Privacy Regulations Needed for Next-Gen Cars | Threatpost

Driverless automobiles, long-haul trucks and military transport vehicles are on a fast track for wide deployment over the next five to 10 years. That much is clear.

Vehicle manufacturers are all in, and innovation is racing forward. Meanwhile, captains of industry and political leaders are eager to reap the benefits of autonomous transportation.

The big pros: more efficient travel, less pollution, improved vehicle utilization and a leadership role for the United States in autonomous vehicle innovation. This is according to a 2017 report from The Center for the Study of the Presidency and Congress, a nonprofit and nonpartisan think tank.

Of course, allowing a computer to autonomously control powerful, fast-moving machines carrying fragile humans implies safety risks. However, the major safety concerns are clearly delineated and should be straightforward to address. And experts say vehicle travel actually should be much safer with a computer behind the wheel.

The stickier matter is how to address a slew of murky privacy concerns spinning out of the rise of driverless cars and trucks. State and federal regulators have begun shaping regulations to address both safety and privacy concerns, and industry standards are being hashed out as well. However, it’s anyone’s guess, at this point, what blend of rules and best practices will ultimately emerge.

“We should expect legislative requirements related to vehicle upkeep, including mechanical, electrical and software systems,” said Rusty Carter, vice president of product management at Arxan Technologies, a San Francisco–based supplier of application security systems.

When it comes to preserving the privacy of the occupants of driverless vehicles, however, the burden still rests with the individual.

At present, vehicle owners are tasked with vigilance.

“Consumers need to remain vigilant and exercise their rights to limit collection and use of any data that is collected,” said Elizabeth Rogers, a privacy and data security partner at Michael Best & Friedrich. “Varying levels of consent should be incorporated into the design of these systems, with express consent being required before sharing a consumer’s unique and individualized driver data.”

Next Great Interface

Autonomous vehicles are destined to become our next major user interface.  Between our smartphones, smart homes, smart workplaces and smart cars, we’ll have multiple connected devices tracking and analyzing our behaviors during every waking moment.

“Autonomous vehicles are driving the transition from a hardware-driven machine to a software-driven electronics device,” said Dinakar Munagala, president of Thinci, an El Dorado Hills, Calif.–based startup developing computing platforms for the auto industry.

Driving today requires a human’s full attention. But cars are rising steadily up the Society of Automotive Engineers’ zero to five scale of vehicle autonomy. Most cars today are at level 0: equipped with automated systems that can send warnings, and temporarily intervene, but not able to control the vehicle on their own.

But more and more models are being delivered at level 2, where automated systems can take over steering, accelerating and braking, though the driver must stay ready to intervene. And a few models have achieved level 3, at which the driver can divert his or her attention for brief periods, say to watch a video or answer email.

Level 4 widens the circumstances under which self-driving can take place, and at level 5, human driving is completely eliminated. “The major automakers predict the arrival of completely autonomous vehicles in 2020, at the earliest, out to 2025 in the midrange, and 2030 at the furthest,” Thinci’s Munagala told Threatpost. “We’re inclined to believe it will be the earliest date.”

V2X Model

Wide use of level 5 vehicles will require the kicking into high gear of next-gen business networks that make intensive use of IoT and AI. “The industry is trying to move toward a vehicle-to-everything (V2X) connected model where cars will not only talk to each other, but also to the infrastructure around them and possibly more,” said Stacy Janes, chief security architect at Irdeto’s connected transport division.

Irdeto is a 50-year-old, Amsterdam-based supplier of antipiracy software used by big media companies to preserve digital rights. It recently set up shop in Detroit to direct that expertise toward securing dashboard systems of driverless vehicles.

Janes, like other security experts, has no doubt that cybercriminals are tracking all of these developments – and preparing to take full advantage. “Attackers will often use weak entry points to gain access and move to more valuable targets,” Janes told Threatpost. “The eventual V2X network will be exposed to such attacks, with possible safety risks and disruption of transportation as the result.”

Bryson Bort, chief executive officer of Scythe, an Arlington, Virg.–based supplier of pen-testing tools, said he anticipates hacktivists and purveyors of ransomware will readily adapt to the expanded attack surface autonomous vehicles afford.

“We have to worry about data integrity,” Bort said. “We’ve seen how it is possible to affect the data AI collects, with the simple example of how putting tape on a stop sign can cause the car to misinterpret the sign.”

Bort said he believes that when autonomous vehicles hit critical mass, federal authorities will be compelled to designate them as critical infrastructure.

Europe and Canada have drawn regulatory lines, but the U.S. has yet to enact comprehensive data privacy law.

Privacy Muddle

It’s not just criminal hackers that are of concern. With the automotive and tech sectors charging hard toward fresh sources of revenue associated with the rise of a V2X economy, privacy controversies rage on.

“Manufacturers are already looking at how to monetize all of this wonderful new data they are collecting from enhanced sensors and increased connectivity,” said Bort.

Europe and Canada have drawn hard regulatory lines that put individual citizens in firm control of their personal data. But in the U.S., no comprehensive data privacy law yet exists. That complicates achieving a broad consensus about how to approach both safety and privacy issues. For example, 17 states and the District of Columbia today have statutes relating to data retrieval from the event data recorders carmakers began installing in 2013. Yet only North Dakota’s law specifically refers to data privacy, says Rogers, the privacy attorney.

Meanwhile, the National Highway Traffic Safety Administration in December 2016 proposed regulating vehicle-to-vehicle (V2V) communications, in particular the collection of speed and location data, as well as any information about the number of occupants. Then, in mid-2017, NHTSA held a workshop with the Federal Trade Commission to commence discussion of privacy and security issues relating to driverless cars.

Rogers believes it is unlikely any federal laws specifically addressing data privacy of autonomous vehicles will be forthcoming anytime soon.

That said, something has to give. On the one hand, commercial interests, including carmakers, are proactively plotting ways to resell blocks of location data and data collected by onboard cameras, microphones and other sensors. According to a recent CBS News report, carmakers are looking into selling data to mapping companies as well as to developers of apps that monitor traffic conditions.

Meanwhile, privacy advocates, led by the Washington D.C.–based Electronic Privacy Information Center, or EPIC, are pushing back with calls for more European-like, citizen-centric privacy rules. As driverless cars, facial recognition systems and other IoT systems gain traction – and stir privacy debates – the federal government may yet be forced to address data privacy at a national level.

“Autonomous vehicles will likely be swept up, like all other industries, by a federal data privacy law that regulates the way that all businesses collect, store, process and share consumer data,” Rogers said. “That’s likely to include a consumer bill-of-rights, similar to California’s Consumer Privacy Act.”

Critical Maintenance

Meanwhile, there is one fundamental safety issue that must likewise be fully addressed: how to keep autonomous vehicles mechanically safe over the longer haul.

Jennifer Tisdale, director of connected mobility and infrastructure at Grimm, an Arlington, Virg.–based embedded systems security firm, observed that our smartphones and laptop computers generally become obsolete and get replaced by more secure versions every 24 months. However, cars today stay on the road for 150,000 to 200,000 miles, typically changing owners multiple times, she said.

“We have to look at security through that entire lifecycle of the car because there is a lot at stake,” Tisdale said.

Grimm recently opened a facility in Sparta, Mich., to add autonomous vehicle systems research to the proprietary projects it normally handles for U.S. military and intelligence agencies.

“If you’re an adversary, you’re not going to hack a car during the R&D phase, because you don’t have access to it,” Tisdale said. “But the longer the car is on the road, the more time people will have to tinker with it and gain an understanding about how vehicles are networked together.”

One approach could be to treat driverless cars as we do passenger aircraft, said Arxan’s Carter. It is not out of the realm of possibility that the NHTSA might one day take on oversight duties similar to how the Federal Aviation Administration governs safety of air travel.

“To maintain public safety, we should expect that vehicles controlled by software systems will incur much more stringent requirements for operation, just as we have with requirements around aircraft maintenance and safety,” Carter said. “Ultimate liability in collisions will likely hinge on maintenance hygiene and record keeping.”