This fact likely won’t take anyone by surprise: our cars have been collecting data on us for decades. Your car knows when you last had its oil changed and how hard you’re accelerating or braking in real time. This data can be gathered from the car’s on-board computer and collected using purpose-built devices or at a dealership’s service department. Because it requires specialized equipment to access, this type of data has historically been relatively protected.
But as cars become increasingly connected – whether through Wi-Fi connections, smartphone tethering, or even connections to the cloud for real-time computing and over-the-air updates – this game is changing dramatically. Our cars know and store much more about us than they ever have before: our names, home addresses, where we’ve been, where we’re going, and possibly even personal financial information.
In some ways, this shift is both valuable and necessary. A car with an active real-time data connection can incorporate more autonomous driving features, which need to make constant calculations about the vehicle’s surrounding environment to keep its occupants safe. On top of that, there’s the matter of convenience. For example, many people would be happy to have their cars store their credit card information and automatically pay for their morning cups of coffee at the drive-thru. The Mercedes-Benz MBUX infotainment system has been capable of over-the-air updates since its launch in 2018 and has since added functionality such as locating available parking spaces and playing quiz games.
On the other hand, the price of this advancement is that our personal information becomes highly vulnerable, and the technology required to adequately protect it has not been keeping up, according to AJ Khan, CEO of Vehiqilla, Inc., and an industry leader in automotive cybersecurity.
“If you look at the state of cybersecurity right now in vehicles, there is a lot of work to be done,” Khan said. “The good news is we know that that work needs to be done, but I think a lot of effort needs to be there.”
Dr. Benjamin Fung, associate professor of information studies at McGill University, says the key difference with the data collected today is that it allows for inferences to be made about drivers and their lifestyles. This is not only personally identifying, but also has the potential to be highly lucrative and valuable.
“As a (car) manufacturer, if I know that you were browsing some TVs two days ago on the web and now you’re near a Best Buy where there’s a promotion, I may push this ad to your screen,” Fung said. “From the raw data, they can make those inferences on behaviour. In fact, it's quite obvious.”
More critically, informed consent is lacking for these types of data collection. Dr. Rajen Akalu, assistant professor of business law with Ontario Tech University, completed a study in 2019 in which he developed a proposed privacy code for connected vehicles. In doing so, he concluded that automakers currently gather consent from their customers in an overarching, take-it-or-leave-it style, often rolling together critical functions such as using location data for roadside assistance alongside other forms intended for behaviour analysis or monetization.
“What (current privacy legislation) tends to do is cause companies through their lawyers to draft boilerplate, standard privacy statements that are ostensibly about protecting privacy but are really more about defending the company against non-compliance,” Akalu said. “There is a certain value in keeping things vague. It allows for plausible deniability.”
For Mercedes-Benz’s part, the automaker updates its terms and conditions whenever new updates are being pushed that require new use of end user data, according to Mike Dosenbach, vice-president of cloud and connectivity for Mercedes-Benz Research & Development North America.
“We know that the safe and responsible handling of data is the basis for the acceptance of connected driving,” Dosenbach said.
Another concern yet to be addressed, Khan says, is the issue of how privacy laws change between jurisdictions. A car crossing international borders or even individual state lines in the U.S. could have its data subject to different degrees of legislative protection without its occupants’ knowledge.
“Canada has very stringent privacy laws, while in other places, especially the U.S., the privacy laws are more specific to a state,” Khan said. “Your data becomes susceptible to potential malicious attackers, depending on the state.”
At this juncture in this technology’s development, Khan says that providing education and transparency to consumers is critical for building trust. He suggests that a solution such as a rating system – along the lines of the safety ratings provided by the Insurance Institute for Highway Safety in the United States, for example – could help consumers clearly understand how well a given car is equipped to protect their personal information.
Until such solutions become more commonplace, he says the most important thing a driver can do is to ask plenty of questions, both of automakers and dealerships, about what types of data are being collected and how the information will be used and stored.
“Right now, consumers don't go and ask (about) the cybersecurity features of their vehicles,” Khan said. “Ultimately, it's the consumers who will be affected from a cyber breach. I think the consumers need to be educated on this point.”