As technology continues to evolve and become integrated into our lives, there are significant questions about privacy and security. We’ve discussed before the “Internet of Things,” which is a computerized network of physical objects. In IoT, sensors and data-storage devices embedded in objects interact with Web services. Such connected televisions, refrigerators and other devices can raise privacy and security questions.
For example, consider the “smart” or “connected” car. People buy such vehicles for the benefits of integrating technology into something where they can be for hours at a time. Your car or truck knows where you go and when. It knows how fast you drive and how quickly or slowly you brake. Your car knows if you’re wearing a seatbelt.
Privacy experts have noted that unclear or vague privacy or usage policies could allow companies that collect drivers’ sensitive data to share or sell that information with others, creating databases that may invade the privacy of consumers. For example, the locations where individuals drive to could reveal deeply personal information. Do you go to a church or mosque at the same time every week? Have you visited an adoption or fertility organization? Did you join a protest or demonstration? Did you recently start going to a building that includes the offices of several psychotherapists or one that houses a drug addiction clinic?
One privacy issue recently arose with connected automobiles — and it caught many people off-guard. ABC25 in West Palm Beach, Fla., reported that a Ford car with opt-in 911 Assist allegedly ratted out a hit-and-run driver in Florida.
Around the same time [as the hit-and-run accident], police dispatch got an automated call from a vehicle emergency system stating the owner of a Ford vehicle was involved in a crash and to press zero to speak with the occupants of the vehicle.
The person in the vehicle, Cathy Bernstein, told dispatch there had been no accident, that someone pulled out in front of her and that she was going home. She said she had not been drinking and didn’t know why her vehicle had called for help.
After police interviewed Bernstein and viewed her damaged car, she was arrested. Notably, the 911 Assist feature is opt-in, so the driver turned on the feature. However, it’s unlikely she thought about the consequences of her car automatically dialing the police if it believed it had been in an accident. This goes to the point about individuals not fully understanding connected devices.
The Government Accountability Offices considered the issue of privacy and automobiles with “in-car” services. In a report (pdf), the agency interviewed and assessed the privacy practices of selected carmakers, GPS device companies, and mobile map application firms. (The agency said it chose the companies “because they represent the largest U.S. market share or because their services are widely used.”) The GAO found: “All 10 selected companies have taken steps consistent with some, but not all, industry-recommended privacy practices. In addition, the companies’ privacy practices were, in certain instances, unclear, which could make it difficult for consumers to understand the privacy risks that may exist.”
Automakers have considered the issue and last year, 19 signed onto “privacy principles” (pdf) for in-car technology. Of note, they said, “sensitive information, like geolocation information and driver behavior information receives heightened protection.” Also important: The privacy principles are voluntary.
Beyond the privacy issues we’ve discussed, there are also security issues. The consequences of a hacker attack on a vehicle could be deadly. In July, a Wired reporter wrote about an experiment where security researchers were able to remotely take over the Jeep that he was driving — at 70 mph on a highway. They initially accessed controls for the air conditioning and radio, making innocuous hacks. But then they cut the transmission, and the accelerator stopped working. “I didn’t panic. I did, however, drop any semblance of bravery, grab my iPhone with a clammy fist, and beg the hackers to make it stop.”
Earlier this year, the Washington Post delved into the issue of hackers attacking cars with wireless features.
“They haven’t been able to weaponize it. They haven’t been able to package it yet so that it’s easily exploitable,” said John Ellis, a former global technologist for Ford. “You can do it on a one-car basis. You can’t yet do it on a 100,000-car basis.”
Yet Ellis and other experts fear the race to secure the Internet of Things already is being lost, that connectivity and new features are being added more quickly than effective measures to thwart attacks. […]
If a hacker-proof car was somehow designed today, it couldn’t reach dealerships until sometime in 2018, experts say, and it would remain hacker-proof only for as long as its automaker kept providing regular updates for the underlying software — an expensive chore that manufacturers of connected devices often neglect. Replacing all of the vulnerable cars on the road would take decades more.
While targeted attacks on select connected automobiles aren’t currently easy to complete successfully, the threat remains. There is also the threat of an attack on a widespread group of vehicles. Consider also what kind of damage could be done with a widespread attack on individual or groups of connected homes. Sometimes, there are vulnerabilities and consequences that aren’t apparent to individuals. The privacy and security risks are real, and we need to address them.