The vehicles we drive are becoming more like smart phones every day. Like smart phones, vehicles store valuable data that can be hacked. The vehicles currently on the market are equipped with everything from GPS capabilities to “black boxes [1],” similar to airplane flight recorders, which store data concerning the driver, passenger and operation of the vehicle. In a September 18, 2014, article in Computerworld [2], Lucas Mearian notes that GPS units alone can provide data on “where your car is at any point in time, it knows where you live, what restaurant you’re in and where you go to church.” He further points out that your vehicle may even know “if you’re interviewing for another job or having an affair.” As seen with other industries, car makers are learning the value of this information.
As technology continues to expand the capabilities of “smart vehicles,” automobile manufacturers are taking steps to protect the information gathered from their vehicle systems. The “Privacy Principles for Vehicle Technologies and Services [3],” created by the Alliance of Automobile Manufacturers and the Association of Global Automakers, which will take effect on January 2, 2016, provides general guidelines for the use and storage of private data collected. Specifically, the guidelines include the following “fundamentals” for those that adopt these standards:
- Transparency: Vehicle owners should be provided with clear, meaningful information concerning the information that will be gathered.
- Choice: Vehicle owners will be provided a choice in whether information should be gathered about their use of their vehicle.
- Respect for context: Vehicle owners’ information will only be used in a manner that is consistent with the terms in which the vehicle owner agreed to have their information collected.
- Data minimization, de-identification & retention: Vehicle owners’ information will only be used for “legitimate business purposes” and will not be retained any longer than necessary.
- Data security: Vehicle owners’ information will be protected against unauthorized use of their information.
- Integrity & access: “Reasonable steps” will be taken to protect vehicle owners’ information.
- Accountability: For those that adopt the Principles, there is a commitment to take “reasonable steps to ensure that they and other entities” adhere to the Principles.
The adoption of these Principles makes clear that even industries and products not historically thought of as targets for hackers must create safeguards for data collection and storage. What’s more, automobile manufacturers may not have concerns limited to data storage or collection. While vehicles capable of automated driving are already beyond the sketching phase, it is not difficult to envision a scenario where hackers could do more than merely steal data.