Connected Cars Are on Policymakers’ Security and Privacy Radar

August 2015
Privacy In Focus

Regulators and legislators are concerned about connected cars amid increased media attention to reported security vulnerabilities. On July 24, 2015, automobile manufacturer Fiat Chrysler recalled 1.4 million cars and trucks because the vehicles contain various security vulnerabilities related to their UConnect wireless Internet feature. According to news reports, researchers were able to gain access to the internal software of a 2014 Jeep Cherokee, take control of the vehicle, and maneuver physical parts of the vehicle, like the vehicle’s wheels. Indeed, another car company, Tesla, took swift action during early August to remedy a claimed security flaw in its cars’ software. We expect increasing scrutiny of, and potential action on, privacy and security issues raised by connected car technology.

NHTSA and FTC Initiatives

Interest in the security of connected cars is not new. Last year, the National Highway Traffic Safety Administration (NHTSA) initiated an Advance Notice of Proposed Rulemaking and a Request for Information on connected cars and cybersecurity. Over 50 industry leaders in the vehicle, wireless, Internet, and privacy fields commented in the two proceedings on the benefits of connected cars for overall highway safety. They also addressed concerns about the privacy and security of consumer data collected in support of connected car functionality. Questions were raised about the collection and transmission of personal and vehicle-generated data. For example, the National Motorists Association argued that any time data is transmitted wirelessly through connected devices, “the threat of appropriation and malicious use of that information exists.” The Alliance of Automobile Manufacturers agreed that the collection of “[s]ensitive information, such as geolocation, driver behavior, and biometric information” must be “carefully protected.” But industry also urged caution in prescribing standards that can stifle innovation. NHTSA’s current privacy framework for connected cars is based on concepts found in the 2007 Vehicle Infrastructure Integration Consortium Privacy Policies Framework and the National Institute of Standards and Technology’s (NIST) Fair Information Practice Principles (FIPPs) framework.

NHTSA is not the only agency to consider connected cars. The Federal Trade Commission (FTC) is watching the intersection of security and privacy. In the FTC’s Internet of Things report published in January 2015, the Commission noted the benefits of connected devices in general but also focused on connected cars. The report explained that connected cars can alert drivers to hazardous road and driving conditions and provide vehicle diagnostics to ensure that the vehicle is functioning properly. These benefits will continue to be of interest to industry leaders as well. The report, however, also highlighted various potential security threats and concerns as connected cars, by their very function, “collect, transmit, store, and potentially share vast amounts of consumer data, some of it highly personal,” which, in turn, also increases security concerns for companies in the industry.

Congressional Actions

On Capitol Hill, lawmakers have demonstrated interest in the impact of connected cars on privacy and security. This past February, Sen. Ed Markey (D-MA) released a report titled Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk. The report detailed areas of claimed vulnerability and discussed ways to protect driver data.

Recent events have raised the profile of their concerns, leading to draft legislation and calls for further NHTSA activity. Amid the media attention to connected cars, Sen. Markey and Sen. Richard Blumenthal (D-CT) introduced the Security and Privacy in Your Car Act (SPY Car Act). That bill would give authority to the FTC and NHTSA to create “reasonable” security standards for car manufacturers, as well as impose substantive privacy standards and disclosure obligations, to be monitored and enforced by the FTC. The senators also have sought a federal regulatory investigation. On July 28, 2015, Sens. Markey and Blumenthal wrote a letter to Dr. Mark Rosekind, administrator of the NHTSA, explaining that they “were deeply troubled to learn that these software defects can be exploited by malicious hackers to potentially wreak havoc on our roads.” The senators requested that NHTSA “conduct an investigation to determine whether there are other vehicles currently on American roads that suffer from similar or entirely new security and safety defects,” to prevent similar, widespread events like the reported threat to Fiat Chrysler and Tesla vehicles.

Interest is growing in the privacy and security of connected car technology. We expect activity this year in Congress and increased attention by NHTSA and the FTC.