Hacker News new | past | comments | ask | show | jobs | submit login
EFF Wins Petition to Inspect and Modify Car Software (eff.org)
730 points by paulmlewis on Oct 27, 2015 | hide | past | web | favorite | 107 comments

“It’s absurd that we have to spend so much time, every three years, filing and defending these petitions to the copyright office. Technologists, artists, and fans should not have to get permission from the government—and rely on the contradictory and often nonsensical rulings—before investigating whether their car is lying to them or using their phone however they want,” said EFF Legal Director Corynne McSherry. “But despite this ridiculous system, we are glad for our victories here, and that basic rights to modify, research, and tinker have been protected.”

The system sucks, but it's the system we have, and it costs money to fight these battles. If you like the result here, consider setting up a recurring donation to the EFF.

My "recurring donation" is to buy every humblebundle and give everything to the EFF.

I should do that. It would probably surpass whatever contribution I would end up giving them directly byquite a bit. I do want to support the developers though, so maybe I'll do 70% EFF, 25% devs, 5% humble tip (gotta keep the lights on).

By the time a game hits a bundle the impact on the developer's bottom line is almost negligible. If you want to support developers, buy their games when they come out. Doing otherwise is "nice," but ineffective.

Here is some hard evidence to the contrary:



This isn't an exception, either. This is the norm.

It does help more than you think, being in a bundle is a big chunk of revenue for a smaller developer. While the sales do dwindle really fast after the launch, the long tail is still significant.

$5 is still $5 if you buy a game after the fact. I don't see how joining early purchasers helps game developers more than otherwise.

If games sell well early into their release, the devs would be elated and motivated. Also they would get more money at the time they are hoping to get it.

The vast majority of the games in the humble bundles would never get any money from me. It's some or nothing, and I assume they would prefer "some".

Also, when you buy a game on the Humble Store you can select which charity gets 10% of the purchase price. It gets set to some default, and it took me a long time to realise that you can change it. I have mine set to the EFF, but there are hundreds of options. The Humble Store is incidentally a great place to buy games.

Yep. This is a great reminder why we should all donate to EFF [and that I haven't renewed my membership since a few months ago]

Edit: membership now renewed

Also, if you shop at Amazon, use smile.amazon.com for purchases, after hooking it up to EFF.

It's the "Give % of sales to non-profit of your choice" option in Amazon.

And consider installing the Amazon Smile Redirect browser extension.

Are you sure Amazon is not using smile as a pricing indicator? I.e., people who want to donate to charity maybe less price-conscious?

That's the reason I've not started using it. Online stores use all kinds of indicators (user agent, OS, number of searches for similar items, etc) to jack up prices when they think they can get away with it, and I suspect this metric is very relevant in that context.

I just donate to EFF and others directly.

Or Project Smile. I realize this has nothing to do with the EFF, it's just a project that should get a lot more press and support.

It should be noted that this is a very limited ruling. Only the owner can modify the car, and you can't go to a mechanic or third party to modify it (or inspect it), which will greatly restrict the application.

Also this doesn't apply to Entertainment or Telemetrics portions. So your car could be straight up spying on you, or your manufacturer can leave unpatched security holes in your "Entertainment" system (which has already been used ( http://spectrum.ieee.org/cars-that-think/transportation/syst...) to remotely hack your car), and there is nothing you can legally do. You can't even deeply look into the system to find such vulnerabilities.

I mean a win is a win, but this isn't as big as one would hope.

Fortunateyly the software in your 2015 honda civic is nearly or completely identical to all other 2015 honda civics, though.

I agree that its unfortunate, but being able to inspect the software in your car is nearly as good as being able to inspect other's or have other's inspect yours if you have the same make and year.

Well there is probably a pretty big difference between the normal civic, the hybrid civic, and the natural gas civic, but I don't think there will be lots of per car model/line differences, just that the inability to contract out things means that modification is limited to technical minded people (and no, artful dodges like "The mechanic will set it up, and the owner can push the button" are unlikely to fly).

Also it throws hassles at researchers, some cars have a lot of different combinations of things that might change the ECU software from engine choices to different model lines (Sport models often have different tunings) to even the type of gearbox (Manuals have different tuning than automatics which are different than CVTs, and advanced CVTs actually communicate with the ECU in complex ways that are only activated on the higher trims). No one is going to actually own 8 different Honda Accords just to legally work on all the firmwares. While I have no doubt that a lot of shortcutting will occur (i.e. people will dump the firmware and post it, and if and only if an issue is found will researchers bother to become nominal "owner" of a particular model) it adds a hassle, and a tinge of illegality which is completely unwarranted.

> and no, artful dodges like "The mechanic will set it up, and the owner can push the button" are unlikely to fly

What about selling/renting devices that the owner connects in some obvious way and pushes a button?

ECU tweakers are already very popular with diesel vehicles. Something like that seems legal even under these restrictions.

Buy/rent a device to mod your own vehicle.

Huh, I've never seen those before, and I own a diesel car. Are they worth it? What do the tweakers do that the entire Mercedes crew couldn't?

> What do the tweakers do that the entire Mercedes crew couldn't?

Openly flout emissions standards.

I'm sure there's some irony in that sentiment ;-) Aside from the VW thing I think pretty much all diesels are above emissions standards in open road testing.


Popular among a subset of diesel pickup truck owners.

Interesting, thanks.

"Malone" is a popular tune brand

I wonder if you could sell your car to the inspector, let them inspect it, and then buy it back.

Maybe a "Mechanic's Lien" could work for that[1]?

[1] https://en.wikipedia.org/wiki/Mechanic%27s_lien

It would be an important case. As you note it's on the same bus and meaningless to "be able" to inspect the car control system without looking at it.

The solution is for people to vote with their buys.

> EFF also won an exemption for users who want to play video games after the publisher cuts off support. For example, some players may need to modify an old video game so it doesn’t perform a check with an authentication server that has since been shut down

I think this is the real story for many HN readers.

Yep. I can answer questions on this if you'd like. I also clarified what's legal in a comment below.

Snarky, but, does "shut down" include when big launch games are overwhelmed or said systems suffer other availability events?

For legal purposes, I think it would apply when the official servers are shut down and there are reason to believe they will not be restarted.

For example if the company is out of business, or they announced they'll close it permanently, it got effectively abandoned and there's been a very long time without any official statement on if/when they'll bring it back up, etc...

No. Either the company has to announce the shutdown and actually shutdown the servers or the servers have been down for six months

I recently put a turbo on my van since I live high in the mountains where the atmospheric pressure is low and the performance loss is noticeable.

Of course the ECU needs adjustments to the fuelling tables (you need to run rich under boost to prevent detonation), spark timing tables, as well as a patch to the OS to allow the use of a different manifold pressure sensor (default OS doesn't recognise press above 100kpa).

I guess this was illegal.

I have heard rumblings from the professional engine tuners that the OEMs are already starting to lock down ECUs. Not only via DRM, but by having enough checks in the code that modifying parameters to up performance results in error codes and limp home mode. They expect to be having to go to after market ECUs soon.

Some of them would have cost more than my whole project:


Fortunately there are more DIY friendly set ups:


But it seems a waste to have to throw away a perfectly good ECU because the OEM (or gov) decided to lock it down.

I'm a dealer for Holley ECU products. They're fantastic! But you are correct, people in my industry are now forced to tell the modern hot rodder that step one (for the most part) is purchasing a $1200+ computer replacement plus rewiring their car in order to do anything.

You can modify your ECU all you want so long as it doesn't have any DRM-like protections.

They also got an exemption for modifying of abandoned games whose activation systems are long since gone, as well as extending/clarifying the jailbreaking exemption.

I actually worked on this part of the exemption. It was granted in two parts. First, fans may now reverse engineer and host servers for games that are no longer hosted online. Metal Gear Solid 4 is a perfect example, but there are plenty of others. This is now legal, and considered fair use. MMO's are exempted, and defined as games where the world is persistent reguardless of number of players connected (IE, is the game played in rounds, or is state reset in the world often... more than once a month, for example). It was a crude way to define the differences, but MMO's were a sticking point, so we have to come back to them later.

Second, museums and archives are now permitted to circumvent copy protection in the pursuit of preservation. This means that huge stores of old games that are otherwise unavailable are now legally preservable by institutions like Stanford, The Museum of Art and Digital Entertainment, and Archive.org. Of note is the fact that the Atari ST catalog of software was preserved on pirate disks, and we've yet to find any other way to save some of those pieces of software, aside from just preserving the pirate disks. This does not mean these titles can be redistributed, only that they can be modified for the sake of preservation.

Additionally, this means museums can preserve devices that circumvent copy protection, such as floppy-to-SNES devices, which we have a few of at the MADE. Modded XBoxes can now also be preserved in an institution.

The bits that help museums means a great deal for preservation of digital assets as a whole. This was a lot of work to get done, so a huge thanks goes out to the EFF, Stanford, MIT, Harvard and Archive.org for all their hard work to get this done!

Hi VonGuard,

> and considered fair use

The 1201 exemption process doesn't adjudicate whether things are fair use in a way that's binding on courts, although the Copyright Office does believe that it has to express some opinion about that the uses it approves are noninfringing. But a court doesn't have to agree with that substantive question: if someone sued you for running the server they could argue that it's not a fair use, and the court that they sue you in isn't bound to agree that the Copyright Office was right to view it as noninfringing (or that this is true in the particular circumstances).

Thanks for the clarification Schoen.

> This does not mean these titles can be redistributed, only that they can be modified for the sake of preservation.

But once the copyright expires on the disks, they may then be redistributed?

Then they would enter public domain. Copyright, however, lasts a very, very long time. Longer than the history of computing.

It sounds like archivists could image the disks and transport those across mediums, in the interest of archival, as long as they didn't distribute them, though. Am I mistaken?

You are correct. We can now do just about anything we want short of redistribution or commercialization.

Nearly nothing has entered the public domain in the U.S. in decades, and likely nearly nothing ever will again.

There was that time in the 70's when you had to re-up your Copyright, and a lot of stuff fell out, like Night of the Living Dead.

Night of the Living Dead failed to ever have copyright protection due to lack of a copyright notice or registration, not from a need for renewal. Renewal became automatic in 1964, and registration or notice became optional in 1989. (And in 1976 it became possible to register for up to 5 years after publication, to allow for fixing mistakes like with Night of the Living Dead.)

Theoretically yes, but I don't really expect to see copyright on any, even the oldest, software expiring during my lifetime.

If I understood the ruling correctly, all exemptions are technically only binding for three years, after which they have to be renewed. So in the (hopefully) hypothetical case that the librarian would not renew the excemption for archives, would that make all exibits stored on grounds of the exemption suddenly illegal? If yes, this doesn't seem like a very practical solution to me.

I get that MMOs are very different to regular games, but I wonder how that applies in this context - why would an MMO company strongly object to their abandonware being revived while a regular multiplayer company tolerates it?

this is huge! thanks for all the hard work to everyone involved.

That seems like great news for GOG.

GOG buys rights to distribute the original works for pennies on the dollar, the exemption EFF got is that you are allowed to reverse engineer and distribute software which can be used to run games that you own for systems that are no longer available, as well as transfer the games from their original media to modern ones in order to preserve them.

It doesn't not however give people the license to sell those games commercially doesn't matter if they are "abandonware" or not.

>> They also got an exemption for modifying of abandoned games whose activation systems are long since gone

That sounds to me like it would allow you to patch a game you already owned, but not to copy and sell that game. How does it help GOG?

The only thing that comes to my mind is that now it may make commercial sense for GOG to ask publishers for rights to sell games that require activation systems / servers that are no longer maintained.

But if you're selling it with the blessing of the owner, what was stopping you from asking "oh, we also need to patch the game so it will run - I assume you don't mind?"

For GOG to sell a game at all already requires that they explicitly cut a deal with the game owner. Fixing the game to run on a modern computer is a trivial part of that deal (and something they already do with their whole inventory).

It could however mean that GOG doesn't need any terms for how to achieve it, allowing them to have patches created and updated for use on arbitary systems without asking for permission, once they already have permission for redistribution.

So if they got permission to sell a version that can run on Windows, then they could later on patch it to make it run on Linux and other systems as well.

You're right.

Not enough coffee this morning.

When will DMCA-1201 be repealed for good? This unconstitutional garbage should be abolished.

An interesting read on this: https://web.archive.org/web/20120220014712/http://www.macfer...

Three interesting tidbits from the Wikipedia article about the Librarian of Congress:

> There is no official term limit for the Librarian of Congress, but in the 20th century a precedent was established that Librarians of Congress are appointed for life.

> There is very little legislation for the Librarian of Congress or rules regarding who should be selected for the position. In 1989, Representative Major R Owens (D–NY) proposed a bill in Congress that would set stricter requirements for who may be appointed. (...) This bill did not pass.

> James H. Billington has served as Librarian of Congress since 1987, and announced plans to retire from that post in 2015.

This sounds to me as if the position hadn't really been designed for the amount of power that it has been given now by the DMCA. With a vacancy apparently right ahead, wouldn't that make it the next prime target for lobby efforts or corruption?

I was initially happy about this until I saw that the primary reason was the VW scandal. Why are our laws only ever put into check when a controversy like this breaks out? We have to wait for the really bad abuses before anyone ever dials back the bullshit.

I wouldn't say that this was the primary reason, as the EFF has lobbied for this before and set the process in motion before that became public. It just provides a well-known recent example.

Thanks, first time submitting, I didn't spot those ones.

Welcome to HN submitting! We hope you'll submit as many intellectually interesting stories as you can find.

The links in my comment above were just to point out related links of interest, not at all to suggest that you shouldn't have posted this one.

Don't get me wrong, I'm pleased with the progress - but doesn't this just mean they'll make it harder to crack?

This is just the same old issue of DRM as before: create a system that works when the user is running it like they're supposed to, but doesn't reveal anything when they're not. And it's never worked. Probably can never work. Cory Doctorow talks about it in his talks on eliminating DRM. Basically, at the end of the day, the only real means we have of making DRM "work" is using laws (which, of course, doesn't stop criminals, only people who are trying to do things legally).

> doesn't stop criminals

Or it allows criminals to hide behind the DRM and laws to prevent a 3rd party from discovering their crimes (ala VW).

It worked pretty well for DirecTV, which is a more analogous scenario than normal computer software.

>It worked pretty well for DirecTV

You're going to have to explain what you mean by that, is there some story of DirecTV successfully preventing people from analyzing firmware?

Yes, famously. Google "DirecTV black sunday". DirecTV successfully killed off the (huge) DirecTV piracy community, not just by frying the old hacked cards, but by deploying new cards that have mostly withstood more than a decade of intense analysis.

Ahhh memories. What started as a "write a byte now put the card in any box for TV" escalated into complicated custom electronics, MITMing the stream, with a computer required to sit in the middle to lend its processing power. All the while, some unsung heroes out of the Matrix able to look in realtime at the DV-S stream flowing across their screen, able to spot a new Agent Smith barreling at the card and alert the world via IRC.

Harder DRM? They've tried that already

DRM can be totally baller, but if it has to be shown on a screen and played through speakers you're going to have an awfully hard time stopping anybody from making a DRM-free copy it.

Shouldn't this be mandatory and be part of the overall safety audition of the car? They have physical crash tests of cars to assess the robustness that match certain criteria.

While I agree with the idea that you should be able to inspect most anything, and not be prohibited from fiddling with anything thats yours, I don't understand how security would be handled?

The software of the car is a component of the car just like any other, and while I can certainly mechanically disable the brakes on my car, it won't be safe for road use if I do (It would never pass an inspection). Since no one could be expected to debug/inspect my software modifications for errors, one would have to assume that any car whose software doesn't match the official one, may be unsafe for road use, and thus can't be allowed on the road?

Also: isn't firmware of this kind pretty hard to read without having access to encryption keys? The petition just wants it to be legal not for the manufacturers to be forced to make it easy?

Well, you can repair your car's mechanical brakes yourself now. If you disable them (accidentally or otherwise) and render the car unsafe, the results of that are your responsibility. Is there a reason why software modifications can't be handled the same way?

Well, the whole point of car inspections is that "your responsibility" is not enough. It's possible that you as the owner of a modded vehicle are perfectly fine with the risk of an accident, but the other potential participants of such an accident might not.

I think the question has a point: Modified ECUs are different from modified brakes, because the modifications could likely not be found in an inspection - in fact, according to the exemption, it would be illegal for inspectors to check the ECU. So I wonder how that problem is handled.

The simple solution for safety I think is to just include the software checksum/signature in the approval documents for a car model.

At an interval check, the inspector does the usual sampling tests (brake effect, emissions, looks for rusty brake lines etc), and then validates that all critical computers (ECU's and other systems such as computers related to brakes etc) run software that match the signature of the manufacturer, and that it is the latest version of the sowftare. After a recall such as the VW case, the inspector could fail cars that haven't upgraded to the latest version (which would be required since the original one is known to be cheating on emissions).

This is a bit harsh compared to other modifications: an owner can put on a set of extra lights or cool wheels without necessarily failing an inspection, whereas even changing a single bit of the software would immediately fail it in this case.

I can't see any way around this though, apart from separating programs into critical (brakes, ECU) /non-critical (Media, nav,...) software, where only the critical software would be checked.

It some states it is your responsibility. Inspections (for emissions or safety) are not required everywhere. This is part of the reason that generally, the owner of the car is liable for damage it causes, whatever the reason or whoever is driving.

The point of having cars inspected for safety every year or every other year is that their saftey can't be the individuals responsibility only. If you drive without brakes you are dangerous to others.

The simple ocular/mechanical inspection that is used in most places catch obvious problems like rusty brake pipes or bad brake effect. They don't test software issues like whether the stability system is disabled in fifth gear over 50mph due to a buffer overflow.

So while there are similarities between me trying to fix my brakes and me trying to hack the software (Make a change to a car component, if it passes the yearly safety tests it's OK) the software is much harder, or impossible, to test by "external" black box testing that needs to be completed in say 30 minutes by a non software expert.

I think the majority of modifications are simply adjusting the calibration or lookup tables for things like fuel maps, enabling / disabling things like key left in ignition buzzers and the like, mostly data items rather than code modifications. There may be more adventurous modifications like adding launch control to a performance cars, but that may just be enabling existing code rather than adding new code.

My cars are old (1998) Nissan Skylines, who's ECUs are pretty basic, asides from killing the engine there's not much you can do to cause more issue than a mechanical modification like adding a larger turbo, or maintenance neglect. The ABS and traction control are handled by physically separate ECUs, though I imagine things are more integrated in the main drive train ECU in modern cars.

While I haven't modified the existing or written my own firmware to load on the ECU that mostly due to lack of time, one of them came from Japan with a Piggy Back ECU installed which intercepts the inputs / outputs to override the mapping of the OEM ECU to tune for other mechanical modifications. An alternative is to buy an aftermarket ECU or build a custom one, those tend to have less integrated safety features (stability control, etc.) than the OEM ones and integrate less well with the car's other systems, I'd expect them to cause more issues overall than relatively simple modifications of the OEM firmware.

I'm sure there are extremes where people may cause problems, but this kind of thing has been happening since cars have had computers so I doubt there's any great calamity around the corner.

I think there are still issues with even otherwise "safe" modifications. The road tax for a specific car model is (or should) be set based on emissions. Just like you would be fined if you were pulled over and had left your catalytic converter at home, it could be considered illegal to modify the fuel maps of a car to a higher power one, for example (At least if it hadn't been inspected and its tax adjusted after the modification).

That's a fair point, my cars are old enough to come under the older UK road tax rules so are not taxed based on emissions, but their emissions are better than the requirements for their age.

Still it would be nice if there were inexpensive ways to check emissions for your self while tinkering.

However, I think fuel maps vs. catalyst removal are largely similar, it'll either be picked up on the next inspection or VOSA can do spot checks if they think something is up. I don't think DRM / technical measures for locking the ECU are appropriate much like I wouldn't be happy if the catalyst and exhaust system were installed such that only the manufacturer could replace them.

Perhaps one would only use a performance map when using the car on a race track, it'd be a shame to replace all the electronics just for that.

I'm also not a fan of things like geo-fenced speed limiters, and replacement components that have to be coded to the car by the dealer.

It seems insane to me that we could allow private corporations to buy and sell data that our government would require a warrant or court order to obtain.

If cell phone service were free that would be one thing, but for these companies to be "double dipping" like this is pretty disgusting.

It seems insane to me that we could allow private corporations to buy and sell data that our government would require a warrant or court order to obtain.

You're not seeing what is going on behind the scenes... they are all in cahoots the money is just a bonus.

You're not seeing what's going down behind the scenes - the spying is for us.

On the NSA/spying...

The (mass surveillance) by the NSA and abuse by law enforcement is just more part and parcel of state suppression of dissent against corporate interests. They're worried that the more people are going to wake up and corporate centers like the US and canada may be among those who also awaken. See this vid with Zbigniew Brzezinski, former United States National Security Advisor.


Brezinski at a press conference


Wow. I didn't expect the Librarian OF Congress would have a say in this case, but he/she does: https://en.wikipedia.org/wiki/Librarian_of_Congress

Copyright works in mysterious ways...

This is the sixth time this has process has taken place in its current form -- it's not exactly something new.


I thought you where going with a Matrix joke for a second there.

Will this have any effect on the John Deer issue?

I'm not a lawyer, but the EFF mentions tractors in their press release:

> We are pleased that analysts will now be able to examine the software in the cars we drive without facing legal threats from car manufacturers, and that the Librarian has acted to promote competition in the vehicle aftermarket and protect the long tradition of vehicle owners tinkering with their cars and tractors.

Indeed, this is the issue on which John Deere weighed in on the other side (trying to prevent this decision from coming out this way).

man, this would be great. my dad is a huge car guy (type of guy that parks way in the back of the parkinglot) I wanted to get him a new key fob for his bday next week, $300 bucks.

now I am trying to mod an old key fob to work with the new one and have no idea how. it would be nice to encourage this sort of thing so there is more info out there. i am not even sure if it is possible to use an mk4 or mk5 key with my mk6 style one. why? no info.

I found a youtube video with the taredown which only exists because a modder sacrificed his $300 key to figure out how to do it properly.

i wish there was more info on how the software worked both for security and modification.

Has there been an analysis done as to how the LOC exemptions with interplay with the TPP anti-circumvention requirements?

Will the LOC still be able to grant these? If not, the year-long delay may be just long enough that there is actually never an open window.

While I agree with the premise of all of this, when it comes to modifying car software, who now maintains the liability? If a hobbyist were to modify something incorrectly and cause a malfunction of the car which in turn injured another, or damaged property, who is liable?

Surely it cannot be the automaker, they did not intend for that. Insurance companies are going to fight it, maintaining that unauthorized changes were made which would release their liability.

Inspecting auto software for problems is great, allowing hobbyists to tinker with their software seems problematic.

Insurance policies already cover this as "after-market modifications" (the terminology I've generally seen used already).

There really is no cause for concern; things that used to be purely mechanical are now electric. Any modifications made mechanically before could be equally disastrous.

Yes, software modifications are easier to hide, but that it is a price worth paying for the greater general freedom of everyone.

> Yes, software modifications are easier to hide

Not if you hash the software and find its been adjusted. In that sense it is easier to detect.

What happens if the user modifies the software, the modified software causes a malfunction, the user resets the software to the factory version, then takes it in to a shop while claiming they never modified the software in the first place?

> If a hobbyist were to modify something incorrectly and cause a malfunction of the car which in turn injured another, or damaged property, who is liable?

The hobbyist. Why would anyone else be liable for something a person did that then failed and caused harm?

> Insurance companies are going to fight it, maintaining that unauthorized changes were made which would release their liability.

The insurance company covers the car so you'd have to consult what their terms are in regards to modifications as plenty of people modify their cars today just not the software. I can't imagine a software change would be radically different to a hardware change in the insurance's eyes unless it's something incredible like an autopilot.

>The hobbyist. Why would anyone else be liable for something a person did that then failed and caused harm?

The hobbyist isn't the one with money. The manufacturer will be sued, and they usually settle because there is probably something they could have done that would have made the failure less likely, injury trials are bad press, and jury sympathy is always on the injured little guy's side.

This is how it plays out with physical products, I don't see why it would be any different with code.

That's not what happens if a hobbyist modifies e.g. the brakes, then the brakes break and the car crashes - if you modified the thing, you're responsible for the issues your modifications cause.

This is really good news. Wow.

Excellent development!

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact