Your car is a lot more than just a car these days. Forget about the in-car entertainment system with the USB port and the iPhone jack. If you drive a late-model vehicle, it has been tricked out with hundreds of wireless sensors to monitor everything from tire pressure to braking and acceleration. These sensors communicate over a VAN – or Vehicle Area Network – that’s not all that different from the LAN that connects the computers, servers, printers and other peripheral devices in your office.
Beyond that, automakers are taking their cue from mobile device makers, and for good reason. Apple booked $10 billion in sales through its AppStore in 2013 alone. That’s not too shabby, when you consider that much of that revenue came in $.99 increments!
But, as Jessica Naziri (@jessicanaziri) noted in yesterday’s Los Angeles Times, cars are the new gadgets. After all, the Detroit Auto Show is still weeks away, but automakers have made the pilgrimage to Las Vegas to show off their latest connected vehicles at the Consumer Electronics Show (CES). Automakers are talking up plans for cross-industry standards for connected vehicles and the apps they’ll run. Autoblog reported that Audi, GM, Hyundai and Honda are partnering with Google and chip maker NVIDIA on an Open Automotive Alliance. The goal: “bring Google’s Android operating system to the auto industry on a large scale.”
But AppStore-like features can beget AppStore-like problems, especially in areas such as privacy and security. That’s the message from the U.S. Government Accountability Office (GAO), which issued a report this week that found leading automakers are often not following industry-recommended privacy practices with their connected vehicles.
The report, GAO-14-81, was commissioned by Sen. Al Franken, who is Chairman of the Senate Subcommittee on Privacy, Technology and the Law. In it, the GAO warns that automakers are failing to adequately inform car owners of the ways in which data collected by in-car apps and navigation systems is being shared with third parties.
Of ten automakers surveyed by the GAO, almost all fell afoul of industry-recommended privacy practices in one or more areas. While the companies admitted to collecting driver data and location data from vehicles for internal use and to share with third parties (including law enforcement), their privacy practices were, GAO found, “unclear” in certain instances, which “could make it difficult for consumers to understand the privacy risks that may exist.”
Among the problem areas identified by GAO was vague language about the reasons for collecting data and how that data is handled. Automakers also were vague about how data they collect is de-identified before it is shared, and many of the 10 surveyed don’t provide a way for customers to have any data collected from them purged by the automaker. Automakers did not have clear internal policies to hold themselves, their employees and business partners accountable for violations of customer privacy, GAO said.
A lack of clear federal guidelines is part of the problem, GAO said. Federal laws like the Federal Trade Commission Act, the Communications Act of 1934 and the Electronic Communications Privacy Act of 1986 were written before the advent of the public Internet, let alone connected vehicles. The FTC and National Telecommunications and Information Administration have written guidelines that they recommend automakers adhere to, but adherence is purely voluntary.
In the absence of new federal regulations, the GAO recommends that the FTC consider issuing guidance on protecting the privacy of location data in automobiles. The NTIA should provide goals, milestones and performance measures that could be used to structure industry codes of conduct.
Despite a lack of new lawmaking, Congress has taken note of the privacy and security issues stemming from connected vehicles. In December, for example, U.S. Senator Ed Markey (D-MA) sent a letter to automakers asking for information about consumer privacy protections and safeguards against cyber attacks in their vehicles. The security of connected vehicles was also a topic of conversation at a November FTC Workshop on security and the Internet of Things, with speakers debating the relative costs and benefits of new, connected vehicle technology.