Google Autonomous Vehicle

When Autonomous Vehicles Crash, Is The Software Liable?

Many industries are wrestling with the blinding speed of technologic change. Mobile devices like smartphones and tablets are transforming the way employees work and customers interact with a business. And that doesn’t even take into account the (coming) revolution of smart devices and remote sensors that is referred to as The Internet of Things.

Google Autonomous Vehicle
When autonomous vehicles crash, who (or what) is to blame? (Photo courtesy of Google.)

But few industries are wrestling as hard with the implications of that change as the Insurance industry, which must assess the long-term impact of huge forces like technology innovation or, say, climate change on risk. One example: how will the advent of autonomous vehicles or even computer augmented driving change the auto insurance business? And, when two computer-guided cars crash, who (or what) is liable?

Those were some of the questions posed to attendees at this week’s Emerging Technology (or EmTech) Conference at The Massachusetts Institute of Technology (MIT). The speaker, Joe Coray, is the Vice President of Technology & Life Science, Renewable Energy and International business at the insurance giant The Hartford. He was addressing the “facts and myths of disruptive innovation” like autonomous vehicles and implantable medical devices, and how it will impact risk calculations by his firm and others. 

Coray said the benefits to society of highly efficient and reliable computer guided automobiles are enormous. “Without traffic jams, how much faster can people get to work? How much less road rage will there be?” And that doesn’t even consider the safety improvements. Data from the insurance industry show that 81 percent of auto accidents are due to operator error of one kind or another – from fatigue to bad judgement in adjusting to road- or weather conditions. The costs of all those accidents are enormous, also.

“As a country, we spend $14 billion a year litigating automobile accidents, which includes the costs of attorneys, hospital stays, and so on,” Coray told EmTech attendees on Thursday. Autonomous vehicles – especially if they are adopted in great numbers – could reduce the number of accidents and, thus, the cost of claims related to those accidents enormously.

But many complex questions need to be answered before that, especially regarding liability. “How do we train and license drivers to operate autonomous vehicles,” Coray wondered. “How much time do we allow to switch between autonomous operation and driver input?”

And, when accidents do occur, where does the liability lay? That is already a complex question in the world of human-driven cars. With computer driven cars, it’s downright vexing, Coray warned. “When you have an autonomous vehicle and the vehicle crashes, is it the driver’s fault? The driver, almost by definition, cannot be negligent. Is the car libel or is it the software? Was the problem a program that did not work satisfactorily?” 

The traditional chain of liability, which started with the driver and extended to the auto manufacturer, will become far more complex, Coray warned. And similar issues face insurance companies in the area of medical device failures, as implantable medical devices that also communicate with the outside world become more common.

Software security has become a pressing concern in the automobile industry, as more late-model vehicles sport complex software stacks to support in-vehicle entertainment systems and a growing network of remote vehicle sensors that monitor everything from the vehicle’s location to speed and tire pressure to the outside weather conditions.

At the DEFCON hacker conference in August, for example, the security researchers Charlie Miller and Chris Valasek showed how they could manipulate a car using software based hacks of the electronic control units (ECUs) in a Toyota Prius– disabling the brakes and manipulating the steering wheel and dashboard. And, in May, the National Traffic Safety Administration told Congress that more research is needed into “vehicle cyber security” to address the threats to a coming generation of networked automobiles that connect to the public Internet and to each other.

In Talking Code, a Security Ledger hosted video, sponsored by Veracode, I spoke with Chris Wysopal of Veracode and Joshua Corman of Akamai about software security and automobiles.

Corman, the Director of Security Intelligence at Akamai Technologies, said that the advent of security as an issue for products like automobiles is akin to the safety revolution in the 1960s, 70s and 80s, as regulators mandated features like seat belts in cars, often over the objections of car makers. “The auto industry thought safety would destroy innovation and cost too much and buyers would hate it,” Corman said. “Today you have the five-star crash rating system and if you want a really safe car for your kid, you have signals to help you steer that and price it. I can’t tell you the difference between a two star and a three star rating, but I can tell you I probably want a three.”