~~
VonGuard
Then they would enter public domain. Copyright, however, lasts a very, very
long time. Longer than the history of computing.

~~~
gknoy
It sounds like archivists could image the disks and transport those across
mediums, in the interest of archival, as long as they didn't distribute them,
though. Am I mistaken?

~~~
VonGuard
You are correct. We can now do just about anything we want short of
redistribution or commercialization.

------
shmerl
When will DMCA-1201 be repealed for good? This unconstitutional garbage should
be abolished.

An interesting read on this:
[https://web.archive.org/web/20120220014712/http://www.macfer...](https://web.archive.org/web/20120220014712/http://www.macfergus.com/niels/dmca/cia.html)

------
xg15
Three interesting tidbits from the Wikipedia article about the Librarian of
Congress:

> _There is no official term limit for the Librarian of Congress, but in the
> 20th century a precedent was established that Librarians of Congress are
> appointed for life._

> _There is very little legislation for the Librarian of Congress or rules
> regarding who should be selected for the position. In 1989, Representative
> Major R Owens (D–NY) proposed a bill in Congress that would set stricter
> requirements for who may be appointed. (...) This bill did not pass._

> _James H. Billington has served as Librarian of Congress since 1987, and
> announced plans to retire from that post in 2015._

This sounds to me as if the position hadn't really been designed for the
amount of power that it has been given now by the DMCA. With a vacancy
apparently right ahead, wouldn't that make it the next prime target for lobby
efforts or corruption?

------
c3534l
I was initially happy about this until I saw that the primary reason was the
VW scandal. Why are our laws only ever put into check when a controversy like
this breaks out? We have to wait for the really bad abuses before anyone ever
dials back the bullshit.

~~~
dtech
I wouldn't say that this was the primary reason, as the EFF has lobbied for
this before and set the process in motion before that became public. It just
provides a well-known recent example.

------
dang
Also
[https://news.ycombinator.com/item?id=10459316](https://news.ycombinator.com/item?id=10459316)
and
[https://news.ycombinator.com/item?id=10459113](https://news.ycombinator.com/item?id=10459113).

~~~
paulmlewis
Thanks, first time submitting, I didn't spot those ones.

~~~
dang
Welcome to HN submitting! We hope you'll submit as many intellectually
interesting stories as you can find.

The links in my comment above were just to point out related links of
interest, not at all to suggest that you shouldn't have posted this one.

------
r3n2o
[https://www.eff.org/press/releases/eff-wins-petition-
inspect...](https://www.eff.org/press/releases/eff-wins-petition-inspect-and-
modify-car-software)

------
jenscow
Don't get me wrong, I'm pleased with the progress - but doesn't this just mean
they'll make it harder to crack?

~~~
tga_d
This is just the same old issue of DRM as before: create a system that works
when the user is running it like they're supposed to, but doesn't reveal
anything when they're not. And it's never worked. Probably can never work.
Cory Doctorow talks about it in his talks on eliminating DRM. Basically, at
the end of the day, the only real means we have of making DRM "work" is using
laws (which, of course, doesn't stop criminals, only people who are trying to
do things legally).

~~~
tptacek
It worked pretty well for DirecTV, which is a more analogous scenario than
normal computer software.

~~~
tga_d
>It worked pretty well for DirecTV

You're going to have to explain what you mean by that, is there some story of
DirecTV successfully preventing people from analyzing firmware?

~~~
tptacek
Yes, famously. Google "DirecTV black sunday". DirecTV successfully killed off
the (huge) DirecTV piracy community, not just by frying the old hacked cards,
but by deploying new cards that have mostly withstood more than a decade of
intense analysis.

~~~
apaprocki
Ahhh memories. What started as a "write a byte now put the card in any box for
TV" escalated into complicated custom electronics, MITMing the stream, with a
computer required to sit in the middle to lend its processing power. All the
while, some unsung heroes out of the Matrix able to look in realtime at the
DV-S stream flowing across their screen, able to spot a new Agent Smith
barreling at the card and alert the world via IRC.

------
kelvin0
Shouldn't this be mandatory and be part of the overall safety audition of the
car? They have physical crash tests of cars to assess the robustness that
match certain criteria.

------
alkonaut
While I agree with the idea that you should be able to inspect most anything,
and not be prohibited from fiddling with anything thats yours, I don't
understand how security would be handled?

The software of the car is a component of the car just like any other, and
while I can certainly mechanically disable the brakes on my car, it won't be
safe for road use if I do (It would never pass an inspection). Since no one
could be expected to debug/inspect my software modifications for errors, one
would have to assume that any car whose software doesn't match the official
one, _may_ be unsafe for road use, and thus can't be allowed on the road?

Also: isn't firmware of this kind pretty hard to read without having access to
encryption keys? The petition just wants it to be _legal_ not for the
manufacturers to be forced to make it easy?

~~~
robryk
Well, you can repair your car's mechanical brakes yourself now. If you disable
them (accidentally or otherwise) and render the car unsafe, the results of
that are your responsibility. Is there a reason why software modifications
can't be handled the same way?

~~~
xg15
Well, the whole point of car inspections is that "your responsibility" is not
enough. It's possible that you as the owner of a modded vehicle are perfectly
fine with the risk of an accident, but the other potential participants of
such an accident might not.

I think the question has a point: Modified ECUs are different from modified
brakes, because the modifications could likely not be found in an inspection -
in fact, according to the exemption, it would be illegal for inspectors to
check the ECU. So I wonder how that problem is handled.

~~~
alkonaut
The simple solution for safety I think is to just include the software
checksum/signature in the approval documents for a car model.

At an interval check, the inspector does the usual sampling tests (brake
effect, emissions, looks for rusty brake lines etc), and then validates that
all critical computers (ECU's and other systems such as computers related to
brakes etc) run software that match the signature of the manufacturer, and
that it is the latest version of the sowftare. After a recall such as the VW
case, the inspector could fail cars that haven't upgraded to the latest
version (which would be required since the original one is known to be
cheating on emissions).

This _is_ a bit harsh compared to other modifications: an owner can put on a
set of extra lights or cool wheels without necessarily failing an inspection,
whereas even changing a single bit of the software would immediately fail it
in this case.

I can't see any way around this though, apart from separating programs into
critical (brakes, ECU) /non-critical (Media, nav,...) software, where only the
critical software would be checked.

------
abvdasker
It seems insane to me that we could allow private corporations to buy and sell
data that our government would require a warrant or court order to obtain.

If cell phone service were free that would be one thing, but for these
companies to be "double dipping" like this is pretty disgusting.

~~~
Umn55
It seems insane to me that we could allow private corporations to buy and sell
data that our government would require a warrant or court order to obtain.

You're not seeing what is going on behind the scenes... they are all in
cahoots the money is just a bonus.

You're not seeing what's going down behind the scenes - the spying is for us.

On the NSA/spying...

The (mass surveillance) by the NSA and abuse by law enforcement is just more
part and parcel of state suppression of dissent against corporate interests.
They're worried that the more people are going to wake up and corporate
centers like the US and canada may be among those who also awaken. See this
vid with Zbigniew Brzezinski, former United States National Security Advisor.

[https://www.youtube.com/watch?v=n7ZyJw_cHJY](https://www.youtube.com/watch?v=n7ZyJw_cHJY)

Brezinski at a press conference

[https://www.youtube.com/watch?v=VWTIZBCQ79g](https://www.youtube.com/watch?v=VWTIZBCQ79g)

------
yeukhon
Wow. I didn't expect the Librarian OF Congress would have a say in this case,
but he/she does:
[https://en.wikipedia.org/wiki/Librarian_of_Congress](https://en.wikipedia.org/wiki/Librarian_of_Congress)

~~~
Natanael_L
Copyright works in mysterious ways...

~~~
schoen
This is the sixth time this has process has taken place in its current form --
it's not exactly something new.

[https://en.wikipedia.org/wiki/Digital_Millennium_Copyright_A...](https://en.wikipedia.org/wiki/Digital_Millennium_Copyright_Act#Anti-
circumvention_exemptions)

~~~
have_faith
I thought you where going with a Matrix joke for a second there.

------
Overtonwindow
Will this have any effect on the John Deer issue?

~~~
wlesieutre
I'm not a lawyer, but the EFF mentions tractors in their press release:

> We are pleased that analysts will now be able to examine the software in the
> cars we drive without facing legal threats from car manufacturers, and that
> the Librarian has acted to promote competition in the vehicle aftermarket
> and protect the long tradition of vehicle owners tinkering with their cars
> and tractors.

~~~
schoen
Indeed, this is the issue on which John Deere weighed in on the other side
(trying to prevent this decision from coming out this way).

------
vonklaus
man, this would be great. my dad is a huge car guy (type of guy that parks way
in the back of the parkinglot) I wanted to get him a new key fob for his bday
next week, $300 bucks.

now I am trying to mod an old key fob to work with the new one and have no
idea how. it would be nice to encourage this sort of thing so there is more
info out there. i am not even sure if it is possible to use an mk4 or mk5 key
with my mk6 style one. why? no info.

I found a youtube video with the taredown which only exists because a modder
sacrificed his $300 key to figure out how to do it properly.

i wish there was more info on how the software worked both for security and
modification.

------
goorpyguy
Has there been an analysis done as to how the LOC exemptions with interplay
with the TPP anti-circumvention requirements?

Will the LOC still be able to grant these? If not, the year-long delay may be
just long enough that there is actually never an open window.

------
Azew
While I agree with the premise of all of this, when it comes to modifying car
software, who now maintains the liability? If a hobbyist were to modify
something incorrectly and cause a malfunction of the car which in turn injured
another, or damaged property, who is liable?

Surely it cannot be the automaker, they did not intend for that. Insurance
companies are going to fight it, maintaining that unauthorized changes were
made which would release their liability.

Inspecting auto software for problems is great, allowing hobbyists to tinker
with their software seems problematic.

~~~
BinaryIdiot
> If a hobbyist were to modify something incorrectly and cause a malfunction
> of the car which in turn injured another, or damaged property, who is
> liable?

The hobbyist. Why would anyone else be liable for something a person did that
then failed and caused harm?

> Insurance companies are going to fight it, maintaining that unauthorized
> changes were made which would release their liability.

The insurance company covers the car so you'd have to consult what their terms
are in regards to modifications as plenty of people modify their cars today
just not the software. I can't imagine a software change would be radically
different to a hardware change in the insurance's eyes unless it's something
incredible like an autopilot.

~~~
baobabaobab
>The hobbyist. Why would anyone else be liable for something a person did that
then failed and caused harm?

The hobbyist isn't the one with money. The manufacturer will be sued, and they
usually settle because there is probably something they could have done that
would have made the failure less likely, injury trials are bad press, and jury
sympathy is always on the injured little guy's side.

This is how it plays out with physical products, I don't see why it would be
any different with code.

~~~
Qwertious
That's not what happens if a hobbyist modifies e.g. the brakes, then the
brakes break and the car crashes - if you modified the thing, you're
responsible for the issues your modifications cause.

------
jgardner7289
This is really good news. Wow.

------
pjaikumar
Excellent development!

