Written by Taylor Armerding to Naked Security
Assuming it’s paid off, you might think you do. It’s your responsibility to maintain it. If something breaks, you have to pay to fix it. If you hit somebody or something with it, you’re liable for the damage.
But the data you generate in your autonomous car of the future? Apparently not so much. If you expect the US Congress to protect your personal privacy, including ownership and control of those data, as the nation moves into the era of autonomous vehicles (AV), you need to temper your expectations.
Legislation is in the works in both houses of Congress to regulate AVs, although the House is ahead of the Senate – the Committee on Energy and Commerce released the text a couple of weeks ago of a proposed bill titled the SELF DRIVE Act.
Yes, that’s an acronym. As is regularly the case, legislators craft a tortured phrase to yield an acronym that is easy to remember. This one’s complete name is the “Safely Ensuring Lives Future Deployment and Research in Vehicle Evolution Act”. Try remembering that.
The bill does have an entire section on privacy, even though that didn’t make it into the title. But, as privacy advocates note, while it requires manufacturers to develop a privacy plan that spells out to consumers what is collected, used, shared and stored, and also tells them what choices they have regarding those practices, there is nothing in the bill that says who owns the data, and how owners can access or delete it.
In response, the Electronic Privacy Information Center (EPIC) issued a statement arguing that, as they had recommended in testimony while the bill was being drafted, “consumers (should) control the personal information that is created and stored by the vehicles they operate, rent, and own”.
Based on support for the bill, EPIC and other advocates have an uphill climb. It was reported out of committee on a unanimous (54-0) vote.
The major focus of the bill is to create “a regulatory structure that allows for industry to safely innovate with significant government oversight,” according to committee chairman Greg Walden (R-Ore.).
It also includes a section on cybersecurity, but the language is not terribly reassuring there either, when it comes to vehicles moving at 65mph (105kph) miles per hour or more. It requires only that manufacturers have cybersecurity practices that will guard against “reasonably foreseeable” risks. Try getting agreement on that in a courtroom.
Besides the lack of anything explicit about who owns the data generated by the vehicle, EPIC also objected, in a letter to the committee in June, to a provision that forbids states, “from issuing any rule, regulation, or law that is not identical to a previously issued Federal Motor Vehicle Safety Standard (FMVSS) issued by NHTSA (National Highway Transportation Safety Administration), including in the areas of software and communications systems”.
While EPIC agrees there may be a need for national uniformity on vehicle design and mechanics, the software and communication regulation will “prevent states from developing innovative privacy safeguards. This stands in contravention to the historic role that states have played in the privacy arena,” EPIC said
The organization called for the creation of an “Automated Driving System Cybersecurity Advisory Council that will include members from “privacy and consumer organizations” outside government and industry.
None of those objections or recommendations are addressed in the current language of the bill. And Walden’s office did not respond to several requests for comment.
All of which will leave AV users exposed – both to physical and privacy risks – according to critics. Susan Grant, director of Consumer Protection and Privacy at the Consumer Federation of America, agrees with EPIC that the bill doesn’t give consumers “any privacy rights or control” over the personal data that will be collected. She added:
Even worse, it gives neither the Department of Transportation or the Federal Trade Commission any rulemaking authority in that regard.
Autonomous cars are computers on wheels, raising all the same concerns about online privacy and security. The committee should go back to the drawing board to craft better legislation to address those concerns.
