Can the Government See Private Consumer Data from OEMs?

New report highlights privacy issue with connected cars

According to a new report from Automotive News on a recent meeting between the auto industry’s leading cybersecurity experts and the FBI’s Operational Technology Division, connected cars could be a point of conflict between OEMs and the government. Executives who attended the meeting at the FBI’s Quantico, Va. complex said that automakers would risk betraying customers’ trust if they made private data available to law enforcement instead of deleting or masking it. This comes after the Apple-FBI feud that started after the tech giant refused to crack the password on an iPhone recovered from a shooter in the terrorist attacks that occurred in San Bernardino, Calif., on December 2, 2015.

One executive, who asked Automotive News not to be identified, said that there’s already a lot of pressure on the auto industry to do a better job when it comes to security and that the pressure from the government is making things harder. In 2015, 11 million vehicles were sold with telematics systems, up from four million units in 2010, according to IHS Automotive. By 2021, that number is expected to grow to 16.5 million, meaning almost every new car sold will have some form of telematics system. The higher number of vehicles with telematics systems means automakers are collecting vast amounts of data, which they hope to use to catch technical problems early, build newer services, and sell anonymous data to third parties.

Historically, law enforcement only made use of data from cars in specific situations, such as recovering black boxes for forensic purposes when investigating a crash. According to Stephen Tupper, an attorney specializing in privacy at Dykema Gossett in Detroit, government officials turned to telecom companies to collect location data for suspects by using cell tower data to locate a mobile device. However, with automakers building a large archive of information, law enforcement could possibly ask for more information. “We’re early enough in the life cycle of this technology that, frankly, law-enforcement organizations don’t have the technical know-how or the wherewithal to make much sense of these data,” Tupper said in an interview. “But I think that’s going to be a short-lived situation. Law enforcement will get a lot better at that going forward.”

While tech companies like Google usually release a “transparency report” to show how frequently the government asks for information on their users, automakers don’t, and it isn’t clear how often law enforcement requests data from connected cars. “Your car essentially knows where you sleep, where you work, where you eat, where your kids go to school, if you go to church, if you’re having an affair — you name it,” according to Nate Cardozo, a staff attorney at the Electronic Frontier Foundation, a nonprofit devoted to civil liberties online. “But the OEMs are opaque. They don’t tell us what they’re collecting, they don’t tell us with whom they’re sharing it, and they don’t tell us how often the government comes knocking.”

Currently, no laws have been enforced that outline what the government can legally request from the data collected by connected cars. “People won’t adopt the technology if they think all this information is going to be available to the government or other private parties,” Tupper said. “There’s going to need to be a legislative solution, but I don’t know what it’s going to look like, and it’s going to be really, really difficult.”

Automakers have since written their own guidelines due to the absence of federal law. In November 2014, the Alliance of Automobile Manufacturers and the Association of Global Automakers said that they will disclose any collection of private data, store private data only for legitimate business uses, and ask for permission before sharing it for marketing purposes. According to alliance spokesman Wade Newton, the guidelines are “very direct in establishing that automakers will clearly state the limited circumstances when they may share information with the government.” The agreement, which took effect in January, applies to telematics services and to new 2017 model year vehicles, and was made to ensure that there’s a balance between consumer privacy and government inquiries for people’s personal data.

If automakers are concerned about the government asking them for personal data, they could stop retaining it. However, knowing customers’ habits allows automakers to deliver valuable services to consumers. Toyota, for example, had this in mind when it created Toyota Connected, which was formed to build in-car services that learn from customers’ habits while monetizing the data by offering it to its dealers and partners.

Jon Allen, a consultant at Booz Allen Hamilton who also helped build the Auto ISAC database that automakers and suppliers use to share information on potential cyber threats, said that automakers can’t afford to betray consumers’ trust if they want to capitalize on the benefits of connected car data. “You can’t do analytics with vehicle data unless consumers trust what you’re going to do with their data,” he said.