It’s not news that various branches of the federal government have been studying a range of privacy and consumer safety issues that arise with ever more connected vehicles. What is new is a report from the Government Accounting Office (GAO) to the House Subcommittee on Research and Technology, Committee on Science, Space and Technology, about how current passenger vehicle manufacturers address the many privacy issues that arise with connected vehicle use.
GAO interviewed industry associations and organizations that work on privacy issues and also interviewed 16 automakers that were selected based on their U.S. passenger vehicle sales. GAO reviewed the written privacy policies of the automakers against a set of leading privacy practices and issued a report, Vehicle Data Privacy: Industry and Federal Efforts Under Way but NHTSA Needs to Define its Role, on August 28, 2017.
Connected vehicles offer services to consumers through wireless communication systems. Typically, in-vehicle sensors and global positioning systems generate data that are transmitted through two-way communications between a vehicle and a central computer system or call center, although other data may be available through an individual’s smartphone connection.
Data that is or could be collected by connected vehicles can be placed into six distinct categories, and GAO interviewed U.S. automakers about their collection and use of each type of data:
- Personal Communications
- Driver behavior
- Biometrics and health
- Vehicle health
What GAO Found
- 13 of the 16 automakers GAO interviewed currently sell at least some cars that are equipped with technologies and services that wirelessly transmit and receive data and are thus considered connected cars.
- Types of data collected by automakers:
  - All 13 collect vehicle health and location data
  - 10 collect driver behavior data
  - Three collect infotainment data
  - None reported collecting personal communication or biometrics and health data.
How data is used:
- Connected Vehicle Services – of those automakers collecting data, all reported providing automatic crash notification or roadside assistance, which relies on location data, vehicle health, and sometimes driver behavior data. For example, sensors connected to vehicles may detect airbag deployment and rollover status that could be used to request assistance from emergency responders.
- Research and Development – all but one of the automakers use collected data for research and development, specifically to improve vehicle safety and performance.
- Marketing – five automakers reported using collected data to market products related to the health of drivers’ own vehicles to those drivers.
Automakers do not have a uniform view on who owns the data collected:
- Seven said that data ownership is legally unclear or they do not have a position
- Three said that the vehicle owner owns the data, but that the automaker has a license to use the data
- Two said that the automaker owns the data
- One said that the automaker owns the anonymized data and the customer owns personal data
- None of the automakers currently share collected data with unaffiliated third parties except with explicit consumer consent, at the request of a consumer, or to comply with a valid court order.
- Seven automakers share collected data about vehicle health with dealerships to aid in vehicle servicing.
- Two automakers reported sharing collected data with insurance companies to enable consumers to participate in insurance plans that base premiums on driving behavior.
- Several automakers reported sharing and using de-identified data.
  - One automaker shares de-identified vehicle health data with university-based researchers to examine vehicle structural integrity after crashes.
  - Others shared de-identified location data with traffic services.
GAO identified six leading practices most relevant to connected vehicle data privacy based on its analysis of well-known Fair Information Privacy Practices, which include (1) transparency, (2) focused data use, (3) data security, (4) data accuracy and access, (5) individual control, and (6) accountability. The GAO report observes that 13 of the 16 automakers it surveyed have signed onto auto industry Consumer Privacy Protection Principles to demonstrate their commitment to privacy. All of the automakers had privacy policies that were readily accessible from their public websites, but GAO found that the policies were not clearly written. In addition, while most reported limiting their data collection, use, and retention in general terms, most failed to provide much specificity as to what data was used and how it was used. In interviews, all the automakers reported using policy and technological measures to protect data, such as limiting access, using firewalls and encryption, and using penetration testing and code reviews. While all the automakers indicated that they obtain explicit consent from consumers before collecting data, consumers who opt out of sharing their data typically lose all connected vehicle functionality, which could become a larger issue as vehicles become even more connected and autonomous.
In addition, GAO interviewed 16 privacy experts to identify leading privacy practices relevant to connected vehicles. These experts indicated the importance of the following privacy issues: (1) tracking, (2) loss of consumer control over personal information, (3) insecure data, (4) lack of sufficiently informed consent and low consumer awareness, (5) disparate treatment, (6) lack of sufficiently informed consent or lack of company transparency, and (7) little or no consumer choice about privacy. The report notes there are differing levels of concern on these points, including concern about the options consumers might lack if they fail to consent to use of their data.
Federal Oversight Roles
There are no federal laws expressly conferring broad protections for consumers’ data and no single federal agency that oversees data privacy. The Federal Trade Commission (FTC) is acknowledged as having broad authority to challenge unfair or deceptive acts or practices. While the FTC has not brought an action against a connected vehicle manufacturer, it has brought a number of other law enforcement actions in the privacy and data security arena and is thus seen as a relevant federal agency in vehicle data collection and use, particularly if automakers fail to follow their own announced policies and procedures. The GAO report also acknowledged several of the FTC’s reports that outline best practices for companies that collect and use consumer data and that may provide guidance on a range of issues.
According to agency officials, the National Highway Transportation Safety Administration (NHTSA) has broad authority over the safety of passenger vehicles, but thus far has not been perceived to have the authority to regulate consumer privacy as it relates to motor vehicles or motor vehicle data, despite its mandate to consider the privacy impacts of its regulatory activities. As noted in the October 2016 Cybersecurity Best Practices for Modern Vehicles Report, there is a tighter connection between cybersecurity and safety. In June the FTC and NHTSA held a Connected Cars joint workshop which brought together a variety of stakeholders, including industry representatives, consumer advocates, academics, and government regulators. NHTSA and the FTC noted the importance of fostering the development of connected cars while protecting consumer privacy and promoting security. The GAO report acknowledged that the FTC and NHTSA have collaborated on vehicle data privacy and coordinated their respective efforts in this area, but that NHTSA has not clearly defined and communicated its roles and responsibilities related to the privacy of connected vehicle data to its stakeholders. The GAO report observes that this situation should change.
The GAO report provides a snapshot of the data collection and use practices of connected passenger vehicles in the U.S. by a range of auto manufacturers, examining how data practices align both with automakers’ own privacy policies and with other relevant privacy practices. The report acknowledges the authority and role of the FTC and calls on the Secretary of Transportation to direct NHTSA to define, document, and externally communicate the agency’s roles and responsibilities for connected vehicle data privacy.