
Senator Releases Report Calling For Greater Automobile Security And Privacy

Earlier this month, Senator Edward Markey (D-MA) issued a report calling for greater automobile security and privacy for consumers. The "Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk" report included questions Senator Markey posed to 16 automobile manufacturers during 2014. The questions focused upon how vehicles might be vulnerable to hackers, and how driver information is collected and protected.

Senator Markey sent letters to the following automobile manufacturers:

Automobile Manufacturers Queried
1. Aston Martin The Americas
2. Audi of America**
3. BMW North America*
4. Chrysler Group LLC*
5. Ford Motor Company*
6. General Motors*
7. American Honda Motor Co. Inc.*
8. Hyundai Motors North America*
9. Jaguar Landrover LLC*
10. Automobili Lamborghini America
11. Mazda North American Operations*
12. Mercedes-Benz USA*
13. Mitsubishi Motors North America*
14. Nissan North America*
15. Porsche Cars of North America*
16. Subaru Motors America*
17. Tesla
18. Toyota North American Region*
19. Volkswagen Group of America*
20. Volvo North America
*Provided responses to Senator Markey's inquiry letters.
** Audi's response was included with Volkswagen's submission.

Some of the questions asked:

  • How does the company assess whether there are vulnerabilities related to technologies it purchases from other manufacturers as well as wireless entry points of vehicles to ensure malicious code or other infiltrations cannot occur? 
  • Does the company utilize independent third parties to test for vulnerabilities to wireless entry points? 
  • Do any vehicles include technology that detects or monitors for anomalous activity or unauthorized intrusion through wireless entry points or wireless control units? And how are reports of unauthorized intrusion or remote attack responded to?
  • Has the company been made aware of any intentional or inadvertent effort to infiltrate a wireless entry point, and what, if any, changes were made to protect vehicles from vulnerabilities in the future? 
  • What types of driving history information can be collected by navigation technology or other technologies, and is this information recorded, stored, or sold? 
  • Has the company received any request for data related to the driving history of drivers, and what were the reasons and final disposition of the requests? 
  • Which vehicles include technologies that can enable the remote shutdown of a vehicle, and are consumers made aware of this capability before purchase, lease or rental of the vehicle?

Regarding automobile data security, the report found four trends:

  1. Almost all vehicles (nearly 100 percent) include wireless technologies that could pose vulnerabilities to hacking.
  2. Most manufacturers were unaware of or unable to report on past hacking incidents.
  3. Security measures to prevent unauthorized, remote access are inconsistent and haphazard across manufacturers.
  4. Only two manufacturers were able to describe any capabilities to identify, diagnose, and/or respond to unauthorized access or hacking in real-time. Most said they rely on technologies that cannot be used for this purpose at all.

Regarding privacy, the report found:

  • Auto manufacturers collect large amounts of data about driving history and vehicle performance.
  • A majority of automakers offer technologies that collect driving history information and transmit it wirelessly to data centers, including third-party data centers. Most did not describe effective means to secure the information collected.
  • Manufacturers use the collected data in several ways, described only vaguely (such as to “improve the customer experience”), and involve third parties. How long the collected data is retained varies greatly across manufacturers.
  • Often, customers are not told about the data collection. When they are told, often they cannot decline or opt out of the data collection without disabling valuable features (e.g., navigation).

Download the "Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk" report (Adobe PDF). After reading it, I had several reactions. First, I would love to know why Aston Martin, Lamborghini, and Tesla failed to respond. Are data security and privacy not important to them? If they are important, then does their failure to respond indicate some internal disorganization?

Second, I was struck by the lack of focus on data security among the respondents. Websites and mobile apps provide terms of use and privacy policies. Mobile device manufacturers (e.g., laptops, tablets, smart phones) also provide these policies. Telecommunications providers do, too. Many mobile apps do, too. Why not auto manufacturers? Do they consider themselves a special, exempt class? All auto manufacturers should provide consumers before purchase with terms-of-use and privacy policies that fully discuss data collection, data retention, and data sharing. After purchase, they should inform consumers of changes to those policies.

Third, the lack of focus by auto manufacturers on data security and privacy is an alert to the hackers, identity thieves, and fraudsters worldwide that these autos are vulnerable. While writing this blog, I have learned that the bad guys are persistent, creative, and possess the same equipment, software, and technologies as the good guys. Autos contain computing technologies that are similar to other mobile devices (e.g., laptops, smart phones, tablets, fitness devices, and wearables). Autos should have the same data security protections: firewalls, anti-virus software and updates, and so forth. So, it makes sense to keep a strong focus on data security and privacy.

Fourth, the lack of focus by auto manufacturers on data security and privacy is an alert to governments and spy agencies worldwide. Why? They already perform surveillance using other mobile devices. Autos are just another mobile device they'll add to their lists.

The lack of focus represents a data security and privacy disaster of epic proportions in the making.

What do you think of the automobile security and privacy report?

Comments


Chanson de Roland

Reading Sen. Markey's report, I noted at least these three things. First, Sen. Markey is focused on how an automobile's (auto's) systems for collecting data can compromise the driver/owner's privacy, and do so in ways that are unnecessary or not even advisable for the performance, safe operation, or convenient operation of autos. So once again, user/consumer's privacy is being compromised for the sake of profit without any consideration paid to consumers for the expropriation of their personal information; without any sufficient legal justification for doing so and in a manner that is contrary to the customary principles that determine ownership of intangible intellectual property, i.e., our personal information; without the user/consumer's consent to the expropriation and use of his personal information; and most often even without any notice to consumers that their personal information is being collected and used.

Second, Sen. Markey is focused on safety in both the operation of the autos and in protecting the personal information collected from our autos from being expropriated and/or misused. Safety of autos is pretty obvious, though the threats are many, being limited by only the imagination. Just collecting information about our driving habits can expose us to all manner of threats, but, where, as is the case for modern autos, computers control so much of an auto's critical operations, malefactors can easily use malware to clandestinely seize control of an auto to do everything from simply monitoring a driver without his knowledge to even seizing control of his car, while he is driving it.

The safety of the personal information that's collected from our autos is another great threat, because, while profit has motivated makers of autos to implement systems for collecting our personal information for their profit, that same desire for the greatest possible profit has caused them to reduce costs by not making the expenditures to implement even the most basic safety measures to protect the personal information, which they collect, from being stolen and misused, with the potential for great, if not disastrous, harm to the owner and drivers of the autos that they make.

This would make for a pretty depressing picture of yet another breach of our privacy and theft of our personal information, which has become the epitome of the revenue model that funds the profits of much of today's Internet companies and applications. To wit: The website, app, device, service, etc., expropriates our information without any meaningful consent or most often without even any notice, and uses our stolen information to generate their revenues and profits.

But Sen. Markey's report, which I hope that he sent to the general counsels of each of the auto makers, which are listed, supra, has put those auto makers on notice that the devices and software in their autos expose owners and drivers of those autos to danger from the misuse of their collected data; that the computer systems in their autos pose danger to both the safe operation of the autos and the misappropriation of our collected personal information by malefactors. That notice imposes the obligations of tort law, property law, IP (intellectual property) law, contract law, consumer protection law, privacy law, and various state and federal statutory law on auto makers. If they refuse to honor those obligations, I am certain that my brethren at the bar and injured consumers will seek to hold them accountable for the harm caused by their irresponsible and rapacious conduct in the courts.

Also—and this is something that will shock and prejudice us all—the personal information that auto makers now collect will be available to the government and particularly to government prosecutors for all of their purposes, both legitimate law enforcement and surveillance, as well as illegitimate despotism and tyranny, and will be available to private lawyers for all manners of civil suits, ranging from divorce actions to contract disputes to the entire scope of civil actions. So, by collecting our personal information for their profit, auto makers have created great dangers for democratic government and have also exposed us all to jeopardy of lawsuits in ways that simply did not exist before and which need not exist now if we recognize that we are the owners of our personal information and proceed to regulate auto makers accordingly, both to protect our autos and our personal information from expropriation and misuse.

Will we rise up and insist on our rights? Or will we simply let this too slip by until it causes harm to society as a whole and/or to us individually?
