1. Field of the Invention
The present invention relates to motor vehicle connector lockout devices, and in particular to lockout devices for vehicle diagnostic data link connectors.
2. Background Description
The past four decades have witnessed an exponential increase in the number and sophistication of electronic systems in vehicles. A vast increase in automotive electronic systems, coupled with related memory storage technologies, has created an array of new safety engineering opportunities and subsequent consumer acceptance challenges.
Virtually every passenger car and light truck manufactured in or imported to the North American market since model year 1996 includes an Environmental Protection Agency (EPA) mandated diagnostic link connector to allow access to engine and emissions diagnostic data. This onboard diagnostic link connector (OBDII) is regulated by the Code of Federal Regulations (CFR) (40 CFR 86.094-17(h) and revisions for subsequent model years). It is standardized by the Society of Automotive Engineers (SAE) Vehicle Electrical Engineering Systems Diagnostic Standards Committee. The physical configuration of the output plug is specified under SAE J1962 and through the International Standards Organization under ISO 15031-3 and is increasingly used as an access point to other in-vehicle electronics systems, sub-systems, computers, sensors, actuators and an array of control modules including the air bag control module. The onboard diagnostic link connector is also used as a serial port to retrieve data elements from on-board systems, sub-systems, modules, devices and functions that collect and store data elements related to a vehicle crash such as a Restraint Control Module (RCM) and Event Data Recorder (EDR).
Thus, the onboard diagnostic link connector provides a portal for capture of an increasing volume of sophisticated sensor data regarding the operating condition, operation and behavior of vehicles, and in particular the operation and behavior of vehicles involved in crashes. Consumers continue to be interested in safety advancements but remain concerned about issues of privacy, tampering and misuse of vehicle crash data.
The EPA communications protocol utilizes a Controller Area Network (CAN) to provide a standardized interface between the diagnostic link connector and the tools used by service technicians and vehicle emission stations. CAN uses a serial bus for networking computer modules as well as sensors. The standardized interface allows technicians to use a single communications protocol to download data to pinpoint problems and potential problems related to vehicle emissions. Full implementation of the CAN protocol is required by 2008. Because it is a universal system, the use of the diagnostic link connector and the CAN serial bus alleviates the problem that the data would only be accessible through the use of multiple interfaces and different kinds of software, if at all.
While standardizing the means and protocols for data extraction is generally considered a positive advancement in surface transportation by helping to assure that systems perform properly over the useful life of vehicles, it has also created the possibility of extracting data from motor vehicles that can be used in civil and criminal legal proceedings. For example, the National Highway Traffic Safety Administration (NHTSA) cites an Event Data Recorder (EDR) as a device or function voluntarily installed in a motor vehicle that records a vehicle's dynamic, time series data and/or technical vehicle and occupant information for a brief period of time (seconds, not minutes) before, during and after a crash. EDRs collect vehicle crash information intended for retrieval after the crash. These devices are common in many vehicles. The USDOT/NHTSA estimates that about 9.8 million (64 percent) of the 15.5 million new light vehicles with a gross vehicle weight rating (GVWR) less than or equal to 3,855 kg (8,500 pounds) are already equipped with electronic control systems, which, in one form or another, are equivalent to an EDR. The following table lists vehicle manufacturers, their share of the market, the estimated portion of each manufacturer's production that is equipped with EDRs, and the weighted market share of EDRs. As noted in the table, data for passenger cars and light truck sales were derived from two separate sources: the 2004 Wards Automotive Book for passenger cars and the Mid-Term Mid-Model Year Fuel Economic Report Data for light trucks with GVWR less than or equal to 3,855 kg (8,500 pounds).
Estimate of the Number EDRs in Light Vehicles with A GVWR of 3,855 Kilograms (8,500 Pounds) or Less

| Line | Sales* | Percent of Sales | % With EDRs** | # of EDRs |
|---|---|---|---|---|
| BMW | 279,706 | 1.7% | 0% | 0 |
| Daewoo(1) | 37,851 | 0.2% | 0% | 0 |
| DaimlerChrysler | 1,997,346 | 12.8% | 21% | 419,443 |
| Ford | 3,125,780 | 20.6% | 100% | 3,125,780 |
| GM | 4,407,110 | 28.3% | 100% | 4,407,110 |
| Honda | 1,380,153 | 8.1% | 0% | 0 |
| Hyundai | 397,458 | 2.4% | 0% | 0 |
| Isuzu | 75,440 | 0.2% | 100% | 75,440 |
| Kia | 234,792 | 1.4% | 0% | 0 |
| Mazda | 163,694 | 1.6% | 100% | 163,694 |
| Mercedes | 186,553 | 1.3% | 0% | 0 |
| Mitsubishi | 161,523 | 1.5% | 100% | 161,523 |
| Nissan* | 785,719 | 4.8% | 0% | 0 |
| Porsche | 16,773 | 0.2% | 0% | 0 |
| Subaru | 131,330 | 1.1% | 100% | 131,330 |
| Suzuki | 70,441 | 0.4% | 100% | 70,441 |
| Toyota | 1,723,027 | 11.2% | 71% | 1,224,449 |
| VW | 372,057 | 2.3% | 0% | 0 |
| Total | 15,546,753 | | 64.3% | 9,778,110 |

*Passenger cars were based on the 2004 Wards Automotive Year Book, December 2004; light trucks/vans with GVWR <= 3,855 kg (8,500 pounds) were based on the Mid-Model Year Fuel Economic Report Data.
**Based on 2005 NCAP survey
(1) 2002 figures
Some systems collect only vehicle acceleration/deceleration data, while others collect these data plus a host of complementary data, such as driver inputs (e.g., braking and steering) and vehicle systems status. The way in which this is accomplished may be described in the following somewhat simplified manner. The EDR monitors several of the vehicle's systems, such as speed, brakes, and several safety systems. It continuously records and erases information on these systems so that a record of the most recent 8-second period is always available.
If an “event” occurs, i.e., if a crash meeting a pre-determined threshold of severity occurs, as measured by changes in the monitored data, then the EDR moves the last 8 seconds of pre-crash information into its long-term memory. In addition, it records and puts into its long-term memory up to 6 seconds of data relating to what happens after the start of the crash, such as the timing and manner of deployment of the air bags. In general, EDRs are devices that record safety information about motor vehicles involved in crashes. For instance, EDRs may record (1) pre-crash vehicle dynamics and system status, (2) driver inputs, (3) vehicle crash signature, (4) restraint usage/deployment status, and (5) post-crash data such as the activation of an automatic collision notification (ACN) system.
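The buffering scheme described above, as an added illustration (not code from this document or from any manufacturer's EDR): a ring buffer always holds the most recent 8 seconds, and a threshold crossing freezes it into long-term memory and records up to 6 seconds more. The 10 Hz sample rate, the 2 g trigger threshold, the recorded fields and all names are assumptions, and the drive data is constructed.

```python
from collections import deque
from dataclasses import dataclass, field

SAMPLE_HZ = 10         # assumed sample rate (not stated in the text)
PRE_SECONDS = 8        # from the text: most recent 8 s always available
POST_SECONDS = 6       # from the text: up to 6 s after the start of the crash
TRIGGER_DECEL_G = 2.0  # assumed severity threshold, illustrative only


@dataclass(frozen=True)
class Sample:
    t: float          # seconds since ignition
    speed_kph: float
    brake: bool       # driver input
    accel_g: float    # longitudinal acceleration, negative = deceleration


@dataclass
class EventRecord:
    trigger_t: float
    pre: list                                  # frozen pre-crash window
    post: list = field(default_factory=list)   # crash and post-crash samples


class EventDataRecorder:
    def __init__(self):
        # Bounded deque: appending past maxlen silently drops the oldest
        # sample, which is the "continuously records and erases" behaviour.
        self._ring = deque(maxlen=PRE_SECONDS * SAMPLE_HZ)
        self._open = None      # event currently being recorded, if any
        self._post_left = 0
        self.long_term = []    # survives the crash; read out afterwards

    def feed(self, s):
        if self._open is not None:
            # Inside the post-crash window: append until 6 s are captured.
            self._open.post.append(s)
            self._post_left -= 1
            if self._post_left == 0:
                self._commit()
            return
        if s.accel_g <= -TRIGGER_DECEL_G:
            # Threshold met: move the ring contents into the event record.
            self._open = EventRecord(s.t, list(self._ring), [s])
            self._post_left = POST_SECONDS * SAMPLE_HZ - 1
            self._ring.clear()
            return
        self._ring.append(s)

    def flush(self):
        # Power loss mid-crash: keep whatever post-crash data exists
        # ("up to" 6 seconds), rather than losing the whole event.
        if self._open is not None:
            self._commit()

    def _commit(self):
        self.long_term.append(self._open)
        self._open = None


def simulate_constructed_drive(post_samples):
    """Constructed data: 20 s of cruising with late braking, one crash
    sample, then `post_samples` samples before power is lost."""
    edr = EventDataRecorder()
    for i in range(200):
        braking = i >= 195
        edr.feed(Sample(i / SAMPLE_HZ, 90.0, braking, -0.6 if braking else 0.0))
    edr.feed(Sample(200 / SAMPLE_HZ, 60.0, True, -25.0))
    for i in range(201, 201 + post_samples):
        edr.feed(Sample(i / SAMPLE_HZ, 0.0, True, 0.0))
    edr.flush()
    return edr


if __name__ == "__main__":
    ev = simulate_constructed_drive(post_samples=30).long_term[0]
    print(f"trigger at {ev.trigger_t}s, pre={len(ev.pre)} post={len(ev.post)}")
```

Everything before the 8-second window is gone by the time the event is committed, so the long-term record is the only driving data left to retrieve after a crash.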
EDRs are devices which record information related to an “event.” This event is defined as a vehicle crash. EDRs can be simple or complex in design, scope, and reach. They can make a major impact on highway safety, assisting in real-world data collection to better define the auto safety problem, aiding in law enforcement, and understanding the specific aspects of a crash. It is generally agreed that the more we know about motor vehicle crashes, the better the opportunity to enhance vehicle and highway safety. Manufacturers have been voluntarily installing EDRs as standard equipment in increasingly larger numbers of light vehicles in recent years. They are now being installed in the vast majority of new vehicles. The information collected by EDRs aids investigations of the causes of crashes and injuries, and makes it possible to better define and address safety problems. The information can be used to improve motor vehicle safety systems and standards.
As the use and capabilities of EDRs increase, opportunities for additional safety benefits, especially with regard to emergency medical treatment, may become available. EDRs installed in light vehicles record a minimum set of specified data elements useful for crash investigations, analysis of the performance of safety equipment (e.g., advanced restraint systems), and automatic collision notification systems. Vehicle manufacturers have made EDR capability an additional function of the vehicle's air bag control systems. The air bag control systems were necessarily processing a great deal of vehicle information, and EDR capability was added to the vehicle by designing the air bag control system to capture, in the event of a crash, relevant data in memory.
EDRs have become increasingly more advanced with respect to the amount and type of data recorded. Since 1998, the EDR function in light vehicles (under GVWR 10,000 lbs) is typically housed in a control module, such as the sensing and diagnostic module (SDM), the engine control module (ECU) or the stability control or 4-wheel steering modules. These modules are located in various places in the vehicle, such as under a front seat, in the center console or under the dash. Current EDR designs were developed independently by each automaker to meet their own vehicle-specific needs.
Both the data elements and the definition of these data elements vary from EDR to EDR. Both GM and Ford, for example, record vehicle impact response vs. time—i.e., a crash pulse. GM, however, stores the crash response as a velocity-time history recorded every 10 milliseconds while Ford stores the crash response as an acceleration-time history recorded every 0.8 millisecond, e.g. stored in the Ford Windstar RCM. Even for a given automaker, there may not be a standardized format. The GM SDM, for example, has evolved through several generations.
Until recently, there has been no industry-standard or recommended practice governing EDR format, method of retrieval, or procedure for archival. The preferred method is to connect to the onboard diagnostic connector located in the occupant compartment under the instrument panel. Despite the obvious safety benefits that might accrue, however, the use of EDRs has not been without controversy. EDRs were designed to help automakers build safer vehicles. But manufacturers have used the data to defend against product liability claims. Police investigators have also increasingly been using the data to charge drivers with speeding violations and more serious vehicular crimes. And insurance companies want the data to dispute unwarranted claims and tie policy rates to driving behavior.
Privacy advocates and consumer groups oppose allowing data collected for safety purposes to be used for other purposes, especially when most drivers are unaware that their cars have boxes or mechanisms that can be used as evidence against them. They also question whether the data is accurate, since few tests have been conducted to establish its reliability. A number of research studies have concluded that although the EDR data (and the recorder itself) may be “owned” by the automobile's owner or lessee, that data may almost certainly be used as evidence against the owner (or other driver) in civil or criminal cases.
Furthermore, nothing within the federal rules of evidence or the Fifth Amendment's protection against self-incrimination would exclude the use of data recorded by EDRs. Similarly, owners might be prohibited from tampering with the data. Even where statutory authority to require EDRs exists, the public may not want open, unrestricted access to a device installed in their automobiles because unrestricted access may appear to impede their personal privacy interests. Thus public acceptability of EDRs is an important issue paralleling the legal issues raised by EDRs. For example, a class action suit, filed in New Jersey in 2000, alleged that General Motors never told owners of their vehicles that EDRs were installed. The public is largely unaware of EDR systems, how they operate, and who has access to the driving information that can be read from these systems.
At present, vehicle crash data from EDRs is accessible by law enforcement, automakers, state and federal government agencies, automotive repair facilities and automotive insurance companies. Four states—Arkansas, Nevada, North Dakota and Texas—followed the example taken by California lawmakers in 2003 and have enacted laws that specify how motor vehicle event data recorders (“EDRs” or auto “black boxes”) are to be regulated in their respective jurisdictions. Similar legislation is being considered in New York, Massachusetts, New Jersey and Pennsylvania. In another seven states—Alaska, Connecticut, Montana, New Hampshire, Tennessee, Virginia and West Virginia—EDR bills were introduced in 2006, but they failed to pass before those legislatures adjourned.
In a Jan. 6, 2006 editorial USA Today noted that “It's common knowledge that airplanes have ‘black boxes’ that record flight data so safety experts can reconstruct what went wrong after an accident. But few motorists are aware that their late-model cars contain similar devices—and that police and insurers might use the data against them. Six states (Arkansas, California, Nevada, New York, North Dakota and Texas) have recently passed laws requiring that automakers notify motorists of the devices, known as event data recorders (EDRs), and limiting access to them. Nevada's law, which took effect Jan. 1, 2006, requires the owner's permission before data can be retrieved.”
The devices are the size of a pack of cigarettes and are in more than 70% of all new passenger vehicles. The National Transportation Safety Board (NTSB) wants them in every new car sold in America, but privacy concerns have slowed that effort. EDR data monitoring speed, braking, seat-belt use, steering and more can sort out responsibility for accidents and lead to improved vehicle design. But other uses of the data may be made by police, auto insurers, and litigants. Few guidelines exist for resolving who owns the data, and court rulings vary. EDRs can lead to safety improvements, but in response to privacy concerns the federal government may require that all affected motorists are informed that the devices are present in their vehicles.
NHTSA's EDR research website lists the following potential users and consumers of EDR data: insurance companies, vehicle manufacturers, government, law enforcement, plaintiffs, defense attorneys, judges, juries, courts, prosecutors, human factors research, state insurance commissioners, parents' groups, fleets and drivers, medical injury guideline data usage, vehicle owner and transportation researchers and academics, with the auto industry as one of the major future consumers of EDR data. This large, broad and unregulated list of people and entities with the potential ability to get access to private information from an EDR without the driver's consent is alarming and disturbing to many consumers. Invasion of privacy, violation of constitutional rights of the vehicle owners, and ambiguity regarding ownership of the EDR data are fundamental reasons for opposition to these technologies. The data an EDR records could be decisive in a criminal or civil case. Further, a driver's insurance coverage might someday depend on information collected from an EDR. Important rights could be at stake.
Since vehicles have a universal serial bus diagnostic link connector port to accommodate connecting peripheral devices, such as electronic scan tools capable of re-engineering and altering odometers, this has given rise to vehicle tampering. Under current practice, anyone with access to a vehicle may plug a portable scan tool device with a flash memory card and interface into the diagnostic link connector port and copy (or tamper with) information in the vehicle Controller Area Network (CAN). Since portable flash memory cards are usually very small, removing the portable flash memory card from the diagnostic link connector port and taking the information out of the vehicle is relatively easy.
Since the loss of proprietary and confidential information can be very costly with regard to lost revenue and corporate liability, most automakers take significant security precautions to protect against the theft of corporate information. Some companies take steps to keep vehicle information from being downloaded without proper authorization. Rental car companies and automotive lease dealers would suffer economically from widespread tampering with vehicle status information, including information accessible through the diagnostic link connector. After-market products are currently available, such as one from Uif Technology Co., Ltd. (Shenzhen, China), which advertises a “Mileage Correction Kit” marketed as “a compact interface that will allow you to easily read/write/modify the mileage/km of your car without the need to remove the dash. It connects to the on-board diagnostics port located in your car.”
It is estimated that every year, more than 89,000 vehicles with tampered odometers reach the Canadian marketplace at a cost to Canadians of more than $3.56 million according to estimates by a United States of America based company called CarFax. A 2002 U.S. National Highway Traffic Safety Administration study shows that each year more than 450,000 Americans will inadvertently buy a used vehicle with the mileage gauges rolled back. That makes tampering with odometers a $1.1-billion-a-year industry in the United States of America alone.
The definition of tampering can be extended to any means used to modify, remove, render inoperative, cause to be removed, or make less operative any device or design element installed on a motor vehicle or motor vehicle power-train, chassis or body components which results in altering federal motor vehicle safety standards (FMVSS). Required installation of EDRs and the availability of EDR data that is accurate and has not been altered by tampering may be viewed as part of a comprehensive system of safety standards. Automotive insurance companies also have an interest in assuring that real-time crash data generated by EDR devices has not been altered by tampering.
Further, however, unless improved mechanisms to prevent unauthorized access become available, increased consumer awareness of the existence and accessibility of EDR data may prompt a consumer revolt against the installation of EDRs. This could negatively impact sales and/or lead many manufacturers to offer owners the option to turn off their EDRs; there could even be pressure to stop installation of these devices altogether. Such developments would seriously limit the amount of EDR data collected for research by personnel in law enforcement, insurance, government, manufacturing, and education.
The Electronic Privacy Information Center (EPIC) suggests that strong privacy safeguards might further any public safety interests by promoting adoption of the technology by drivers who, under present circumstances, do not feel the presence of these devices is worth the risk. Consumers Union (Docket # NHTSA-2002-13546-79) believes the most important issue to consider regarding traceability of EDR data is the balance between protection of consumer (i.e., vehicle owner) privacy and utility of the captured data. Thus, there is a recognized need to provide both a means of consumer protection for permitting EPA mandated OBD data related to engine and emissions diagnostic data to be downloaded by service technicians and vehicle emission inspection stations while at the same time securing crash data for vehicle owners, thereby protecting privacy and avoiding tampering in an inexpensive and useful manner.
In recent years advances in telecommunications have created an industry called “Telematics.” Telematics is a wireless communications system designed for the collection and dissemination of information, particularly in reference to vehicle-based electronic systems, vehicle tracking and positioning, on-line vehicle navigation and information systems and systems for providing emergency assistance. Such developments hold out the promise of improved safety and services to motorists, but these improvements may be delayed or compromised if consumer concerns about unauthorized access to EDR devices are not addressed.
The increasingly electronic-driven nature of new vehicles has made it difficult for consumers to either diagnose malfunctions in their vehicles or to repair them. Even professional mechanics must now rely on sophisticated electronic equipment to diagnose and repair vehicular malfunctions. To better aid in the diagnosis of such vehicular malfunctions, passenger cars have been required, since 1996, to include an on-board diagnostic port (OBD port), or a diagnostic link connector (DLC). An OBD or DLC essentially comprises a plug-in type connector that is coupled to the on-board computer in the vehicle. The on-board computer is coupled to various sensors at various places within the vehicle, to sense the existence of a malfunction in the various locations of the vehicle. By plugging an appropriate “scanner” device into the OBD or DLC, error codes can be retrieved. These error codes provide information as to the source of the malfunction.
Typically, the scanner devices used today to retrieve such error codes from an OBD or DLC port are large, complex, and—importantly—expensive. The devices typically include a data processing computer, having a cable that can be coupled to the OBD or DLC port. The error codes are retrieved from the vehicle, and fed into the processing unit of the device. The processing unit of the device includes software for processing the information retrieved from the error code, which, along with a database of information, correlates the error codes to specific vehicle malfunction conditions.
As noted in U.S. Pat. No. 6,957,133 to Hunt, et al., most vehicles manufactured after 1996 include a standardized, serial 16-cavity connector, referred to herein as an ‘OBD-II connector’, that makes these data available. The OBD-II connector serially communicates with the vehicle's Electronic Controller Units (ECUs) and typically lies underneath the vehicle's dashboard. Conventional GPSs can be combined with systems for collecting the vehicle's OBD-II diagnostic data to form ‘telematics’ systems. Such telematics systems typically include (1) a microprocessor that runs firmware that controls separate circuits that communicate with different vehicle makes (e.g., Ford, GM, Toyota) to collect OBD-II data; (2) a GPS module; and (3) a separate wireless transmitter module that transmits the GPS and OBD-II data.
Privacy is the single most important issue affecting the success or failure of implementing the Event Data Recorder. In a position paper presented to the NHTSA EDR Working Group titled Information Privacy Principles for Event Data Recorder (EDR's) Technologies (Kowalick, 1998) it was noted that individual motorists or others within motor vehicles have an explicit right to privacy. Although this right to privacy is not explicitly granted in the Constitution, it has been recognized that individual privacy is a basic prerequisite for the functioning of a democratic society. Indeed an individual's sense of freedom and identity depends a great deal on governmental respect for privacy. Therefore all efforts associated with introducing future EDR technologies must recognize and respect the individual's interests in privacy and information use. Thus, it is imperative to respect the individual's expectation of privacy and the opportunity to express choice. This requires disclosure and the opportunity for individuals to express choice, especially in regards to after-market products. Current OEM EDR technology limits an individual's expression of both privacy and choice.
There is a market and established method for diagnostic inspection, repair and maintenance of motor vehicles. However, there is also an emerging shadow market for re-engineering of in-vehicle electronics (such as odometers). The resale value of a vehicle is often strongly influenced by the number of miles or kilometers a passenger vehicle has on the odometer, yet odometers are inherently insecure because they are under the control of their owners. Many jurisdictions have chosen to enact laws which penalize people who are found to commit odometer fraud. In the US (and many other countries), vehicle maintenance workers are also required to keep records of the odometer any time a vehicle is serviced. Companies such as Carfax then use this data to help potential car buyers detect whether odometer rollback has occurred.
As described above, the vehicle diagnostic port can be used and misused for a variety of purposes. The diagnostic port provides a common portal for a variety of information, including information that can be used to the disadvantage of the owner/motorist. At present this portal remains unprotected from uses not authorized by the owner, a situation that is not viable for consumers and therefore likely to retard effective exploitation of the beneficial potential of this portal.
Therefore, a more practical and convenient means of preventing casual and unauthorized downloading of information from EDR devices is needed. Such a means is needed not only to protect the privacy of vehicle owners and motorists, but to build an acceptance of the portal among consumers as owner/motorists so that the portal will be available for data useful to the development of safer vehicles and improved services and products for the driving public. Further, the means that are needed must not interfere with or obstruct current practices that are designed to prevent the owner/motorist from tampering with data such as the odometer record of total vehicle mileage.