FTC concerned over weak consumer provisions in automotive cybersecurity rules

By Steve Brachmann
October 27, 2015

automobiles-blurred-335A rush of high tech components which are being incorporated into the coming generations of automobiles has been a major coverage area of focus this year on IPWatchdog ever since the advent of the autonomous vehicle was heralded at this year’s Consumer Electronics Show. Self-driving tech is by no means the sole research and development focus of the auto industry, where a dramatic increase in patenting activity underscores widespread innovations in heads-up displays, telematics units and more. Much of this development is fueled by the growing Internet of Things (IoT) sector and the incorporation of wirelessly connecting information technologies into all objects, including cars.

Technological development often spurs on conversations on regulating those technologies and we’ve definitely seen that as the case with both IoT and self-driving cars. In April, we had reported that five states had enacted legislation regulating autonomous vehicles in some way at that time. Road safety has always been an area where the regulatory conversation has focused heavily on consumer protections but the same is becoming increasingly true of data privacy. In January of this year, a staff report issued by the Federal Trade Commission indicated a need for IoT companies to develop strong data privacy and cybersecurity standards to protect the data collected from customers.

There are many avenues which a cyber attacker can use to gain unauthorized access to a vehicle. Malicious code can be sent through device-to-vehicle (D2V) connections made wirelessly, through the Bluetooth communications protocol or via a wired USB connection. The on-board diagnostics (OBD) port is another way through which a car can be hacked by a device carrying malware. More cars are being produced to communicate on the 802.11p wireless standard, establishing vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) connections which must also be secured.

At the end of October, the FTC again made a push on Capitol Hill for stronger data privacy standards, this time dealing specifically with the idea of connected cars. In prepared testimony for the hearing, entitled Examining Ways to Improve Vehicle and Roadway Safety, the commission brought up concerns it had with certain provisions of rules currently being drafted by the National Highway Traffic Safety Administration (NHTSA), which will require auto manufacturers to outfit their cars with vehicle-to-vehicle communications units in an effort to improve safety on America’s roads. The testimony was presented by Maneesha Mithal, an associate director of the FTC’s Division of Privacy and Identity Protection, during an October 21st hearing of the House Subcommittee on Commerce, Manufacturing and Trade.

A background memo released prior to the hearing notes that, despite declining vehicle-related fatalities over the past decade, there is a growing threat to driver and passenger safety caused by manufacturer error, evidenced by the millions upon millions of cars recalled for safety concerns by major automakers like Toyota Motor Corp. (NYSE:TM) and General Motors Company (NYSE:GM). The NHTSA rules requiring V2V communications units is an attempt to leverage increased growth in vehicle safety technologies, such as automatic emergency braking, to improve road safety despite vehicle system failure.

[Internet-Things]

Although the rules may keep passengers safer on the roads, the FTC fears that the rules as they are currently drafted do not provide adequate consumer safety provisions for data protection. Provisions related to data privacy, hacking prohibition and cybersecurity are covered by Title III of the drafted rules. This section requires car manufacturers to file privacy policies on data use and collection with the Secretary of Transportation for public dissemination; failure to do so results in a $5,000 per day fine leading to a maximum penalty of $1 million.

The rules establish safe harbor from FTC actions against unfair or deceptive practices once a car manufacturer submits a privacy policy that meets predetermined privacy element standards. This aspect of the NHTSA rules proves to be troublesome to the FTC, for seemingly obvious reasons. However, Mithal’s testimony does point out some aspects of the rules as written that could be exploited to weaken consumer data privacy protections. For example, if a manufacturer expressly states in the privacy policy that it collects data for sale to third-parties without an option for a customer to opt out, the manufacturer is still covered by safe harbor because it submitted the privacy policy. A manufacturer could also be protected by the safe harbor rules even if they willingly neglect their own privacy policies as long as they’ve submitted an approved policy.

It doesn’t help that the NHTSA connected car rule draft doesn’t exactly clarify the required privacy elements of those manufacturer data policies. There’s also no differentiation in the type of data collected, whether it involves vehicle sensor data or a passenger’s browsing history on any Internet-connected telematics unit. Although a consumer might want a car manufacturer to track vehicle data for driving safety, that person might not approve as much of the automaker tracking his or her purchases or music preferences.

Oddly enough, the FTC is in favor of weakening Title III provisions regarding hacking, albeit still from the standpoint of consumer protection. Section 302 of the NHTSA draft establishes a civil penalty of $100,000 for the unauthorized access of a vehicle’s electronic control units or critical safety systems. However, the FTC worries that this mechanism for deterring criminal activity may also have the unintended consequence of harming the efforts of security researchers who identify vulnerabilities in connected cars. A blanket prohibition of any hacking activity could remove incentive from vehicle systems security research at a time when some companies, like GM, are working to establish cybersecurity programs which reward individuals who uncover security flaws.

In addition, the FTC notes how car manufacturers have had an outsized voice in developing the best practices for automotive cybersecurity. Half of the Automotive Cybersecurity Advisory Council drawn together to develop those best practices are automakers; the other half of the council consists of regulatory agencies like the FTC and NHTSA along with consumer advocates groups and other representatives of the automotive industry. The council also approves practices by a simple majority, so vehicle manufacturers could muscle through provisions which aren’t so friendly to consumers with a single swing vote. Further, there are no stipulations that the best practices developed by the council must cover any certain area of cybersecurity and the NHTSA administrator which reviews manufacturer policies must meet a very high standard of review in rejecting a manufacturer’s plan that doesn’t meet the outlined best practices. The FTC also thinks that the regular review of best practices, which occurs annually, doesn’t occur often enough in order to address emerging risks and technologies in a timely fashion.

There has also been action in the Senate this year on the subject of connected cars and securing data privacy for consumers. In July, the Security and Privacy In Your Car Act, or SPY Car Act, was introduced, co-sponsored by Senators Ed Markey (D-MA) and Richard Blumenthal (D-CT). The bill would require carmakers to build information technology security standards into the vehicles which they manufacture and it establishes a civil penalty of $5,000 for each violation of unauthorized access to be paid by anyone caught in that type of violation. If passed, the SPY Car Act would direct the FTC and NHTSA to work together to develop standards in IT security in privacy that can be applied to both vehicle electronics as well as associated in-vehicle networks.

The auto industry hasn’t been lax in its attempt to stave off cybersecurity concerns. A June post on a blog hosted by The Wall Street Journal talked about a technology known as public key infrastructure being developed by a group of eight automakers. The technology establishes a mechanism through which a vehicle can communicate securely with another vehicle with which it has no prior relationship. The system would utilize encryption methods and digital keys to establish a security scheme that could be scaled up for incorporation by 200 million vehicles or more.

The Author

Steve Brachmann

Steve Brachmann is a freelance journalist located in Buffalo, New York. He has worked professionally as a freelancer for more than a decade. He writes about technology and innovation. His work has been published by The Buffalo News, The Hamburg Sun, USAToday.com, Chron.com, Motley Fool and OpenLettersMonthly.com. Steve also provides website copy and documents for various business clients and is available for research projects and freelance work.

Warning & Disclaimer: The pages, articles and comments on IPWatchdog.com do not constitute legal advice, nor do they create any attorney-client relationship. The articles published express the personal opinion and views of the author and should not be attributed to the author’s employer, clients or the sponsors of IPWatchdog.com. Read more.

Discuss this

There are currently No Comments comments.