HR 2414 IH: The Black Box Protection Act, Or Your Car Is Tracking You
Tuesday, July 23, 2013
In December 2012, the National Highway Traffic Safety Administration (NHTSA) proposed new rules requiring manufacturers to install event data recorders (EDRs, often called "black boxes") in all cars weighing less than 8,500 pounds and motorcycles built on or after September 1, 2014. The new rules supposedly are for safety reasons. Transportation Secretary Ray LaHood said:
"By understanding how drivers respond in a crash and whether key safety systems operate properly, NHTSA and automakers can make our vehicles and our roadways even safer..."
About 96% of passenger cars and light-duty vehicles built for 2013 are already equipped with EDRs. Auto manufacturers have voluntarily included EDRs. EDRs can collect data about several types of crashes: front, rear, side, and rollover crashes.
The NHTSA announcement mentioned a partial list of data elements collected by EDRs:
- vehicle speed;
- whether the brake was activated in the moments before a crash;
- crash forces at the moment of impact;
- information about the state of the engine throttle;
- air bag deployment timing and air bag readiness prior to the crash; and
- whether the vehicle occupant's seat belt was buckled.
The announcement also stated:
"... the EDR data would be treated by NHTSA as the property of the vehicle owner and would not be used or accessed by the agency without owner consent."
Most people are familiar with black boxes used in commercial airplanes. After a crash, officials search and recover the black boxes to learn exactly what happened, and to determine the cause of the airplane crash. Well, it works for airplanes. So, it'd be a good idea for cars too, right? What could be wrong with improved auto safety?
Think of an EDR as a mobile computer attached to your car. Like any other computer, it has memory to save data and some computational capabilities. In this instance, the EDR accepts inputs from your car's engine, brakes, speedometer, air bags, seat belt restraint systems, and bumpers.
In a recent news report, NBC News said:
"The boxes have long been used by car companies to assess the performance of their vehicles. But data stored in the devices is increasingly being used to identify safety problems in cars and as evidence in traffic accidents and criminal cases. And the trove of data inside the boxes has raised privacy concerns, including questions about who owns the information, and what it can be used for, even as critics have raised questions about its reliability... to consumer advocates, the data is only the latest example of governments and companies having too much access to private information. Once gathered, they say, the data can be used against car owners... consumer advocates say, government officials have yet to provide consistent guidelines over how the data should be used."
The NHTSA maintains a website with research about EDRs. The Insurance Institute For Highway Safety (IIHS) operates a website (updated in February 2013) with answers to common questions about EDRs. The IIHS site also provides a more complete list of data elements collected by EDRs. If you want to see the detailed lists of data elements collected under various conditions, see the 49 Code of Federal Regulations Part 563 regulations dated July 9, 2013.
Well, there still seem to be privacy issues and too many unanswered questions.
1. The announcement includes two instances of conflicting information. The announcement includes both the above list of data elements collected and the following statement:
"EDRs do not collect any personal identifying information or record conversations and do not run continuously."
What? First, in order to make the data meaningful, EDRs have to record the make and model of the vehicle, plus a time stamp with the date and time. That data can easily identify the vehicle owner or driver. Without make and model, the NHTSA won't know which makes and vehicle models to focus upon when reviewing aggregate data for possible fleet-wide solutions.
Second, the announcement claims not to collect data continuously, but it does collect speed. The collection of speed data must be continuous since the EDR won't know beforehand when a crash will happen. If it only collects speed data at or after the point of impact, then the data seems far less meaningful and reliable. The same applies to braking data.
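To make the point about speed data concrete, here is a small model of the pre-crash buffer design that such a recorder needs: sensors are read on every tick, the last few seconds are held in a volatile ring buffer, and only when a trigger fires is that window frozen, extended with a short post-trigger tail, and locked. This is an added example written for this post, not code from NHTSA, any manufacturer, or the regulation; the sampling rate, window sizes, trigger threshold, the simulated drive, and the data fields are all constructed assumptions, and what a real unit stores is set by the Part 563 lists cited above.

```python
from collections import deque

SAMPLE_HZ = 10           # sensor sampling rate (assumption)
PRE_SECONDS = 5.0        # pre-trigger history kept in volatile memory (assumption)
POST_SECONDS = 0.5       # post-trigger tail appended before the record locks (assumption)
DELTA_V_TRIGGER = 8.0    # speed drop in km/h between two samples that counts as an impact (assumption)


class EventDataRecorder:
    """Model of a pre-crash ring buffer.

    Samples are taken continuously, but only the most recent PRE_SECONDS
    of them exist at any moment, and only in volatile memory. When the
    trigger fires, that window is copied into a record, POST_SECONDS more
    samples are appended, and the record is locked against further writes.
    Timestamps are seconds since the recorder started, not wall-clock time,
    and no vehicle identifier is stored: those are the fields the post
    argues a real unit must add to make aggregate data usable.
    """

    def __init__(self):
        self._ring = deque(maxlen=int(PRE_SECONDS * SAMPLE_HZ))
        self._tick = 0
        self._record = None
        self._post_remaining = 0
        self._last_speed = None

    def sample(self, speed_kph, brake_on):
        """Called once per sensor tick, whether or not a crash ever happens."""
        t = self._tick / SAMPLE_HZ
        self._tick += 1
        point = {"t": t, "speed_kph": speed_kph, "brake": brake_on}

        if self._record is not None:
            # Triggered: append the short post-trigger tail, then ignore everything.
            if self._post_remaining > 0:
                self._record["samples"].append(point)
                self._post_remaining -= 1
            return

        self._ring.append(point)  # oldest sample silently falls off the far end
        if self._last_speed is not None and self._last_speed - speed_kph >= DELTA_V_TRIGGER:
            self._record = {"trigger_t": t, "samples": list(self._ring)}
            self._post_remaining = int(POST_SECONDS * SAMPLE_HZ)
        self._last_speed = speed_kph

    @property
    def record(self):
        """The locked crash record, or None if no trigger has fired."""
        return self._record

    def held_window_seconds(self):
        """Seconds of history currently in volatile memory, never more than PRE_SECONDS."""
        return len(self._ring) / SAMPLE_HZ


def speed_before(record, seconds):
    """Speed at the sample closest to `seconds` before the trigger."""
    target = record["trigger_t"] - seconds
    closest = min(record["samples"], key=lambda p: abs(p["t"] - target))
    return closest["speed_kph"]


def simulate_drive():
    """Constructed drive: 30 s cruising at 60 km/h, 2 s of braking, then an impact."""
    edr = EventDataRecorder()
    for _ in range(30 * SAMPLE_HZ):
        edr.sample(60.0, False)
    speed = 60.0
    for _ in range(2 * SAMPLE_HZ):
        speed -= 1.0                 # gentle braking, 10 km/h per second, below the trigger
        edr.sample(speed, True)
    edr.sample(5.0, True)            # impact: 40 -> 5 km/h in one tick fires the trigger
    for _ in range(3 * SAMPLE_HZ):
        edr.sample(0.0, True)        # stopped; only POST_SECONDS of this is kept
    return edr


if __name__ == "__main__":
    rec = simulate_drive().record
    print("trigger at", rec["trigger_t"], "s;",
          len(rec["samples"]), "samples kept, from", rec["samples"][0]["t"], "s")
    print("speed 1 s before impact:", speed_before(rec, 1.0), "km/h")
```

The design choice worth noticing is the split between sampling and retention: the speedometer and brake switch are read on every tick, which is the sense in which collection is continuous, while the memory footprint stays at a fixed window regardless of how long the car is driven. Whether a given unit also writes the pre-crash window somewhere persistent before any trigger, and what identifiers ride along with it, are exactly the questions the announcement leaves open.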
2. The program announcement is incomplete. It did not list the meta data collected. For the NHTSA to effectively use the aggregate data collected, meta data is required. I've mentioned above four types of meta data: make, model, date, and time. There are plenty more data elements.
3. The program announcement is incomplete. It does not address data security and retention. Where will NHTSA save the data collected? How will data transmission from EDRs to NHTSA computers be protected? Will it be encrypted? How long will EDRs save the data collected? How long will NHTSA computers save the data collected?
4. The program announcement is incomplete. It does not address data sharing and privacy. What other government agencies and corporations will the NHTSA share the data with? One can easily imagine scenarios where auto dealers, insurance companies, and others would love access to consumers' EDR data. Claiming the NHTSA won't use the data without the vehicle owner's consent is not enough. A complete privacy policy would outline the government agencies and companies the NHTSA would share the data with.
Obviously law enforcement agencies (federal and local) would love to access the data collected by EDRs. So would spy organizations like the NSA.
5. Important details seem to vary greatly and are dependent upon state laws -- which aren't necessarily consumer-friendly. What happens when a vehicle is sold, stolen, or crashed beyond repair? In these instances, what are the rights and responsibilities of the vehicle owners? According to an Edmunds news report:
"In most states, the current vehicle owner, or their legal representative, can give or withhold permission to download EDR data... Courts can subpoena EDR data through court orders and some states collect data under their existing laws governing crash investigations.... It's an extremely complex area... auto insurance policies can contain an "Agreement to Cooperate" clause. Such language allows an insurer access to EDR data if it wants it. However, some states have statutes that override these provisions... When a vehicle is sold, the EDR data becomes the property of the new owner... if a car is in a crash and is deemed a total loss by an insurance company, the insurer now owns the vehicle. The insurance company can then access the data on the EDR and could possibly use it in legal proceedings against the former owner..."
6. Can data collection consent by the owner be revoked? In this instance, what happens to data saved by the NHTSA?
7. Since data collected by an EDR would be the property of the vehicle owner that EDR is installed in, can the vehicle owner download data from their vehicle's EDR? If not, why not?
8. How will compliance be performed? The compliance issues I see:
- That EDRs operate as promised
- That the NHTSA does not collect data from vehicle owners that don't provide consent
- That the NHTSA performs adequate data security for data collected
I am sure that there are more issues.
9. How are vehicle owners protected against abuses using the data collected?
In response to the NHTSA rules, several Congressional House representatives proposed in June 2013 the Black Box Privacy Protection Act (HR 2414):
"To require automobile manufacturers to disclose to consumers the presence of event data recorders, or `black boxes', on new automobiles, and to require manufacturers to provide the consumer with the option to enable and disable such devices on future automobiles."
First, congratulations to Representatives Michael Capuano (D-MA) and Frank Sensenbrenner (R-WI) for taking the lead on consumer privacy by introducing HR 2414. It is a good first step. The proposed bill has been sent to a committee for further discussion.
The bill allows auto dealers to access EDR data for diagnosing, servicing, or repairing vehicles. How will data usage be limited to these activities? Other systems (e.g., Onstar by GM) in cars send out notifications after a crash. What EDR data elements do these systems access, save, and transmit?
I'd like to see the proposed bill strengthened beyond simply requiring auto manufacturers to notify consumers that their car has an EDR:
- Requirements for auto manufacturers to provide consumers with privacy policies before and after auto purchase (or rental) that describe the data collected, shared, and retained by EDRs,
- Clear opt-in mechanisms and consent for consumers to authorize the NHTSA with data collection,
- More protections for consumers regarding abuses, lack of privacy policy notification, and unauthorized data sharing,
- Clarification of rights and responsibilities (for consumers, the NHTSA, and auto manufacturers),
- A complete listing of meta data collected.
EDRs are another example of technologies that facilitate the collection of data about consumers by governments; data that is ripe for sharing and abuse. Other examples include utility smart meters, drones, automated license plate readers, and mobile devices. This trend makes it imperative for consumers to demand privacy protections and policies from governments and vendors.
What is your opinion of EDRs? Of the Black Box Privacy Protection Act?