Data and security issues in a world of connected cars

Mobility patterns are changing and technological innovations in electrification, connectivity and autonomy are driving this change. The automobiles of the future will be even more connected and feature a higher degree of automation than today’s vehicles. Artificial intelligence (AI) is also finding its way into on-board systems to an ever-increasing extent. These two aspects, especially, create problems that may not be quite apparent at first. The greater use of connectivity and autonomy increases the demand for sensors and software, thus generating more data - which will be at the heart of these reshaped mobility ecosystems.

In this context, and especially bearing in mind that the average connected car will produce an estimated four terabytes of data a day, the issues surrounding data ownership and security are complex. Who owns the data that an autonomous car generates and who is allowed to use it? Does it belong to the company that “generates” the data, or should it be shared so it can be independently validated and used by other companies? Sharing would both enhance security and lower the barriers to market entry.

In the case of a semi-autonomous or even just a connected car, does the individual own the data that it generates, or should the manufacturer have rights of access? This in turn raises issues of personal data privacy, since among the most “private” of data is location-related data, be it the current position of the vehicle (and thus the driver) or a complete history of locations travelled.

Data: who is in the driving seat?

Connected and autonomous vehicles are also changing the way customers interact with the original equipment manufacturers (OEMs). In the past, these manufacturers only had occasional direct contact with their customers, mainly through dealers. With the advent of autonomous or even just connected services, a more direct contractual relationship starts to appear.

Historically, the situation was much easier for OEMs wanting to collect data from connected vehicles. When a customer purchased a vehicle and signed the contract, the general terms and conditions included an authorization to collect and “appropriately” use the obtained data. There was no way to object to the collection and transmission of data, short of not buying the vehicle. Once consent was given, if the customer later tried to withdraw it, the OEM could either refuse to acknowledge the withdrawal or discontinue a certain service.

The situation changed dramatically in 2018 with the General Data Protection Regulation (EU) 2016/679. When the GDPR came into force on 25 May 2018, it significantly strengthened the rights to data protection and privacy for all individuals in the EU and EEA, specifically addressing issues surrounding their personal data (or personally identifiable information), which enjoys special protection.

The European Union Agency for Network and Information Security (ENISA), in its study “Cyber Security and Resilience of smart cars”, made it clear that protecting user data, meaning all data relating to an identified or identifiable person, is of particular relevance and should thus be protected accordingly. The study added that in the case of connected cars, such data may especially include all location-based data.

In 2016, the European Commission, in its publication on the EU Strategy on Cooperative Intelligent Transport Systems, pointed out that “the protection of personal data and privacy is a determining factor for the successful deployment of cooperative, connected and automated vehicles. Users must have the assurance that personal data are not a commodity and know they can effectively control how and for what purposes their data are being used.” The EC continues that, essentially, all data generated by and originating from a vehicle can be assumed to be personal data or personally identifiable information. This statement clearly had the GDPR in mind, and was once again emphasized by the European Commission’s COM(2018) 283 on the EU strategy for mobility of the future. It states that while “there is no sector specific approach on the protection of the vehicle against cyberattacks, for data protection on the other hand, the EU rules on the protection of personal data apply to any processing of personal data, including those collected from vehicles”.

Contrary to before, a service provider can no longer refuse to provide a service simply because the user has not given consent to a particular data use, or has withdrawn it. Where consent to a certain data use is demanded, but that specific data use is unrelated to the actual service provided, this is a violation of the GDPR. As a consequence, an OEM or another service provider cannot refuse or stop providing that service without violating the GDPR as well.

The next turn: ePrivacy Regulation

Another step along the road will be the new ePrivacy Regulation (ePR), which is to replace the ePrivacy Directive of 2002. While the ePR is still in draft, its aim is to consolidate the implementation by member states, and it is intended to complement the GDPR. Although the ePrivacy Regulation is mainly directed towards electronic communications service providers, the regulation still impacts how data obtained from vehicles is shared with third parties. If the data sharing standards intended by the European Commission are not met, an OEM may well be prohibited from selling such connected cars to its customers, and, as with the GDPR, significant penalties could be imposed.

One important area of future connected and autonomous cars is vehicle to vehicle (V2V) communication. The aim of V2V communication is to avoid accidents by enabling nearby vehicles to exchange position and speed data while driving. Depending on the implementation, the driver of a vehicle may receive a warning if there is a risk of an accident, or the vehicle itself can take preventive measures such as braking or evading the other vehicle.

This falls under the ePrivacy Regulation definition of ‘interpersonal communications services’, which enable interpersonal and interactive exchange of information between a limited number of individuals, designated by the sender of the communication. Interactive communication means that the service enables the recipient of the information to respond. Whether V2V communication meets the requirements of an exemption from the ePrivacy Regulation, such as the exemption for the exchange of information between machines, is something that still needs to be resolved, and this can only happen after the ePR comes into force.

Data security

There are also cyber security concerns, which don’t simply cover hacked vehicles crashing but also data privacy in a world of increased ride-sharing and car-sharing, and the hacking of manufacturer-to-vehicle communications. Deloitte recently observed that “cyber risk poses perhaps the greatest threat to the future of mobility, and data governance, privacy, and protection will likely be of paramount importance.”

The overarching development from personally owned and driven cars to fully autonomous options introduces more and more potential points of weakness in the connected car ecosystem. These must be addressed appropriately by all players involved, most particularly the OEMs. ENISA specifically defines the expected good practices for assuring cyber security and resilience, including the implementation of a dedicated security team and extensive penetration testing, both internally and externally by third parties, including third-party code review, especially for cryptography. More generally, ENISA recommends achieving consensus on technical standards for good practices and defining an independent third-party evaluation scheme to sufficiently address security issues in automotive systems.

The future is autonomous

A lot has been done so far to strengthen an individual’s right to privacy and data autonomy in a connected car. What happens to these new rights along the road from connected to autonomous? Some have predicted that, with the move to mobility as a service, individual car ownership will significantly decrease, and the driver (or rather the driven) will no longer be the owner of the vehicle. How will this fundamental change in ownership structure affect the acquired rights, given that there is no longer a contractual relationship between the passenger and the manufacturer?

Currently, not much changes, as the relationship between generated data and driver status remains mostly unaffected. Nonetheless, all stakeholders in a self-driving car future, in particular those new to the automotive field, should be aware that trust in a particular service will remain the most valuable commodity and is paramount for the successful adoption of this new technology. Such trust requires that all concerns are dealt with completely and satisfactorily. Transparency must be at the forefront of all efforts to promote a shared ecosystem, efforts to implement privacy-by-default and privacy-by-design should be intensified, and data economy and data avoidance, i.e. minimizing the generation and collection of personal data, should be at the heart of everyone’s technology strategy.

Conclusion

The protection of individuals’ data has been established as the ultimate goal, clarifying that data ownership effectively lies with the driver and no one else. OEMs and other players must make privacy a key part of their firm culture and approach this field with a holistic view on data privacy. After all, it is the journey that is the product, not the transported.