Automotive CybersecurityAutonomousConnected Vehicle

FTC warns connected car legislation could weaken the security and privacy principles

Published: October 24, 2015 | Washington, DC

The Energy & Commerce Committee of the U.S. House of Representatives held a hearing on October 21st titled Examining Ways to Improve Vehicle and Roadway Safety to consider (among other matters) Vehicle Data Privacy legislation for internet-connected cars.

The proposed legislation includes requirements that auto manufacturers:

  • “Develop and implement” a privacy policy incorporating key elements on the collection, use and sharing of data collected through technology in vehicles. By providing the policy to the National Highway Traffic Safety Administration, a manufacturer earns certain protection against enforcement action under Section 5 of the Federal Trade Commission Act.
  • Retain data no longer than is determined necessary for “legitimate business purposes.”
  • Implement “reasonable measures” to ensure that the data is protected against theft/unauthorized access or use (hacking).
Manufacturers that fail to comply face a maximum penalty, per manufacturer, of up to $1 million. The penalty for failure to protect against hacking is up to $100,000 per “unauthorized” access.

The Federal Trade Commission provided feedback on proposed legislation to address privacy and security concerns through an official testimony. This testimony noted that the Commission has been actively examining privacy and security issues related to connected cars, specifically pointing to the National Highway Traffic Safety Administration on its proposed vehicle-to-vehicle privacy and data collection rule-making. 

In regards to the proposed legislation, the testimony of Maneesha Mithal, associate director of the FTC’s Division of Privacy and Identity Protection noted that it “could substantially weaken the security and privacy protections that consumers have today.”

Maneesha_Mithal_FTC_Connected_Car_LegislationsThe testimony stated that the proposed safe harbor for auto manufacturers who submit privacy policies to the Department of Transportation was possibly too broad, allowing manufacturers a safe harbor from FTC enforcement actions even for privacy policies that significantly limit consumer protections, and even if they do not follow the terms of the privacy policies they submit. In addition, the safe harbor would prevent the FTC from taking action related to privacy issues beyond a manufacturer’s cars, including its use of consumer data collected from its websites. Finally, the safe harbor would allow manufacturers to make changes to privacy policies that would apply retroactively to consumer data that was collected previously.

The testimony also expressed support for the goal of deterring criminals from accessing vehicle data.

The testimony noted, however, that portions of the proposed legislation related to hacking would reduce researchers’ incentive to seek out privacy and security vulnerabilities in consumer products, and that the work of these researchers has been important to enhancing consumer security.

Furthermore, the testimony also expressed concern with provisions of the draft legislation regarding the creation of a council to develop cybersecurity best practices for the industry. The hearing agenda, as well as the text of the draft legislation is available here.

Source: FTC
Tags

Related Articles