Washington – As both Congress and the federal government struggle to develop a strategy for the Internet of Things and responding to the increasing use of connected devices, including automobiles, Senators Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.), members of the Commerce, Science and Transportation Committee, introduced legislation Tuesday that would direct the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to establish federal standards to secure our cars and protect drivers’ privacy. The Security and Privacy in Your Car (SPY Car) Act also establishes a rating system — or “cyber dashboard”— that informs consumers about how well the vehicle protects drivers’ security and privacy beyond those minimum standards.
Last year, Senator Markey released the report Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk, which detailed major gaps in how auto companies are securing connected features in cars against hackers. For example, only two of the 16 car companies had developed any capability to detect and respond to a hacking attack in real time and, and most customers don’t even know that their information is being collected and sent to third parties.
“Drivers shouldn’t have to choose between being connected and being protected,” said Senator Markey. “We need clear rules of the road that protect cars from hackers and American families from data trackers. This legislation will set minimum standards and transparency rules to protect the data, security and privacy of drivers in the modern age of increasingly connected vehicles. I look forward to working with Senator Blumenthal to ensure auto safety and security in the 21st century.”
“Rushing to roll out the next big thing, automakers have left cars unlocked to hackers and data-trackers,” said Senator Blumenthal. “This common-sense legislation protects the public against cybercriminals who exploit exciting advances in technology like self-driving and wireless connected cars. Federal law must provide minimum standards and safeguards that keep hackers out of drivers’ private data lanes. Security and safety need not be sacrificed for the convenience and promise of wireless progress. I thank Senator Markey for his leadership and profoundly significant fact-finding in protecting consumers. The road to new auto technology is wide enough for both progress and privacy.”
“We feel that as cars become more connected, software security becomes more important,” said Chris Valasek, Director of Vehicle Security Research at IOActive and Charlie Miller, security researcher. “In addition to robust, well-tested software, technology for monitoring, logging, detecting, and possibly stopping attacks should also be implemented.
“As America’s vehicles become more and more connected to the internet, and wireless vehicle to vehicle technology adds important safety to tomorrow’s cars, vital security and privacy concerns need to be addressed as well,” said Jack Gillis, Consumer Federation of America. “Senator Markey and Blumenthal’s SPY Car Act will help prevent hacking attacks and insure personal privacy as new vehicle safety and monitoring technology is introduced.”
The SPY Car Act includes the following cybersecurity and privacy provisions, as well as the establishment of a rating system, or “cyber dashboard”:
- Cybersecurity Standards
NHTSA, in consultation with the FTC, should develop standards that prevent hacking into our vehicle controls systems. These performance standards should require that:
- Hacking protection: all access points in the car should be equipped with reasonable measures to protect against hacking attacks, including isolation of critical software systems and evaluated using best security practices, such as penetration testing;
- Data security: all collected information should be secured to prevent unwanted access—while stored on-board, in transit, and stored off-board; and
- Hacking mitigation: the vehicle should be equipped with technology that can detect, report and stop hacking attempts in real-time.
II: Privacy standards
The FTC, in consultation with NHTSA, should develop privacy standards on the data collected by our vehicles. These standards should require:
- Transparency: owners are made explicitly aware of collection, transmission, retention, and use of driving data;
- Consumer choice: owners are able to opt out of data collection and retention without losing access to key navigation or other features (when technically feasible), except for in the case of electronic data recorders or other safety or regulatory systems; and
- Marketing prohibition: personal driving information may not be used for advertising or marketing purposes without the owner clearly opting in.
III: Cyber dashboard
NHTSA, in consultation with FTC, should establish a “cyber dashboard” that displays an evaluation of how well each automobile protects both the security and privacy of vehicle owners beyond those minimum standards. This information should be presented in a transparent, consumer-friendly form on the window sticker of all new vehicles.