In a recent development, two US senators have urged the US Federal Trade Commission (FTC) to take action against automakers for sharing driver data without proper consent. Senators Ron Wyden and Edward Markey raised concerns about the increasing data privacy challenges and misleading terms of service associated with modern smart cars.
The senators specifically pointed out the data-sharing practices of General Motors, Honda, and Hyundai, which were found to be collecting and selling driver information, such as acceleration and braking data, to a data analytics company called Verisk. This data was then used to prepare driver behavior reports that were resold to insurance companies. According to the senators, the automakers failed to obtain informed consent from customers before sharing their information and obscured their data-sharing relationship with Verisk in lengthy disclosures.
The senators emphasized the need for immediate investigation into this industry-wide issue, calling for accountability from both automakers and data brokers. They highlighted the deceptive practices used by these companies, including the manipulation of consumers through misleading claims about how driver data would be used. The senators urged the FTC to hold senior company officials responsible for the blatant abuse of customer privacy.
This incident sheds light on the larger security and privacy issues surrounding modern, highly connected software-defined vehicles. While these vehicles offer advanced features like automation, autonomous capabilities, and customizable user experiences, they also collect vast amounts of data that can be vulnerable to cyberattacks.
Riley Keehn, a lead regulatory and government affairs consultant for SBD Automotive, highlighted the extensive personal and sensitive information stored in vehicles, making them prime targets for cyber threats. Keehn mentioned various attack vectors, including hardwired systems, insecure Wi-Fi networks, and compromised aftermarket components, that threat actors could exploit to access this data.
To mitigate these risks, Keehn suggested implementing security-by-design approaches and adhering to industry best practices and regulations like UN R155 and UN R156 on cybersecurity management systems. However, the lack of a comprehensive data privacy regulation in the US, compared to regulations like the GDPR in the EU, poses challenges in ensuring consumer privacy.
The patchwork of inconsistent rules at the state level in the US further complicates data privacy requirements, with some states having clear guidelines for handling data while others lack specific regulations. This lack of national guidance creates risks at the business level and can lead to a culture within OEMs where security measures are insufficient.
David Brumley, CEO of ForAllSecure, emphasized the importance of obtaining informed consent from drivers before sharing their data for purposes like advertising. He called for separate consent requirements for different types of data sharing, especially for services like roadside assistance and autonomous driving. Brumley also stressed the need for laws prohibiting companies from limiting functionality based on consent decisions.
While the senators’ call for FTC intervention is a step in the right direction, Brumley expressed skepticism about the agency’s ability to drive meaningful change due to its reliance on free-market dynamics. He suggested that stricter EU regulations and consumer advocacy could play a crucial role in pushing for stronger data privacy protections and accountability in the automotive industry.
In conclusion, the FTC’s involvement in addressing data privacy issues in the automotive sector is a positive step, but more comprehensive regulations and consumer awareness are needed to safeguard driver data and promote transparency in data-sharing practices. The growing reliance on connected vehicles underscores the urgency of establishing robust data privacy measures to protect consumer rights in an increasingly digital world.

