CAVs and the New Push for Privacy Regulation

For many people, syncing their phone to their car is a convenience – allowing them to make hands-free calls or connect to media on their phone through the car’s infotainment system. But doing so can leave a lot of data on the car’s hardware, even after a user believes they have deleted such data. That was the case in a recent ATF investigation into narcotics and firearms trafficking, where federal law enforcement agents were issued a warrant to search a car’s computer for passwords, voice profiles, contacts, call logs, and GPS locations, all of which they believed had been left on the car’s on-board memory. While it’s uncertain just what was recovered, an executed search warrant found by Forbes claims the information extraction was successful.

While this case doesn’t necessarily raise the same issues of government access to data found in the Supreme Court’s recent Carpenter decision, it does illustrate the growing amount of personal data available to outside actors via the computer systems within our vehicles. And while the 4th Amendment can (usually) shield individuals from overreach by government, personal data represents a potential target for malicious actors, as shown by the recent data breach at Facebook which exposed the data of 30 million users. As cars become yet another part of the greater “internet of things,” (IoT) automakers have to confront issues of data protection and privacy. Security researchers have already began to prod vehicle systems for weaknesses – one group was able to breach the computer of a Mazda in 10 seconds.

There has of late been a great deal of talk, and some action, in Washington, Brussels, and Sacramento, towards mandating greater privacy and security standards. Earlier this month, the Senate Commerce Committee held a hearing on Data Privacy in the wake of the European Union’s General Data Protection Regulation, which took effect in May, and California’s Consumer Privacy Act, which was passed in June. Last month, California also passed a bill that sets cybersecurity standards for IoT devices – and there are similar bills that have been introduced in the House and Senate. While it remains to be seen if either of those bills gain traction, it is clear that there is an interest in more significant privacy legislation at the state and federal level, an interest that has to be considered by automakers and other CAV developers as CAVs move closer and closer to wide-scale deployment.