Unsafe at any Connection: Autonomous Vehicles Lacking in Privacy, Security Protections
Long after the release of the Ford Pinto, and subsequent book by Ralph Nader “Unsafe at Any Speed”, the auto industry became accustomed to regulations at almost every corner. In the digital age, we need to consider automotive cybersecurity and privacy to be just as important as other safety features we’ve learned to depend on.
However, when it comes to cybersecurity, research by Singaporean academics shows that regulation is missing in action.
The advance of autonomous vehicles (AVs), especially as the car fleet begins to electrify, is important to city sustainability. But what about their impact on privacy, or their susceptibility to security vulnerabilities?
The recent Tesla Autopilot flaw I discussed in my previous post, in which attackers found that adversarial AI attacks could force Autopilot to attempt dangerous lane changes, was merely the latest in a long string of cyberattacks on vehicles dating back to 2015, when Charlie Miller and Chris Valasek first demonstrated their attack on a Jeep Cherokee.
Questions about privacy have a similarly long provenance, whether it’s something simple like car renters forgetting to wipe their contact lists, or insecure apps associated with smart cars exposing an owner’s private data. For example, Nissan’s NissanConnect app was criticised as insecure in 2016, and while most of the focus at the time was on remotely controlling the car, it’s clear that the app was transmitting personal information without encryption.
In this article, first published last year in the journal Energies and now available on the arXiv open portal, Hazel Si Min Lim and Araz Taeihagh of the Lee Kuan Yew School of Public Policy at the National University of Singapore take an in-depth look at the twin issues of autonomous vehicle privacy and security, and how those interact with city sustainability.
Taeihagh and Lim argue that data ownership is, so far, ill-defined in the auto industry, although it’s key to who is responsible for privacy. They write: “…the ability of AVs to store and communicate personal data may conflict with data privacy laws, creating ambiguity regarding the ownership, storage, and transmission of data collected in the AV”.
The authors note that AVs are, nonetheless, vital to a sustainable smart city: they can increase road capacity, reduce congestion and improve traffic flow, as well as improve safety, encourage ride-sharing, and, through their connectedness, create an interactive relationship between vehicles and the road networks they drive on (e.g. traffic lights that respond to localised conditions, and light-free pedestrian crossings). They could also be deployed to make access to transport more inclusive.
And while difficult to quantify, we can expect AVs to make transport more environmentally sustainable, both through greater efficiency, and because autonomy is closely associated with electrification.
These factors make the rise of AVs look almost inevitable, and that puts an uncomfortable spotlight on their privacy and security.
The first privacy issue is the simple volume of data AVs collect and, in the context of the smart city, share. Sensor data that keeps the manufacturer in touch with a car’s condition might be relatively benign, but other data – trip information, for example – is both collected and shared with insufficient protection, according to Taeihagh and Lim.
The threat of individuals being harassed with advertising due to the sharing of trip data is bad enough for most. However, as we see with China’s notorious “social credit” system, private information is increasingly subject to state abuse.
Taeihagh and Lim note that “it is important to safeguard against the misuse of personal information that can inflate societal discrimination, which is crucial for sustainability from the perspective of social stability”. The demands of privacy must be balanced against the benefit of information sharing.
It’s easy to call privacy an imperative, but it’s also clear to Taeihagh and Lim that government action on AV privacy is at best in its infancy, and at worst, hostile to privacy. The European Union leads the way with its General Data Protection Regulation (GDPR), but in the AV context, the GDPR has been criticised as “excessive regulation of the commercial use” of AV data.
Other countries are taking a similar approach to the EU. Rather than tackling AV data privacy as a specific use-case, they’re concentrating on drafting more generalised “application agnostic” rules. The paper’s analysis covers China, Japan, Singapore, South Korea, the USA, Germany, France, Australia
Singapore and the USA have taken the most action on AV privacy, with both countries implementing legislation. America has arguably the most stringent regime. The paper notes: consumers must be informed about data collection; if a consumer terminates data collection and sharing, they should retain “access to all features and services provided by the vehicle”.
Laggards identified in the paper include Germany, France, and Australia, all of which have acknowledged the issue, but gone no further than expressing an intent to deal with AV privacy. Germany, Taeihagh and Lim observed, requires a “black box” to help assign accident liability, but that legislation overlooked privacy. Australia and the UK have non-mandatory design principles in place to cover privacy.
The problem with implementing and regulating the cybersecurity applied to AVs comes from the host of systems and vectors that exist:
- External network connections provide a vector to attack a vehicle, and the networks themselves could be attacked to disrupt vehicle operations.
- Attacks have been demonstrated against AVs’ event data recorders (black boxes), GPS systems, sensor systems, controller network protocols and more.
- AVs can, themselves, be vectors from which an attacker can launch attacks on infrastructure upstream from a compromised vehicle.
Surprisingly, for an industry so accustomed to regulation, the authors found cybersecurity is something of a regulatory black hole in the AV business. They observe: “automotive industry standards lack sufficient coverage for the breadth of cybersecurity risks faced by AVs”.
America has the SPY Car Act, which includes some protections against vehicle hacking, but some US states perceive gaps in the law’s coverage. California, Massachusetts and Pennsylvania have created their own AV cybersecurity laws:
- California’s requirement that AVs can “detect and react to cyberattacks” was approved as a permanent regulation in February 2018.
- Massachusetts’ draft legislation includes AVs in IoT regulation, allowing its Department of Consumer Affairs and Business Regulation to implement regulations to protect personal information and data.
- Pennsylvania implemented what the paper describes as “non-mandatory recommendations for AV testers to provide proof that cybersecurity precautions are taken”. The law places obligations on testers and the state’s department of transport to notify each other in the event of a cybersecurity incident.
Most other countries Taeihagh and Lim analysed – the EU, Singapore, Germany, France, Australia, the UK, South Korea, China and Japan – have generalised cybersecurity regulations that don’t specifically cover AVs, and there are public education efforts underway in several countries.
The motor industry will need a lot more than “public education” to get security under control.