The amount of data modern cars collect is a serious privacy concern for all of us. But in an abusive situation, tracking can be a nightmare.

As a New York Times article outlined, modern cars are often connected to apps that show a user a wide range of information about a vehicle, including real-time location data, footage from cameras showing the inside and outside of the car, and sometimes the ability to control the vehicle remotely from their mobile device. These features can be useful, but abusers often turn these conveniences into tools to harass and control their victims—or even to locate or spy on them once they've fled their abusers.

California is currently considering three bills intended to help domestic abuse survivors endangered by vehicle tracking. Unfortunately, despite the concerns of advocates who work directly on tech-enabled abuse, these proposals are moving in the wrong direction. These bills intended to protect survivors are instead being amended in ways that open them to additional risks. We call on the legislature to return to previous language that truly helps people disable location-tracking in their vehicles without giving abusers new tools.

We know abusers are happy to lie and exploit whatever they can to further their abuse, including laws and services meant to help survivors.

Each of the bills seeks to address tech-enabled abuse in different ways. The first, S.B. 1394 by CA State Sen. David Min (Irvine), earned EFF's support when it was introduced. This bill was drafted with considerable input from experts in tech-enabled abuse at The University of California, Irvine. We feel its language best serves the needs of survivors in a wide range of scenarios without creating new avenues of stalking and harassment for the abuser to exploit. As introduced, it would require car manufacturers to respond to a survivor's request to cut an abuser's remote access to a car's connected services within two business days. To make a request, a survivor must prove the vehicle is theirs to use, even if their name is not necessarily on the loan or title. They could do this through documentation such as a court order, police report, or marriage separation agreement. S.B. 1000 by CA State Sen. Angelique Ashby (Sacramento) would have applied a similar framework to allow survivors to make requests to cut remote access to vehicles and other smart devices.

In contrast, A.B. 3139 introduced by Asm. Dr. Akilah Weber (La Mesa) takes a different approach. Rather than have people submit requests first and cut access later, this bill would require car manufacturers to terminate access immediately, and only requiring some follow-up documentation up to seven days after the request. Unfortunately, both S.B. 1394 and S.B. 1000 have now been amended to adopt this "act first, ask questions later" framework.

The changes to these bills are intended to make it easier for people in desperate situations to get away quickly. Yet, for most people, we believe the risks of A.B. 3139's approach outweigh the benefits. EFF's experience working with victims of tech-enabled abuse instead suggests that these changes are bad for survivors—something we've already said in official comments to the Federal Communications Commission.

Why This Doesn't Work for Survivors

EFF has two main concerns with the approach from A.B. 3139. First, the bill sets a low bar for verifying an abusive situation, including simply allowing a statement from the person filing the request. Second, the bill requires a way to turn tracking off immediately without any verification. Why are these problems?

Imagine you have recently left an abusive relationship. You own your car, but your former partner decides to seek revenge for your leaving and calls the car manufacturer to file a false report that removes your access to your car. In cases where both the survivor and abuser have access to the car's account—a common scenario—the abuser could even kick the survivor off a car app account, and then use the app to harass and stalk the survivor remotely. Under A.B. 3139's language, it would be easy for an abuser to make a false statement, under penalty of perjury—to "verify" that the survivor is the perpetrator of abuse. Depending on a car app’s capabilities, that false claim could mean that, for up to a week, a survivor may be unable to start or access their own vehicle. We know abusers are happy to lie and exploit whatever they can to further their abuse, including laws and services meant to help survivors. It will be trivial for an abuser—who is already committing a crime and unlikely to fear a perjury charge—to file a false request to cut someone off from their car.

It's true that other domestic abuse laws EFF has worked on allow for this kind of self-attestation. This includes the Safe Connections Act, which allows survivors to peel their phone more easily off of a family plan. However, this is the wrong approach for vehicles. Access to a phone plan is significantly different from access to a car, particularly when remote services allow you to control a vehicle. While inconvenient and expensive, it is much easier to replace a phone or a phone plan than a car if your abuser locks you out. The same solution doesn't fit both problems. You need proof to make the decision to cut access to something as crucial to someone's life as their vehicle.

Second, the language added to these bills requires it be possible for anyone in a car to immediately disconnect it from connected services. Specifically, A.B. 3139 says that the method to disable tracking must be "prominently located and easy to use and shall not require access to a remote, online application." That means it must essentially be at the push of a button. That raises serious potential for misuse. Any person in the car may intentionally or accidentally disable tracking, whether they're a kid pushing buttons for fun, a rideshare passenger, or a car thief. Even more troubling, an abuser could cut access to the app’s ability to track a car and kidnap a survivor or their children. If past is prologue, in many cases, abusers will twist this "protection" to their own ends.

The combination of immediate action and self-attestation is helpful for survivors in one particular scenario—a survivor who has no documentation of their abuse, who needs to get away immediately in a car owned by their abuser. But it opens up many new avenues of stalking, harassment, and other forms of abuse for survivors. EFF has loudly called for bills that empower abuse survivors to take control away from their abusers, particularly by being able to disable tracking—but this is not the right way to do it. We urge the legislature to pass bills with the processes originally outlined in S.B. 1394 and S.B. 1000 and provide survivors with real solutions to address unwanted tracking.

Right-to-repair advocates have spent more than a decade working for a simple goal: to make sure you can fix and tinker with your own stuff. That should be true whether we’re talking about a car, a tractor, a smartphone, a computer, or really anything you buy. Yet product manufacturers have used the growing presence of software on devices to make nonsense arguments about why tinkering with your stuff violates their copyright.

Our years of hard work pushing for consumer rights to repair are paying off in a big way. Case in point: Today—July 1, 2024—two strong repair bills are now law in California and Minnesota. As Repair Association Executive Director Gay Gordon-Byrne said on EFF's podcast about right to repair, after doggedly chasing this goal for years, we caught the car!

Sometimes it's hard to know what to do after a long fight. But it's clear for the repair movement. Now is the time to celebrate! That's why EFF is joining our friends in the right to repair world by celebrating Repair Independence Day.

EFF is joining our friends in the right to repair world by celebrating Repair Independence Day.

There are a few ways to do this. You could grab your tools and fix that wonky key on your keyboard. You could take a cracked device to a local repair shop. Or you can read up on what your rights are. If you live in California or Minnesota—or in Colorado or New York, where right to repair laws are already in effect—and want to know what the repair laws in your state mean for you, check out this tip sheet from Repair.org.

And what if you're not in one of those states? We still have good news for you. We're all seeing the fruits of this labor of love, even in states where there aren't specific laws. Companies have heard, time and again, that people want to be able to fix their own stuff. As the movement gains more momentum, device manufacturers started to offer more repair-friendly programs: Kobo offering parts and guides, Microsoft selling parts for controllers, Google committing to offering spare parts for Pixels for seven years, and Apple offering some self-service repairs.  

It's encouraging to see companies respond to our demands for the right to repair, though laws such as those going into effect today make sure they can't roll back their promises. And, of course, the work is not done. Repair advocates have won incredible victories in California and Minnesota (with another good law in Oregon coming online next July). But there are a still lots of things you should be able to fix without interference that are not covered by these bills, such as tractors.

We can't let up, especially now that we're winning. But today, it's time to enjoy our hard-won victories. Happy Repair Independence Day!

Protecting people's privacy is the first step we should take to create meaningful online regulation. That's why EFF has previously expressed concerns about the American Privacy Rights Act (APRA) which, rather than set up strong protections, instead freezes consumer data privacy protections in place, preempts existing state laws, and would prevent states from creating stronger protections in the future. 

While the bill has not yet been formally introduced, subsequent discussion drafts of the bill have not addressed our concerns; in fact, they've only deepened them. So, earlier this month, EFF told Congress that it opposes APRA and signed two letters to reiterate why overriding stronger state laws—and preventing states from passing stronger laws—hurts everyone.

EFF has a clear position on this: federal privacy laws should not roll back state privacy protections. And there is no reason that we must trade strong state laws for weaker national privacy protection. Companies that collect and use data—and have worked to kill strong state privacy bills time and again— want Congress to believe a "patchwork" of state laws is unworkable for data privacy, even though existing federal privacy and civil rights laws operate as regulatory floors and do not prevent states from enacting and enforcing their own stronger statutes. In a letter opposing the preemption sections of the bill, our allies at the American Civil Liberties Union (ACLU) stated it this way: "the soundest approach to avoid the harms from preemption is to set the federal standard as a national baseline for privacy protections — and not a ceiling." Advocates from ten states signed on to the letter warning how APRA, as written, would preempt dozens of stronger state laws. These include laws protecting AI regulation in Colorado, internet privacy in Maine, healthcare and tenant privacy in New York, and biometric privacy in Illinois, just to name a handful. 

APRA would also override a California law passed to rein in data brokers and replace it with weaker protections. EFF last year joined Privacy Rights Clearinghouse (PRC) and others to support and pass the California Delete Act, which gives people an easy way to delete information held by data brokers. In a letter opposing APRA, several organizations that supported California's law highlighted ways that APRA falls short of what's already on the books in California. "By prohibiting authorized agents, omitting robust transparency and audit requirements, removing stipulated fines, and, fundamentally, preempting stronger state laws, the APRA risks leaving consumers vulnerable to ongoing privacy violations and undermining the progress made by trailblazing legislation like the California Delete Act," the letter said.

EFF continues to advocate for strong privacy legislation and encourages APRA's authors to center strong consumer protections in future drafts.

To view the coalition letter on the preemption provisions of APRA, click here: https://www.eff.org/document/aclu-letter-apra-preemption

To view the coalition letter opposing APRA because of its data broker provisions, click here: https://www.eff.org/document/prc-letter-apra-data-broker-provisions