Privacy and Security Concern Auto Industry in Connected Cars
Auto industry experts worry about privacy, cybersecurity and safety of connected cars and autonomous vehicles and have acted to correctly design technology from the start. Privacy experts didn't dispute the strides but they said during an FTC event Wednesday that significant questions are surfacing and need to be thought through.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
Joseph Jerome, policy counsel with the Center for Democracy & Technology's Privacy and Data Project, said cars are second homes to many Americans and the new technology changes that dynamic. It's not just about geolocation and the ability of being tracked, but also about "when you drive, how you drive, what your interests are, what we perceive your interests to be" with employers, insurers and marketers seeking this data. "This is a real privacy loss," he said. Jerome said huge questions surround how data will be accessed since it might be used in legal disputes and by law enforcement, as well as how some of the functionality like car infotainment systems can be turned on and off. "It's certainly not the Wild West, but it's a complicated universe and if I'm interested in these issues, I really have no idea who to turn to get the information," said Jerome.
Consumers won't accept these emerging technologies if they aren't confident and don't trust them, and privacy is a key, said Hilary Cain, Toyota director-technology and innovation policy. "You asked ... whether privacy is overrated and the resounding answer is 'no,'" she said, responding to the moderator. She cited the auto industry's development of a self-regulatory code of conduct to govern use of vehicle data, which was inspired by the Fair Information Practice Principles. The industry went further and put meaningful restrictions in the code of conduct, she said, adding automakers are prohibited from using sensitive vehicle data for marketing purposes or sharing it with unaffiliated third parties like data brokers without a vehicle owner's affirmative consent.
Acting Chairman Maureen Ohlhausen said the FTC will continue to enforce privacy and data protection rules against manufacturers and service providers and will work with the National Highway Traffic Safety Administration to coordinate, not overlap or duplicate, such actions. She said the commission does this with the Department of Health and Human Services in pursuing health privacy cases and coordinating guidance. She urged Congress to consider data security and data breach notification legislation that will require companies to notify consumers about security breaches as well as strengthen FTC power. She said the auto industry and others should review business education and guidance on protecting personal information.
General Motors implemented privacy by design principles and developed a "robust" cybersecurity strategy, including creating a dedicated, well-resourced product team that looks at threats from the back office to the physical vehicle, said Jeff Massimilla, chief product cybersecurity officer. “It’s not a question of if our industry will ever see a serious cyber incident but when, and when that breach occurs, a successful response will depend on how prepared we are,” he said. Massimilla, also vice chair of the Auto Information Sharing Analysis Center, said that organization shares cyberthreat intelligence, practices incident response activities and is developing comprehensive cybersecurity best practices.
Experts said it's a matter of time before cyberattacks hit connected cars​. Syed Zaeem Hosain, chief technical officer with IoT provider Aeris, said he predicted in March a ransomware attack against a car by year's end, but citing recent major global attacks said it might come sooner. Duke University computer science professor Miroslav Pajic said as hackers figure out how to attack vehicles, they'll make the information available for less-skilled people to use. Argus Executive Director-Business Development Meg Novacek, who described vehicles as being made up of 50 to 100 computers, said it also works the other way, since cybersecurity experts can "immunize" fleets once the attack is diagnosed.
Electronic Privacy Information Center President Marc Rotenberg said cybersecurity is an issue that's "creeping up on American consumers with enormous impact" and most people don't "have a very good understanding of what the practical consequences will be of autonomous vehicles." He said most now think it's an "anomaly" that a car will be hacked or disabled. But he said EPIC found last year that companies that provide auto loans to low-income people were building into vehicles "starter interrupt devices so that they could remotely disable the vehicle if the payments weren't made on time."