Smart Cars, Privacy, and Security

June 6, 2012

Car data recordCongress is on the verge of enacting new legislation to make use of Electronic Data Recorders (EDRs) mandatory in all American cars. 

Like their well-established cousins, the “black boxes” used to re-construct incidents involving aircraft, automotive EDRs capture and store basic operational data associated with automobile use, including vehicle and engine speed, braking status, steering angle, throttle position, seatbelt status, and airbag deployment.

The information processed by EDRs has many valuable potential uses, such as accident re-construction and vehicle operations management.  Yet EDR data can also be abused. 

To date, Congress has not yet fully considered the information security and privacy implications of mandatory EDR use.

Before enacting EDR legislation, Congress should find appropriate answers to basic questions including:

Who will own EDR data?

Who will have access to that data and for what purposes?

Ford and other automakers have launched major research and product development initiatives specifically designed to make their automobiles more intelligent. 

The stated goals of these efforts include the objective of integrating cars into the ever-growing global information and communications network.

Automakers see their vehicles as mobile telecommunications centers, where individuals can quickly and easily access the voice and data communications networks.

They also view automobiles as mobile media and entertainment centers, in which digital content is readily accessible. 

Increasingly, the automakers also view their vehicles as mobile data collection and transmission devices.

Cars are now being constructed to function as part of global sensor networks. 

Sensors embedded in the vehicles will automatically collect and transmit information regarding road conditions, environmental status, and current weather conditions to global data monitoring and analysis centers.

At present, EDR data involves basic operational information.

As automobiles become smarter and diversify their information processing functions, however, the data they collect and transmit will likely become far more varied.

In virtually every instance in which technology has enabled collection, distribution, and analysis of a new set of information, heated debates regarding ownership, access, and rights of use associated with the information have soon followed.

Those debates are currently emerging with regard to automotive data.

As our automobiles become smarter and evolve into devices that collect and transmit information regarding our location, travel history, and communications, the issues of ownership, access, and use associated with that information will be significant. 

Individual automobile users will demand a certain level of privacy for that information, and they will expect the information to be secure from unauthorized and inappropriate access and use.

Automobiles are now, in effect, computers and communication devices. 

The same information privacy and security concerns we have with regard to our computers and mobile phones are also applicable to our cars.

When our automobiles contain detailed records of our travels, our communications, and our transactions, auto manufacturers and dealers, car rental agencies, insurers, employers, and auto maintenance personnel all potentially have access to that personal information.

As our automobiles connect with the Internet and other global networks, they become open to unauthorized access by criminals, governments, and others.

When Congress considers the EDR legislation, it should recognize that each time it permits or mandates collection of data involving individuals, no matter where or how the data are collected, it must also address the difficult issues associated with ownership, security, access, and use of that information.