Test Driving Privacy and Cybersecurity: Regulation of Smart Cars
Written by Joseph Jerome
The modern automobile is less a mechanical device and more an intricate computer. Regulating the privacy and security risks presented by a computer on wheels has its challenges: as technologist Bruce Schneier said to the House Energy and Commerce Committee in a hearing on IoT last Wednesday, the average connected device has “crossed four regulatory agencies and it’s not even eleven o’clock.” This dynamic is particularly true in the automated vehicles context, but the issue went unexplored in the Committee’s hearing on self-driving vehicles the day prior.
CDT has noted that creating standards, addressing privacy concerns, and developing infrastructure to support smart cars are pressing concerns. But there remains confusion about which regulatory agency should be in the proverbial driver’s seat.
The regulation of smart cars – and various technologies within these vehicles – has been complicated by conflicting regulatory priorities and overlapping jurisdiction held by the National Highway Traffic Safety Administration (NHTSA), the Federal Trade Commission (FTC), and the Federal Communications Commission (FCC).
The Road Should Begin at NHTSA
Regulating autonomous vehicles should begin with the NHTSA. The agency has broad authority to regulate “motor vehicle safety” and has experience dealing with automakers and vehicle components and technologies. While NHTSA has already made it quite clear that regulating autonomous technologies falls within its responsibilities for addressing vehicle safety, it is less clear how it might regulate with regard to privacy and cybersecurity.
NHTSA has sent mixed signals on whether privacy and cybersecurity are safety priorities. The agency has taken some steps to establish regulatory authority on these issues, arguing that vehicle-to-vehicle (V2V) readiness will encompass data security and privacy standards, and has published a set of non-binding cybersecurity best practices in October. The best practices detail protections such as encrypting access to vehicle firmware and segmenting internal safety communications, but they are largely aspirational in several important policy areas. They provide little guidance for companies on how to collaborate with security researchers and independent third-party security auditors, for example, or ways to improve supply chain transparency.
On driver privacy, it is less clear how the agency views its role. NHTSA’s automated vehicles policy provides only cursory privacy guidance, directing companies in the autonomous ecosystem to model their practices after a 2014 set of privacy principles released by automakers. While focusing on privacy and committing publicly to set of principles was an important first step, how or whether they are implemented in practice will be the true test. NHTSA must address important privacy considerations regarding driver data, such as when and how to de-identify data, enacting data minimization, and setting data retention limits.
The Federal Trade Commission’s Role in the Passenger Seat
If NHTSA is in the driver’s seat with respect to policing automotive privacy and cybersecurity, the Federal Trade Commission (FTC) is riding shotgun. While NHTSA prioritizes safety, the Commission’s consumer protection mandate and authority to monitor unfair and deceptive business practices should readily extend to automakers’ public privacy statements and baseline responsibility to implement reasonable security measures.
Connected cars are certainly on the FTC’s radar. FTC staff recently filed comments with NHTSA on approaches to protecting user privacy and cybersecurity in communications between vehicles. Additionally, Commissioner Ohlhausen called on automakers to consider their privacy and security issues as similar to other consumer technology-focused industries, while Commissioner McSweeny warned that the FTC takes seriously its “responsibility in helping signatories adhere to industry best practices.”
Currently the FTC’s authority is inherently limited. It lacks any specific jurisdiction or expertise on motor vehicles, and it has no authority to issue privacy or security rules in this space. There have been legislative efforts to empower the FTC in this area. For example, lamenting the “inconsistent and incomplete” state of automotive security and privacy practices, Senator Markey last year proposed the SPY Car Act, which would have given the FTC a more explicit role. The legislation would require the FTC to consult with NHTSA to establish privacy and security standards and also mandate the two agencies to develop “cyber dashboard” stickers. As Senator Markey identified, the two agencies have complementary missions, and there appears to be ample room for the two to collaborate in this space.
Keeping Tabs on Vehicular Communications
The role of the Federal Communications Commission (FCC) in regulating smart cars is something of a wild card. The Commission has widespread power to regulate technologies it designates as telecommunications services, which includes broadband internet access. This authority suggests that the FCC could be a significant player in establishing privacy and security standards for various communications technologies supporting connected vehicles. Further, while the 2015 Open Internet Order currently excludes “limited-purpose devices such as automobile telematics” from regulation under Title II, there is little stopping the Commission from wading into the fray in the future.
More importantly, as spectrum regulators, the FCC controls the allocation of 75 MHz of spectrum for use in vehicle safety and mobility applications. Dedicated Short Range Communications, or DSRC, will soon allow vehicles to communicate with the world around them. While safety applications have been prioritized, DSRC will also facilitate commercial uses such as mobile payments and advertising down the road. As a result, the FCC is currently considering a potential rulemaking to protect the privacy of drivers with DSRC-enabled vehicles. The FCC also has pledged to work closely with both NHTSA and the FTC on an array of “interrelated issues” implicated by smart cars.
Getting privacy, security, and safety policies right for smart cars is crucial. With state and federal lawmakers, advocacy groups, and industry pursuing different strategies for addressing privacy and cybersecurity in automobiles, there should be more public cooperation among federal regulators. NHTSA has the subject-matter expertise, while the FTC and FCC have different technical and enforcement capabilities in the realm on privacy and data security. Whether or not a jurisdictional gap ultimately exists, drivers will benefit by having all three agencies working together and on the same page.