Automobile Event Data Recorders (Black Boxes) and Privacy
Latest News
- Internet of Things Legislation Introduced in Senate, House: Bipartisan legislation governing the Internet of Things was introduced this week in the Senate and House of Representatives. Sens. Mark R. Warner (D-VA) and Cory Gardner (R-CO) along with Sens. Maggie Hassan (D-NH) and Steve Daines (R-MT) introduced the Internet of Things (IoT) Cybersecurity Improvement Act of 2019 in the Senate, and Reps. Robin Kelly (D-IL) and Will Hurd (R-TX) filed the bill in the House. The legislation would require the National Institute of Standards and Technology to set baseline security standards for Internet-connected devices. EPIC has diligently advocated for stronger regulation of IoT, and called attention to the privacy and security risks of connected cars in comments to NHTSA, complaints to the CFPB, congressional testimony, FTC workshops, petitions to NHTSA and an amicus brief to the Ninth Circuit. (Mar. 14, 2019)
- EPIC Urges Department of Transportation to Improve Framework on Connected Car Safety: In detailed comments to the Department of Transportation, EPIC urged the agency to establish national privacy and safety standards for connected cars. The agency requested comment on its revised framework that establishes "voluntary guidance" for the development of autonomous vehicles. "A connected car is the ultimate Internet of Things device," EPIC explained, highlighting the risks of autonomous vehicles. EPIC has diligently advocated for stronger regulation of IoT. EPIC has called attention to the privacy and security risks of connected cars in comments to NHTSA, complaints to the CFPB, congressional testimony, FTC workshops, petitions to NHTSA and an amicus brief to the Ninth Circuit. (Dec. 10, 2018)
- Senator Markey Insists on Privacy, Safety for Self-Driving Vehicles » (Dec. 6, 2018)
In a statement this week, Senator Markey said he would not permit legislation on self-driving cars to proceed until the bill created meaningful "safety, cybersecurity, and privacy protections" for consumers. In January, EPIC wrote to the Senate that industry self-regulation has not been effective and that "national minimum standards for safety and privacy are needed to ensure the safe deployment of connected vehicles." EPIC has long supported baseline protections in self-driving vehicles. EPIC has appeared before Congress, written to federal agencies, and provided amicus briefs about the privacy and security risks of autonomous vehicles. In comments to the European Commission this week, EPIC identified several key concerns related to connected cars.
- EPIC Urges European Commission to Address Security Risks of Connected Cars » (Dec. 5, 2018)
In comments to the European Commission, EPIC identified several key privacy and security concerns related to the development of connected cars. EPIC emphasized the need for comprehensive regulation to ensure the safety of connected vehicles and encouraged the Commission to require developers to build in safety measures, and not place new burdens on drivers. "Safety features should be under the hood, not on the dash board," EPIC wrote. EPIC has diligently advocated for stronger regulation of the Internet of Things, including connected vehicles. EPIC has highlighted the risks of connected cars in testimony before Congress, at the Federal Trade Commission, in comments to federal agencies, and in amicus briefs.
- EPIC to Congress: Examine "Connected Devices," Safeguard Consumer Privacy » (Mar. 6, 2018)
EPIC sent a statement to a House Committee on Energy and Commerce in advance of a hearing on the NTIA, a key technology policy agency. EPIC warned that "American consumers face unprecedented privacy and security threats," citing both data breaches and "always on" devices that record users' private conversations. EPIC said that Congress and the NTIA should establish protections that minimize the collection of personal data and promote security for Internet-connected devices. EPIC warned of growing risks to consumer safety and public safety. EPIC has testified before Congress, litigated cases, and filed complaints with the FTC regarding connected cars, "smart homes," consumer products, and "always on" devices.
- EPIC Warns Senate of Dangers of Connected Cars » (Jan. 24, 2018)
In advance of a hearing on self-driving cars, EPIC submitted a statement to the Senate on the privacy and security risks of autonomous vehicles. Researchers have been able to hack connected cars, and the vehicles have caused several accidents. EPIC told the Senate that industry self-regulation has not been effective and that "national minimum standards for safety and privacy are needed to ensure the safe deployment of connected vehicles." EPIC has worked extensively on the privacy and data security implications of connected cars, having testified on "The Internet of Cars" and submitted numerous comments to the National Highway and Transportation Safety Agency. In a recent amicus brief to the Supreme Court, EPIC underscored the privacy risks of modern vehicles, which collect vast troves of personal data.
- EPIC Warns Congress of Risks of "Internet of Things" » (Jan. 18, 2018)
In advance of a hearing on the Internet of Things, EPIC urged Congress to consider the privacy and safety risks of internet-connected devices. EPIC told Congress that the Internet of Things "poses risks to physical security and personal property" because data "flows over networks that are not always secure, leaving consumers vulnerable to malicious hackers." EPIC said that Congress should protect consumers. EPIC is a leader in the field of the Internet of Things and consumer protection. EPIC has advocated for strong standards to safeguard American consumers and testified before Congress on the "Internet of Cars."
- Connected Vehicles Bill Moves Forward in Senate, Privacy Reporting Added » (Oct. 4, 2017)
Today the Senate Commerce Committee favorably reported the "AV START Act," a bill that aims to facilitate the deployment of connected vehicles. The Committee adopted Senator Edward Markey's (D-MA) amendment that directs the National Highway Traffic Safety Administration to create a publicly accessible database to determine the personal data collected by connected cars, how that information is used, data minimization and retention practices, security measures, and privacy policies of car manufacturers. EPIC has long supported privacy protections for automated vehicles.
- NHTSA Revised Automated Vehicle Policy Lacks Privacy Safeguards, Senate Considers Draft Bill » (Sep. 12, 2017)
The National Highway Traffic Safety Administration released revised guidance for automated vehicles. The modified guidance encourages manufacturers to develop best practices to minimize cybersecurity risks. However, the NHTSA guidance lacks mandatory standards and fails to safeguard privacy, stating that the Federal Trade Commission is responsible for consumer privacy. Previous NHTSA guidance established privacy standards and required developers to minimize data collection. The Senate Commerce Committee is now considering the "AV START Act" concerning automated vehicles. The draft bill proposes voluntary cybersecurity and also lacks consumer privacy standards. Today the NTSB also released findings that Tesla's autopilot feature contributed to a highway fatality earlier this year. EPIC has long advocated for privacy and cybersecurity safeguards to be a central component of automated vehicle development.
- House Automated Vehicle Bill Lacks Privacy Standards, Would Preempt State Safeguards » (Sep. 7, 2017)
The House of Representatives has passed the "SELF DRIVE Act" to encourage the deployment of "automated vehicles" in the United States. Responding to widespread privacy concerns, the bill requires manufacturers to create "privacy plans" and asks the FTC to prepare a privacy study on the automated vehicle industry. The bill supports the development of "Privacy Enhancing Techniques," such as anonymization. But the SELF DRIVE Act lacks essential privacy and safety standards and would preempt stronger state laws. EPIC has repeatedly urged Congress and federal agencies to establish strong public safety standards for automated vehicles. EPIC also backs state efforts to develop privacy and safety safeguards.
- Senators Introduce Legislation to Strengthen Cybersecurity for Internet of Things » (Aug. 1, 2017)
A bipartisan group of Senators, including Senators Mark R. Warner (D-VA), Cory Gardner (R-CO), Ron Wyden (D-WA) and Steve Daines (R-MT), have introduced legislation to improve security of Internet-connected devices. The Internet of Things (IoT) Cybersecurity Improvement Act of 2017 would require "Internet of Things" devices purchased by the U.S. government to meet minimum security standards. IoT device manufacturers who sell products to the federal government must commit that their IoT devices: (1) are patchable; (2) do not contain known vulnerabilities; (3) rely on standard protocols; and (4) do not contain hard-coded passwords. "The proliferation of insecure Internet-connected devices presents an enormous security challenge," said EPIC Advisory Board member Bruce Schneier, "The risks are no longer solely about data; they affect flesh and steel." EPIC has been at the forefront of policy efforts to establish safeguards for IoT devices, connected cars, "smart homes," consumer products, and "always on" devices. A 2015 report from the Aspen Institute also explores "Policies for the Internet of Things."
- EPIC Provides Suggestions for "Self-Driving" Vehicle Legislation » (Jul. 5, 2017)
EPIC has sent a statement to Congress ahead of a hearing to discuss proposed self-driving vehicle legislation. The House Energy & Commerce Committee drafted several bills related to the development and deployment of "self-driving" vehicles. EPIC urged the Committee not to pre-empt states from issuing their own self-driving vehicle regulations, to encourage developers to be transparent in the development of autonomous vehicles, and to urge that advocacy groups be included in connected car advisory councils. EPIC has been a leading advocate for privacy and safety in the development of connected and autonomous vehicles and has participated in workshops, written to NHTSA, and actively informed Congress of privacy and safety related developments in connected and autonomous vehicles.
- EPIC Recommends National Safety Standard for "Self-Driving" Vehicles » (Jun. 28, 2017)
In remarks today to a joint workshop of the FTC and NHTSA, EPIC President Marc Rotenberg called for the establishment of national safety standards prior to the deployment of "self-driving" vehicles on the nation's highways. "Given the current vulnerabilities of networked communications, self-driving vehicles are simply unsafe at any speed," said Mr. Rotenberg. EPIC has participated in numerous NHTSA rule makings on auto safety, proposed stronger data protection standards for connected vehicles, and sided with consumers in a case concerning the risks of autonomous vehicles. In extensive comments for the FTC/NHTSA workshop, EPIC pointed to known vulnerabilities with Bluetooth communications, auto hacking, "level 3" control, malware and ransomware, auto repossession remote deactivation, and safety defects. EPIC urged the FTC and NHTSA to focus on "data protection, vehicle safety, consumer protection, and privacy." EPIC also said that the ability of states to develop safety standards must be maintained. EPIC warned that the failure to establish robust safety standards could be "catastrophic."
- EPIC Recommendations for Tech Week Meeting: Protect U.S. Consumers » (Jun. 20, 2017)
In advance of a White House / OSTP meeting on "emerging technologies," EPIC has sent a statement to the Office of Science and Technology Policy. EPIC urged the Administration to focus on consumer protection and address the numerous privacy and security risks related to the "Internet of Broken Things." EPIC recommended Privacy Enhancing Technologies, data minimization, and security measures for Internet-connected devices. EPIC also urged the Administration to issue regulations on drone privacy as mandated by Congress and to establish minimum safety standards for connected cars. EPIC warned that "The unregulated collection of personal data and the growth of the Internet of Things has led to staggering increases in identity theft, security breaches, and financial fraud in the United States."
- EU Parliament Releases Draft Report on ePrivacy Directive » (Jun. 19, 2017)
The European Parliament's Committee on Civil Liberties, Justice, and Home Affairs has released a draft report on regulations for privacy and electronic communications. The draft contains several proposals to strengthen online privacy, including end-to-end encryption in all electronic communications and a ban on encryption backdoors. Protecting the privacy of communications is "an essential condition for the respect of other related fundamental rights and freedoms," according to the report. EPIC has urged the FCC to follow developments with the ePrivacy Directive and has recommended the use of end-to-end encryption in applications including commercial e-mail and connected cars.
- EPIC Urges House Committee to Back Consumer Safeguards for Internet of Things » (Jun. 13, 2017)
EPIC has sent a statement to the House Energy and Commerce Committee in advance of a hearing on "IOT Opportunities and Challenges." EPIC raised the "significant privacy and security risks" of the Internet of Things. A recent report from the Pew Research Center on the Internet of Things underscores the need to develop new safeguards for what some call "The Internet of Broken Things." EPIC has been at the forefront of policy efforts to establish safeguards for connected cars, "smart homes," consumer products, and "always on" devices.
- EPIC Renews Call for Connected Cars Safeguards » (May. 2, 2017)
In comments to the FTC and NHTSA ahead of a June workshop, EPIC underscored the need to safeguard consumers and improve vehicle security. EPIC also defended the role of states that are developing new safeguards for connected vehicles. For more than a decade, EPIC has been a leading advocate for privacy and security measures for connected vehicles. EPIC routinely submits comments to federal agencies regarding the unique challenges that these vehicles present. EPIC has also testified before Congress, filed amicus briefs, and submitted statements on the risks of autonomous vehicles.
- EPIC Brings Attention to Auto "Starter Interrupt Devices" » (Apr. 5, 2017)
In a letter to the House Financial Services Committee about the Consumer Financial Protection Bureau, EPIC highlighted its complaint about automobile "starter interrupt devices." EPIC alleges that companies use these devices to monitor borrowers' location and disable vehicles in violation of the Consumer Financial Protection Act. EPIC has asked the Bureau "to enjoin their unfair and abusive practices." In testimony, detailed comments, and letters, EPIC has urged Congress to establish safety standards for connected vehicles. EPIC has also submitted comments to the CFPB on debt collection practices and publication of consumer complaint narratives.
- EPIC Urges Senate Commerce Committee to Back Algorithmic Transparency, Safeguards for Internet of Things » (Mar. 22, 2017)
EPIC has sent a letter to the Senate Commerce Committee concerning "The Promises and Perils of Emerging Technologies for Cybersecurity." EPIC urged the Committee to support "Algorithmic Transparency," an essential strategy to make accountable automated decisions. EPIC also pointed out the "significant privacy and security risks" of the Internet of Things. EPIC has been at the forefront of policy work on the Internet of Things and Artificial Intelligence, opposing government use of "risk-based" profiling, and recommending safeguards for connected cars, "smart homes," consumer products, and "always on" devices.
- Senators Markey and Blumenthal Introduce Bill to Protect Driver Privacy in Connected Cars » (Mar. 22, 2017)
Senators Edward Markey (D-MA) and Richard Blumenthal (D-CT) have introduced the "Security and Privacy in Your Car Act of 2017." The SPY Car Act would establish cybersecurity and privacy standards for new passenger vehicles, and establish a privacy rating system. A 2014 report from Senator Markey "detailed major gaps in how auto companies are securing connected features in cars against hackers." The bill would also prevent the use of driver data for marketing purposes without consent. In 2015 EPIC testified before Congress on the need for privacy and safety safeguards for connected vehicles. In 2016 EPIC filed an amicus brief in federal appeals court to protect consumers in cases involving connected vehicles.
- EPIC Complaint Seeks Investigation of Auto "Starter Interrupt Devices" » (Mar. 21, 2017)
EPIC has filed a complaint with the Consumer Financial Protection Bureau over the use of automobile "starter interrupt devices." The EPIC complaint alleges that companies use these devices to "monitor borrowers' real-time location, limit borrowers' movements to prescribed boundaries via geo-fencing technology, and disable vehicles in remote or dangerous locations" in violation of the Consumer Financial Protection Act. EPIC has asked the Bureau "to enjoin their unfair and abusive practices." In testimony, detailed comments, and letters, EPIC has urged Congress to adopt privacy and safety standards for connected vehicles. EPIC has also submitted comments to the CFPB on debt collection practices and publication of consumer complaint narratives.
- EPIC Asks Congress To Examine Privacy and Safety Concerns for Connected Cars » (Feb. 15, 2017)
EPIC has sent a letter to a House committee on Digital Commerce and Consumer Protection for a hearing on "Self-Driving Cars: Road to Deployment," urging the establishment of privacy and safety measures for connected cars. EPIC warned that connected vehicles raise substantial risks for consumers. EPIC explained that voluntary guidance and self-regulation do not provide meaningful protection. EPIC has testified before Congress and submitted detailed comments on the need for privacy and safety standards for connected vehicles.
- EPIC Urges Congress to Examine "Connected Devices," Safeguard Consumer Privacy and Protect Public Safety » (Feb. 2, 2017)
EPIC sent a letter to a House Subcommittee on Communications and Technology in advance of a hearing on the NTIA, a key technology policy agency. EPIC warned that "American consumers face unprecedented privacy and security threats," citing recent examples of hacks of devices, including home locks and cars, connected to the internet. EPIC said that Congress and the NTIA should establish protections that minimize the collection of personal data and promote security for Internet-connected devices. EPIC warned of growing risks to consumer safety and public safety. EPIC has testified before Congress, litigated cases, and filed complaints with the FTC regarding connected cars, "smart homes," consumer products, and "always on" devices.
- Aspen Institute Report Explores Artificial Intelligence » (Jan. 30, 2017)
The Aspen Institute released a report on the Artificial Intelligence workshop on connected cars, healthcare, and journalism. "Artificial Intelligence Comes of Age" explored issues at "the intersection of AI technologies, society, economy, ethics and regulation." The Aspen report notes that "malicious hacks are likely to be an ongoing risk of self-driving cars" and that "because self-driving cars will generate and store vast quantities of data about driving behavior, control over this data will become a major issue." The Aspen report discusses the tension between privacy and diagnostic benefits in healthcare AI and describes "some of the alarming possible uses of AI in news media." EPIC has promoted Algorithmic Transparency and has been at the forefront of vehicle privacy through testimony before Congress, amicus briefs, and comments to the NHTSA.
- EPIC Urges Senate Committee to Safeguard Consumer Privacy in Internet of Things and Telemarketing Bills » (Jan. 24, 2017)
EPIC sent a letter to the Senate Commerce Committee on Monday about privacy and security concerns in two pending bills. The DIGIT Act would "encourage the growth" of the Internet of Things and "help identify barriers to its advancement." The Spoofing Prevention Act would extend the laws prohibiting Caller ID spoofing to text messages, international calls, and Voice-over-IP calls. EPIC pointed out the "significant privacy and security risks" to American consumers of the Internet of Things. EPIC also argued for "a requirement that any automated calls reveal (1) the actual identity of the caller and (2) the purpose of the call." EPIC has been at the forefront of policy work on the Internet of Things, recommending safeguards for connected cars, "smart homes," consumer products, and "always on" devices. EPIC also supports robust telephone privacy protections and recently advised Congress on modernizing telemarketing rules.
- FTC Sues D-Link Over Poor Security in Internet Routers and Cameras » (Jan. 12, 2017)
The Federal Trade Commission has filed a lawsuit against Internet of Things device maker D-Link. The complaint alleges that D-Link failed to use adequate security in its internet cameras and routers despite promises that the devices were "easy to secure" and used "advanced network security." The poor security practices alleged by the FTC include using easily-guessed default passwords, mishandling code-signing keys, and storing usernames and passwords in plaintext. EPIC has worked extensively on the risks of the Internet of Things, recommending safeguards for connected cars, "smart homes," and "always on" devices. In 2013, EPIC submitted comments to the FTC addressing the security and privacy risks of IoT devices.
- Senate Explores Security of Ground Transportation, Witnesses Express Privacy Concerns » (Dec. 9, 2016)
The Senate Commerce Committee examined security issues in road and railroad transportation. Witnesses expressed concerns about the cybersecurity of commercial trucking networks, customer data, and hacking of a truck's braking systems. Witnesses also proposed a credentialing system for access port facilities. EPIC has submitted comments to NHTSA and testified before Congress on the safety and privacy risks of automated vehicles.
- EPIC Recommends Privacy and Safety Standards for Autonomous Vehicles » (Nov. 23, 2016)
In comments to the National Highway Traffic Safety Administration, EPIC has backed strong privacy and safety standards. Responding to the "Federal Automated Vehicles Policy," EPIC said self-regulation would not be enough to protect drivers in the United States. EPIC urged the safety agency to mandate the Consumer Privacy Bill of Rights, establish new oversight authority, and protect state privacy rules for autonomous vehicles. EPIC is on the front lines of vehicle privacy as well as efforts to regulate the "Internet of Things." EPIC also defends the right of states to develop strong privacy laws.
- EPIC to Testify on Car Privacy and Data Security » (Nov. 17, 2015)
EPIC Associate Director Khaliah Barnes will testify at a hearing on "The Internet of Cars" before the House Oversight and Government Reform on Wednesday, November 18, 2015. The hearing will address the safety and privacy issues confronting drivers in vehicles connected to the Internet. EPIC's prepared statement urges Congress to pass legislation establishing privacy and cybersecurity rules to protect driver data and prohibit malicious hacking of connected cars. EPIC states, "New vehicle technologies raise serious safety and privacy concerns that Congress needs to address." EPIC has previously examined the privacy and data security implications of the Internet of Things and the "Internet of Cars", and recommended strong safeguards for consumers.
- Senators Markey and Blumenthal Push Automakers to Protect Drivers from Remote Hacking » (Sep. 17, 2015)
Senators Edward Markey (D-MA) and Richard Blumenthal (D-CT) have sent letters to 18 automakers asking how each company is protecting drivers from remote hacking. Earlier this year, a reporter detailed his experience driving a hacked Jeep. Markey and Blumenthal have also introduced the SPY Car Act to establish cybersecurity and privacy requirements for new passenger vehicles. EPIC has urged the Transportation Department to protect driver privacy. EPIC has written extensively on interconnected devices, including cars, known as the "Internet of Things" and has also said that "cars should not spy on drivers."
- Senators Markey and Blumenthal Introduce Bill to Protect Drivers from Remote Hacking » (Jul. 21, 2015)
Senators Edward Markey (D-MA) and Richard Blumenthal (D-CT) have introduced the "Security and Privacy in Your Car Act of 2015." The SPY Car Act would establish cybersecurity and privacy requirements for new passenger vehicles, and inform consumers about the risks of remote hacking. The SPY Car Act follows a report from Senator Markey, which "detailed major gaps in how auto companies are securing connected features in cars against hackers." The bill would also prohibit manufacturers from using consumer driver data for marketing purposes without consumer consent. EPIC has urged the Transportation Department to protect driver privacy. EPIC has written extensively on interconnected devices, including cars, known as the "Internet of Things" and has also said that "cars should not spy on drivers."
- Senate Committee Approves Modest Driver Privacy Bill » (Mar. 30, 2015)
The Senate Commerce Committee voted unanimously to approve the Driver Privacy Act of 2015, a bipartisan bill limiting access to event data recorder or "black box" data. Under the Act, black box data could only be obtained with: (1) a court or administrative order; (2) consent of a car owner or lessee; (3) a federal transportation safety investigation if personal information is redacted; (4) emergency crash medical response; or (5) traffic safety research if personal information is redacted. The Senate Commerce Committee approved a stronger bill last year. EPIC previously recommended safeguards for black box data in USA Today and Costco Connect and then urged the Transportation Department to establish privacy rules for data access.
- Senator Markey Report Warns of Risks with "Connected Cars" » (Feb. 10, 2015)
A report from Senator Edward Markey (D-MA) finds lax privacy practices at leading auto manufacturers. The Senator said the safeguards in the auto industry for data collection are "inconsistent" and "haphazard." The investigation also revealed, "automobile manufacturers collect large amounts of data on driving history and vehicle performance." Senator Markey has called on the Department of Transportation and the Federal Trade Commission to issue rules to protect driver privacy and security. EPIC has urged the Department of Transportation to protect driver privacy. EPIC has written extensively on interconnected devices, including cars, known as the "Internet of Things" and said also that "cars should not spy on drivers."
- EPIC Urges Department of Transportation to Protect Driver Privacy » (Oct. 21, 2014)
EPIC has submitted detailed comments to the National Highway Traffic Safety Administration, urging the agency to protect driver privacy for "vehicle-to-vehicle" (V2V) technology. The technology transmits data between vehicles to "facilitate warnings to drivers concerning impending crashes." NHTSA is in the initial stages of mandating vehicle-to-vehicle technology. EPIC's comments pointed to several privacy and security risks with V2V techniques. EPIC urged NHTSA to "complete a more detailed privacy and security assessment of V2V communications" and to: "(1) not collect PII without the express, written authorization of the vehicle owner; (2) ensure that no data will be stored either locally or remotely; (3) require end-to-end encryption of V2V communications; (4) require end-to-end anonymity; and (5) require auto manufacturers to adhere to the Consumer Privacy Bill of Rights." Last year EPIC, joined by a coalition of consumer privacy organizations and members of the public, urged NHTSA to protect driver privacy and establish privacy safeguards for car "black boxes." For more information, see EPIC: Event Data Recorders and EPIC: Internet of Things.
- Car Data Privacy Bill Moves Forward in Senate » (Apr. 10, 2014)
The Senate Commerce Committee voted unanimously to approve the Driver Privacy Act, a bipartisan bill that would provide privacy safeguards for event data recorders or "black boxes." Introduced by Senators John Hoeven (R-ND) and Amy Klobuchar (D-MN), the bill prohibits unauthorized access to data that records the activities of drivers. Under the Act, data could only be obtained with: (1) written consent of all of the car owners or lessees; (2) a court or administrative order; (3) a federal transportation safety investigation if personally identifiable information is redacted; (4) emergency car crash medical response; or (5) traffic safety research if personally identifiable information is redacted. Last year EPIC, consumer privacy organizations, and members of the public urged the National Highway Traffic Safety Administration to protect driver privacy by establishing many of the proposed safeguards in the Driver Privacy Act. For more information, see EPIC: Event Data Recorders and Privacy.
- EPIC, Coalition Seek Privacy Safeguards for Car Data » (Feb. 12, 2013)
EPIC, joined by a coalition of privacy, consumer rights, and civil rights organizations, and members of the public, urged the National Highway Traffic Safety Administration to protect driver privacy and establish privacy safeguards for "event data recorders." The agency has proposed mandatory installation of "black boxes" in all cars and small trucks by 2014. Thirteen states have passed laws that limit the use of EDRs. EPIC recommended that the agency: (1) restrict the amount of data that EDRs collect; (2) conduct a comprehensive privacy impact assessment; (3) uphold Privacy Act protections; (4) require security standards for EDR data; and (5) establish best practices to fully protect the privacy rights of vehicle owners and operators. EPIC argued that it is contrary to reasoned decisionmaking for the agency to mandate massive data collection and not fully amend its current regulations to protect individual privacy. For more information, see EPIC: Event Data Recorders and Privacy and EPIC: The Drivers Privacy Protection Act (DPPA) and the Privacy of Your State Motor Vehicle Record.
- EPIC Urges Public Support for Driver Privacy Safeguards » (Feb. 6, 2013)
The National Highway Traffic Safety Administration has proposed regulations for event data recorders (EDR) that will become mandatory in all cars and small trucks by 2014. Building on state privacy laws, EPIC has urged the federal agency to adopt comprehensive privacy safeguards for vehicle owners and operators, including driver ownership of data, limitations on disclosure, and better security for the data collected. EPIC has also launched a national campaign to encourage public comments to the federal agency. To support EPIC’s comments, Tweet: "@EPICprivacy [Your Name] supports EPIC’s EDR Comments #EDRprivacy" or email EDRprivacy@epic.org with Your Name and the subject line "I support EPIC’s EDR Comments." The public can also submit comments directly to the agency. For more information, see EPIC: Event Data Recorders and Privacy.
- Federal Agency Proposes "Black Box" Mandate for Cars » (Dec. 14, 2012)
The National Highway Traffic Safety Administration has proposed that, beginning September 1, 2014, all new cars will be required to have Event Data Recorders. The devices record detailed information about drivers, which can be made available to insurance companies, the police, and others. Currently, there are minimal privacy protections in the draft regulation. The public will have until February 11, 2013 to provide comments to the agency. EPIC recommends that commentators urge the agency to "Strengthen privacy safeguards." For more information see EPIC - Event Data Recorders and Privacy and EPIC - Driver Privacy Protection Act.
Background
On December 13, 2012, the National Highway Traffic Safety Administration (NHTSA) published in the Federal Register a request for public comment on a proposed rule that would mandate that all automobiles manufactured for sale in the United States after September 1, 2014 must have an Event Data Recorder (EDR) or black box. The deadline for EDR public comment is February 11, 2013.
EDRs are devices that can internally record, retain and report 30 seconds of data related to drivers' operation of an automobile. The data stored may be accessed by third parties such as law enforcement for post-crash investigations or repair shops for diagnostic purposes. Since 1996, EDR technology has been included in automobiles sold in the United States. The amount of data required by NHTSA (30 seconds) is outlined in agency specifications, but the amount of data that may be collected is not limited by NHTSA.
Automobiles and computing technology are creating a new level of data services that drivers may access while traveling in lightweight vehicles. Computing technology is facilitating automation of many driving functions through applications such as cruise control, hands-free telephone calling, turn-by-turn directions, and Telematic (satellite) communication-based services. The increased use of computing components and telecommunication technology in cars is raising the level of data collection and sharing that is associated with drivers/owners. The volume and type of information collected can include location, condition of the car, data services accessed (phone use, programs listened to, radio station consumption), time spent in automobiles, operation data on the automobile, etc. The full list of data collected is known by automobile manufacturers and depends on the design of the computing and telecommunications capacity of the automobile. In many ways cars are becoming fully integrated with computing and telecommunication technologies, which makes them a new source of data collection on consumers.
Today, some high-end automobiles utilize wireless data transfer capabilities. This approach may become more common in the future. The United States Patent and Trademark Office (USPTO) has a patent application for remote wireless management of a vehicle's electronic control unit. The patent is currently under appeal. Wireless transfer of information means that no vehicle contact is necessary to access information. However, this method does not reduce the need to properly secure the vehicle’s Diagnostic Link Connector (DLC): anyone with a compatible reader could access data such as the Vehicle Identification Number (VIN), and could alter the VIN if it is not properly protected. The protection of the wireless data should be assured by taking steps to disallow access by unauthorized third parties to the DLC. Strong encryption may offer important security protection for the data and the EDR software. However, physical control over the device itself would remain a key component of protecting the data. If the integrity of the data is questioned, then the purpose of EDRs is undermined.
The key to securing EDR data from misuse or abuse, according to the IEEE-1616a Standard, is to seal the physical port of the EDR device with a lock, with the key held by the automobile owner. IEEE, a large, global technical professional organization, is dedicated to advancing technology for the benefit of humanity. Through its highly cited publications, conferences, technology standards, and professional and educational activities, IEEE is the trusted voice on a wide variety of areas ranging from aerospace systems, computers and telecommunications to biomedical engineering, electric power and consumer electronics.
The IEEE Standards Association, a globally recognized standards-setting body within IEEE, develops consensus standards through an open process that engages industry and brings together a broad stakeholder community. IEEE standards set specifications and best practices based on current scientific and technological knowledge. The IEEE-SA has a portfolio of over 900 active standards and more than 500 standards under development. The IEEE EDR standard is IEEE-1616a.
In the Federal Register/Vol. 77, No. 240, published on Thursday, December 13, 2012/Proposed Rules (PDF version, see page 74147), under "Data Retrieval," the following is stated: "Part 563 requires that each vehicle manufacturer ensure, by licensing agreement or other means, the commercial availability of retrieval tool(s) for downloading or imaging the required EDR data. The data-imaging tool must be commercially available no later than 90 days after the first sale of the vehicle for purposes other than resale."
History
In the digital information economy, law and policy advocates work in advance of broad adoption of new mobile telecommunication and computing technology to protect consumer privacy and sometimes civil liberty rights. Prudent measures to protect the public are welcomed, but when these measures are not accompanied by limitations that restrict the collection and use of personal information to the purpose of the collection, then secondary uses and potential abuses or misuses of personal information are likely.
For example, the E911 policy proposal, advanced as a consumer safety measure, required that all cell phones sold in the US use the Global Positioning System (GPS) or cell tower triangulation techniques to assure that the location of a cell phone could be determined. E911 Cell Phone and Smart Location identification requirements became law but are now used by third parties (e.g., cell phone app developers, cell phone companies, and law enforcement) to record data on the location of users.
The sole expressed purpose for E911 at the beginning of the policy debate was to locate cell phone users who were in need of emergency assistance. However, because limitations on the use of cell phone location data were not established in the law that created E911 on cell phones, this data has created a new area of advocacy work to protect consumer privacy and has opened legal arguments by law enforcement. The law enforcement argument over cell phone location data asserts that it should not be protected by the 4th Amendment to the Constitution of the United States. This Amendment's enforcement would require due process.
The relevance to the EDR debate is that, without safeguards and appropriate security measures, EDR data would someday create privacy and civil liberties challenges similar to those associated with E911 telecommunication technology. Further, the court decision in EPIC US v Jones dealt with legal questions that may not answer privacy and civil liberties challenges that involve the Telematic and EDR features associated with automobiles.
EDR Privacy Risks
Automobiles are integrating computing technology that enhances the ability of others to collect location and operation data in near real time. In the data-driven economy this data is of value. There are only 13 states with laws that address EDRs and vehicle operators.
- Lack of consumer knowledge of the technology's presence in vehicles
- Driver Access to EDR data
- Security of EDR data to assure chain of custody and accuracy
- Transparency on each type of event that would trigger data collection
- Universal law that outlines the purpose of the data collection and limits the use of EDR data to the purpose of the collection
- Driver control (ownership) of data
- Integration of EDR data collection with non-vehicle operation related features
- There are no limits on the number of data elements that NHTSA may require in the future
- There are no limits on EDR data collection, retention and use by third parties
EPIC on EDRs
- EPIC et al., Comments to NHTSA Docket No. NHTSA-2012-0177 (2013)
- EPIC Comments to NHTSA Docket No. NHTSA-2004-18029 (2004)
- EPIC Comments to NHTSA Docket No. NHTSA-2002-13546 (2003)
- The Next Data Privacy Battle May be Waged Inside Your Car, Jaclyn Trop, The New York Times, January 10, 2014
- A Black Box for Car Crashes, Jaclyn Trop, The New York Times, July 21, 2013
- Are Vehicle Black Boxes a Good Idea?, Marc Rotenberg, The Costco Connection, April 2013
- Black Boxes in Cars: Privacy, Safety Concerns with On-board Tech, CBS This Morning, April 1, 2013
- Another View: Steer Clear of Cars That Spy, Marc Rotenberg, USA Today, August 18, 2011
Articles
- Hackers Remotely Kill a Jeep on the Highway, WND, July 22, 2015
- The Times They Are A-Changin' for Transportation, Tom Kowalick, The Institute, March 10, 2014
- Driving Freedom: Black Boxes Still Lack Consumer Protection, Tom Kowalick, The Institute, February 12, 2014
- Keeping Your Car's Data Private, Kathy Pretz, The Institute, February 7, 2014
- Michigan gets $1.6M of 29-state Toyota settlement, David Shepardson, Detroit News Washington Bureau, February 15, 2013
- Can Both Tesla And The New York Times Be Right? Maybe., Joann Muller, Forbes, February 14, 2013
- Tesla To New York Times: It's On, Neal Ungerleider, February 14, 2013
- Tesla, New York Times trade shots over Model S coverage, James Holloway, Ars Technica, February 14, 2013
- Editorial: 'Black boxes' are in 96% of new cars, USA Today, January 6, 2013
- Analyst worries auto black boxes invite privacy abuse by officials, Mark Tapscott, Examiner, December 13, 2012
- Gov't Calls For Black Boxes In New Cars, Joan Lowy, Associated Press, December 7, 2012
- NHTSA gets White House OK to mandate vehicle 'black boxes', David Shepardson, Detroit News Washington Bureau, December 6, 2012
- Justice Dept. to defend warrantless cell phone tracking, Declan McCullagh, CNET, October 2, 2012
- The Automotive Black Box Data Dilemma, Willie D. Jones, IEEE Spectrum, April 4, 2012
- Emerging Technologies at Odds with Long-Held Privacy Tenets, Leslie A. Gordon, ABA Journal, May 1, 2011
Resources