Letter: Please Join Me In Voting Yes On Question 1.
Voters may have been confused by the campaign by monopolist car dealers. Don’t be! Question 1 is a definite win for consumers.
The problem that this Ballot Question 1 fixes is that businesses have used copyright and contracts to create a monopoly — a kind of antitrust problem — where dealers can lock out independent, competitive service providers for car repair.
The manufacturers’ argument that “this is a security issue” is the classic response from any monopolist to opening up competition.
In the software world, though, it’s particularly wrong. Open source software is widely understood to create higher security software, because people can actually see the code and see what’s happening. “Many eyes make all bugs shallow,” as software folks say. Closed, proprietary software, on the other hand, has fewer eyes looking at it — only the company that made it! — and that company has a financial interest in not sharing or publicizing problems with the software. In other words, if you are looking for neutral diagnostics of the proprietary software, you’re out of luck, because the proprietor is not neutral — they have a financial conflict of interest.
That is basically the situation here — when it is only a single set of proprietary controllers (the dealer & their licensed repairers) you have no option to “get a second opinion”, and the “first opinion” has a financial interest in the answer they give you.
This problem, of manufacturers locking up basic information about the products they sell us, is a problem around the country and in products beyond cars. The Right to Repair program has been working hard in every state to deal with this, starting with cars — one of the most expensive and widespread consumer products. You can read more about it at the Massachusetts Secretary of State’s “ballot question information”, read the Massachusetts petition information at https://www.righttorepairpetition.org/, and learn more about the movement overall here: https://repair.org/stand-up/.
Please join me in voting YES on Question 1. Let’s pass this important consumer protection measure in a landslide!
Laura Quilter is a militant librarian, attorney, teacher, and resident of Amherst.
In the state’s Voter Information booklet opponents of this ballot question made a point that wasn’t addressed in the statement in favor of the question in the same booklet, and your letter also didn’t address the point. The argument was that the change would potentially make personal information available to be exploited, e.g. “Access to vehicle data, particularly call logs and GPS location, enables persons who perpetrate abuse to possess the tools necessary to track and monitor their victim.” I’m very inclined to support Question 1 for exactly the reasons you gave, but I wonder whether there is a response to this – is it simply invalid, or is it valid but considered unimportant?
Hi Steve —
This is an excellent point, and I fear that it will be compelling to folks.
Short-ish answer:
From my perspective (having worked on privacy & security in various tech law matters, from electronic voting machines, RFID tagging in libraries, EBT cards, etc), this argument is deceptive. They are basically arguing that security is coming by obscuring the security measures embedded in the software. But actually, data security comes from the strength of the encryption and from not having exploits in the software — not from simply obscuring the software from the *consumer* and third party services. The strength of the encryption is irrelevant to whether the software is proprietary/closed or open source, but consumer access to knowing security measures, and third-party security / service agents having access to the code, make it much easier to assess the code for weaknesses and apply pressure to upgrade security measures.
Abusers and harassers, for instance, have been using all sorts of Internet-of-things home devices to harass their victims — despite these things being proprietary / closed software — because of the lack of security in too many of those systems. The answer to these security risks is encryption of data and having the code reviewed to be sure that it is not vulnerable. If a system is transmitting data in the clear, it is vulnerable, regardless of whether the code is open or closed.
At greater length:
The distinction between closed and open source software applies to the *software*, not the data. If the data is not encrypted, or encrypted with a weak standard, then it is vulnerable, regardless of whether the software is open or closed. (And in fact, proprietary systems in cars and other home appliances often have very little or no security and encryption built in, so the proprietary systems are quite easily hacked by anybody who wants to & has a little bit of know-how.) But the data’s vulnerability is really based on the protection of the data — 128-bit encryption is vastly weaker than 256-bit encryption, for instance, and the strength or weakness is not really based on whether they know it’s 128-bit or 256-bit encryption. (And in closed software that is easy to discern in any case.)
So what’s the difference between proprietary/closed and open source? Open source software allows third parties to review the *code* to ensure that there is in fact protection and to assess it — see if there are bugs in the software, critique it for being crappy encryption. We can apply consumer pressure to get manufacturers to increase the data protection code — for instance, to encrypt data or increase the strength of the encryption from 128-bit encryption to 256-bit encryption.
In the proprietary/closed system, consumers, tech activists, and ordinary car repair people cannot actually look to see if the software is compromised, buggy, or what the problem is; we have to rely on the word of the company that created it. (And there have been many, many scandals with companies trying to hide security vulnerabilities rather than ‘fessing up to them.) The tools to assess the software — to know what kind of encryption it is using, for instance, or to bug-check it — are not available to the consumer or third party services; just to licensed/authorized dealers and to threats.