This quarterly update summarizes key federal legislative and regulatory developments in the first quarter of 2022 related to artificial intelligence (“AI”), the Internet of Things (“IoT”), connected and automated vehicles (“CAVs”), and data privacy, and highlights a few particularly notable developments in the States. In the first quarter of 2022, Congress and the Administration focused on required assessments and funding for AI, restrictions on targeted advertising using personal data collected from individuals and connected devices, creating rules to enhance CAV safety, and children’s privacy topics.
Continue Reading U.S. AI, IoT, CAV, and Privacy Legislative Update – First Quarter 2022
connected cars
Dutch Supervisory Authority Investigates Connected Cars
On March 24, 2020, the Dutch Supervisory Authority (“SA”) announced the launch of a broad investigation into automobile manufacturers, to determine whether any violations of data protection laws have occurred in relation to connected cars.
The Dutch SA sent a questionnaire to all Netherlands-based car and truck manufacturers, asking what…
GAO Releases New Vehicle Data Privacy Report
On August 28, 2017, the U.S. Government Accountability Office (“GAO”) publicly released a report regarding consumer privacy issues associated with the rapidly increasing number of cars that are “connected”—i.e., capable of wirelessly monitoring, collecting, and transmitting information about their internal and external environments. The report examines four key issues: (1) the types of data collected by connected cars and transmitted to selected automakers, and how such automakers use and share such data; (2) the extent to which selected automakers’ privacy policies are in line with established privacy best practices; (3) selected experts’ views on privacy issues related to connected cars; and (4) federal roles and efforts related to consumer privacy and connected cars.
Process
The GAO turned to a variety of resources to explore the four identified issues. For starters, the GAO conducted a series of interviews with relevant industry associations, organizations that work with consumer privacy issues, and a sample of sixteen automakers (thirteen of which offered connected vehicles) based on their vehicle sales in the U.S. In addition, the GAO analyzed selected automakers’ privacy policies and compared them to privacy frameworks developed by the Organization for Economic Cooperation and Development (“OECD”) as well as the Federal Trade Commission (“FTC”), the National Highway Traffic Safety Administration (“NHTSA”), and the National Institute of Standards and Technology (“NIST”). Finally, the GAO consulted relevant sources (e.g., federal statutes, regulations, and reports) and interviewed agency officials, including those from the Department of Transportation (“DOT”), the FTC, and the Department of Commerce.
Cloud Security Alliance Releases Guidance for Securing Connected Vehicles
The increasing connectivity of vehicles has raised questions about how to maintain the security of connected vehicles. In response, on May 25, 2017, the Cloud Security Alliance released a 35-page research and guidance report, Observations and Recommendations on Connected Vehicle Security. The Cloud Security Alliance is a not-for-profit organization dedicated to promoting a secure cloud computing environment; its members include individuals and technology leaders such as Microsoft, Amazon Web Services, HP, Adobe, and Symantec. The comprehensive report includes a background on connected vehicle security design, highlights potential attack vectors, and provides recommendations for addressing security gaps.
The report discusses the multitude of ways that our vehicles are connected to the Internet, including through diagnostic tools, infotainment systems (such as satellite radio, traffic services, etc.), and remote entry and startup. Vehicles also communicate with other vehicles, with infrastructure and with applications, providing information such as vehicle position, speed, acceleration, and braking status. And, as the development of driverless cars continues, those vehicles will need to rely on communications with traffic lights, other vehicles, and pedestrians to maintain the safety of our roadways. Vehicles have also begun to be integrated into other IoT devices, such as Amazon Echo and NEST, which allow consumers to use those applications to remotely start, set environmental controls for, or track the location of vehicles.
As a result of this interconnectedness, the security risk to connected vehicles and the ecosystems that support them is great. In controlled situations, hackers were able to turn off the transmission of a Jeep Cherokee and reduce the speed of a Tesla Model S. Hackers could hijack a vehicle’s safety-critical operations, track a vehicle (and its occupants), or disable a vehicle, despite actions taken by the driver. The Cloud Security Alliance’s report provides a chart of approximately twenty possible attacks against connected vehicles.
Senators Reintroduce Cybersecurity Legislation for Cars and Planes
Senators Ed Markey (D-MA) and Richard Blumenthal (D-CT) reintroduced a pair of bills today relating to the cybersecurity of cars and aircraft, which would impose affirmative security, disclosure, and consent requirements on manufacturers and air carriers. The Security and Privacy in Your Car (“SPY Car”) Act and Cybersecurity Standards for Aircraft to Improve Resilience (“Cyber AIR”) Act were each introduced but not enacted in a previous session of Congress. In a joint press release, the Senators noted that the legislation was designed to “implement and improve cybersecurity standards for cars and aircraft.”
The SPY Car Act
The SPY Car Act would require cars manufactured for sale in the U.S. to comply with “reasonable measures to protect against hacking attacks,” including measures to isolate critical software systems from non-critical systems, evaluate security vulnerabilities, and “immediately detect, report, and stop attempts to intercept driving data or control the vehicle.” It would also require “driving data” collected by cars to be “reasonably secured to prevent unauthorized access,” including while such data is in transit to other locations or subsequently stored elsewhere. Violations of these cybersecurity requirements are subject to civil penalties of up to $5,000 per violation.
FTC Announces June Workshop on Connected and Automated Cars
The FTC announced today that it will hold a joint workshop on June 28, 2017 with the National Highway Traffic Safety Administration (NHTSA) to “examine the consumer privacy and security issues posed by automated and connected motor vehicles.” The announcement lists several discussion topics for the upcoming workshop:
- the types
…
Fiat-Chrysler Recalls 1.4 Million Vehicles In Response to Security Vulnerability
Last Friday, Fiat Chrysler announced the recall of 1.4 million vehicles to fix security vulnerabilities, further highlighting the importance of properly addressing cybersecurity issues created by the use of connected devices. The recall follows an article published last Tuesday by Wired magazine which described methods used by security researchers to…
Senate Holds Internet of Things Hearing
The U.S. Senate Committee on Commerce, Science, and Transportation held a hearing on February 11, 2015, entitled The Connected World: Examining the Internet of Things. The panelists included Justin Brookman, director of the Consumer Privacy Project at the Center for Democracy and Technology; Adam Thierer, a senior research fellow at George Mason University’s Mercatus Center; Lance Donny, CEO of OnFarm; Douglas Davis, Vice President and General Manager of Intel’s Internet of Things Group, and Michael Abbott, General Partner at Kleiner Perkins Caufield & Byers.
While the hearing covered a variety of Internet of Things (IoT) related topics, an overarching theme the Senators contemplated was how to strike the appropriate balance between encouraging IoT innovation and protecting privacy and data security. The opening statements of Chairman John Thune (R-SD) and Ranking Member Bill Nelson (D-FL) laid out the basic concerns underlying each side of this consideration. Chairman Thune suggested the Committee “tread carefully and thoughtfully before stepping in with a ‘government knows best’ mentality that could halt innovation and growth” while Ranking Member Nelson called talk of overregulating a red herring and stressed that the “promise of the Internet of Things must be balanced with real concerns of privacy and the security of our networks.” But concern about overregulation cut across party lines. Senator Cory Booker (D-NJ), for instance, noted that government efforts in the IoT space should not “inhibit a leap in humanity.”