As I wrote about previously on our blog, the Massachusetts Right to Repair amendment passed in November is up against a lawsuit from auto manufacturers. Now, the Massachusetts Attorney General’s office has responded, stating that the state law does not conflict with any federal statute and that voters already rejected all of the lawsuit’s allegations. The Attorney General’s office further argues that the primary claim of this lawsuit relies on non-binding agency guidance, which is simply not enough to preempt the amendment. There is a heavy burden for facial, pre-enforcement challenges established by the Supreme Court and the First Circuit. At this point, the Attorney General has agreed not to enforce the law until the litigation has concluded. Massachusetts argues that rejecting the law before it takes effect is subversive to the democratic process. The case is set for a bench trial in June 2021. We’ll follow the case as it makes its way into the new year.
A group of automakers, through the Alliance for Automotive Innovation, is suing Massachusetts in federal court to block the new ‘Right to Repair’ law that passed on November 3rd. This law was known as “Question 1” to Massachusetts residents hitting the polls earlier this month. As we discussed in our prior blog post, the new state law expands access to certain diagnostic and repair data collected by onboard computer systems that is currently only accessible in ‘real-time’ by the manufacturers (and in turn, their dealers). The lawsuit argues that the law will impose a financial burden on auto manufacturers and threaten the privacy of car owners by exposing data from their vehicles. We discussed many of these privacy and security concerns in our post back in October, when consumers were still contemplating whether they wanted their small autobody shops to have more access to their data or to prevent more sharing of their vehicle’s data.
The lawsuit asks the court to declare the new Right to Repair expansion to be legally unenforceable. It claims that this new law violates numerous federal laws related to cybersecurity and intellectual property. The lawsuit also raises the arguments that auto manufacturers made during the ballot campaign: that independent autobody shops already have access to the data they need to fix consumers’ vehicles under the existing Right to Repair law.
Moreover, manufacturers say the requirement that they install a standardized “platform” on all cars equipped with telematic technology sold in Massachusetts by model year 2022 forces them to implement the requirement immediately because the first production of 2022 models is already getting ready to hit the market.
Finally, the lawsuit relies heavily on the testimonial letter that the National Highway Traffic Safety Administration (NHTSA) sent to a committee of the state legislature back in July, which stated that Question 1 posed new cyber risks by compromising the integrity of a vehicle’s functions such as steering, acceleration and braking. However, the NHTSA also stated in its letter that manufacturers should continue to control those vehicle functions, which, on its face, the new Right to Repair Law also seems to support (i.e., the new system in 2022 models will communicate “mechanical data,” and the proposed definition of “mechanical data” states that it includes information that is “related to the diagnosis, repair or maintenance of the vehicle.” This would NOT include telematics data collected related to an immobilizer system or security-related electronic modules. That exception is not being stricken by these proposed revisions).
We will follow this lawsuit to see how it shapes access to vehicle data not only in Massachusetts but across the country as a whole as more and more cars are equipped with real-time telematics data collection and transmission.
Thirty-eight years after it was founded, RSA Security is embarking on what may be its most challenging journey yet: cybersecurity startup. In this Spotlight Podcast, sponsored by RSA, we’re joined by Chief Digital Officer Dr. Zulfikar Ramzan to talk about the company’s path forward as an independent company.
The company, which was acquired by storage giant EMC back in 2006 and then became a part of Dell when that company acquired EMC in 2015, re-emerges as an independent company this week, more than six months after it was acquired by a group of investors led by Symphony Technology Group.
What does independence look like? What will RSA do with its newfound freedoms? And how does the challenging business environment created by the ongoing COVID pandemic figure into the company’s plans?
To find out, we invited Dr. Zulfikar Ramzan, RSA’s CTO, into the Security Ledger studio. In this conversation, Zulli talks about how RSA’s path forward is informed by the company’s pioneering past, starting all the way back in 1977, when three MIT researchers, Ron Rivest, Adi Shamir and Len Adleman, published research on a novel public key cryptosystem that took their name.
The Past Informing the Future
As Ramzan sees it, the daring and persistence of the founders, whose work helped create the modern Internet but who initially had to contend with the limitations of contemporary hardware and software, not to mention Cold War era restrictions on the sale of cryptography technology outside the US, will serve as an inspiration to RSA as it looks to re-establish its leadership in a vastly altered technology and security landscape.
To start off, I asked Zulli to talk about RSA’s earliest days and what messages he and other company executives take from the company’s origins almost 4 decades ago.
(*) Disclosure: This podcast and blog post were sponsored by RSA Security. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.