SVI Spells Security in Right to Repair
The summer of 2023 was very consequential in the life of the Right-to-Repair initiative.
Days after the Massachusetts attorney general declared enforcement of the state’s Right-to-Repair law (the Data Access Law) would begin on June 1, the National Highway Traffic Safety Administration (NHTSA) directed the major car companies not to comply with the law. The NHTSA directive was based on the claim that compliance with the law would involve selling vehicles that were inherently unsafe and vulnerable to cyberattacks.
“Vehicle crashes, injuries or death are a foreseeable outcome of such a situation,” NHTSA explained. Since the Motor Vehicle Safety Act prohibits manufacturers from selling vehicles that they “know contain a safety defect, opening access to the vehicle’s telematics units…would conflict with your obligations under the Safety Act.”
There’s a lot to unpack here, and obviously, the Auto Care Association and other supporters of R2R do not agree with the interpretation of the law cited by NHTSA.
“NHTSA’s summary conclusion is based on its belief that the Data Access Law requires ‘open remote access to vehicle telematics,’ whereby vehicle data would be unencrypted and allow anyone to remotely send commands to a vehicle to manipulate safety-critical functions,” said Bill Hanvey, Auto Care Association president and CEO, in a letter to NHTSA. “This is not the case. NHTSA appears to have adopted the Alliance for Automotive Innovation’s overly broad interpretation of the Data Access Law that is belied by the Massachusetts Attorney General’s more reasonable interpretation and the language of the law itself.”
Let’s get something straight right from the top. The data-access law approved overwhelmingly by the voters of Massachusetts in 2020 does not prescribe how vehicle manufacturers shall make telematics data (repair and service information generated by the vehicle) available to parties other than the OEMs and their franchise dealers. The law states that car companies shall make the data available to the vehicle owners or the service provider of their choosing – full stop. Yes, it includes the words “open, remote access” only to ensure access is available on a level playing field with the vehicle manufacturer. Massachusetts voters were smart enough to know “open, remote access” did not mean their cars were going to be broadcasting vehicle and personal data to any device within range of
Compliance with Right to Repair does not make vehicles less safe and secure.
For one, the R2R Data Access Law limits access to the information needed to maintain, diagnose and repair the vehicle – no personal identification or driving behavior information. Further, diagnostic and repair procedures have required access and communication with vehicle systems ever since the introduction of on-board diagnostics (OBD) and software-controlled modules – this is not something new.
Greg Potter, chief technology officer of the Equipment and Tool Institute (ETI), explained to me that the protocols developed by the manufacturers themselves require that the vehicle must be in a “safe state” before it can respond to any potentially harmful diagnostic commands or inquiries. For example, engine speed = zero; vehicle speed = zero; transmission in park, etc. Further, the vehicle can give a “negative response” to any potentially harmful command or inquiry, in effect saying “No.” The parameters in this logic are defined by each vehicle manufacturer, and some are more rigorous than others.
“Car makers have ensured that the vehicle won’t allow you to do bad things at the wrong time,” explained Potter. A law requiring vehicle owners to have access to their telematics data makes a car no less safe than one without that requirement – the safeguards are already engineered into the vehicle.
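The safe-state gate and negative response Potter describes can be sketched as follows; this is an added example, not code from the article, ETI or any manufacturer. It assumes UDS (ISO 14229-1) style service IDs and negative response codes, which the article does not name, and the choice of which services count as potentially harmful is hypothetical, since each manufacturer defines its own.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed vehicle state; field names are illustrative. */
typedef struct { uint16_t engine_rpm; uint16_t speed_kph; bool in_park; } vehicle_state;

enum {                          /* ISO 14229-1 (UDS) constants */
    SID_READ_DATA      = 0x22,  /* ReadDataByIdentifier */
    SID_IO_CONTROL     = 0x2F,  /* InputOutputControlByIdentifier */
    SID_ROUTINE        = 0x31,  /* RoutineControl */
    NEGATIVE_RESP      = 0x7F,
    NRC_ENGINE_RUNNING = 0x83,
    NRC_SPEED_TOO_HIGH = 0x88,
    NRC_NOT_IN_PARK    = 0x90
};

/* Assumption: this ECU treats actuator and routine services as
 * potentially harmful. Each manufacturer defines its own set. */
static bool needs_safe_state(uint8_t sid) {
    return sid == SID_IO_CONTROL || sid == SID_ROUTINE;
}

/* Returns 0 when the vehicle is in the safe state, otherwise the
 * NRC naming the first precondition that failed. */
uint8_t safe_state_nrc(const vehicle_state *v) {
    if (v->engine_rpm != 0) return NRC_ENGINE_RUNNING;
    if (v->speed_kph != 0)  return NRC_SPEED_TOO_HIGH;
    if (!v->in_park)        return NRC_NOT_IN_PARK;
    return 0;
}

/* Writes the response into resp (at least 3 bytes) and returns its length. */
size_t handle_request(const vehicle_state *v, uint8_t sid, uint8_t *resp) {
    uint8_t nrc = needs_safe_state(sid) ? safe_state_nrc(v) : 0;
    if (nrc != 0) {             /* the vehicle says "No" */
        resp[0] = NEGATIVE_RESP; resp[1] = sid; resp[2] = nrc;
        return 3;
    }
    resp[0] = (uint8_t)(sid + 0x40);  /* positive response SID */
    return 1;                         /* response payload omitted */
}
```

The check runs inside the vehicle module, so it applies to every requester regardless of which tool or access path delivered the command.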
Anticipating that a more rigorous framework for accessing vehicle data would be needed eventually, standards organizations set about defining the Secure Vehicle Interface (SVI).
To be clear, Right to Repair does not require or prescribe the SVI. But, as long as the law requires that access must be given to telematics data, it makes sense that a standardized method be adopted that reflects the best practices and tightest security protocols to protect everyone’s data and privacy. The SVI is the result of collaborative efforts by The European Committee for Standardization (CEN), International Organization for Standardization (ISO), SAE (Society of Automotive Engineers) and others. SVI is tested and proven in real-world applications. It was demonstrated at Joe’s Garage at AAPEX and is exercised in a video demonstration conducted by the European Standards Organization.
SVI is not the only method available to vehicle manufacturers to comply with R2R. They are each free to spend the time and money to develop their own. However, adoption of a standards-based solution that has already been defined and tested has the advantages of lowering development costs, speeding time to market and accelerating response to changing technology and threats through a global community approach.
What’s the next step for Right to Repair?
If Right to Repair and the standards-based architecture are such a good idea, why has there been so much pushback and opposition by the car companies? It is regrettable that manufacturers aren’t more focused on providing a good customer experience over the 20-to-25-year life of their vehicles. Ease of access and the availability of service, convenience and reasonable costs – these are the attributes of an ownership experience that would increase loyalty to a brand. Right to Repair and consumer freedom to choose service alternatives can be turned into a powerful brand-management strategy. But, until the OEMs see it that way, the aftermarket must fight this existential battle with every tool at our disposal.
Despite the temporary setback in Massachusetts, the Biden administration favoring the consumers’ right to choose repair services on their own terms (Executive Order) and the bi-partisan support of the federal REPAIR Act offer hope that Right to Repair may become the law of the land soon. The next best chance to make your voice heard on this critical subject is the Auto Care Legislative Summit, Sept. 21, in Washington, D.C. If you can’t be there in person, write to your representative and tell them “it’s your car, your data and your choice.”