1. 1
Stopping Virtual Carjackings: The Threat of Cyber Terrorism in
Automobiles and the Security and Privacy in Your Car Act (SPYCA)
By Tyler E. Cragg
Abstract
Automobiles, like other modern technologies are becoming increasingly integrated with the
internet. Although this integration provides increased functionality that is desirable to
consumers, it also increased the threats posed by automobiles. With increased connectivity,
hackers possess more avenues to access a car and can now remotely control the car. Despite the
possible consequences of automotive hackings manufacturers remained silent on the problem.
Senators Ed Markey (D-Mass) and Richard Blumenthal (D-Conn) proposed legislation, however,
that seeks to create security standards for internet connected automobiles. Entitled the Security
and Privacy in Your Car Act (SPYCA), this proposed legislation would require manufacturers to
include minimum security standards in their automobiles and test them for vulnerabilities.
SPYCA is not without its flaws, however, as it may conflict with the Digital Millennium
Copyright Act (DMCA), frustrating its purpose. To prevent this conflict, the final form of
SPYCA must require automotive manufacturers to provide their software to independent security
analysts for review before they can comply with the act.
Introduction
Recent changes to the automotive industry provide numerous new options when the
consumer purchases a car. No longer is the consumer limited to choices of which seating
material they desire, or which exterior trim package they would like to purchase. One major
option available to the automotive consumer relates to a vehicle’s so-called “infotainment”
systems. Infotainment systems provide a mix of information and entertainment to passengers

2. 2
through services like Bluetooth connectivity, satellite radio, navigation systems, and streaming of
online content like Pandora Radio or even fully independent internet browsers. These
infotainment systems have progressed to such a point that they can independently access the
internet, rather than relying on a cell phone’s connection.1
Automakers, however, largely ignored the need for these protections to infotainment
systems, namely by failing to protect a consumer’s personal information and preventing hackers
from accessing a car’s driving controls. This is predominantly because automakers have denied
the existence of the problem. Until recently, Congress was also silent on the issue of consumer
protections for connected vehicles. This changed with the proposed Security and Privacy in Your
Car Act (SPYCA).2
Although well intentioned, SPYCA fails to provide adequate enforcement
mechanisms for its requirements, relying entirely on self-enforcement by automakers, who have
proven to be self-interested and dismissive of the threats to consumers.
This paper provides a framework for the government regulation of cybersecurity
practices by automotive manufacturers who must develop ECUs in automobiles that are not
vulnerable to hacking. Part I begins by describing the evolution of Internet connectivity in
automobiles and how this advancement has allowed for the external control of vehicles, thus
making them susceptible to hackers. Part II introduces and analyzes SPYCA, the first legislation
proposed to regulate the security practices of automotive manufacturers. In particular, it focuses
on SPYCA’s requirement that the security measures implemented by manufacturers be proven
through penetration testing. This requirement creates tension between SPYCA and the Digital
Millennium Copyright Act (DMCA) because independent security consultants are barred by
1
See Christopher Hill, Module 13: Connected Vehicles 4 (2013), available at
https://www.pcb.its.dot.gov/eprimer/documents/module13.pdf (describing how connected cars started as an
extension of cellular devices).
2
S. 1806, 114th Congress (2015) (as proposed to Senate, July 21, 2015).

3. 3
DMCA from fulfilling this requirement.3
Specifically, it argues that automotive cybersecurity
legislation must allow for independent testing of automotive source code for vulnerability to
hackers without the prior approval of manufacturers. By requiring the source code of
automobiles be made available to independent analysts, cars will be safer to the consumer and
the industry as a whole will be able to develop towards even more advanced applications of
automotive internet connectivity, autonomous cars, while staying ahead of hackers who would
exploit this technology. This paper asserts that by adopting a version of SPYCA that explicitly
requires source code checking, the American automotive industry will provide consumers with
the greatest degree of automotive safety and internet connectivity based driving functionality.
I. The Vulnerabilities of Modern Automobiles to Hacking.
A. Connected Vehicles
Connected vehicles are largely a new phenomenon, and thus their vulnerabilities are just
becoming widely known.4
In the first generation of automotive infotainment systems the
functionality was limited by a passenger’s cell phone.5
At this stage of technology, the
automobile itself was not an internet enabled device. Rather, the automobile was only able to
access internet content through a passenger’s phone. This severely limited the risk of individuals
gaining unauthorized access to the vehicle because the cell phone’s security programs could
prevent access.6
Relying upon the security of cell phones, automakers invested few resources in
3
DMCA is found at 17 U.S.C. § 1201 (2012).
4
See Hill, supra note 1, at 1-2 (2013), (describing how the FCC originally allocated bandwidth for connected vehicle
functions in 1999).
5
See id at 4 (continuing a discussion of the evolution of connected vehicles with the inclusion of cellular
connections as a permitted medium by the FCC in 2008); Elliot Katz, The Internet of Automobiles, 34 WL J.
Automotive 1 (2015) (“Because almost 90 percent of new cars sold today are equipped with Bluetooth, most cars
already have some element of connectivity to them”).
6
See Katz, supra note 5, at 2 (“If the connected car is merely a computer and cellphone on wheels, then many of
the privacy and security issues being posed by critics of connected cars have already been encountered).

4. 4
developing systems to prevent unauthorized access to automobile’s systems because they could
rely on the protections provided by cell phone manufacturers.7
Recent advancements changed the situation, however, such that automakers can no
longer ignore the problem. Automobiles are now capable of directly accessing the internet in the
same manner as a smartphone or a laptop.8
They are now considered a “connected device” and a
component of the internet of things.9
As a component of the internet of things, automobiles are in
constant communication with all other connected devices and report information such as GPS
data.10
This communication allows automobiles to give user specific information by interacting
with other nearby devices.11
The automotive industry adopted this technology quickly because of
the potential application to autonomous driving.12
For this technology to facilitate autonomous
driving each car must learn where it is in relation to every other car through the internet of
things.13
This level of connectivity is also not limited to cars with advanced infotainment systems
or cars that claim to drive themselves.14
Most modern cars communicate over the internet,
7
See Andy Greenberg, Hackers Remotely Kill a Jeep on the Highway – With me in it, WIRED (July 21, 2015),
https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/ (summarizing prior hacks of automobiles
that have been made public and automakers continued assertion that the methods behind these hacks are not
publicly available and therefore not a credible threat).
8
See Katz, supra note 5, at 1 (describing the variety of features offered by manufacturers including the reading of
Twitter and Facebook posts by the infotainment system of Wi-Fi hotspot functionality).
9
See id at 1; see also Peter Lefkowitz, Making Sense of the Internet of Things, 59 Boston Bar J. 23 (2015).
10
See id.
11
See Hill, supra note 1, at 1, 5 (describing vehicle to vehicle (V2V) communication infrastructure allowing cars to
“talk” to each other or infrastructure and how it is prevalent in the automotive industry such that NHTSA proposed
rulemaking that would require V2V in all cars after 2017).
12
See Dorothy Glancy, Autonomous and Automated and Connected Cars—Oh My First Generation Autonomous
Cars in the Legal Ecosystem, 16 Minn. J.L. Sci. & Tech. 619, 646-648 (2015) (explaining the different communication
infrastructures available to automakers for application in autonomous vehicles and their respective advantages).
13
Id at 641, 646.
14
See Katz, supra note 5 at 1.

5. 5
whether the driver is aware of it or not, to exchange information with the vehicle manufacturer.15
Manufacturers communicate with vehicles to continually update the various electronic systems.16
These updates come in the form of software patches and can improve performance or fix errors
in the original operating system code.17
As a result, cars are much like a traditional computer
with an operating system that is regularly updated.
Computers are not only included as an option for convenience or entertainment in the
form of infotainment systems, but they are also necessary for modern cars to operate.18
These
computers are referred to as Electronic Control Units (ECUs).19
Unlike cars of twenty years ago,
cars today cannot function without the aid of computers.20
For example, engines today are
largely computer controlled, meaning functions like valve timing are electronically, not
mechanically controlled.21
The benefit is timing can now be variable resulting in great fuel
efficiency.22
In other words, today’s engines can better adapt to current conditions, rather than
being locked in the same parameters as were installed in the factory, a limitation of mechanical
controls.23
The same is true of transmissions; with the aid of ECUs an automatic transmission
can operate as effectively as a manual transmission because the computer can vary at what RPM
a gear is swapped. ECUs allow for the modification of every aspect of a car. They can in real
15
See Glancy, supra note 12 at 647.
16
Id.
17
Id.
18
See National Instruments, ECU Design and Testing Using National Instruments Products (Nov. 7, 2009),
http://www.ni.com/white-paper/3312/en/#top (describing the various types of ECUs present in modern
automobiles and the general function of each ECU).
19
Id.
20
Id.
21
See KSR International v. Teleflex Inc, 127 S.Ct. 1727, 1729 (2007) (describing how electronic signals, not
mechanical linkages are responsible for translating driver inputs in modern automobiles).
22
See National Instruments, supra note 18, at 1 (explaining how ECUs allow for constant inputs from various
sensors throughout the automobile to allow for adjustments to maintain performance in differing conditions).
23
Id.

6. 6
time adjust the efficiency of a car’s engine, increase or decrease the response of the accelerator,
or even control the brakes on a car.
What is a boon to manufacturers in terms of the extent of control they can offer a driver
through ECUs is also a nightmare for potential electronic intrusion. If a hacker is able to access
an ECU, then they could gain control of any system that ECU regulates.24
For example, with
access to the correct ECU, a hacker could control whether or not pushing the brake pedal
engages the brakes on a car, or cause the car to think the accelerator pedal is fully depressed,
leading to a new wave of unintended acceleration concerns.25
In other words, a hacker could for
all intents and purposes drive a car remotely, despite the driver being physically behind the
wheel.
B. Automotive Manufacturer’s Responses
Initially, the concern regarding hackers being able to remotely control a vehicle was
largely discredited by major manufacturers.26
The main line of argument by the manufacturers
was that it was impossible to access an ECU remotely over the internet and physical access to the
vehicle would be required for this to be a possibility.27
Assuming that a vehicle could not be
controlled without physical access to the vehicle, manufacturers concluded that the cyber-
security concerns were minimal as any hacking attempt would be preceded by other criminal
24
See Cheryl Balough & Richard Balough, Cyberterrorism on Wheels: Are Today’s Cars Vulnerable to Attack?, Bus. L.
Today, Oct. 2013.
25
See id (describing how a hacker who has gained access to an automobile via an ECU can control every feature of
a car both at rest and at high speed).
26
Id (“One security expert estimates that the average auto maker is about 20 years behind software companies in
understanding how to prevent cyberattacks).
27
See Greenberg, supra note 7 (explain how previous hacks were only possible through a wired connection to the
vehicle and thus automakers such as Toyota and Ford dismissed the threat).

7. 7
activity such as trespass to the vehicle.28
They reasoned therefore, that traditional anti-theft
systems would be sufficient to prevent hackers from controlling consumer’s cars.29
Two cyber-security researchers shattered the assumption of a minimal cyber-security
threat to automobiles in October of 2014. Charlie Miller and Chris Valasek successfully hacked
into a Jeep Cherokee over the internet, realizing many experts worst–case scenario.30
To
compound the problem for automotive manufacturers, they were able to do so while not in close
proximity to the vehicle and while the vehicle was being driven.31
While the driver of the car was
on the interstate outside of St. Louis the researchers were able to gain access to the car’s control
systems through its infotainment system while they sat in an office in Pittsburgh.32
Once they
had accessed the systems they were able to exercise control that ranged from an inconvenience,
such as adjusting the air conditioning or changing the radio station, to acts of cyber-terrorism.
Specifically, these experts were able to hack their way to controlling everything from the radio
initially, to the car’s accelerator, transmission and brakes individually, to complete control of all
of these systems. With control of every system the researchers could effectively drive the car. To
cement their point, they were able to cause the car to stop in the middle of the highway.33
What the cyber-security researchers succeeded in doing was the first virtual carjacking.
Once they hacked into the car’s systems, they were in control of the driving functions and the
driver was left without any control of the vehicle. Contrary to intuition, any action taken by the
driver does not override the commands sent over the internet to the ECU by a hacker.34
Instead,
28
See Balough, supra note 24.
29
Id.
30
See Greenberg, supra note 7.
31
Id.
32
Id.
33
Id.
34
Id.

8. 8
it is as if the driver has given no command to the car at all. The only commands recognized by
the ECU of the vehicle are the commands issued by the hackers over the internet because the
ECU is tricked into thinking the hacker’s commands are the sensors that rely driver inputs.35
Additionally, there is no noticeable indication that a hacker has taken over the vehicles control
until they cease to respond to the inputs of a driver.
This is also not the first time this particular team of cyber-security researchers was able to
take control of a vehicle. For several years, these researchers took control of vehicles; however,
all of these past incidents required direct access to the vehicle through the diagnostic connection.
Direct access and control was always through the OBD-II port, a connection service personnel at
a dealership use to diagnose problems with a car.36
Use of this port requires a physical
connection to the vehicle through a cable. Manufacturers therefore, gave little attention to the
findings of these and other researchers regarding cyber-security, returning to their standard
response that the physical access requirement was a sufficient deterrent. Prior to the hacking of
the Jeep Cherokee, there had never been a wireless hacking of a vehicle, let alone through an
infotainment system to gain control of the driving functions of the vehicle.
A further complication in convincing manufacturers of the dangers posed by their finding
are the manufacturers’ belief that the solution to the problem is a quick fix.37
This belief is based
on the same technology that has led to the problem itself. The connectivity that automakers
included so they could update vehicles after they have been sold and allows hackers to remotely
35
Id.
36
See Balough, supra note 24; Jeffrey Gurney, Driving into the Unknown: Examining the Crossroads of Criminal Law
and Autonomous Vehicles, 439.
37
The quick fix automotive manufacturers rely upon is denial of the problem and repairing any flaw in the security
of the vehicle’s computers before the public at large becomes aware. See Greenberg, supra note 5 (“Owners of
[vulnerable] vehicles . . . were notified of the patch in a post on Chrysler’s website that didn’t offer any details or
acknowledge Miller and Valasek’s research”).

9. 9
access vehicles was also the solution in the eyes of manufacturers. They believed that any threat
could be corrected with a software patch, thus preventing the threat in future situations. This,
however, is a retroactive response to the problem and ignores that this situation should never
arise, as one incident of virtual carjacking is too many.
II. Legislative Responses; Proactive and Reactive Approaches
In the wake of Miller and Valasek’s demonstration that cars could be remotely hacked,
some Members of Congress proposed a legislative response. In particular, Senators Ed Markey
(D-Mass) and Richard Blumenthal (D-Conn) proposed legislation entitled the Security and
Privacy in Your Car Act (SPYCA), which would institute various standards and require
manufacturers to adopt consumer protection for their products.38
SPYCA standards were spurned by a growing concern that manufacturers are responding
to cyber-security threats only retroactively and are taking no proactive steps to prevent hacking
of automobiles. Rather than accepting that cars have become analogous with computers and that
manufacturers must approach the problem in the same vein as has been taking in the computing
industry, manufactures continue to insist that hacking is not a threat to cars. This, however, is
only a fiction and the two Senators who proposed this legislation are listening to consumers at
large. The proposal of SPYCA then, is an indication from the legislature that the Computer
Fraud and Abuse Act (CFAA) is insufficient.39
It is not enough to only respond to hackings after the damage has occurred, especially
when lives are on the line as is the case with cars. There must be a legal approach that will
prevent this damage from ever happening. Prior to the proposal of SPYCA, however, the CFAA
38
S. 1806.
39
18 U.S.C. § 1030 (2012).

10. 10
and possibly DMCA are the only federal statutes that would allow for the prosecution of hackers
who conduct virtual carjackings. Both of these statutes provide for prosecution only after harm
has occurred.
A. Computer Fraud and Abuse Act (CFAA)
The most applicable federal statute for any cyber-crime is the CFAA. Although the
CFAA’s primary purpose is to allow for prosecution of hackers of governmental or financial
computers, not automobiles, it can be utilized in this manner.40
The CFAA is a dual use statute,
having both a criminal and a civil component.41
Law enforcement or a private party may bring a
claim under the CFAA for any unauthorized access to a protected computer. If the claim is
brought by law enforcement criminal liability may be imposed, however, claims brought by a
private party can be awarded monetary damages. The criminal aspect of the CFAA is more
relevant to the concept of virtual carjacking, but the civil component could be used by victims
for compensating damage that results from a virtual carjacking. For the CFAA to apply,
however, certain jurisdictional elements must first be met.
Before any of the penalties proscribed by the CFAA can be enforced, the cyber-crime
must affect a protected computer.42
Protected computers under the CFAA are those operated by
the federal government, banking institutions or those involved in interstate commerce.43
A
private consumer’s vehicle would not qualify as a government or banking institutions computer
and therefore can only qualify under the CFAA if interstate commerce is concerned. This can be
achieved in one of two ways with modern connected vehicles. The first method for
40
See id at § 1030(a)(2).
41
See Gurney, supra note 36, at 438,439.
42
18 U.S.C. § 1030(a)(4) (2012).
43
See Gurney, supra note 36, at 439; 18 U.S.C. § 1030(e)(2) (2012).

11. 11
demonstrating interstate commerce is concerned is that the computers subject to hacking are a
component of the car and cars are capable of traveling in interstate commerce.44
If the car did not
travel in interstate commerce, the computers in the vehicle could still qualify for protection under
the CFAA using the second method for demonstrating interstate commerce is concerned. That is
a showing that the car is capable of accessing the internet.45
The argument that if a computer can access the internet it sufficiently satisfies the
requirements of the CFAA stems from how the internet is used. Because the internet permits you
to access computers that are not in the same state, accessing out of state computers would qualify
as interstate commerce. Therefore, in the example given by the cyber-security researchers a hack
of a car in St. Louis that originated in Pittsburgh would satisfy the interstate commerce
requirement.
The next requirement for the CFAA to apply is that the access to the protected computer
be unauthorized or exceeding of authorization given.46
The unauthorized access aspect of the
CFAA is more applicable to cars in their current use because the intended access to the
infotainment system is limited to the driver while using the vehicle. There are not currently
degrees of access to a car such as with computers where multiple users can have access to
varying degrees. Currently there is only one level of access with a car and it is limited to the
consumer driver and possibly the manufacturer. Therefore, the unauthorized access portion of the
CFAA is most applicable to automobiles.47
44
See Gurney, supra note 33, at 439.
45
Id.
46
18 U.S.C. §1030(a)(2)(C) (2012).
47
See Balough, supra note 22.

12. 12
The CFAA can be used to prosecute hackers who virtually carjack modern cars that are
equipped with internet connected infotainment systems in a situation similar to the test
performed by the cyber-security researchers. Because the ECU of these infotainment systems are
capable of accessing the internet in order to contact a manufacturer for software updates or
stream music on an app such as Pandora, they can be considered a protected computer under the
CFAA. All that need be shown for automobiles to receive protected computer status is that the
internet communication are not restrained to only one state.48
Additionally, once a hacker sends
commands to a car that alter the driver’s ability to control the car they are accessing the ECU of
the automobile without authorization because access for a vehicle is limited to the driver.
Technical barriers must be overcome for a hacker to send these commands to the ECU and
therefore the access by a hacker would be unauthorized.
B. Analysis of SPYCA
Although there are few limitations to the application of the CFAA for the prosecution of
hackers who could engage in virtual carjacking, additional legislation is required to provide
consumer protections to drivers of connected vehicles. This legislation is SPYCA and it is
focused less on hackers and more on manufacturers in its requirements.49
The goal in imposing
these requirements on manufacturers is to bring the computer protections for automobiles in line
with the protections of other computer based industries. The concern is great enough to warrant
government intervention because experts have estimated that auto makers are “20 years behind
software companies in understanding how to prevent cyberattacks.”50
The Senators that proposed
48
See Gurney, supra note 36, at 439.
49
S. 1806.
50
See Balough, supra note 24.

13. 13
this legislation then, have made a policy decision that the criminal penalty deterrent of the CFAA
is insufficient.
SPYCA provides consumer protection in two different forms. The first form of consumer
protection provided is protection of driver’s personal data. This protection of a driver’s personal
data applies not only to unauthorized access from hackers, but also protection from collection by
the manufacturers themselves. The intent of the act for the protection of driver data from hackers
is an off-shoot of the measures necessary to prevent unauthorized access. In other words, if the
hacker cannot gain access to the ECU in the car, they cannot use a driver’s personal data.
SPYCA is much more explicit, however, when it comes to how automotive
manufacturers are allowed to access a driver’s data. The first provision of SPYCA for protecting
consumer data from manufacturers is that they must give the driver clear notice that their driving
data can be collected.51
SPYCA also provides that consumers are capable of taking an
affirmative action to cancel the collection and use of their driving data by manufacturers and that
the manufacturers cannot retaliate against this by limiting the use of navigation features in
infotainment systems.52
Finally, the act also provides that automakers are not allowed to use any
of the data they do receive for advertising or marketing purposes without first gaining the
consent of the drivers whose data they are using.53
Protection of a driver’s personal data is only half of the consumer protections
contemplated by SPYCA. The other and arguably more important protections of SPYCA are
requirements for manufacturers to prevent the unauthorized access to a connected vehicle. The
main requirement of SPYCA is that “all entry points to the electronic systems of each motor
51
S. 1806 §30127(b)
52
Id §30127(c)(1)-(2).
53
Id §30127(d)(1).

14. 14
vehicle manufactured for sale in the United States shall be equipped with reasonable measures to
protect against hacking attacks.”54
Although contained in only one relatively short sentence, this
requirement is quite broad in its application. This is because several points of entry are covered
by the statement that “all entry points” be protected against hacking.
The entry points that are included in this requirement are both the direct and indirect
entry points to the electronic systems. The direct points of entry to an automobile’s electronic
system include the OBD-II port.55
The indirect method of entry is any wireless access to the
electronic systems of an automobile.56
The direct method of entry to a vehicle’s electronic system is the traditional method of
hacking that manufacturers have disregarded.57
It is necessary to include direct modes of entry in
SPYCA’s consumer protections, however, because hackers can still access a vehicle’s ECU over
the internet by routing through the dealership service computers that are connected to the
internet.58
Therefore, although the direct method of entry does not allow for real-time
interference with an automobile while it is driven, hackers can still install malicious software that
causes loss to the consumer.59
The indirect method of entry to a vehicle’s electronic system is via a car’s infotainment
system, where a wireless connection is established that allows access to the internet as a whole.60
Although a hacker is only able to initially gain entry through the infotainment system, their
control of the vehicle is not limited to your choice of music. Hackers are able to control the
54
Id §30129(a)(2)(A).
55
Id.
56
Id at 3.
57
Id.
58
Id.
59
Id.
60
Id at 3.

15. 15
driving functions of an automobile because all of the ECU in a vehicle are interconnected.61
Because the ECU are interconnected a breach of one allows the hacker to infect every other ECU
in the vehicle and control them. Therefore, it is necessary to protect every point of entry from
hackers and SPYCA requires just this.62
SPYCA requires not only that reasonable security measures be taken to prevent hackers
from gaining entry to a vehicle, but also further precautions from a hacker gaining complete
control of a vehicle. SPYCA requires that critical systems be separated from non-critical systems
in an automobile.63
This method of isolating a vital computer from other forms of access is
known as “air-gapping” and is an effective means to prevent hacking. This was the primary
means vehicles were protected from unauthorized access prior to becoming connected
devices.64
Although SPYCA does not require than manufacturers disconnect their consumer
products, it does require that they disconnect the vital systems of a vehicle from the internet to
prevent intrusion. In other words, engine management and steering ECUs must be air-gapped
from those that access the internet.
Finally, SPYCA has evaluation procedures built into the statute to ensure manufacturers
comply with the act.65
The evaluation procedures are not review by a federal agency, however,
but are tested for security vulnerabilities using the “industry standard” practices for hackers,
including penetration testing.66
Penetration testing is when a security expert intentionally
attempts to gain access to the protected system in order to determine security weaknesses.
Manufacturers are then required to adjust their protections and isolation measures based on the
61
Id.
62
S. 1806 §30129(a)(2)(A).
63
Id §30129(a)(2)(B).
64
See Balough, supra note 24.
65
S. 1806 §30129(a)(2)(C).
66
Id.

16. 16
results of the evaluation testing.67
Failure to meet these requirements is met with a civil penalty
of $5,000 as a further incentive to manufacturers.68
SPYCA then provides a proactive, rather than reactive framework for the protection of
consumer data and their welfare from hackers. It also seeks to develop an evolving framework
that will stay ahead of hackers through the evaluation process required under the act. This is
similar to the methods used by technology companies such as Google for protection of their
systems and is an acknowledgment by Congress that automotive manufacturers have expanded
their businesses to more than just cars.69
C. Conflicts Between SPYCA and DMCA
Although it is still only proposed legislation, if SPYCA is enacted in its current form it
will likely not be applied as intended by the writers of the Act. Unlike cyber-crime statutes such
as the CFAA, however, the problems with SPYCA do not stem from an ambiguous definition
within the statute.70
Rather, SPYCA’s issues stem from its regulation of identical content as the
Digital Millennium Copyright Act (DMCA) and its failure to address conflicts between the two
statutes.71
The conflict that arises from SPYCA overlapping with DMCA is that DMCA prohibits
circumventing protections on copyrighted material.72
Specifically, DMCA states “No person
shall circumvent a technological measure that effectively controls access to a work protected
67
Id §30129(a)(2)(D).
68
Id §30129(b).
69
See Andy Greenberg, Google Offers $3.14159 Million in Total Rewards for Chrome OS Hacking Contest, FORBES
(Jan. 28, 2013), http://www.forbes.com/sites/andygreenberg/2013/01/28/google-offers-3-14159-million-in-total-
rewards-for-chrome-os-hacking-contest/#37bc69113abd.
70
18 U.S.C. § 1030(a)(1) (determining what constitutes exceeding authorized access has led to different holdings
by courts).
71
17 U.S.C. § 1201.
72
Id.

17. 17
under this title.”73
For security analysts to conduct the analysis required by SPYCA they must
look at the underlying copyrighted software, the very software these technological measures are
intended to prevent access to.74
Not only must security analysts examine the underlying code,
they must also attempt to break through the protections for the copyrighted material, protected by
DMCA, to perform a penetration test required by SPYCA.75
Enacted in 1999, DMCA was originally intended to protect copyrighted material on
physical media such as DVDs, but it does not protect the copyrighted material itself.76
Rather,
DMCA protects the measures utilized to protect the copyrighted material. These technological
measures are broadly defined and inclusive.77
The definition of circumvention of a technological
measure given in the statute is “to descramble a scrambled work, to decrypt an encrypted work,
or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the
authority of the copyright owner.”78
Under this definition any protection of the software in an
automobile, from a passcode to a proprietary program to read encrypted code, will create liability
under DMCA. The only means to avoid liability under DMCA is to be granted access to the
copyrighted material by the owner.79
Therefore, analysts hired by the automaker may evaluate
the software without violating DMCA, but any independent analyst could not.
In the case of DVD’s the intended technological measures are the encryptions used to
prevent access to films stored on the DVD itself. Given that DMCA was intended to protect
copyrighted movies and music, it seems odd that automotive manufacturers would invoke the
73
Id.
74
Id.
75
S. 1806 §30129(a)(2)(C).
76
17 U.S.C. §1201.
77
Id (defining technological measure as anything “that effectively controls access to a work protected under this
title).
78
17 U.S.C. § 1201(a)(3)(A).
79
Id.

18. 18
Act to prevent researchers from accessing the code in automobiles. DMCA, however, applies
whenever there is copyrighted material protected by any technological measure.80
Therefore,
because the code is protected under Title 17 of the U.S. Code and there are measures in place to
restrict access to it DMCA applies.81
Additionally, it is not necessary for the code to be used for personal gain to result in a
cause of action under DMCA.82
The protection provided in DMCA is not conditioned on any
loss resulting from unauthorized access to the copyrighted material. Unlike most copyright law,
which requires a showing that the copying of an original work occurred, DMCA prohibits access
to a copyrighted work.83
To give a real world comparison to the protection provided in DMCA, it
is analogous to a picture behind a locked door. DMCA does not prohibit re-photographing the
picture, which would be a violation of copyright law. DMCA rather, prohibits opening the door
without authorization, or more specifically undertaking any technological means to circumvent
the lock that is protecting the copyrighted material.
Any security expert who attempted to evaluate the protections created by manufacturers
pursuant to SPYCA would expose themselves to liability under DMCA. This is because the
software code that is contained in each ECU in an automobile is encrypted. Unlike a Microsoft
Word document which is readily readable with several programs, the software in automobiles is
only viewable through the use of proprietary programs created by manufacturers. These special
programs function as a cypher to allow the encrypted code to be readable. Because security
analysts must be able to read the code before they can evaluate it for compliance with SPYCA
80
17 U.S.C. § 1201
81
See Balough, supra note 24.
82
See MDY Industries, LLC v. Blizzard Entertainment Inc., 629 F.3d 928 (9th Cir. 2010) (creating a separate cause of
action merely for violating §1201 DMCA).
83
17 U.S.C. § 1201.

19. 19
and they lack the proprietary programs utilized by manufacturers they would have to circumvent
the encryptions to the code. It is this circumvention that constitutes the violation of DMCA.
It should also be noted that the protections provided by DMCA that create liability for
security analysts would also create liability for hackers and cyber-terrorists. Unfortunately, this
creates the same problem as the CFAA. There are legal remedies against hackers, but little
consumer protections to prevent the dangerous activity in the first place. This is the very issue
SPYCA attempts to correct.
This does not mean that SPYCA cannot operate at all. SPYCA still requires that
manufacturers incorporate means to protect consumers. Additionally, SPYCA requires that each
of these protections, particularly the code based protections, be tested for security
vulnerabilities.84
Therefore, the protections that are incorporated to comply with SPYCA will be
tested. Additionally, these tests must be conducted using the best security practices. This
requirement for best security practices could very well include independent outside testing.
Manufacturers could still hire outside consulting firms to test their code and avoid DMCA issue
by granting the outside firm access to the code. DMCA provides exemptions for those
individuals who have authorized access to the copyrighted material even if they circumvent
protections. Another possibility is the manufacturer grants the outside consultant the proprietary
decryption programs, in which case there is no circumvention of security measures. Therefore, if
this is the case, the outside consultant would not be in violation of DMCA § 1201. This is not in
the best interest of consumer protection, however, which is the main focus of SPYCA.
84
S. 1806 §30129(a)(2)(C)

20. 20
III. Possible Solutions to Ensure the Legislative Intents of SPYCA and DMCA are
Maintained
DMCA is not wholly without protections from liability for parties other than the
copyright holder.85
The Librarian of Congress is empowered to create an exemption to liability
under DMCA every three years for parties that would be adversely affected by its protections of
copyrighted material.86
Recently, the Librarian of Congress included an exception to DMCA for
circumvention of technological measures when done for the purpose of security testing of a
motorized land vehicle.87
This exception, however, will not take effect for another year from the
time it was announced; therefore, security analysts cannot currently seek its protection.88
This
exception is also not permanent; it is subject to review every three years and therefore could be
abandoned.89
A permanent exception to DMCA for security analysts should be included in
SPYCA to ensure there is never a conflict with the goals of DMCA and SPYCA in the future.
A. Consumer protection and manufacturer transparency are the motivations behind
SPYCA.
The goal of SPYCA is to provide proactive measures for the prevention of hackers
gaining control of automobiles in order to protect consumers.90
Although automakers testing
themselves and with the help of the consultants they choose would satisfy the requirements of
the Act, it would not be in the best interest of consumers. The example presented at the outset of
85
17 U.S.C. § 1201(a)(1)(B).
86
Id § 1201(a)(1)(C).
87
37 Fed. Reg. § 201.40(b)(7)(i)(B) (2016).
88
Id.
89
17 U.S.C. § 1201(a)(1)(C).
90
S. 1806.

21. 21
this paper is a perfect example of manufacturers not being the best advocates for consumer
protection.
Prior to the finding and demonstration by Miller and Valasek that a Jeep Cherokee could
be hacked and its systems controlled by an individual not in proximity to the vehicle, Chrysler
had vehemently denied the possibility of this occurrence. Their stance along with every other
manufacturer has been that their current security provisions are sufficient and it is unnecessary
for third party analysts to probe their systems. Despite this, third party analysts continually find
vulnerabilities that can be exploited in their code.
This is also not a case that will be resolved by manufacturers choosing not to exercise
their rights under DMCA. It is much more likely that manufacturers will continue to pursue third
party analysts who attempt to circumvent code protections, even if their goal is consumer
protection. As recently as this year, General Motors Corp. (GM) lobbied before Congress that no
current consumers owned their cars, rather every consumer had a license to their car, but the car
itself was owned by GM.91
The basis for this argument was that a car does not function without
the code in its ECU and as this code is copyrighted material, GM in effect owns the car.92
Although Congress rejected this argument, the fact remains that manufacturers are highly
protective of their software and it is not realistic to expect manufacturers to allow third party
analysts to conduct the evaluation testing proscribed by SPYCA. In order to gain the best
consumer protections, the most analysts possible must be allowed to test the software protections
provided by manufacturers in order to stay ahead of those hackers who would seek to do harm.
91
See Kyle Wiens, We Can’t Let John Deere Destroy the Very Idea of Ownership, WIRED (Apr. 21, 2015),
http://www.wired.com/2015/04/dmca-ownership-john-deere/.
92
Id.

22. 22
B. Changes to SPYCA as proposed will resolve the conflict with DMCA.
To resolve the issues presented by the conflict between SPYCA and DMCA it is
necessary that the final form of SPYCA that is passed by Congress include a clear statutory
exemption to DMCA §1201 or require manufacturers to provide their code to third party
researchers. This must be done to fulfill the purpose of SPYCA of protecting consumers. These
methods, however, would need to be sufficiently narrow so as to avoid making DMCA moot on
this issue.
1. Statutory Exemption to DMCA for SPYCA Purposes
An exemption to DMCA §1201 must allow third party analysts, those who are not
employed by manufactures for SPYCA mandated testing, to avoid liability for circumventing
copyrighted code protections. One method to do this is to provide a bar on liability for analysts
who privately report their findings to manufacturers and do not seek to profit from these
findings. In other words, any individual could seek protection from DMCA liability using this
system if they are able to show they do not intend to personally profit from the circumvention of
measures meant to protect copyrighted material. This then, would expand the concept of “fair
use” to not only the eventual use of copyrighted material, but also to include fair use in
circumventing measures meant to protect copyrighted material.
It is important to remember that § 1201 of DMCA deals with circumvention of protective
measures, not the copyrighted material itself so any exemption to § 1201 must refer to the
circumvention of these measures. Using this system, only analysts who have consumer
protection in mind would be protected from liability under DMCA §1201. By necessitating that

23. 23
the analysts not seek profit for their findings, the purpose of DMCA would not be frustrated, that
is the guarantee of profits from copyrighted material to the holders only.
Additionally, by requiring that any findings be transmitted directly to the manufacturer
and in a private matter ensures that the research is being done only for consumer protection. To
allow the findings to be posted publicly, hackers could conduct research into how to break the
protections created under SPYCA, yet shielded from DMCA without ever reporting their
findings to the manufacturers. They therefore, could have legal protection to continue their
hacking activities. Thus, to ensure the purpose of SPYCA is not frustrated, any exemption to
DMCA must require that manufacturers be informed of any findings for the shield from liability
to apply.
The other method that could be enacted by Congress to resolve the issue of SPYCA
conflicting with DMCA is to clarify the language in SPYCA to require manufacturers to use
third party analysts and that they use multiple outside analysts to confirm their results. This
clarification could be used instead of the language that requires testing use the “best security
practices.”93
Although an argument could be made that using outside analysts is implicit in the
language “best security practices” it is an ambiguous term. Clarifying this language would
encourage manufacturers to utilize a “bounty competition” approach that is already
commonplace for the computer data industry. The benefit of using this approach, encouraging
manufacturers to bring in third party analysts, is that it avoids the need to write a comprehensive
statutory exemption to DMCA. This result occurs because DMCA creates liability only for
unauthorized circumvention of protective measures, but no liability is created when the
manufacturer grants access to a third party analyst.
93
S. 1806 §30129(a)(2)(C)

24. 24
One of these methods must be added to SPYCA to exempt third party analysts from
liability under DMCA and ensure that parties other than the manufacturers are probing the
effectiveness of the measures undertaken to prevent hacking. Whichever method is implemented,
however, it must be narrowly tailored. Narrow tailoring is needed to ensure that the goals of both
SPYCA and DMCA are not frustrated.
For a solution to the problems presented in SPYCA to be narrowly tailored so as to not
undermine the purpose of DMCA, the exemption must not permit all circumvention of security
measures. To include this broad of an exemption in SPYCA would be equivalent to the repeal of
DMCA as it is applied to automobiles. As mentioned previously, DMCA can serve as another
means to pursue hackers in the court in addition to the CFAA. Therefore, there is a legitimate
reason to maintain DMCA in its current form, if it can be modified to advance the consumer
protectionist goals of SPYCA. Thus, an exemption to the liability of DMCA must allow for third
party analysts who pursue consumer protectionist goals to circumvent the protections placed on
automobile software, while still providing penalties for those individuals who do not have these
goals in mind, nor are they authorized to access the code.
2. Requirement for Manufacturers to Allow Access to Source Code of Third Party
Analysts
The latter solution, the inclusion of a requirement for third party testing explicitly, rather
than the amendment of DMCA itself or through SPYCA is less ambiguous and will more readily
address the problem at hand. The problem with writing a blanket exemption to DMCA’s liability,
which any party can use for shelter is that it is a highly fact based legal analysis that is prone to
litigation. To prevent hackers from sheltering in this exemption to DMCA, manufacturers will
have to prosecute every individual who is attempting to circumvent measures to prevent access

25. 25
to the copyrighted material. Whether an exemption to DMCA applies can only be based on the
end result of circumventing protective measures. That is, whether the analyst publishes their
findings, either publicly or to the manufacturer. There is no distinction between what a hacker
does and what a consumer protection minded security expert engaging in penetration testing does
prior to publication of their findings. Therefore, manufacturers would have to prosecute everyone
and let litigation decide the intentions of the parties violating DMCA and whether they should
avoid liability.
As a result of the need for the exemption to liability under DMCA included in SPYCA to
be narrowly tailored, a requirement in SPYCA that manufacturers utilize third party testing is the
best option. This solution is the closest to the current language of the law, that manufacturers
conduct testing under the “best security practices,” yet limits the application of the exemption so
as not to neuter the applicability of DMCA. Additionally, this solution facilitates the adoption of
methods utilized in other industries, such as the computer data industry, that automotive
manufacturers would be wise to emulate.
a. The parallels between the problems faced by the automotive industry and the
computer data industry.
The current level of technology in a connected car available to the average consumer is
predominantly another access point to the internet.94
Connected cars are only able to read
information from the internet when directed by the driver.95
The goal of many automotive
manufacturers, however, is to create autonomous cars.96
Manufacturers such as Tesla already
94
See Katz, supra note 5, at 2.
95
Id.
96
See Glancy, supra note 12, at 640.

26. 26
offer features that are capable of independently controlling a car in a limited fashion.97
Autonomous driving of vehicles will present an even greater concern to consumer safety than
automobiles simply being a connected device.
When an automobile is capable of autonomous driving it is necessary that the computers
in the automobiles make decisions about their environment.98
Currently the computers in a car
only respond to inputs by a driver. When functioning autonomously, they will not have these
inputs and must make decisions about direction and speed on their own.99
The car’s software is
functioning as one form of Artificial Intelligence (AI) because it is making driving decisions all
on its own.100
This additional application in automobiles of software creates new and even
greater consumer protection concerns.101
Currently, a hacker must interact in real time with a
connected vehicle to drive it. If the vehicle is capable of autonomous driving, however, a hacker
could implant a virus that would alter the AI and lead to either poor performance, or driving in a
manner that is dangerous to passengers or nearby pedestrians.102
The problem with AI based driving is that the software responsible for it must be able to
interact with and learn from its environment. This is a problem because the traditional method of
isolating a system to protect it does not allow for AI’s interacting with their environment.
Automakers then must develop a system that allows for access, but restricts it in such a way that
false inputs, such as those given by a hacker, cannot influence the AI. The computer data
industry is a valuable parallel because it is also pursuing AI’s and the methods necessary to
97
Tesla has implemented the Summon feature in its current Model S line which allows the car to park itself in a
garage after the driver has pulled into the driveway and exited the vehicle. See Tesla Motors Team, Summon Your
Tesla from Your Phone, TESLA (Jan. 10, 2016), https://www.teslamotors.com/blog/summon-your-tesla-your-phone.
98
See Glancy, supra note 12, at 636,637.
99
Id at 638,639.
100
Id.
101
Id at 664,665.
102
Id.

27. 27
protect these systems. By looking to those methods already used to protect software that is
capable of learning, the automotive industry will be able to stay ahead of hackers for all of the
new features they implement in a vehicle. The main method utilized by the consumer data
industry for testing protections of their systems, including AI’s, is penetration testing by third
party analysts.
C. Best Practices for Protecting Consumer Have Already Been Determined
Instituting a clear requirement in SPYCA that independent third party testing be used
would be the best method to ensure consumer protection because it is the method that best
mirrors the techniques used in the computer data industry. SPYCA should implement a solution
that is more similar to that utilized in this industry because the problems encountered when
securing connected vehicles are identical to those faced when securing servers or personal
computers. Although the outcomes can be different, in the present case the taking control of a
vehicle, in the other case a loss of data, the methods of entry for hackers are identical. In either
case, hackers must circumvent measures designed to limit access to the software that operates
these systems. Although the identical solutions used in the computer data industry will not work
because the base systems are not the same, much like a solution for Windows will not work on a
Mac, the process used to create these solutions is translatable. This is why the solution required
by SPYCA should mirror the solutions used in the industry that continues to deal with these
problems on a daily basis.
Rather than attempt to re-invent the wheel, the major automotive manufacturers should
look to the computer data industry in Silicon Valley for a roadmap of how to conduct proper
security penetration tests. In this industry the main method for testing system security is to allow

28. 28
third party analysts access to the system.103
In fact, the computer data industry incentivizes these
analysts to attempt to breach the protections created by the manufacturer.104
This is done after the
manufacture has concluded internally that their system’s protections are sufficient. For example,
major companies in this industry, such as Google, use a bounty based hacking competition to
guarantee their systems are hacker proof.105
The benefit of these competitions is it allows third party analysts to conduct penetration
testing of Google’s security in an environment controlled by Google. The goal of these
competitions is to simulate the real world, where hackers attempt to breach the security
implemented by the manufacturer. The benefit here, however, is that no damage occurs because
the “hackers” in this case have no malicious motivations. Instead the company conducting the
test stands to learn the weaknesses of their system and can patch any weaknesses discovered
before the product gets to the market. In the case of Google’s competitions, Google gets the
benefit of more people, who can think outside the box, approaching the problem, while also
gaining the benefit of ensuring these analysts are not attempting to hack Google to its detriment.
The benefit of this system speaks for itself. Namely that flaws in security are found much
more quickly. To assume any security system is “hacker-proof” is a fallacy. By admitting to this
problem, in contradiction to what automotive manufacturers have done, Google is able to ensure
they find problems before hackers find and exploit these flaws. This is all done in the interest of
consumer protection.106
The fact that this process is focused on consumer protection is another
correlation that makes it amenable to application in SPYCA. As an act of Congress focused
103
See Greenberg, supra note 69.
104
Id.
105
Id.
106
Because hackers are required to turn over the technique used to complete a successful hack before they can
earn the prize money, Google gains the benefit of learning how its security vulnerabilities occur and can fix the
problem for consumers. See id.

29. 29
primarily on consumer protection, SPYCA would do best to look to the most relatable industry to
the current problem and pick a method from that industry which best address the concerns
advanced in SPYCA. Therefore, it would be best to also use a crowd-sourcing penetration test
method with automotive technology security testing.
A further benefit to these systems, as opposed to an automotive manufacturer simply
hiring a consultant company to evaluate their protections is that it avoids cronyism. Although
SPYCA proscribes standards for how manufacturer’s security systems should be evaluated, the
standards are vague. Not only are the standards vague, there is no governmental agency to
provide oversight. Therefore, there is little incentive for outside consultants to do any more than
“rubber stamp” the systems developed by manufacturers.
This is not to malign the efficacy of outside security consultants, but simply a recognition
of the realities of the market. Consultants who provide more favorable reports to the
manufacturers, who have already given a low priority to consumer protection, will be favored
and receive a greater market share of the evaluation business. If manufacturers were genuinely
concerned about consumer protection, then there would be no need for SPYCA to require them
to take the concern into consideration. An effective application of SPYCA then incentivizes
more individuals to evaluate the effectiveness of manufacturer’s security systems, meaning more
vulnerabilities will be detected and consumers can be ensured that they are actually protected
from cyber-security threats to their vehicles.
The concern of automakers having outside consultants simply rubber stamp their efforts
is more than just a cynical concern as well. The recent Volkswagen Emissions scandal is

30. 30
evidence of this.107
In the Volkswagen case, the automaker was able to deceive tests conducted
by an independent government agency (the EPA) whose job was to ensure the enforcement of
emissions regulations.108
Volkswagen was able to misrepresent the capabilities of their vehicles
during testing through the use of a “defeat device.” Describing it as a defeat device though is a
misnomer, as no additional device was installed on these cars. Rather, Volkswagen engineers
include software in the vehicles that would detect if current driving conditions matched those the
EPA used to test a vehicle’s efficiency.109
If the software made this determination, it would then
force the car into an eco-friendly mode that ensured the vehicle met all the emissions
requirements of the EPA.110
This mode was only accessible, however, during testing and did not
reflect the actual emissions of the vehicle in any way. Volkswagen was able to create a defeat
device then, because only one outside group, the EPA, was testing their vehicles and they used
the same test every time for consistency across manufacturers. A similar situation could apply to
hacking, an automaker could create a special mode that was only active during testing to pass the
evaluation, but not apply this mode during normal operation.
Despite this important role and the lack of incentive to give Volkswagen a good report
the process still failed. Volkswagen was able to misrepresent the capabilities of its vehicles, a
concern raised in SPYCA, and consumers have not received the protections they are guaranteed
by law. In fact, it was not until third-party researchers examined Volkswagen’s vehicles that the
107
Chris Bruce, VW Developed 4 Separate Defeat Devices Over 7 Years, AUTOBLOG (Oct. 19, 2015),
http://www.autoblog.com/2015/10/19/vw-developed-4-separate-defeat-devices-over-7-years/.
108
See Julia P. Valentine, EPA, California Notify Volkswagen of Clean Air Act Violations / Carmaker allegedly used
software that circumvents emissions testing for certain air pollutants, EPA (Sep. 18, 2015),
https://yosemite.epa.gov/opa/admpress.nsf/6424ac1caa800aab85257359003f5337/dfc8e33b5ab162b985257ec4
0057813b!OpenDocument (summarizing the EPA’s initial finding in the notice of violation letter sent to
Volkswagen).
109
Id.
110
Id.

31. 31
defeat devices that allowed them to mislead the EPA’s tests were discovered.111
This is further
proof that to ensure manufacturers are complying with consumer protection standards when
software is involved, multiple evaluators, whose methods are unknown to the manufacturers
prior to testing, must be involved.
Worse still, there have been recent suggestions that other major automakers have
participated in the same kind of activities to circumvent regulations.112
Rather than what many
thought, that Volkswagen was simply a rotten egg, it is more likely that automakers are
incentivized to avoid government imposed regulations in the operation of their businesses. If this
is the case, a self-enforced regulation as is suggested in SPYCA will never work. The incentive
to avoid regulation would encourage the growth of consultants who always gave passing marks
to the efforts of automakers.
To avoid this SPYCA must utilize third-party analysts who can serve as a valid
enforcement mechanism, at no cost to the government. The benefit of these researchers is that
they provide more approaches to the problem, achieving the first goal of better simulating real
world conditions. This is why bounty based hacking competitions are utilized in the computer
data industry by leaders such as Google. SPYCA then, should encourage automotive
manufacturers to engage in the same behavior by clarifying the language of the act to explicitly
describe this system, rather than simply referring to the best security practices. To fail to do so
would show ignorance to the realities of today and SPYCA would be wise to learn from past
mistakes.
111
See Pete Bigelow, West Virginia Researcher Describes How Volkswagen Got Caught, AUTOBLOG (Sep. 23, 2015),
http://www.autoblog.com/2015/09/23/researcher-how-vw-got-caught/.
112
See Noah Joseph, Renault Implicated in Diesel Emissions Cheating, Autoblog (Nov. 24, 2015),
http://www.autoblog.com/2015/11/24/renault-diesel-emissions-cheating-report/.