Connected-Car Security Has International Attention

By Nora Macaluso

Aug. 20 — Governments around the world are weighing how to adapt privacy and security standards to an automotive industry increasingly geared toward connectivity, as international carmakers try to agree on generally harmonized standards balancing safety and security with consumer demand for more high-tech features.

Most governments in major auto markets, with the notable exception of the U.S., have broad cybersecurity policies that apply to all industries, sometimes issuing guidance about how the rules apply to specific sectors. “There are regulations coming up in different geographies that are all about cybersecurity or privacy,” Anil Valsan, lead automotive analyst at Ernst & Young in London, told Bloomberg BNA. “What you will find is, they're probably not all consistent.”

Many countries, including those of the major carmakers, have data protection laws in place. South Korea, the home of Kia Motors Co. and Hyundai Motor Co., has one of the stricter laws, requiring encryption of personally identifiable information in certain cases.

Carmakers, like all international businesses that sell into other markets, are already bound by their countries' existing privacy policies, Cynthia Rich, senior privacy advisor at Morrison & Foerster LLP in Washington, told Bloomberg BNA. “If they're operating in Europe and Korea and Japan, they are required to comply with these laws,” she said. “The question is how to apply existing data protection rules in this particular context.”

Valsan said any harmonization of standards is likely to come from industry-backed consortia, rather than through the imposition of prescriptive regulations. “Harmonization is a bit of a challenge, especially given the concerns around data privacy,” he said. “There will be a lot of nationalistic sentiments” complicating the process, he said.

Privacy by Design

The auto industry has been in the spotlight since a pair of researchers announced that they were able to take remote control of a Jeep Cherokee's steering and braking systems while the car was driving on a highway. Jeep parent Fiat Chrysler Automobiles NV subsequently recalled 1.4 million vehicles to fix the security flaw.

“There's a big emphasis on privacy by design,” Rich said. “Organizations should be building in privacy and data security into their product-planning process so they comply with data protection laws. The idea is to come up with ways to satisfy the data protection requirements that make sense given the particular technology.”

Automakers say they're doing that. The Alliance of Automobile Manufacturers—which includes members from BMW of North America LLC to Volvo Car Corp.—and the Association of Global Automakers—which includes manufacturers and designers from Aston Martin Lagonda Ltd. to Suzuki Motor Corp.—are working with the U.S. National Highway Traffic Safety Administration to establish a voluntary program for collecting and sharing information about existing or potential threats and vulnerabilities in connected vehicles or associated data networks.

In November 2014, the groups completed privacy principles they pledged to adopt as they develop new vehicles.

The groups consulted with the Federal Trade Commission in coming up with the principles.

The FTC has endorsed NHTSA's proposals to require vehicle-to-vehicle (V2V) communication capability for passenger cars and light truck vehicles by 2019 and create minimum performance requirements for V2V devices and messages.

Government-Industry Cooperation

Having a common standard would be helpful, and regional government-industry efforts toward devising standards are good steps, Hideki Hada, general manager of electronics engineering at Toyota Motor Co.’s technical center in Ann Arbor, Mich., told Bloomberg BNA.

But there isn't any evidence of momentum for a mandated global standard, he said. “There are some intergovernmental discussions, but it's really just, I think, talking,” he said.

Ernst & Young's Valsan said that if countries adopt wildly different policies, it could be a problem for manufacturers. “It will limit the kinds of services they can offer,” he said. “They will have to think through terms of how they build this modular service they can turn off in different geographies. At the moment, that's not the way the system is built. On top of that they all have to offer even more customization to meet customer needs.”

Complicating the issue is the entry into the connected-car market of companies outside the notoriously secretive auto industry. “The industry has been slow to change,” and technology is lowering the barrier to entry, Valsan said. Companies like Google Inc., Apple Inc. and Uber Technologies Inc. are looking at new products and even “alternative mobility solutions,” and these companies “are dealing with a lot of customer data already,” he said. “They're used to selling services to customers, unlike the auto industry. There are areas where the auto industry's just learning the ropes.”

Regulators may have only so much control.

Nicholas Weaver, a security researcher at the University of California at Berkeley, told Bloomberg BNA that the “key problem with Internet of things devices is they can either accept connections from anywhere—and are often pitifully insecure as a consequence—or they route all communication through central services operated by companies, companies which now have access to all that lovely—and potentially profitable—data.”

His advice: “If it can kill you, do not connect it to the network.” And that would include cars.

Cruising the Autobahn

The German Ministry of Transport and Digital Infrastructure plans to announce its position on international guidelines for connected cars at the International Auto Show in Frankfurt in September, a spokesman for the German Embassy told Bloomberg BNA. The ministry has held talks with industry, government and safety groups to discuss a range of legal, technical and scientific questions regarding networked automobiles, the spokesman said, adding that Germany's data protection guidelines apply to all information technology components and systems.

Beate Braams, spokeswoman for the Federal Ministry of Economics and Energy, told Bloomberg BNA that the German government in 2013 formed a roundtable on automated driving that includes discussion of data protection. The group, which includes representatives from government departments and industry and consumer associations, will “explore whether and what adjustments in detail are necessary within the current legal framework” that are required “to enable automated and networked driving while ensuring at the same time high data protection and security standards,” Braams said.

The ministry also supports research projects related to connected cars and networking, Braams said. “So far, automated driving has not yet reached market maturity,” she said. “However, the German automotive industry is pushing this topic forward.”

While connected cars offer potential benefits including better security, improved services and reduced pollution, privacy is also important, Braams said. “From the perspective of the Federal Ministry for Economic Affairs and Energy it is important that the consumer interest and high data protection standards are taken into account right from the beginning and are addressed already in the development and research phase,” she said.

The European Union is in the process of replacing its Data Protection Directive (95/46/EC) with a data protection regulation that would be implemented in the same form across the EU's 28 member states, including Germany.

The regulation, which is expected to be issued by the end of the year, may be followed in short order by auto-specific guidance, an EU diplomat told Bloomberg BNA on background.

Legislation Would Require U.S. Standards

Meanwhile in the U.S., a bill (S. 1806) introduced by Sens. Richard Blumenthal (D-Conn.) and Edward J. Markey (D-Mass.) would require NHTSA and the FTC to establish standards aimed at preventing the hacking of cars and protecting consumers' privacy.

The “missing dimension” from the proposed legislation is the “quality and level of strictness of the standard,” Richard Wallace, director of the Center for Automotive Research's transportation systems analysis group, told Bloomberg BNA. “Bad standards or weak standards would probably make the problem worse,” he said. “It would basically provide the hackers with the key to the kingdom.”

The U.S. proposed law, the Security and Privacy in Your Car (SPY Car) Act—which hasn't advanced in the Republican-controlled Congress—would be unique internationally in that it would prescribe cybersecurity standards for automobiles.

The U.S. is something of a global outlier, taking an industry-by-industry approach to privacy. “In the United States, the regulations have been quite prescriptive in terms of what companies need to be doing to address the subject of the regulation, whereas in markets like Europe, they are much broader,” Valsan said. Other countries, he said, “set out the standards the company should achieve, rather than being prescriptive.”

Morrison & Foerster's Rich said that in the U.S., “we tend to regulate areas where we're concerned about specific harms,” focusing on rules for areas like credit reporting and health information.

The National Institute of Standards and Technology is taking comment on a report on the U.S. role in international cybersecurity standardization efforts.

The Aug. 10 report, which doesn't mention any specific industry, lays out proposed objectives for the U.S. government in developing international standards. Those include coordination among federal agencies, collaboration with the private sector and using “relevant international standards for cybersecurity” in federal policy making.

To contact the reporter on this story: Nora Macaluso in Lansing, Mich., at nmacaluso@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com