This is the property of the Daily Journal Corporation and fully protected by copyright. It is made available only to Daily Journal subscribers for personal or collaborative purposes and may not be distributed, reproduced, modified, stored or transferred without written permission.

Administrative/Regulatory,
Transportation

Nov. 21, 2017

Your car knows if you’ve been bad or good

Thank goodness there's still a place where a person can escape from having her every move tracked and recorded -- the automobile. Or maybe not.

Anita Taff-Rice

Founder, iCommLaw

Technology and telecommunications

1547 Palos Verdes Mall # 298
Walnut Creek, CA 94597-2228

Phone: (415) 699-7885

Email: anita@icommlaw.com

iCommLaw® is a Bay Area firm specializing in technology, telecommunications and cybersecurity matters.

CYBERSLEUTH

Newspapers this year have been filled with stories about the increasingly personal data being collected by commonplace devices in homes from thermostats to televisions to toys. Thank goodness there's still a place where a person can escape from having her every move tracked and recorded -- the automobile. Or maybe not.

Everyone knows by now that certain devices a person brings into a car collect data. Cellphones constantly poll the cellular network, providing their location so that incoming calls can be routed to them. GPS navigation systems also store data on location and prior destinations. But very few people realize there is a "black box" built into most cars and light trucks that records detailed data about the vehicle.

More than a decade ago, the National Highway and Transportation Safety Administration was considering whether to require manufacturers to install "event data recorders." Many car manufacturers began installing the EDRs voluntarily, so instead of requiring the devices, the NHTSA issued regulations requiring those devices to be capable of capturing a standard set of data including driving speed, whether the brake was activated in the moments before a crash, crash forces at the moment of impact, and air bag deployment timing. 49 C.F.R. Part 563. The regulations also require data be recorded on occupant position, occupant size, presence of a passenger, whether seat belts are used and the position of the seats. 49 C.F.R. Part 563.7. So that the data could be easily recovered, the regulations also required manufacturers to ensure a commercial tool would be available for retrieval of the recorded data by manufacturers and law enforcement, but not the car owner. 49 C.F.R. Part 563.12.

The NHTSA regulations were issued for the laudable purpose of gathering data that could lead to safer cars by reviewing accident specifics. And unlike many government regulations, at least minimal thought was given to privacy. The NHTSA regulations required car manufacturers to include language in the car owner's manual that the car was equipped with an EDR. Of course almost no one reads the manual even to figure out how to operate the car's systems and gadgets, and even fewer read the manual to discover whether there are any undisclosed recording devices installed in the car. Not too surprising that more than a decade later, most car owners have no idea that an EDR has been installed in their cars.

In part due to pressure from consumer groups, Congress finally passed the Driver Privacy Act in 2015 generally making data recorded by EDRs the property of the car owner or lessor, and restricting disclosure without the owner's consent. The National Conference of State Legislatures reports that 17 states have also enacted some form of legislation relating to privacy of EDR data.

Car makers, however, have ideas of their own. The Global Automakers association, a group of 19 manufacturers (including U.S. automakers General Motors, Chrysler and Ford), has issued a set of "principles" that substantially limit the benefits of the Driver Privacy Act. The EDR data may be owned by the consumer, but the automakers will dictate almost everything else. The automakers decline to allow customers to view the data collected by the EDR in their cars and further, disallow car owners from opting out or disconnecting the EDRs.

The automakers' statement on data retention is the definition of political double-speak. The car manufacturers "commit to making a deliberate determination regarding whether and how long to keep personally identifiable information. When this personal information is no longer necessary for legitimate purposes, automakers commit to deleting or de-identifying the information." Wow.

If their underwhelming commitment to privacy of EDR data is any indication, the automakers can be expected to resist any efforts to protect consumer data generated by "connected cars" of the future. Sophisticated devices and communications systems are being deployed in cars for entertainment, performance and safety. Such systems provide a vast new source of data on occupants in the car, not just entertainment choices but detailed tracking of a driver's location, stops and even his or her physical functioning.

Ford experimented a few years ago with embedding heart rate monitors into car seats to monitor drivers' stress levels. A university in England and a German institute are reportedly developing electrocardiogram systems that could be embedded into car seats. These systems would monitor heart rate and alertness to detect when the driver may fall asleep at the wheel. A Spanish institute is working on seat belt embedded sensors that measure respiration. Can an audio monitoring system that listens for driver snoring be far behind?

Devices that detect driver impairment certainly could have legitimate and beneficial purposes, but manufacturers shouldn't be allowed to make drivers and occupants of cars unwilling or unwitting data generators. Auto manufacturers claim their privacy principles "rest on" the Federal Trade Commission's Fair Information Practice Principles for online transactions of data collected from occupants of cars. The FIPP best practices for online privacy are based on five core principles: notice to consumers of how data is collected and how it will be used; providing options to consumers on how their data is used; providing opportunity for consumers to view their data and to contest its accuracy; protection of consumers' data; and enforcement of privacy measures (ranging from self-regulation to private remedies or criminal penalties). Automakers' principles bear little resemblance.

NHTSA and states are developing safety regulations for leading-edge technology to be used in autonomous and driverless vehicles, but they should be equally concerned about privacy of data captured by new technologies. A good start would be for NHTSA and states to issue regulations requiring that automakers comply with the FTC principles, allowing consumers to dictate how their car-generated data is collected, stored and used.
