Markey continues to be one of the most thoughtful and forward-looking privacy legislators in the US.
The report [PDF] states
New technologies in cars have enabled valuable features that have the potential to improve driver safety and vehicle performance. Along with these benefits, vehicles are becoming more connected through electronic systems like navigation, infotainment, and safety monitoring tools. The proliferation of these technologies raises concerns about the ability of hackers to gain access and control to the essential functions and features of those cars and for others to utilize information on drivers’ habits for commercial purposes without the drivers’ knowledge or consent.
To ensure that these new technologies are not endangering or encroaching on the privacy of Americans on the road, Senator Edward J. Markey (D-Mass.) sent letters to the major automobile manufacturers to learn how prevalent these technol- ogies are, what is being done to secure them against hacking attacks, and how personal driving informa- tion is managed.
This report discusses the responses to this letter from 16 major automobile manufacturers: BMW, Chrysler, Ford, General Motors, Honda, Hyundai, Jaguar Land Rover, Mazda, Mercedes-Benz, Mitsubi- shi, Nissan, Porsche, Subaru, Toyota, Volkswagen (with Audi), and Volvo. Letters were also sent to Aston Martin, Lamborghini, and Tesla, but those manufacturers did not respond.
The responses reveal the security and privacy practices of these companies and discuss the wide range of technology integration in new vehicles, data collection and management practices, and security measures to protect against malicious use of these technologies and data.
The key findings from these responses are:
1. Nearly 100% of cars on the market include wireless technologies that could pose vulnera- bilities to hacking or privacy intrusions.
2. Most automobile manufacturers were unaware of or unable to report on past hacking incidents.
3. Security measures to prevent remote access to vehicle electronics are inconsistent and haphazard across all automobile manufacturers, and many manufacturers did not seem to understand the questions posed by Senator Markey.
4. Only two automobile manufacturers were able to describe any capabilities to diagnose or meaningfully respond to an infiltration in real-time, and most say they rely on technolo- gies that cannot be used for this purpose at all.
5. Automobile manufacturers collect large amounts of data on driving history and vehicle performance.
6. A majority of automakers offer technologies that collect and wirelessly transmit driving history data to data centers, including third-party data centers, and most do not describe effective means to secure the data.
7. Manufacturers use personal vehicle data in various ways, often vaguely to “improve the customer experience” and usually involving third parties, and retention policies – how long they store information about drivers – vary considerably among manufacturers.
8. Customers are often not explicitly made aware of data collection and, when they are, they often cannot opt out without disabling valuable features, such as navigation.
These findings reveal that there is a clear lack of appropriate security measures to protect drivers against hackers who may be able to take control of a vehicle or against those who may wish to collect and use personal driver information.
In response to the privacy concerns raised by Senator Markey and others, the two major coalitions of automobile manufacturers recently issued a voluntary set of privacy principles by which their members have agreed to abide. These principles send a meaningful message that automobile manufacturers are committed to protecting consumer privacy by ensuring transparency and choice, responsible use and security of data, and accountability. However, the impact of these principles depend in part on how the manufacturers interpret them, because
(1) the specific ways that transparency will be achieved are unclear and may not be noticed by the consumer, e.g., text in the user manual,
(2) the provisions regarding choice for the consumer only address data sharing and do not refer to data collection in the first place, and
(3) the guidelines for data use, security, and accountability largely leave these matters to the discretion of the manufacturers.
The alarmingly inconsistent and incomplete state of industry security and privacy practices, along with the voluntary principles put forward by industry, raises a need for the National Highway Traffic Safety Administration (NHTSA), in consultation with the Federal Trade Commission (FTC) on privacy issues, to promulgate new standards that will protect the data, security and privacy of drivers in the modern age of increasingly connected vehicles.
Such standards should:
- Ensure that vehicles with wireless access points and data-collecting features are protected against hacking events and security breaches;
- Validate security systems using penetration testing;
- Include measures to respond real-time to hacking events;
- Require that drivers are made explicitly aware of data collection, transmission, and use;
- Ensure that drivers are given the option to opt out of data collection and transfer of driver information to off-board storage;
- Require removal of personally identifiable information prior to transmission, when possible and upon consumer request.