The Volkswagen Scandal Is Just the Beginning
The Environmental Protection Agency should have listened to Ron Weasley’s dad. In the Harry Potter books and films, Arthur Weasley is a bureaucrat in the British magical world’s chief regulatory agency, the Ministry of Magic, where his job is to protect people from dangerous devices. He is known for his unusual fascination with nonmagical technologies, and toward the end of the second book, he delivers a deep lesson in living safely with technology. “What have I always told you? Never trust anything that can think for itself if you can’t see where it keeps its brain.”
Last week, the EPA revealed that it had trusted Volkswagen’s diesel cars, without checking to see where they kept their brains. It sent a letter to the carmaker detailing how VW programmed about 500,000 cars over half a decade to cheat on its emissions tests. (The worldwide total, VW has revealed, is now 11 million.) It’s a story of massive corporate fraud but also an object lesson in everything that’s terrifying about a world in which cars and other things can think for themselves.
VW used software to put a new spin on an old scam. Wherever there is a test, someone will try to cheat on it. The EPA has banned emissions test “defeat devices“ for decades. In 1995, it fined GM $11 million for turning off carbon monoxide controls when the air conditioning was on. Some observers have defended GM, arguing that carbon monoxide pollution is primarily an issue in the winter. But the larger principle — truth in testing — is important. You don’t tell your kid to cheat on her math test, no matter what you think of the Common Core.
The car of the future is a computer with wheels. And wherever there’s software, you’ll also find bugs, hacks, and blue screens of death.
VW’s defeat devices were subtler and more insidious. Instead of just turning off and on with the air conditioner, they took into account “the position of the steering wheel, vehicle speed, the duration of the engine’s operation, and barometric pressure” — a list of criteria that precisely mirrors the conditions of the EPA’s required emissions testing.
This kind of sophisticated sneakery is only practical with software, and software also makes it possible to get away with (for a while). A dedicated circuit or a special valve would have been impossible for VW to hide. But it’s easy to conceal the scraps of code that check to see whether the car is being driven in a way that looks suspiciously like an emissions test. Modern cars already contain tens of millions of lines of code; what’s a few more between friends?
In theory, at least, software should also be easy to fix. VW’s engineers will write a replacement version of its emissions-control software, leaving out the defeat device this time. Installing that software on existing cars — “patching” them, in the language of software — is just a matter of taking them to a service center and plugging them in to a computer there.
It might not play out that way, though. A large fraction of recalled cars are never fixed, because owners never get the notice, don’t realize it was serious, or never get around to bringing their cars in. Even safety recalls — which you might think would get car owners to take action — have shockingly low completion rates. One-third of recalled cars are never fixed; there are an estimated 37 million cars on the road in the United States with unfixed safety recalls.
The VW recall is going to be an even harder sell: Bringing down the cars’ emissions will also bring down their performance and their mileage. A Jetta owner who takes her car in to get “fixed” will drive off the service center lot in a slower and thirstier car. Some conscientious owners will bite the bullet and do it; others will be tempted to keep putting off making that appointment.
Tech companies use copyright threats to keep the security community in the dark about vulnerabilities in the devices we use every day.
And that’s why emissions regulations are a government mandate, not something left up to individual car owners. A car isn’t done when its manufacturer certifies that it meets federal standards; the states also test cars’ emissions, in person, one at a time. If your car flunks, you can’t register it. The California Air Resources Board is already on the case, so California and other states with strict emissions rules may start refusing to recertify the affected VWs already on the road. Yes, those cars will “pass” emissions tests — but the EPA letter helpfully includes a chart of the VW models and years with software defeat devices. It’s easy to imagine a state department of motor vehicles issuing a flat rule that none of these cars will be allowed to take the emissions test without proof that they’ve been patched.
The car of the future is a computer with wheels. Apple is moving ahead with its own car. Traditional carmakers may scoff (just like Palm and BlackBerry scoffed at Apple’s plans to make a phone), but they’re also racing to computerize their cars, from entertainment consoles to automatic collision avoidance systems. Self-driving cars will even replace driver with software. And wherever there’s software, you’ll also find bugs, hacks, and blue screens of death. The stakes are high: If your car crashes, it crashes.
Tesla offers a glimpse of the future. Its software-heavy cars are Internet-connected, and Tesla routinely pushes out software updates over the air, the same way smartphone apps update themselves automatically. After one Tesla driver dented the car’s battery pack driving over debris, Tesla sent out an update that raised the cars’ suspension further off the road. Imagine VW doing that to disable the defeat device. Now imagine VW doing it to disable the car if you’re behind on your payments — or if it thinks you’re behind on your payments because of a computer glitch. Or imagine hackers remotely taking control of your car and stopping it in the middle of the highway. Actually, no imagination is required: It’s already happening. One of the most important reasons for software updates to cars will be fixing dangerous security vulnerabilities.
But security researchers have run into a surprising roadblock: copyright law. The Digital Millennium Copyright Act prohibits the “circumvention” of digital rights management software that locks down media. The DMCA was intended to keep digital movies and music safe from pirates who’d upload them onto the Internet (fat lot of good that has done), but it has been repurposed for some unintended consequences. Technology companies regularly threaten security researchers who try to look inside their products, arguing that these products contain copyrighted software that must be kept secret, because reasons. (Never mind that these reasons never have much to do with copyright; the resale value of the software inside a garage door opener is nil.)
The best way to defeat factory-set emissions controls is to own the factory.
Despite the fact that this kind of tinkering is explicitly legal under every states’ trade secret laws, tech companies try to use copyright threats under the DMCA to shut it down, keeping the security community in the dark about vulnerabilities in the devices we use every day. As more things have software inside them — from baby monitors to firearms — the risks to privacy and safety are mounting. Anything that can think for itself is also something that can be mind-controlled; looking inside its digital brain is the only way to be confident it hasn’t been hit with an Imperius curse. Welcome to the Internet of Things That Can Kill You.
With these concerns in mind, the Electronic Frontier Foundation asked for a pair of car-related exemptions from the DMCA. One would let security researchers investigate the software in cars; the other would let car owners tinker with and repair their cars. Unsurprisingly, the Auto Alliance — a trade group including VW’s North American unit — filed extensive comments against both, arguing in large part that the black boxes need to stay sealed to keep everyone safe. It asserted that “encouraging modification will lead to more, not fewer cars on the road that are out of compliance with federal emissions and fuel economy standards.” What’s more, carmakers persuaded the EPA to write a letter to the Copyright Office opposing the exemption. The EPA argued that being able to invoke copyright law would help it enforce environmental laws against mechanics who modify cars in ways that improve performance but increase emissions.
In hindsight, these sentiments are darkly ironic in the way that great corporate crimes always are. The best way to rob a bank is to own one; the best way to defeat factory-set emissions controls is to own the factory. A panic about individual mom-and-pop garages tampering with a few cars was used to justify laws that helped make it harder to detect the fact that one of the world’s largest automakers tampered with 11 million cars. The EPA has already shown that it doesn’t know when to look inside of software black boxes. Unless the rest of us are allowed to, who knows what other evil lurks in the hearts of cars?
This article is part of Future Tense, a collaboration among Arizona State University, New America, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture. To read more, visit the Future Tense blog and the Future Tense home page. You can also follow us on Twitter.
This article is republished on Medium as part of Climate Desk, a collaboration between Slate, where it first appeared, The Atlantic,CityLab, Grist, The Guardian, The Huffington Post, Mother Jones, Reveal, and WIRED.