Senators Say Cybersecurity Should be Top Priority for Autonomous Vehicles

Self-Driving Cars Need Regulations, But Commercial Priorities May Prevail Over Consumer Privacy

The arrival of autonomous vehicles (AV, or self-driving vehicles) on the public highways is getting closer. Just this month (June 2017), Nutonomy announced a partnership with Lyft for R&D on its existing AV testing on the streets of Boston. Lyft announced yesterday that by 2025 it will provide "at least 1 billion rides per year using electric autonomous vehicles." Also this week, Japanese robotics firm ZMP announced its plan to have an AV taxi on the streets of Tokyo in time for the 2020 Olympics. The need for AV regulation is pressing.

The U.S. Senate Commerce, Science, and Transportation Committee responded Tuesday by releasing bipartisan principles for AV legislation ahead of a Wednesday hearing titled 'Paving the way for self-driving vehicles.' The authors of the principles, U.S. Sens. John Thune (R-S.D.), Gary Peters (D-Mich.), and Bill Nelson (D-Fla.), plan to introduce legislation, but have so far set neither a date nor deadline for this.

The principles focus on safety, promoting innovation, tech-neutral legislation, clarification over federal and state responsibilities, public education, and -- of course -- cybersecurity. The last is minimal. The document states that cybersecurity must be included 'from the very beginning of their development,' and that "Legislation must address the connectivity of self-driving vehicles and potential cybersecurity vulnerabilities before they compromise safety."

In short, it addresses cyber vulnerabilities, but not user privacy. The former is necessary. Researchers have shown for years that the onboard computer systems of existing non-autonomous vehicles are vulnerable to hacking, from the Valasek/Miller research in 2010 to the Tesla hack late last year.

But user privacy is also important. In March this year, Sens. Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.), members of the same committee, re-introduced their own SPY Car Act -- which specifically requires a dashboard to inform consumers "about the extent to which the motor vehicle protects the cybersecurity and privacy of motor vehicle owners, lessees, drivers, and passengers beyond the minimum requirements."

The lack of privacy conditions in this week's bipartisan principles would suggest two camps within the Commerce, Science, and Transportation Committee: one that seeks to prioritize the commercial value of AV, while the other seeks to also protect the privacy of AV users. The reality of modern business is that you cannot maximize both simultaneously.

The dearth of security priority in this week's approach also shows itself in the currently available details of Wednesday's hearing. The introductory remarks from Chairman John Thune talk about the expected benefits from AVs, but never once mention security or privacy.

There are four published statements for the hearing: The Alliance of Automobile Manufacturers, The American Center for Mobility (ACM), Mothers Against Drunk Driving, and Nvidia. Three of these statements never mention security or privacy.

Only ACM broaches these subjects, but specifically calls for 'voluntary standards'. "Additional voluntary standards are needed immediately to ensure that these new approaches in testing, validation, data collection, data-sharing, privacy, cybersecurity, and other areas are developed to ensure safety, while not inhibiting or stalling the technology development."

Most security professionals believe that voluntary privacy standards simply do not work -- they need to be backed by strict legislation with strong sanctions (see, for example, GDPR). ACM's declaration that it "will fully protect consumer and public privacy and security, and will take steps to ensure that any data or information sharing activities do not violate, hinder, or compromise integrity of any consumer privacy/security agreements or arrangements put in place by manufacturers, testers, agencies, public entities, or by ACM itself" is welcome, but simply continues the concept of self-regulation.

The size, reach and monetary value of the consumer data industry make it unlikely that user privacy can be maintained voluntarily -- and it is improbable that many people fully understand the extent to which they are currently profiled. A new and detailed analysis (PDF) published this month by Cracked Labs (Vienna) analyzes 'how companies collect, combine, analyze, trade, and use personal data on billions.' It concludes, "we might soon end up in a society of pervasive digital social control, where privacy becomes -- if it remains at all -- a luxury commodity for the rich. The building blocks are already in place."

In the coming mass market of self-driving vehicles, only time will tell whether the privacy-protecting proposals of the SPY Car Act or the commerce-promoting stance of this week's new proposals will prevail.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.