The EPA Opposes Rules That Could’ve Exposed VW’s Cheating
Today, the EPA accused Volkswagen of illegally using software to cheat emissions standards. The agency alleges that the German automaker’s vehicles have a sophisticated algorithm that was designed to undermine official emissions testing by engaging full emissions controls only during testing and disabling them afterward. As a result, the car maker was able to sell half a million diesel-powered vehicles that produce nitrogen oxide, which creates smog, at up to 40 times the legal limit during normal driving situations.
The EPA learned about the issue only last year after researchers at West Virginia University published a study revealing that VW cars had emissions higher than expected. The agency has now accused VW of violating the federal Clean Air Act.
But two months ago, the EPA opposed some proposed measures that would help potentially expose subversive code like the so-called “defeat device” software VW allegedly used by allowing consumers and researchers to legally reverse-engineer the code used in vehicles. EPA opposed this, ironically, because the agency felt that allowing people to examine the software code in vehicles would potentially allow car owners to alter the software in ways that would produce more emissions in violation of the Clean Air Act.
The issue involves the 1998 Digital Millennium Copyright Act (DCMA), which prohibits anyone from working around “technological protection measures” that limit access to copyrighted works. The Library of Congress, which oversees copyrights, can issue exemptions to those prohibitions that would make it legal, for example, for researchers to examine the code to uncover security vulnerabilities.
In December of 2014, a group of proponents suggested to do exactly this by seeking to add computer programs used in cars, trucks, and agricultural machinery to the list of DMCA exemptions. Having access to car controls would allow for “good-faith testing, identifying, disclosing, and fixing of malfunctions, security flaws, or vulnerabilities,” they argued, according to comments they submitted to the Federal Register.
Various parties submitted three classes of proposed exemptions that would have potentially assisted in uncovering this type of software—the proposals have been categorized by the Copyright Office as Class 21, Class 22, and Class 25. The EPA opposed Class 21 and Class 22 but stayed silent on Class 25. Class 21 argued for the ability of owners to examine software for purposes of modifying their vehicle. Class 22 argued not only for owners to be able to modify their vehicle but also to allow researchers to examine the software for security vulnerabilities and safety issues. Class 25 proposed only to allow reverse-engineering code for security and safety purposes.
In opposing the exemption for individual car owners to examine the software, the EPA would close an important avenue for uncovering security and safety issues in vehicle software, because often these kinds of issues are uncovered by individual researchers while simply examining their own product or vehicle for fun or curiosity, not during formal research. Of course, examining software in this way can potentially uncover other things a car maker wouldn’t want anyone to see, such as code designed to circumvent emissions testing.
The Alliance of Automobile Manufacturers, an advocacy group that represents most of the world’s major automakers, including Volkswagen, opposed the DMCA exemption (.pdf), arguing it would create or exacerbate “serious threats to safety and security.”
The EPA, surprisingly, also argued against the research exemptions, saying it was concerned drivers might hack their own cars to improve performance in ways that would violate federal controls.
In a letter (.pdf) sent by the EPA’s assistant general counsel to the Copyright Office on July 17, the EPA wrote that the proposed exemptions “would allow users to modify that software for purposes other than those the proponents envision” in a way that “could slow or reverse gains made under the Clean Air Act.”
Computer programs that control engine operation “have been critical to achieving the reduction” in vehicle emissions, EPA Assistant General Counsel Geoff Cooper wrote. Consumers allowed to “tinker with” that software could boost performance, and thus increase emissions, Cooper argued. The Copyright Office’s decision on the exemption is still pending.
Andrea Matwyshyn, law professor at Northeastern and Princeton Universities, says it’s not a done deal that the Copyright Office will oppose the proposed exemptions and that the office has been coming around recently to recognizing the need to examine code for safety purposes.
“Historically the Copyright Office has been conservative about granting requests that involve any form of [exemptions] for reverse engineering or for research,” she notes. “However, because our whole economy now relies on the integrity of code, the Copyright Office in our hearing with them expressed a recognition of changed circumstances and did not adopt an inherently hostile position to [this kind of exemption].”
The irony of the EPA”s concern over owners altering their vehicle code in a way that would violate the Clean Air Act is that VW was allegedly using its surreptitious algorithm to do exactly this—that is, to favor performance over fuel economy in a way that violated the Clean Air Act. And legalizing public access to the software used in the 482,000 VW cars now being recalled could possibly have revealed the alleged “defeat device” code earlier. As noted on Twitter by Thomas Dullien, a prominent security researcher and reverse engineer who goes by the handle Halvar Flake: “The VW case is an example why we need more liberal reverse engineering regulation. In a world controlled by code, RE creates transparency.”
The VW case is an example why we need more liberal reverse engineering regulation. In a world controlled by code, RE creates transparency.
— halvarflake (@halvarflake) September 18, 2015
“It’s possible” a researcher with legal access to Volkswagen’s software could have discovered the code that changed how the cars behave in testing, says Matt Blaze, a professor in computer information science at the University of Pennsylvania. Blaze was among those who petitioned for a wide range of DMCA exemptions, though he does not specifically work on automotive research.
Third party reverse engineering is a powerful tool, says Blaze, and could have turned up the “defeat device,” even if whoever found it didn’t know what they were looking at, or that it was deliberate. If someone suspected something fishy with VW’s engine software, they would have had a good chance of discovering it.
The EPA’s “concern was about retail hacking,” says Blaze, that individual consumers would increase emissions. But “the actual threat” was “a much more wholesale problem.”
Senior staff writer Kim Zetter contributed to this piece.