The challenges of security and privacy in the connected car explored by Robert Gray.
Safety and security in advanced autonomous and connected cars likely face heightened scrutiny following Uber’s road test that killed a pedestrian and renewed data privacy concerns in the wake of Facebook’s data sharing scandal involving Cambridge Analytica’s access of user data.
Data safety and cyber-security will, no doubt, receive closer looks both within and outside the automotive industry, especially as vehicles move towards greater autonomy and connectivity.
Consumers and all concerned parties in the production and implementation of autonomous automobiles and connected car technologies are taking note as vehicles increasingly communicate to each other and the world in which they navigate.
After all, the amount of data generated by vehicles is already quite large and expected to grow quickly, generating fresh privacy concerns over both what carmakers, suppliers, and app makers may do with that information as well as the need for enhanced cyber-security. They’re also taking precautions against hacks that can compromise data and even prove deadly if the navigation system is compromised.
Stacy Janes, chief security architect with Irdeto notes that the right security system will protect data and keep passengers safe: “Data security and privacy overlap frequently within the connected transport industry. In fact, only robust security will provide the necessary privacy safeguards, meaning that privacy can essentially be a by-product of the right approach to security.”
Carmakers are building defences into new models. “Privacy is a priority for all automakers,” asserts Wade Newton with the Automotive Alliance, adding, “As vehicles become increasingly interconnected, both data protection and data privacy need to be considered from the earliest stages of product development. In other words, ‘Privacy by Design.’” Newton adds, “(Automakers) have technical and organisational security measures in place to protect customer data against manipulation, loss, destruction, and access by unauthorised parties.”
Who collects, who keeps, who protects your data
It’s no secret that carmakers and some app developers want to collect and cash in on the enormous data opportunities afforded by connected and autonomous vehicles, including behavioural analytics, advertising, insurance, predictive maintenance and personalisation through features, add-ons, and apps.
The billion-dollar question is who will own and safeguard the data? Data must, obviously, be secured and local regulations complied with, but the connected car presents unique challenges. Janes explains: “OEMs must ensure that data such as GPS location and financial data are secure from theft but also from other users of the vehicle that should not have access to the data. The increased connectivity and complexity in modern vehicles is resulting in new risks and threats to personal safety, security, and privacy.”
The security systems expert also says automakers realise these challenges and are implementing more stringent security measures: “This approach involves many layers of security being implemented throughout the network rather than simply protecting systems from the outside-in (perimeter security).”
Janes predicts more risks and threats to personal safety, security, and privacy owing to increased connectivity and more complex vehicles. He sees theft as the biggest threat to connected cars in 2018: “We have already seen fob replication as well as fob signal amplification attacks for theft and we expect to see the latter expand significantly in the near future. We have seen targeted attacks on mobile banking apps in the past and, as connected vehicles become another digital asset accessible via mobile devices, it will become a viable target like any other.”
Newton says carmakers are focused on protecting privacy. “It’s essential to maintaining the trust of our customers,” he says. “Our Privacy Principles reflect a major step in protecting personal information collected in the vehicle.” Newton says they encourage customers to check out those principles at www.automotiveprivacy.com. In the wake of Facebook-Cambridge Analytica this may prove to be wise advice.
In the wake of breaches, companies may face tougher scrutiny in the US than elsewhere according to some legal experts. Michael Morgan, partner and co-leader of the global privacy and cyber-security practice at McDermott Will & Emery, says: “In the US our standards are not necessarily dramatically higher than elsewhere in the world, however the consequences of a failure to secure a system can be quite significant in the US, which is not always true elsewhere around the world.” Of course, this will change soon, at least in the European Union, soon owing to the sweeping changes coming soon in its privacy law; more on that to come.
In the aftermath of a breach, Morgan points out there is an obligation to release the information to customers or business partners or risk a stiff penalty: “You can face dramatic or huge financial losses from an investigation.” Overall, the Los Angeles attorney says companies operating in the US have a pretty wide-reaching ability, at least for now, to use personal data as long as they are up front about how it will be used. “In the auto industry, as data increase in a way that’s collaborative and forward looking, those issues will require a lot more attention.”
Lay of the legal landscape
The rules of the road are changing and experts expect that trend to continue as the laws and regulations seek to keep pace with the technology on the road to full autonomy.
The United States does not have a comprehensive federal law governing vehicular data collection and protection. It’s left to the states, although the US Senate in 2017 did put forth a bill called the American Vision for Safer Transportation through Advancement of Revolutionary Technologies Act (or “AV START” for short).
This bill would require carmakers producing highly autonomous vehicles to create safety evaluation reports indicating how the manufacturer is handling the collection of driving and accident information and how it plans to minimise cyber-security threats. Gail Gottehrer, partner in the data law practice group at Akerman LLP in New York says the act has, “stalled in congress due in part to concerns of senators about safety, and an interest in seeing more stringent privacy and cyber-security provisions in it.”
Meanwhile, the US House of Representatives passed the SELF DRIVE Act last autumn, which would exempt automakers from many safety requirement – some of which may become obsolete such as steering wheels, while requiring companies behind autonomous vehicles to create privacy plans and outline their collection, storage and use of customer data.
“I advise clients to rigorously apply cyber-security best practices in the development and operation of systems that are embedded as part of the vehicle,” explains Morgan. “If you‘re doing updates, how secure is your system for making updates? Protecting your network from ransom ware and other things you need to be concerned about.”
Europe’s drive to greater privacy protection
All parties in the connected and autonomous vehicle space are gearing up for more stringent privacy protection laws in Europe as the General Data Protection Regulation (GDPR) takes effect on May 25.
The regulations are being hailed as the biggest change to privacy law in two decades and are meant to harmonise data protection throughout the EU. Morgan says without hesitation that this will be the biggest near-term change in privacy and security as companies focus on complying with the new regulations. The penalties may be steep for those found in non-compliance.
“Europeans have a completely different view (on privacy) than Americans. Companies have to consider those cultural differences,” notes Morgan, who represents carmakers, tier one and tier two suppliers on privacy and cyber-security matters. He continues: “A European resident would have very different expectations in terms of getting consent (to use their data), how transparent and open and clear you are in using their information, specifying it in details. It creates a challenge.”
Gottehrer notes the new legislation will affect all companies that process personal data in the EU, regardless of where the company is located. She expounds: “The GDPR gives data subjects the right to have their data corrected and deleted, creates the obligation to obtain informed, specific, unambiguously and freely given consent from data subjects before processing their personal data and consent be withdrawn. It holds companies liable for the conduct of their third party and generally requires notice within 72 hours of learning of a breach of personal data.” She makes sure her clients are well aware of the “significant penalties” that can be levied for those not complying.
The US rules may be less stringent, with data protection laws varying from state to state, but global automotive players will need to be ready to conform with the tighter European regulations and China’s, which Gottehrer says are becoming stricter than they were. The more rigorous privacy rules may slow the auto industry’s plans to monetise the data, at least in certain geographic regions, especially selling information and analytics to third parties.
While consumer expectations for privacy and security may differ from region to region, the concerns are fairly uniform. Irdeto’s survey of 8,354 consumers in six countries (Canada, China, Germany, Japan, UK and the US) found that 85% of respondents believe connected cars may be a target for a cyber-attack and Janes says nearly half of these people do not plan to buy one in the future.
“The simple fact is that there are always vulnerabilities present in connected systems, and connected and autonomous cars are no different,” the Irdeto executive says. “Hackers continuously evolve their attack strategies and have exploited vulnerabilities to access vehicle electronic control units (ECUs), controller area network (CAN) bus systems, intelligent transportation systems (ITS).”
Of course, he adds not only must the vehicle be secure but also V2X communications between the vehicle and everything. Janes expects governments to expand their legal frameworks “to include V2X requirements; otherwise the adoption of V2X will be slowed down, which means the timeline to achieve autonomous driving will be delayed.”
The connected vehicle security expert also sees safety and cyber-security merging “as part of a guarantee for the consumer using the service. In the longer-term, cyber-security will be considered as an insurance included in a service rather than a promise that a vehicle is secure. This shift will make cyber-security an important differentiator for OEMs as service providers and fleet managers will only use vehicles that can fulfil certain cyber-security standards required by insurance companies and can ensure the safety and security of its subscribers.”
As industry players focus on Europe’s implementation of GDPR and China’s requirements that restrict transfer of some data outside of that country, automakers, partners and suppliers clearly need to be ready for a bumpier regulatory ride in the US on cyber-security and privacy in autonomous and connected cars and, perhaps, even more so in the wake of the Facebook data kerfuffle and the Uber pedestrian death.