The Privacy Law and Cyber Security Implications of Automobiles
Introduction
Many people are unaware that modern cars come equipped with hundreds of sensors that record their every move. These devices have raised concerns about privacy as cars have become part of the Internet of Things (IoT). Gone are the days when cars were merely a means of transportation. In 2014, Jim Farley, an executive at Ford, admitted that the company could track drivers’ movements via GPS, stating, “We know everyone who breaks the law, we know when you’re doing it.” While Farley later clarified that Ford did not track customers without their approval or consent, the privacy concerns surrounding connected cars persist.
The following technologies are among the most common features of modern cars that have the potential to compromise privacy: (1) Global Positioning System (GPS) (2) Collision Avoidance System (CAS) (3) Voice Recognition and Control.
Global Positioning System (GPS)
Automakers began installing GPS in vehicles in 2000, and what was once a luxury option has become a standard attribute in modern cars. GPS, originally a military system belonging to the US Department of Defense, works by sending signals from satellites to receivers in vehicles, which then calculate the receiver’s location through trilateration. GPS devices collect not only location data, but also information about all movements, which could reveal sensitive information about individuals and pose a threat to their privacy as this information is maintained over time. Additionally, automobile manufacturers routinely collect data from GPS for various purposes, which could implicate privacy concerns.
Collision Avoidance System (CAS)
Until recently, it would have been unimaginable that cars would be equipped with technology that could detect other vehicles or pedestrians, anticipate collisions, and apply brakes automatically. While this collision avoidance system (CAS) is a remarkable safety feature, it also poses a significant threat to our privacy. CAS is a complex system that uses sensors, cameras, lasers, and radars to monitor the vehicle’s surroundings, including other vehicles, pedestrians, and cyclists. When a collision appears imminent, the system can automatically apply the brakes.
Although this technology is impressive, it collects a significant amount of sensitive information, creating a potential threat to privacy. GPS sensors in CAS can detect approaching stop signs, and pedestrian detection systems use advanced sensors to detect human movements. However, the use of gait recognition, which identifies people based on their walking style and pace, raises serious privacy concerns. Even if your face is not recognizable, your identity can be revealed through gait recognition technology.
As collision avoidance systems become more widespread, it is essential to address privacy concerns. The information collected by vehicles could potentially be used for malicious purposes, such as tracking individuals’ movements. While CAS is undoubtedly a remarkable safety feature, it is crucial to ensure that privacy rights are protected.
Voice Recognition and Control
Modern cars come equipped with standard technologies such as Voice Recognition and Control systems that allow drivers to speak commands to their vehicle. These systems use software programs or hardware devices that can decode the human voice. While the collection of voice data is not considered private under the Fourth Amendment to the Constitution, the collection of voice samples by car manufacturers still poses a threat to privacy.
The voice control system is activated by a button on the steering wheel, which allows the driver to speak commands. However, the use of voice recognition and control systems in modern vehicles can potentially compromise privacy. There have been public concerns and complaints about the collection and transmission of private communications by various consumer devices such as TV sets that use this technology, and many state legislatures have taken action in response.
Cars are already collecting a significant amount of data, including sound, through sensors that collect information about the vehicle’s operation and surroundings. These sensors include cameras, radar, thermal imaging devices, and light detection and ranging. This data helps vehicles determine their environment, predict potential hazards, and even act based on those predictions. However, the collection of data about driving habits, destinations, and other revealing information about drivers without their knowledge or consent is a growing concern.
Furthermore, the use of imagery captured by the vehicles’ exterior and interior cameras, including ownership disputes and potential invasion of privacy claims, raises additional concerns. The scale of the problem is significant, but companies that engage in broad data collection do not always implement adequate safeguard measures to protect privacy. Therefore, the use of voice recognition and control systems in modern vehicles must be approached with caution to prevent the infringement of privacy rights.
National security concerns
Modern cars come equipped with sensors and cameras that are capable of recognizing pedestrians. The data collected by these devices is sent to servers owned by car manufacturers. For example, in big cities, cameras equipped with face recognition systems have the potential to collect information about people’s movements. Most modern cars are equipped with high-definition cameras that can recognize pedestrians, as shown in the picture below.
The fact that 45.51 percent of cars driven in the USA are foreign-made raises concerns for national security because many of these cars may transfer all collected information to foreign countries. This could potentially include sensitive information such as the movement of US troops, which could be recorded by front cameras and transmitted to foreign servers.
Privacy Risks and Cyber Security
Obviously, cars are prone to cyber-attacks and hackers can do it eloquently. Hackers might be motivated to hack into the vehicles’ operating systems and steal important passenger data. They can also do it for fun. Hackers frequently disrupt operation of cars and jeopardize the drivers’s safety. Location data can be used for purposes other than to provide services to the consumer, such as selling the data to others for marketing. There are also many reports about hackers who sell sensitive information obtained from car manufacturers.
The Government Accountability Office said privacy groups and policy makers have questioned whether the location data collected and used by various companies offering such services pose privacy risks. The Government Accountability Office is a watchdog that helps to address privacy problems.
“Specifically, they are concerned that location data can be used for purposes other than to provide services to the consumer, such as selling the data to others for marketing. They also have concerns that location data can be used to track where consumers are, which can in turn be used to steal their identity, stalk them, or monitor hem without their knowledge. In addition, location data can be used to infer other sensitive information about individuals such as their religious affiliation or political activities,” the GAO stated.
According to the Supreme Court decision of U.S. v. Jones location information “generates a precise, comprehensive record of a person’s public movements that reflects a wealth of detail about her familial, political, professional, religious, and sexual associations.”
State courts also recognize privacy as a right that should be protected. For instance, the New York Court of Appeals in The People of the State of New York v. Scott Weaver, noted that an individual’s historical location and destination information would reveal “indisputably private” trips, such as to a psychiatrist, plastic surgeon, abortion clinic, strip club, criminal defense attorney, by-the-hour motel, union meeting, and place of worship.
Obviously, information about one’s location or travel patterns may create a risk of physical harm or stalking if that information fell into the wrong hands.
There is also the risk of hacking and uploading private information into the dark web. Car manufacturers cannot guarantee 100 percent safety of information from hackers. By the time a company tells you your data’s been stolen as part of a breach, your information may already be on the dark web.
Frequently, car manufacturers don’t report security breaches. Sometimes, when your private data’s been stolen, you often won’t learn about it until long after the car manufacturer or some other company you’ve trusted with your information notifies you that your personal information has been exposed in a data breach and appeared somewhere in a dark web .
What hackers can do with your information? Criminals can do everything from making purchases and opening credit accounts in your name to filing for your tax refunds and making medical claims. Many don’t realize that billions of these hacked login credentials are available on the dark web, packaged for hackers to easily download often for free .
According to a recent survey from Synopsys and the Society of Automotive Engineers (SAE) International, manufacturers say that it is “likely” or “very likely” that malicious attacks on their software or components will occur within the next 12 months.
The spread of high-tech gadgets used in cars also increases the amount of personal information collected by the vehicle, making strong data protection difficult.
Conclusion
The current federal and state privacy legislation in the US does not effectively apply to vehicle data. While the Driver’s Privacy Protection Act limits the disclosure of personal information obtained from state departments of motor vehicles, it does not extend to data collected by vehicles. Due to the rapid evolution of technology, the government struggles to keep up with developing effective laws that can protect privacy. It is estimated that the law is lagging behind technology by around five years. As such, new laws must be enacted, and car manufacturers should implement privacy protection measures such as privacy by design, storage limitation principle, anonymization, and notice and consent. However, notice and consent puts the burden of privacy protection on the individual, making it a less desirable approach. Instead, anonymization and storage limitation principles are more effective. For example, car manufacturers should only be allowed to store collected information for a maximum of one month. It is important to note that while such measures can protect privacy, hackers can still access and potentially take control of vehicles, making it a national security concern as well as a privacy issue.
References
Alfred Ng, Old hacks strike again: Data from 2.2B accounts lands on the dark web
https://www.cnet.com/news/old-hacks-strike-again-data-from-2b-accounts-lands-on-the-dark-web/
Shelby Brown, Data breaches timeline: EasyJet cyberattack exposes over 9M people, and more https://www.cnet.com/how-to/easyjet-cyber-attack-exposes-over-9m-people-latest-major-data-breach/
Edwards, Jim. Ford Exec: ‘We Know Everyone Who Breaks The Law’ Thanks To Our GPS In Your Car https://www.businessinsider.com/ford-exec-gps-2014-1
How GPS Receivers Work – Trilateration vs Triangulation
https://gisgeography.com/trilateration-triangulation-gps/
Ireson, Nelson. Ford announces new radar based collision avoidance system
https://www.motorauthority.com/news/1030038_ford-announces-new-radar-based-collision-avoidance-system
The privacy implications of autonomous vehicles. https://www.dataprotectionreport.com/2017/07/the-privacy-implications-of-autonomous-vehicles/
States with the most domestic and foreign cars https://insurify.com/insights/states-with-the-most-domestic-and-foreign-cars-of-2019
Top Legal Issues Facing the Automotive Industry in 2020
https://www.natlawreview.com/article/top-legal-issues-facing-automotive-industry-2020
Office of the Attorney General, CCPA
https://oag.ca.gov/privacy/ccpa
The General Data Protection Regulation 2016/679 is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area.
ISO 25237: 2017 Health informatics—Pseudonymization. ISO. 2017. p. 7.