The connected vehicle ecosystem consists of a growing network of automakers, telecom companies, telematics service providers, insurance companies, and a host of other players sprawled across disparate distribution channels. To add to an already crowded landscape, automakers are proactively harnessing partnerships with AI developers and ride-sharing companies, as well as entertainment and social media companies like Facebook that are eager to have a in-vehicle presence.
At the same time, there have been growing calls for a more cautious and measured approach to increasing online connectivity and vehicle data sharing. We applaud the FTC and NHTSA’s recent workshop, and more recently, were pleased to see a number of important privacy and security provisions including in bipartisan legislation that passed out of the House Energy and Commerce Committee to facilitate autonomous vehicle deployment. For example, the SELF DRIVE Act requires the preparation of written privacy plans, the formation of a Highly Automated Vehicle Advisory Council, and envisions further reports by the FTC.
We note that the FTC/NHTSA workshop addressed a variety of unique concerns raised by connected vehicles, but that commentators’ predominant focus was on vehicle cybersecurity. To their credit industry players have demonstrated a degree of proactivity and willingness to address these risks. Automakers, or original equipment manufacturers (OEMs), now share security information through the Automobile Information Sharing and Analysis Center (Auto-ISAC). However, there is still a long way to go. As we noted in our previous comments to the FTC and NHTSA motor vehicle security research is still in its infancy, and the public lacks any meaningful insight into automakers’ data security practices.
Better transparency will be a key driver to improving consumer trust in the connected car ecosystem. As the workshop reiterated, the 2014 Automotive Privacy Principles emphasize transparency as a primary mechanism for detailing OEMs’ commitment to consumer privacy protections, with a focus on exploring a variety of methods to provide clear, meaningful notices. However, in the near three-year period since the adoption of the Privacy Principles, it continues to be unclear how far automakers have moved beyond traditional notice and consent principles to improve transparency for consumers. CDT encourages the OEMs to work together to promote standardized privacy and security disclosures under the Privacy Principles; in particular, we suggest a focus on defining the baselines for data security, notice mechanisms, and sharing with law enforcement.