Should research on vehicle software be hidden from the public?

The US Department of Transportation (DOT) says security researchers tinkering with vehicle software shouldn't be allowed to go public with their findings. The agency "is concerned that there may be circumstances in which security researchers may not fully appreciate the potential safety ramifications" if their findings are released in the wild.

That's according to a DOT letter (PDF) to federal IP regulators who are considering a proposal to allow the public to circumvent copyright protection measures attached to vehicle software. Known as "technological protection measures" (TPMs), automakers employ this type of copyright scheme in a bid to make it a Digital Millennium Copyright Act (DMCA) violation to examine or tinker with the code in onboard vehicle software.

The debate over whether vehicle owners have a right to tinker with the software on their vehicles—just like they have the right to change their own oil—comes amid a growing and global in-vehicle software scandal at Volkswagen. And it comes as the US Copyright Office is considering a proposal from the Electronic Frontier Foundation and others that would authorize such tinkering without chilling researchers' speech.

The VW scandal was revealed on September 18, days after the DOT's letter to copyright regulators. As many as 11 million VW diesel vehicles are packaged with so-called "defeat device" software, which senses when a car is undergoing emissions testing and allows the vehicle's emissions control to work. However, when the car is operating under normal driving conditions, emissions control systems would not work properly. The car would spew 10 to 40 times more nitrogen oxide (NOx) into the air than is allowed by US federal regulations.

According to the DOT's letter to copyright regulators:

With respect to an exemption for circumvention of TPMs in software embedded in vehicles, for the purposes of research regarding security or safety of such vehicles, this Department has concerns over the timing and nature of the potential public disclosure of such research. The Department recognizes that enabling publication of good faith research efforts in this area presents the potential benefit of promoting collaboration in identifying security vulnerabilities or other problems. However, the Department is concerned that there may be circumstances in which security researchers may not fully appreciate the potential safety ramifications of their security circumvention acts and may not fully understand the logistical and practical limitations associated with potential remedial actions that may become necessary. The Department's concerns potentially could be addressed with appropriate limitations on disclosures of such TPM circumvention and of the manner in which they are accomplished (e.g., limiting disclosure of circumvention and its potential effects to regulators or potentially affected parties) or with the provision of adequate time for responsive actions to be formulated and executed before broader disclosures are made."

Setting aside the First Amendment and DOT's lack in trust of researchers, the agency's position on the topic is much more measured than the ones taken by the automakers and even the Environmental Protection Agency. The EPA, which VW had hoodwinked for years with its "defeat device" software, trusts automakers over the public.

The EPA told copyright regulators that the public should not be allowed to tinker with onboard vehicle software because tinkerers might increase a vehicle's performance and cause it to pollute more. Or, in the EPA's own words, an exemption would "enable actions that could slow or reverse gains (PDF) made under the Clean Air Act." The Alliance of Automobile Manufacturers, which includes VW, opposes the EFF's vehicle software exemption proposal, too. The alliance told the US Copyright Office that such an exemption would "create or exacerbate" (PDF) "serious threats to safety and security."