Several automakers have agreed on a set of privacy principles that they say will govern the way that they handle personal information generated by vehicles, geolocation data and other sensitive information that is being produced by in-car computers and networks.
The principles are the result of discussions among many of the world’s major car manufacturers, along with the Federal Trade Commission, and come at a time when automakers are under increased scrutiny from regulators and researchers for their security and privacy practices. Security researchers have been focusing more and more attention on the security and operations of embedded systems in the last couple years, and vehicles have been at the forefront of that movement. Well-known researchers Charlie Miller and Chris Valasek have demonstrated a number of weaknesses in the systems in various cars, including areas ripe for remote exploitation.
But the privacy of the information collected and generated by the computers in modern vehicles hasn’t gotten as much attention. However, the government has been pressuring automakers to address the issue before it becomes a serious problem. In a document sent to the FTC, members of the Association of Global Automakers and the Alliance of Automobile Manufacturers committed to a set of privacy principles, including:
- Our members will not disclose the customer’s geolocation data to the government unless the government produces a warrant or a court order.
- Our members will not market to their customers using identifiable personal data collected by the vehicle unless the customer explicitly agrees.
- Our members will not share sensitive personal data collected by the vehicle with data brokers and other third parties unless the customer explicitly agrees.
- Our members will each have a dedicated web portal that will contain their privacy information.
Just a few years ago, the idea of automotive privacy would’ve mostly involved tinted windows. But the advent of ubiquitous and powerful onboard computers in vehicles loaded with features such as GPS, Bluetooth connectivity and high-speed WiFi have shifted the discussion dramatically.
“Automakers are integrating innovative systems in the initial stages of design and production providing consumers with safe, smart, and sensible vehicle choices,” said John Bozzella, president and CEO of Global Automakers, a trade group that represents foreign manufacturers, including Ferrari, McLaren, Nissan and Honda. “As advanced technologies continue to evolve and become increasingly data driven, we will continue to adopt best practices and work with experts and other stakeholders to ensure consumers are protected.”
In their letter to the FTC, the trade groups say that the rapid adoption of advanced technology in vehicles is a challenge for automakers. The principles in the privacy framework comprise transparency, choice, respect for context, data minimization, data security, integrity and access, and accountability. Earlier this year, automakers also notified the National Highway Traffic Safety Administration that the industry will work toward establishing an ISAC in order to share security vulnerability and threat data.