The Connected Car and the Race to Keep Consumers in the Driver’s Seat on Data Privacy


By Ellen S. Pyle

Ellen S. Pyle is discovery counsel at McDermott Will & Emery LLP in Washington. Ellen focuses her practice on information governance, data privacy and enterprise risk management. She can be reached at epyle@mwe.com.

Automation technology is rapidly advancing, connecting a variety of devices to each other and to the internet. One of the most exciting points of this emerging “internet of things,” and one frequently in the news this year, has been the automated or “connected” car. The connected car incorporates technology that includes systems which sense and interact with the environment around them, as well as systems which connect wirelessly from vehicle-to-vehicle (V2V) or from vehicle-to-infrastructure (V2I) (computer).1

Increased automation promises increased safety, enhanced efficiency and other benefits. Imagine the benefits of being able to navigate effortlessly around traffic, having your vehicle's speed perfectly keyed to optimal fuel efficiency, or your vehicle sensing and relaying to you information on the presence of a dangerous defect.

However, as car automation increases, and cars move towards completely driverless operation, issues emerge regarding safety, data security and privacy. Connected cars collect and transmit large amounts of data, accessing data systems within the vehicles, as well as within their various electronic accessories (entertainment centers, GPS) and the drivers' electronic accessories (cell phones, etc.), and transmitting that data system to system and system to internet.

A problem arises in that the connected car contains multiple system and data point connections, all of which are involved in the transmission of data. These system and data point connections have wildly varying levels of interoperability and security. Thus much of that data, including very sensitive information on owners', drivers' and even passengers' cell phones and other devices, may be exposed and vulnerable to unauthorized access or identity theft. Another very real risk is that the automobile can be remotely hacked and hijacked. The latter risk received wide publicity this summer at a technology conference when a vehicle's dashboard functions, including steering and braking, were publicly accessed and hijacked remotely through a hacker's laptop. The demonstration made crystal clear that the concerns of safety, data security and privacy must be balanced with the benefits of increased automation in this nascent industry.

A Short History of the “Connected” or Self-Driving, Fully-Automated Car

The evolution of the modern “connected” car began in 1908 when the first Ford Model T entered into production. Almost thirty years passed before the first programmable computer was created by Konrad Zuse, and yet another thirty to forty years would pass before three additional critical automation elements, the laser, the digital camera and Light Detection and Ranging (LIDAR) were developed.

The laser was first built in 1960 by Theodore H. Maiman at Hughes Laboratories. Digital cameras were introduced by Eastman Kodak in 1975. The device used a sensor to capture images, which were then transferred to a memory card or other storage device for later use or processing. Though first used primarily for military and scientific purposes, they quickly gained in popularity. By 2005, digital cameras had largely replaced film cameras. LIDAR, a remote sensing method that uses pulsed laser light to measure distance, was introduced in the 1980s.

By 1988, BMW had introduced the first “drive by wire” system, replacing mechanical linkages and cables with electronic control modules and sensors. There were numerous advantages to the system: replacement of the mechanical elements of cable with more responsive electronic components; reduction of moving parts and associated wear and tear; improvement of accuracy which provided better response, fuel economy and emissions control.

Partially propelled by the introduction of advanced microprocessors (the Linux system in 1991 and the Pentium processor in 1993), automated, driverless motor vehicles have rapidly progressed in the last two decades.

The U.S. Government has supported the development of connected cars. Military efforts which demonstrated the ability of driverless automated vehicles to navigate off road terrain began in 2001. Congress noted the advantages of driverless vehicles as early as 2001, setting a goal of making 30 percent of combat vehicles autonomous by 2015.

The government also supported the civilian market. In 2004, the Defense Advanced Research Projects Agency (DARPA), a prominent research arm of the U.S. Department of Defense, held its first “Grand Challenge for Robotic Vehicles.” The competition was meant to spur research and development of autonomous ground vehicles. Though the competition attracted a lot of attention, none of the vehicles competing made it through the rough terrain desert course.

A year later, though, enough progress had been made that several “connected” driverless vehicles finished. The fastest of these vehicles, Stanley, used a combination of systems including drive by wire, LIDAR, GPS, gyroscopes, accelerometers and a digital camera to navigate the course. The various on-board electronics interacted, or connected, with each other and with six Intel Pentium M computers, which processed the incoming data, interpreted it and “drove” the course. Stanley was thus one of the first truly “connected” cars.

By 2007, when the challenge was moved to an urban setting, the contest included traffic regulations, traffic merges and obstacles. The course required that the vehicles not only negotiate the course but execute complex analysis regarding the real-time actions of other autonomous vehicles, and make decisions according to the traffic regulations in force on the course. These were sophisticated, intelligent, interactive decisions. Six vehicles finished.

In 2010, Google announced that it had been developing its own fleet of self-driving cars, and had already logged 140,000 miles on California streets. From 2010 to 2013, Google self-driving cars logged more than 400,000 additional driverless miles. Further, Google is not the only company engaged in the development of driverless cars. Video has surfaced showing cars in Germany, Korea, Great Britain, Japan and China. Nissan and Mercedes have announced plans to introduce an automated self-driving car by 2020. Google aims to introduce theirs by 2017. Tesla has announced that their 90 percent self-driving vehicle will hit the market in 2016.

Regulation

Several federal agencies are poised to regulate connected vehicles. These agencies include the NHTSA, the Intelligent Transportation Systems (ITS), the Federal Trade Commission (FTC) and the Federal Communications Commission (FCC).

NHTSA is responsible for developing, setting and enforcing federal motor vehicle safety standards (FMVSSs) and regulations for motor vehicles and motor vehicle equipment.2 The NHTSA is responsible for the regulation of the design and use of autonomous connected vehicles as it possesses the regulatory authority to regulate safety standards in both new automobiles and aftermarket equipment.3 The NHTSA has outlined the various benefits of connected cars including potentially reduced emissions, enhanced access for the disabled, and safety oriented benefits such as prevention of crashes.4

The NHTSA has argued against state-specific regulation, which it argues is impractical due to the extremely rapid evolution of the various self-driving technologies. Instead, the Agency recommends that states enforce four basic principles: (1) ensure that “the process for transitioning from self-driving mode to driver control is safe, simple, and timely;” (2) “self-driving test vehicles should have the capability of detecting, recording, and informing the driver that the system of automated technologies has malfunctioned”; (3) “installation and operation of any self-driving vehicle technologies does not disable any federally required safety features or systems;” and (4) “self-driving test vehicles record information about the status of the automated control technologies in the event of a crash or loss of vehicle control.”5

Though the NHTSA has not yet set out specific regulations on connected cars, it has made recommendations for state governments' testing and use. For example, the NHTSA has recommended a specific driver's license endorsement for connected vehicle operators. Licensed operators should be required to be seated in the driver's seat so that they might take control of a vehicle in an emergency.6

The NHTSA has stated that it plans to deliver a Notice of Proposed Rulemaking by 2016 regarding V2V communications technology. The NHTSA has emphasized that V2V systems must have secure communications between devices without interference, and that owners'/drivers' personally identifiable information must be protected.7


The NHTSA has also introduced regulations which require that all new vehicles sold in the U.S. be equipped with an event data recorder (EDR).8 An EDR is similar to an airplane black box in that it records and stores data gathered from automobile systems. The data is collected for analysis in the event of an accident or system malfunction. Data collected may include that concerning: speed, brake deployment, crash impact force, throttle engagement at time of impact, air bag deployment and seat belt usage.

The collection of data from the EDR has raised concerns about privacy in the event that the data were used for reasons unrelated to safety. For example, the release of EDR data, such as seatbelt use or driver speed, might be an intrusion into privacy if it were released to government entities or law enforcement agents. Further, there were concerns as to the rightful ownership of the data once it was collected. Was it the car owner's, or the data collector's, at that point? And in the case of the latter, was the car owner's/driver's consent no longer a controlling factor? The NHTSA attempted to stem these concerns by requiring that the owner's permission be obtained before the data were used.9 The stored, collected data also presents concerns. Many EDRs transmit data to emergency response centers at the time of a crash. The collection of multiple vehicles' computer data and its storage in a central location, the emergency response center, presents a liability risk for data privacy.

The NHTSA has thus far been deferential to the states as regards licensing, driver training and operating conditions.10 It has, though, expressed reservations about the states permitting connected cars for anything other than purely testing purposes.11 As there is no federal law or regulation prohibiting any use outside of testing, presumably the operation of connected cars is legal.12 That is not to say that the NHTSA couldn't exercise its powers and effectively prohibit connected cars. In the event of a finding of safety risk caused by connected vehicles, it is entirely within the NHTSA's power to prohibit their use altogether.


The U.S. Department of Transportation Intelligent Transportation Systems office (ITS) has also been engaged in research on protecting privacy in connected vehicles. ITS aims to ensure that the deployment of connected vehicle technology is carried out in a manner that protects consumers from invasion of their privacy and from unauthorized access (hacking).13 ITS specifically seeks to ensure that V2V technologies have been designed to help protect against vehicle tracking, will not collect financial information, personal communications or personally identifiable information about individuals or vehicles, and will have protection against third-party tracking. ITS claims that V2V systems will allow the National Highway Traffic Safety Administration (NHTSA) and motor vehicle manufacturers to find “production runs” of defective equipment but will not use VIN numbers or other specifically identifiable vehicle or driver information. Data de-identification/anonymization will be a major protection method. Additional protections envisioned include physical, technical and administrative controls. Physical controls would include protection of the equipment, such as tamper-proof casings. Technical controls would include methods and systems designed to protect user data, including firewalls, encryption and access management. Administrative controls would include “[l]aws and regulations regarding unauthorized collection, storage, and disclosure of data” and the “Fair Information Practice Principles.”14

The FTC has also been actively involved in protecting consumers through the regulation of the use of consumer data in various networked systems in the internet of things, including connected cars.15 Section 5 of the Federal Trade Commission Act (FTC Act) (15 U.S.C. § 45) prohibits “unfair or deceptive acts or practices in or affecting commerce.”16 An act or practice is unfair where it 1) causes or is likely to cause substantial injury to consumers; 2) cannot be reasonably avoided by consumers; and 3) is not outweighed by countervailing benefits to consumers or to competition.17 An act or practice is deceptive where 1) a representation, omission, or practice misleads or is likely to mislead the consumer; 2) a consumer's interpretation of the representation, omission, or practice is considered reasonable under the circumstances; and 3) the misleading representation, omission, or practice is material.18

This provision of the FTC Act allows the FTC to intervene in instances where companies have failed to reasonably protect consumers' personal information.19 The FTC can step in where “[a] company was not adhering to the practices to protect a consumer's personal information that the company claimed to abide by in its privacy policy.”20

The FTC is involved in developing regulation on connected cars, having offered testimony before Congress,21 participated in workshops related to privacy and security in connected cars,22 presented papers on security and privacy in the internet of things, and provided commentary to the NHTSA on its proposed vehicle-to-vehicle privacy and data collection rulemaking.23 FTC recommendations have included building security into devices from the start (privacy by design); vendor security, vetting and oversight; the use of multiple layers of security to defend against unauthorized access (defense in depth); and monitoring.

The FCC is also involved in connected car regulation and its related data protection and security. The FCC regulates the wireless communication standards used by autonomous vehicles. The automobile industry is engaged in the development of dedicated short-range communication (DSRC) for V2V communication use and has reserved DSRC spectrum for wireless V2V and V2I communication.24 V2V and V2I communication will be dependent on system interoperability and effectiveness. Thus, the FCC is engaged in the development of cooperative standards for interoperability between autonomous vehicles.25

Finally, it is worth mentioning that the United States auto industry has made a concerted effort to self-regulate. Several U.S. auto manufacturers have come together in the creation of the Consumer Privacy Protection Principles for Vehicle Technologies and Services, a sort of “best practices” guide on automakers' collection, use and sharing of sensitive consumer information collected, generated, recorded or stored in electronic format in automobiles. The guide promotes seven principles of data practice: transparency; choice; respect for context; data minimization, de-identification and retention; data security; integrity and access; and accountability.26 Though the principles apply only to signatory auto manufacturers, they represent an important step in data privacy protection in the automobile industry.

Conclusion

Fully automated or “connected” cars carry the promise of enhanced efficiency, increased safety, and other benefits. As automation increases, however, and cars move towards becoming completely driverless, more and more data will be generated, collected, stored, transmitted and shared. This data will include vehicle system data and accessory system data, as well as personally identifiable data from the owner's, driver's and passengers' personal devices. Vehicles and their systems will be at risk of unauthorized access, hijacking and theft. Owners', drivers' and passengers' personally identifiable information will also be at risk of unauthorized access and use.

As the collection, use and storage of the data from connected cars carries such significant privacy risks, regulators such as the NHTSA, ITS, FTC and FCC, as well as the auto industry itself, must prepare methodologies to ensure that those risks are minimized. The benefits from increased automation will need to be balanced against the growing need for data security and privacy. Only then can the benefits of the connected car truly be realized.