Marshall Chase, Associate Director, Advisory Services, BSR

Over the past few weeks, academic researchers have demonstrated the ability to remotely hack into and control vehicle locks, brakes, and other systems, and Massachusetts Senator Edward Markey recently released a critical report on the security and privacy of electronic systems in new cars. While the public has been discussing security and privacy concerns in industries like social media, finance, retail, healthcare, and telecommunications for a couple of years now, this recent news is a warning to the auto industry: We haven’t seen a large-scale vehicle hack or data breach (yet).

The industry recognizes these concerns, and is starting to address them. Individual companies are increasing their attention to cybersecurity. As highlighted in the Markey report, late last year, industry associations agreed to a set of privacy principles, and an industry spokesman pledged that automakers would increase protections to “go beyond similar principles in other industry sectors.”

But the report notes that more needs to be done to raise awareness and protect the public, including establishing government standards. BSR’s work with information and communications technology (ICT), healthcare, and other companies suggests that a more comprehensive approach is needed. We see four significant areas for development:

  1. Incorporate human rights norms. In addition to potential dangers to human life from vehicle hacking, there is a likelihood that law-enforcement agencies will request that auto companies share information about drivers with the government, such as current location, travel history, and communications data. Through efforts such as the Global Network Initiative, the ICT industry has established principles to balance the responsibility to assist with law-enforcement requests with the responsibility to respect user privacy (a right enshrined in Article 12 of the Universal Declaration of Human Rights). Auto companies could usefully do the same. More generally, following the UN Guiding Principles on Business and Human Rights, automakers should maintain appropriate policies (as many do) and conduct human rights impact assessments that include user privacy and security issues. They can also adopt strategies, processes, and trainings to address relevant human rights impacts.
  2. Understand the implications of where data are produced and held. Cars and data both move across borders. If a connected car crosses the U.S.-Canada border, or the border between Latvia and Russia, it might alter the type of data that can be collected, where that data can be stored, and who has access to it. As of this September, for example, Russian law will require data collected about its citizens to be stored on Russian soil. These issues are complex, and companies should consider, for instance, whether jurisdictional powers cover the location of the car, or the location of the data center.
  3. Understand who manages the data. Data from connected cars may be collected by the automakers, by equipment manufacturers or service providers, or by other contracted parties. While the industry’s Consumer Privacy Protection Principles say that signatories will “encourage those businesses to respect the privacy of [users],” they also note that the principles apply only to participating members. To maintain consumer trust, automakers will need to ensure that whoever handles user data abides by basic rules to protect privacy.
  4. Increase transparency. So far, automakers are not saying a lot about the Markey report, or about how they handle vehicle data security and privacy. In contrast, many leading ICT companies have started disclosing more about how they handle data, and about government requests for data. If the auto industry is to truly “go beyond other industry sectors,” companies will have to offer more detail about the data they collect and how it is used.

Ultimately, the world of connected cars and smart transportation holds tremendous promise for a safer, cleaner, more connected society. Measures to ensure security and privacy are needed to support consumer confidence and adoption, so that concerns don’t become a roadblock to progress—or worse, an avenue to violate human rights. And the auto industry is in a good position: It is especially important to incorporate these and related considerations, such as “Privacy by Design” principles, into the early stages of rapid technological change. Companies can do this now, before a major incident, instead of in reaction to one.