On February 11, Sens. Ed Markey (D-Mass.) and Richard Blumenthal (D-Conn.)announced that they would introduce legislation intended to address the data privacy and security vulnerabilities with Internet-connected cars. The legislation, if passed, would require manufacturers to adhere to a number of security and privacy standards, including the following:
- Requirement that all wireless access points in the car are protected against hacking attacks, evaluated using penetration testing
- Requirement that all collected information is appropriately secured and encrypted to prevent unwanted access
- Requirement that the manufacturer or third-party feature provider be able to detect, report and respond to real-time hacking events
- Transparency requirement that drivers are made explicitly aware of data collection, transmission, and use of driving information
- Consumers can choose whether data is collected without having to disable navigation
- Prohibited use of personal driving information for advertising or marketing purposes
The legislative proposal served as a follow-up to an earlier report by Sen. Markey, “Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk.” That report was based on the responses from 16 major automobile manufacturers to questions posed by the senator about how driver information is collected and used, and the potential security risks with wireless technologies in cars. The report found that large amounts of personal driver information – including geographic location, destinations entered into a navigation system, parking history locations, and vehicle speed – are collected without the drivers being clearly informed as to how that information will be used. In most cases, the information is shared with third-party data centers, the report said. Further, the report found that nearly 100 percent of cars on the market include wireless technologies that could pose vulnerabilities to hacking intrusions, and that most manufacturers were unaware or unable to report on past hacking incidents.
In addition to Sen. Markey’s report, the FTC highlighted the potential security and privacy risks with connected cars in its recent Internet of Things Staff Report, which we previously covered here. While acknowledging the many safety and convenience benefits of smart cars, the FTC also shared Sen. Markey’s concern about their potential vulnerabilities.
In response, the industry, led by two major automobile coalitions, has adopted self-regulatory privacy principles. In November 2014, 19 U.S. car companies made a commitment to incorporate a series of self regulatory “Consumer Privacy Protection Principles for Vehicle Services” in their vehicles no later than model year 2017. In a letter sent to the FTC, the participating manufacturers said the “privacy principles” would be applied to their vehicles’ technologies and services, such as roadside assistance and navigation services, and will provide a baseline for privacy commitments. The principles include provisions for transparency, choice, respect for context, data minimization, de-identification, data security, integrity, access, and accountability. Sen. Markey said in a statemen tthat these self-regulatory principles were a good first step, but that they did not go far enough in terms of choice and transparency.
As more and more cars join the wave of Internet of Things, legislators and regulators will continue to scrutinize their potential privacy and security risks. Any road forward – whether it be legislative or self-regulatory – must carefully balance the many benefits offered by smart cars with their potential risks. In the meantime, car manufacturers (and their third-party service and technology providers) should continue to monitor this area for legislative developments and start taking steps to implement the self-regulatory principles.