Given the explosive growth in the connectivity of every day “things,” several government agencies are focused on how best to support innovation and the benefits of an increasingly connected, data driven society, while weighing options for mitigating the cybersecurity and privacy risks relating to the Internet of Things. The pace of development with respect to connected cars and autonomous vehicles has drawn particular attention.
Most recently, in January 2018, the Federal Trade Commission (FTC) issued a “Staff Perspective” on the Connected Cars Workshop hosted by the FTC and National Highway Traffic Safety Administration (NHTSA) last June 28, 2017. Workshop participants included representatives from across private industry, government agencies, consumer groups, and academia. While the FTC recognizes that autonomous vehicles have the “potential to revolutionize motor vehicle safety,” the Staff Perspective summarizes the key takeaways from the one-day workshop specific to discussions around consumer privacy and cybersecurity concerns associated with connected vehicles.
- A Variety of Stakeholders in the Connected Car Ecosystem will Collect Data for Different Purposes
The Staff Perspective recognizes that a range of organizations in the connected car environment will collect data from vehicles, including not only vehicle manufacturers, but insurers, app developers, and other entities that provide services such as entertainment content delivery, regulatory diagnostics, and features yet to be developed. Much of this data will be used for safe vehicle operation, such as vehicle-to-vehicle (V2V) speed and position data used to navigate traffic and avoid accidents. However, developers of infotainment systems, for example, may collect and use data to enable consumers to utilize functions such as navigation, music, phone contacts, and the Internet. Similarly, third-party providers may collect and transmit information about consumer driving habits for diagnostics and big data analytics, including, for example, to price insurance.
Workshop participants recognized that certain data uses are critical to autonomous vehicle use and safety, while other data collection is merely for consumer convenience. Other uses were perceived as harmful; for example, some participants expressed concern about insurance companies using driving data to raise rates or penalize safe drivers who opt out of data collection.
- The Sensitivity of Data Collected Will Vary
The Staff Perspective also recognizes that the sensitivity of the collected data will vary across the privacy spectrum. Specifically, participants recognized degrees of privacy concerns ranging from those associated with less sensitive anonymized, aggregate data used for traffic management purposes, to information about specific vehicle performance and gas mileage, for example, to highly sensitive personal information showing driver location or biometric data used for authentication purposes.
- Data May be Used for Unexpected Purposes
Because of the range and volume of data collected, the Staff Perspective further recognizes that consumers might be concerned about “secondary, unexpected” uses of the data, such as the sale of personal information to third parties who in turn use the information to target products to consumers. Accordingly, participants discussed transparency about data collection and use, and consumer consent and opt-out options.
With respect to these three key issues associated with the collection and use of a variety of types of data associated with connected vehicles, participants at the workshop underscored the importance of addressing privacy concerns to encourage consumer adoption of connected car technologies. Workshop participants discussed the need to consider different approaches to data collection and use depending on whether the particular data being collected is necessary for safety and autonomous vehicle operation or, conversely, whether it involves personal information collected for non-critical uses. Participants also noted the need for consumer input, education, and choice.
The Staff Perspective recognizes the important initiatives already underway in the industry, including the Consumer Privacy Principles of the Alliance of Automobile Manufacturers and Global Automakers and the collaboration between the National Automobile Dealers Association and the Future of Privacy Forum to produce consumer education about the information that may be collected, guidelines for collection and use, and consumer options for such collection and use.
- Cybersecurity Concerns
Finally, the Staff Perspective also summarizes workshop discussions focused on the cybersecurity risks posed by connected and autonomous vehicles. Noting that hackers no longer need physical access to a vehicle to cause harm, participants recognized that malicious actors pose a myriad of potential threats. External actors can hack into a single vehicle for malicious purposes, attack a large number of connected cars simultaneously, or target our transportation systems to cause significant risks to public safety and welfare.
The Staff Perspective describes several cybersecurity best practices to address some of the security risks associated with connected vehicles, including (i) sharing threat intelligence and vulnerability information through industry groups; (ii) specific network design solutions such as, for example, segregating safety functions from non-critical safety functions; (iii) risk assessment and mitigation throughout the vehicle lifecycle (from design and development through end-of-life); and (iv) industry self-regulation and standard setting to establish baseline security measurements.
Lastly, the Staff Perspective notes a couple of pertinent developments since the workshop took place last June. In particular, the NHTSA and U.S. Department of Transportation released new federal guidance pertaining to automated vehicles, Automated Driving Systems 2.0: A Vision for Safety, on September 12, 2017. In addition, the U.S. House of Representatives passed the Safely Ensuring Lives Future Development and Research in Vehicle Development (SELF DRIVE) Act (H.B. 3388) (https://energycommerce.house.gov/selfdrive/). The bill would require autonomous vehicle manufacturers to develop written cybersecurity and privacy plans. The bill also would require the NHTSA to develop a rulemaking and safety priority plan for highly autonomous vehicle standards and require the FTC to conduct a study and submit a report to Congress on privacy issues relating to the highly autonomous vehicle ecosystem. Although not discussed in the Staff Perspective, we also note that the U.S. Senate introduced The American Vision for Safer Transportation through Advancement of Revolutionary Technologies (AV START) (S. 1885) in September 2017 that proposes a variety of legislative changes relating to the development of self-driving transportation. However, the AV START bill hit a roadblock in the Senate in early February 2018: according to reports, at least three senators have placed holds on the bill due to concerns about safety and that the bill does not go far enough to regulate developers of autonomous vehicles. Consequently, issues surrounding autonomous and connected cars will likely be a continued point of discussion by Congress in the coming months.
Given the rapid pace of development in vehicle automation and connectivity, industry, government, consumer groups, and other stakeholders will undoubtedly continue to collaborate on best practices and examine policy to strike a balance between innovation and consumer protection.
 Bryan Koenig, FTC Chief Says Connected Cars Require ‘Regulatory Humility’, Law360 (June 28, 2017), https://www.law360.com/articles/939274/ftc-chief-says-connected-cars-require-regulatory-humility-.
 Office of U.S. Senator John Thune (September 28, 2017), Thune Introduces Bipartisan Autonomous Vehicle Legislation [Press Release], retrieved from https://www.thune.senate.gov/public/index.cfm/2017/9/thune-introduces-bipartisan-autonomous-vehicle-legislation.
 John D. McKinnon, Self-Driving Car Legislation Stalls in the Senate, Wall Street Journal (February 12, 2018).