A group representing some of the leading foreign automakers who sell in the U.S. released guidelines to protect consumer data collected by in-vehicle technologies and make sure that car owners consent to the collection of everything from geolocation data to biometric identifiers.
The group, Global Automakers, represents foreign auto manufacturers and original equipment makers (OEMs). The Privacy Principles document includes guidance on issues like transparency, anonymity and security and is intended to set ground rules for the collection and use of driver or owner information by increasingly sensor-rich vehicles.
“As modern cars not only share the road but will in the not too distant future communicate with one another, vigilance over the privacy of our customers and the security of vehicle systems is an imperative,” said Global Automakers President and CEO John Bozzella in a published statement.
The Privacy Principles are voluntary and are based on the U.S. Federal Trade Commission’s Fair Information Practice Principles (FIPPs). As written, they cover the collection, use, and sharing of certain kinds of information by vehicle technologies and services. They include assurances that automakers will be transparent and give owners “clear, meaningful notices” about data collection and how collected data will be used. Owners will also have the choice of whether or not to share data. Finally, automakers and service providers will commit to making data anonymous and securing it at rest and in transit.
Promises about security were more vague. “Despite the absence of reported hacking incidents affecting vehicles on the road to date,” the group said, “the industry also is taking proactive measures to prepare for threats by working to establish a mechanism for sharing vehicle cyber security information among the auto sector.” However, details were noticeably absent in the principles.
Reaction to the statement of principles was mixed. Senator Ed Markey of Massachusetts, who is a member of the Commerce, Science and Transportation Committee, said in a statement that the privacy principles “represent an important first step toward protecting the information collected by modern technology in our cars.”
“Putting limits on the use of geolocation information for marketing purposes and providing consumers with access to the collected information are fundamental to empowering consumers and ensuring their privacy,” Markey said.
However, Markey warned that the proposed principles were vague on how consumers would be informed about data collection, and failed to offer security and privacy guarantees. “As vehicles are equipped with 21st century wireless technology, we need auto companies to make security and privacy as standard as seatbelts and stereos for drivers and their vehicles.”
Josh Corman of the group I Am The Cavalry, which has called for auto industry action on security and privacy, said the willingness of the automakers to acknowledge that connected vehicle technology presents risks was a step forward. However, inattention to securing connected vehicle systems was concerning. “You might encrypt the database where the car stores driver information, but still have the vehicle susceptible to have its steering or brakes disabled,” Corman observed. “My privacy is really important, but I’d like to be alive to enjoy it.”