Driverless cars are coming. After testing prototypes for years, companies are poised to roll out self-driving vehicles for consumer use. The future is here. But, are we ready for it?

The existing law is clearly not. There are currently no federal statutes governing driverless cars, and only eight states (i.e., California, Florida, Louisiana, Michigan, Nevada, North Dakota, Tennessee, and Utah) and the District of Columbia have enacted laws addressing driverless cars. These state statutes typically define “autonomous vehicles,” or “autonomous technology,” establish parameters and guidelines for their testing, and/or require that the vehicles have either manual override or a licensed driver in a position to assume control of the vehicle. Some of these statutes also deal with manufacturer liability, owner insurance, safety standards, and the promulgation of additional regulations by the state department of motor vehicles concerning the operation of the vehicle. Only the California statute, however, addresses even minimally the data generated and collected by the driverless car, requiring that the manufacturer provide a written disclosure describing what information is collected by the “autonomous technology” equipped in the vehicle to the purchaser.

The privacy implications of the driverless car are significant. The data that such a vehicle could collect and the potential uses of that data could be extraordinarily intrusive. Driverless cars could provide both historic and real-time, continuous geolocation data. Companies could utilize this data to determine not only your current location and destination but also every place that you have been. This data could lead to commercially valuable, but extremely sensitive and intimate information about individuals being discovered. Advertisers may be able to discern the purchasing patterns of individuals by tracking what stores they frequent. Insurers may be able to determine what the lifestyle of individuals is like by following their daily activities (e.g., constant trips to the gym) and dining habits (e.g., persistent trips to fast food restaurants).

Data ownership may present a challenge. Who owns the data collected by a driverless car may not always be easy to ascertain. The manufacturer of the vehicle may claim ownership. However, if the manufacturer employed another company’s GPS or mapping service or software in the vehicle’s navigation system, that other company may similarly have a claim on the data. Not only is data ownership a potential issue, but data usage may also be a concern. How companies use the data they collect is typically governed by the company’s privacy policy. Unfortunately, the terms of many of these policies are often be so broad or ambiguous that consumers are unable to discern with whom their data is being shared and for what purpose their data is being utilized.

The Alliance of Auto Manufacturers, Inc., a major automakers trade group, adopted a list of privacy principles for vehicle technologies and services in 2014. These principles include commitments to transparency, increased consumer choice, reasonable and responsible use of information, data minimization, de-identification, and retention, data security, and accountability. They also require that consumers must affirmatively consent to having geolocation, biometric, and driver behavior data and other identifiable information used for marketing or by third parties. Unfortunately, these principles are nonbinding and subject to the interpretation of the specific auto manufacturer. State laws and regulations have neither incorporated nor even endorsed them. Therefore, for the present, the auto industry remains self-regulating in determining data collection, ownership, retention, and usage policies relating to self-driving cars.

There is greater certainty in determining the limits of law enforcement in obtaining and using the potential data collected by driverless cars. The government would likely draw a distinction between real-time and historic geolocation data, affording more protection to real-time information. The Department of Justice has stated that, absent extraordinary circumstances, it will obtain a search warrant for any real-time geolocation data. In contrast, the government has maintained, and multiple Courts of Appeal have agreed, that a search warrant is not required for the government to obtain historic cell site information.

An equally pressing concern with driverless cars is their security. Driverless cars require considerably more components than the current counterparts. Driverless cars may rely on lasers scanners and other sensors to map out their surroundings, routers to maintain a constant wireless connection to transmit data about their surroundings, and software to process the data the vehicles collect. Each of these components is interconnected and constitutes an additional potential entry point for hackers to get into the car’s computer system.

Hackers are already able to access vehicles that are connected to the Internet remotely and exercise control over them. In 2015, cybersecurity experts hacked into the Jeep Cherokee of a technology writer for Wired Magazine to demonstrate the vulnerability of the vehicle’s dashboard computer. The experts controlled the air-conditioning, radio, and windshield wipers of the Jeep Cherokee remotely, before making the vehicle come to a complete stop on the interstate. They were also able to track the GPS coordinates of the Jeep Cherokee. Criminals have also been able to exploit this vulnerability. In Houston, the police discovered that criminals were able to use a laptop to hack into the computer system of a 2010 Jeep Wrangler, start the engine and steal it from the owner’s driveway.

Security concerns about connected vehicles prompted the filing of a class action complaint in 2015 in Cahen, et. al., v. Toyota Motor Corp, et. al., No. 3:15-cv-01104 WHO against Toyota Motor Corp., Ford Motor Co., and General Motors LLC, alleging fraud, false advertising, and violations of consumer protection laws based on a purported failure to disclose their vehicle’s lack of electronic security and a susceptibility to hacking. The district court dismissed the complaint, finding that the plaintiffs lacked standing because they had not suffered an actual injury and possessed only a speculative risk of future harm. The plaintiffs appealed and the case is currently pending before the Ninth Circuit. The Electronic Privacy Information Center (EPIC) has filed an amicus curiae brief, requesting that the Ninth Circuit reverse the dismissal. The EPIC alleges that connected vehicles without authentication or encryption are inherently vulnerable and pose more than a speculative risk of harm.

Driverless cars offer great promise in improving safety and convenience. But, they also pose considerable privacy and security risks. Federal and state governments need to consider all the risks very carefully and make a concerted effort to address them before urging adoption of this revolutionary, new technology.

Originally published by IPWatchdog​ on September 5, 2016.​