Opinion: An automotive privacy collision

The National Highway Traffic Safety Administration owes it to motorists to set more robust and clearer privacy standards for connected cars.

For many motorists, privacy concerns end with whether or not another driver can spot the occasional nose pick.

But as cars become more connected, and on-board information systems become like fully functional computers that track motorists' every move, there are plenty of reasons to be more guarded about privacy while behind the wheel.

The National Highway Traffic Safety Administration (NHTSA) recently released an Automated Vehicle Policy with a section on privacy considerations. But it left many questions unanswered.

What are carmakers actually collecting about drivers? Who are they sharing it with? What are car companies doing to protect that information? And how will drivers know when they're giving away too much personal information? 

Here's a look at some of the points the NHTSA raises and what those could mean for drivers.

"Provide consumers with accessible, clear, meaningful data privacy and security notices. Explain how entities collect, use, share, secure, audit, and destroy data generated by, or retrieved from, their vehicles."

Automotive companies and software makers need to remember that drivers will be viewing privacy notices and agreements on a relatively tiny screen, in a high-risk environment that necessitates being alert and aware. These kinds of notices should be presented in ways that aren't easy to ignore but also shouldn't make drivers go through a lot of annoying steps.

"Offer consumers choices regarding the collection, use, sharing, retention, and deconstruction of data, including geolocation, biometric, and driver behavior data."

Tracking drivers can have direct, physical consequences if that information is shared indiscriminately. Because the stakes are high, automotive tech firms need to make these kinds of consumer choices easy to understand. And people need to be able to withdraw consent at a future date, if they decide they no longer want to allow certain information to be tracked or shared.

"Use data only in ways that are consistent with the purposes for which it was originally collected."

This is where things get dicey. There's no commonly accepted use yet of driver data. The "Respect for Context" section of the Consumer Privacy Bill of Rights, which is frequently referenced in the NHTSA document, mentions targeted ads as something that some people now expect, but acknowledges that others find them problematic. This leaves a lot of ambiguity about what software makers are permitted to do with our data.

"Collect and retain only for as long as necessary the minimum amount of personal data required to achieve legitimate business purposes, and take steps to deidentify sensitive data."

While this is excellent advice for minimizing the exposure of data collected in cars, it's problematic when you consider location data. The routes each of us takes in our car between workplace and home, among other locations we frequent, are as unique as fingerprints.

"Implement measures to protect data that are commensurate with the harm that would result from loss or unauthorized disclosure of the data."

How would you quantify the harm that results from scammers getting something as "harmless" as your phone number and calling you hundreds of times a day? Or email addresses, which they could use to send you emails that might contain malicious software or harmful links? How would a software vendor quantify that same risk? I’m betting that their assessment would be wildly different than yours.

"Implement measures to maintain the accuracy of personal data, and permit users to review and correct information."

But how would they rate the problems associated with having bad data, compared to how you would rate it? And even if we could all agree on what the level of risk is, what should they be doing about it?

"Take reasonable steps to ensure that the entities that collect or receive consumers’ data comply with applicable data privacy and security agreements."

An excellent idea in theory, but vague in practice. Is it "reasonable" to just ask those entities once and take their word for it? Or does "reasonable" mean auditing those entities on a regular basis?

Unfortunately, this new automated vehicle policy inherits vague verbiage and the associated problems with the Consumer Privacy Bill of Rights. American motorists deserve better. If we can't come up with acceptable and clearer privacy standards for cars soon, drivers will simply remain lost when it comes to privacy on the road.

Lysa Myers is a security researcher at ESET. Follow her @LysaMyers.