Follow-up Comments for the FTC / NHTSA “Connected Cars – Workshop, Project No. P175403

The connected vehicle ecosystem consists of a growing network of automakers, telecom companies, telematics service providers, insurance companies, and a host of other players sprawled across disparate distribution channels. To add to an already crowded landscape, automakers are proactively harnessing partnerships with AI developers and ride-sharing companies, as well as entertainment and social media companies like Facebook that are eager to have a in-vehicle presence.

At the same time, there have been growing calls for a more cautious and measured approach to increasing online connectivity and vehicle data sharing. We applaud the FTC and NHTSA’s recent workshop, and more recently, were pleased to see a number of important privacy and security provisions including in bipartisan legislation that passed out of the House Energy and Commerce Committee to facilitate autonomous vehicle deployment. For example, the SELF DRIVE Act requires the preparation of written privacy plans, the formation of a Highly Automated Vehicle Advisory Council, and envisions further reports by the FTC.

We note that the FTC/NHTSA workshop addressed a variety of unique concerns raised by connected vehicles, but that commentators’ predominant focus was on vehicle cybersecurity. To their credit industry players have demonstrated a degree of proactivity and willingness to address these risks. Automakers, or original equipment manufacturers (OEMs), now share security information through the Automobile Information Sharing and Analysis Center (Auto-ISAC). However, there is still a long way to go. As we noted in our previous comments to the FTC and NHTSA motor vehicle security research is still in its infancy, and the public lacks any meaningful insight into automakers’ data security practices.

Better transparency will be a key driver to improving consumer trust in the connected car ecosystem. As the workshop reiterated, the 2014 Automotive Privacy Principles emphasize transparency as a primary mechanism for detailing OEMs’ commitment to consumer privacy protections, with a focus on exploring a variety of methods to provide clear, meaningful notices. However, in the near three-year period since the adoption of the Privacy Principles, it continues to be unclear how far automakers have moved beyond traditional notice and consent principles to improve transparency for consumers. CDT encourages the OEMs to work together to promote standardized privacy and security disclosures under the Privacy Principles; in particular, we suggest a focus on defining the baselines for data security, notice mechanisms, and sharing with law enforcement.

In order to offer concrete guidance to the industry in these areas, CDT has teamed up with the Usable Privacy Policy Project at the Carnegie Mellon University (CMU) examine one narrow area of the connected car ecosystem: the mobile apps provided by OEMs to facilitate driver access to information on or about their vehicles. Through a combination of natural language processing and static analysis, the CMU team built the Mobile App Compliance System (System). The System is designed to review mobile app privacy policies and compare those disclosures against each app’s actual data use, collection and sharing practices. We tested a total of 32 Android mobile apps offered by the 19 automaker signatories to the Privacy Principles. The System yielded key insights into areas for improvement in notice and transparency, raising the potential utility of technical solutions that users and regulators alike can leverage to manage the growing connected cars economy.