Diffusing the Connected Car’s Ticking Data Privacy Timebomb

Connected and autonomous vehicles (CAVs) collate a significant amount of data to ensure vehicle safety, requiring an always-on internet connection and hundreds of sensors.

An entire industry has been developed around monitoring, logging, analyzing and monetizing it. Yet, the danger is, particularly with increasing cyber-attacks, that this data could end up being leaked and stolen.

With safety being paramount, and with the threat that hackers could take over a connected and autonomous vehicle, there is an increasing need to prevent smart car data leakages. Cassandra Moons, data protection officer at TomTom, explains why CAVs are a ticking data privacy timebomb by first of all suggesting that connectivity in cars has evolved in ways that reflect how people live their lives today. Not long ago, the idea of always being connected was just a prediction of the future, but nowadays being “always-on” is an increasing reality for many people. It’s becoming the norm.

She elaborates: “There are plenty of drivers out there who use apps developed by companies whose primary purpose is to monetize that data for targeted advertising purposes. It’s highly unlikely that the average driver is aware of, or even thinks about, the level of information and data that is being collected and for what purpose. Cars were once spaces where consumers could disconnect from the outer world, now they’ve become hubs for connectivity. The more drivers rely on quick access to data and connectivity, the higher the risk.”

Data protection minefield

David Trossell, CEO and CTO of Bridgeworks, adds that data protection regulations also create a minefield – not just about how to protect the data but also about determining who owns the data in the first place. As such, he says, there is today no single worldwide authority as to what data is collected, who has access to it and how this data is related to the driver or passenger of a CAV.

However, underpinning data protection is the need to protect data, and this can become a complex task for carmakers and for service providers operating in the CAV ecosystem. Trossell explains: “I would suspect that each manufacturer would require the data to flow back to their data centers, which could be in a different geographical area with differing regulations.

“With vehicle manufacturers now placing their products in most markets, this creates a nightmare with each country’s regulations, as any data could be traced back to an individual vehicle; this can then be referenced to person(s). The EU’s GDPR regulations, for example, restrict the location and storage of personal data, which is required to reside within the EU and in the countries that have regulation on the use of personal data.”

All about trust

Data protection is about trust, and so it’s also important for CAV development. Moreover, a failure to protect data can lead to reputational damage and huge fines, so the very threat of smart car data privacy being a timebomb must be taken seriously. Moons comments on the importance of cyber-security in the battle to prevent CAV data leakages and to forestall the dire prospect of hackers taking control of connected and autonomous vehicles: “With all this extra connectivity at play, it is inevitable that we will see cyber-security and privacy move further into the spotlight when it comes to connected vehicles. Let’s not forget that connected car data goes both ways. On one hand, more data means higher quality of services for the driver, however if processes and protections are not put in place, extra functionalities could come at the cost of consumer data protection.”

From a corporate perspective there is a need to back up data in more than three places that do not infringe on their own circles of disruption and there is a prerequisite to provide airgaps to protect sensitive data. From the point of view of an individual embracing the freedom of connectivity within a CAV, there is a need to inform them openly about the amount of data being collated on them because it is sometimes forgotten.

Moons thinks the automotive manufacturers need to strengthen cyber-security and to put safety controls in place by design to benefit both those “who do and don’t pay attention to how their data may be shared”. With trust at the core of any relationship and key to ongoing customer loyalty, she adds: “Driving apps need to be trustworthy and reliable; they must protect location and user data; and they should be completely transparent about how this information is being used and offer users control over their data.”

Role for regulators

There is also a role for regulators to play in protecting CAV data. Moons has found that regulatory attention and focus are shifting to the CAV data ecosystem. She continues: “OEMs are being seen as key data custodians when it comes down to protecting CAV data from drivers and controlling access for service providers but eventually every player in the ecosystem of connected vehicles needs to act transparently and accountably: tell what you do with CAV data, do as you tell and be able to prove it.”

Improving data privacy

Looking ahead five years, Moons would like to see data privacy and protection improving. This can be achieved by undertaking regular risk assessments, being transparent, providing user controls, and by enforcing privacy by design. Each of these factors will remain critical in her view over the next few years, and she thinks a thin line will remain to “innovate technology in a privacy compliant manner”.

She concludes by suggesting that future industry standards will be around data minimization, security, and the de-identification of personal data. This is demonstrated by Europe’s ambitions to shape its digital future, shown by the proposition of new regulations around data, the interplay between personal data and non-personal data, which Moons feels will go to a whole new level. So, regulation, tight cyber-security, consumer education, effective data management and transparency are the key to resolving what is otherwise a ticking smart car data privacy timebomb.

One comment

  1. Andrea Amico, Founder, Privacy4Cars 15th August 2022 @ 6:42 pm

    It’s great to see more concern brewing around the world regarding cars’ privacy risks. However, the concern should not be that “data could end up being leaked and stolen” in a hypothetical future: this has already happened and continuously happens. I am not talking only about the many data breaches that have affected a host of companies in the auto ecosystem. We estimate that the data of more than 200 million people in the US and EU alone is exposed to unauthorized third parties simply because rental car companies, dealerships, and auto finance companies do not have robust processes – or any processes at all – to make sure the personal information consumers leave stored in the vehicle is deleted when the vehicle exchanges hands. I am talking about highly sensitive and regulated phone records, geolocation, biometrics, identifiers, and user profiles (just read your vehicle’s privacy policy).
    Deleting this data from cars is a legal mandatory requirement in the EU under GDPR and will be a legal mandatory requirement in all states in the US come December 9th when the new federal Safeguards Rule comes into effect. Many companies have already taken the step of deleting PI prior to resale but many more are still not acting. This is puzzling because fixing this problem and creating sensible (and obligatory for compliance) consumer protections does not require new technology or systems: it is a simple matter of policy that companies can choose to fix tomorrow morning.
