CDT and four top cryptography and security experts submitted the following comments in response to the National Highway Traffic Safety Administration’s (NHTSA) notice of proposed rulemaking to establish a new Federal Motor Vehicle Safety Standard (FMVSS), No. 150, which intends to mandate and standardize vehicle-to-vehicle (V2V) communications for new light vehicles. We are professors of computer science with extensive research expertise in cryptography, data privacy, and network security (we detail our qualifications below). We are joined in these comments by the Center for Democracy & Technology (CDT), a nonprofit advocacy organization that works to promote democratic values by shaping technology policy and architecture and that supports laws, corporate policies, and technologies that protect privacy and security online.
Our comments highlight our concern that NHTSA’s proposal standard may not contain adequate measures to protect consumer privacy from third parties who may choose to listen in on the Basic Safety Message (BSM) broadcast by vehicles. Inexpensive real-time tracking of vehicles is not a distant future hypothetical. Vehicle tracking will be exploited by a multitude of companies, governments, and criminal elements for a variety of purposes such as vehicle repossession, blackmail, gaining an advantage in a divorce settlement, mass surveillance, commercial espionage, organized crime, burglary, or stalking.
Our concern is that the privacy protections currently proposed for V2V communications may be easily circumvented by any party determined to perform large-scale real-time tracking of multiple vehicles at once. This poses a serious costs for both individual privacy and society at large, and we caution that the proposed privacy statement does not adequately disclose these threats to consumers. We also note that they are not accounted for in the proposed rule’s cost-benefit analysis.
A more privacy-conscious design employing advanced cryptographic techniques (as opposed to a simple public broadcast accompanied by a digital signature) may help resolve some of the privacy concerns. We conclude that we have serious reservations about privacy risks inherent to the current design, and caution that extensive changes would need to be made to significantly reduce these risks.