Department of Transportation

On August 28, 2017, the U.S. Government Accountability Office (“GAO”) publicly released a report regarding consumer privacy issues associated with the rapidly increasing number of cars that are “connected”—i.e., capable of wirelessly monitoring, collecting, and transmitting information about their internal and external environments.  The report examines four key issues: (1) the types of data collected by connected cars and transmitted to selected automakers, and how such automakers use and share such data; (2) the extent to which selected automakers’ privacy policies are in line with established privacy best practices; (3) selected experts’ views on privacy issues related to connected cars; and (4) federal roles and efforts related to consumer privacy and connected cars.

Process

The GAO turned to a variety of resources to explore the four identified issues.  For starters, the GAO conducted a series of interviews with relevant industry associations, organizations that work with consumer privacy issues, and a sample of sixteen automakers (thirteen of which offered connected vehicles) based on their vehicle sales in the U.S.  In addition, the GAO analyzed selected automakers’ privacy policies and compared them to privacy frameworks developed by the Organization for Economic Cooperation and Development (“OECD”) as well as the Federal Trade Commission (“FTC”), the National Highway Traffic Safety Administration (“NHTSA”), and the National Institute of Standards and Technology (“NIST”).  Finally, the GAO consulted relevant sources (e.g., federal statutes, regulations, and reports) and interviewed agency officials, including those from the Department of Transportation (“DOT”), the FTC, and the Department of Commerce.

The increasing connectivity of vehicles has raised questions about how to maintain the security of connected vehicles.  In response, the Cloud Security Alliance released on May 25, 2017 a 35-page research and guidance report on Observations and Recommendations on Connected Vehicle Security.  The Cloud Security Alliance is a not-for-profit organization dedicated to promoting a secure cloud computing environment and whose members include individuals and technology leaders such as Microsoft, Amazon Web Services, HP, Adobe, and Symantec.  The comprehensive report includes a background on connected vehicle security design, highlights potential attack vectors, and provides recommendations for addressing security gaps.

The report discusses the multitude of ways that our vehicles are connected to the Internet, including through diagnostic tools, infotainment systems (such as satellite radio, traffic services, etc.), and remote entry and startup.  Vehicles also communicate with other vehicles, with infrastructure and with applications, providing information such as vehicle position, speed, acceleration, and braking status.  And, as the development of driverless cars continues, those vehicles will need to rely on communications with traffic lights, other vehicles, and pedestrians to maintain the safety of our roadways.  Vehicles have also begun to be integrated into other IoT devices, such as Amazon Echo and NEST, which allow consumers to use those applications to remotely start, set environmental controls for, or track the location of vehicles.

As a result of this interconnectedness, the security risk to connected vehicles and the ecosystems that support them is great.  In controlled situations, hackers were able to turn off the transmission of a Jeep Cherokee and reduce the speed of a Tesla Model S.  Hackers could hijack a vehicle’s safety-critical operations, track a vehicle (and its occupants), or disable a vehicle, despite actions taken by the driver.  The Cloud Security Alliance’s report provides a chart of approximately twenty possible attacks against connected vehicles.

On October 24, 2016, the U.S. Department of Transportation’s National Highway Traffic Safety Administration (“NHTSA”) announced the release of Cybersecurity Best Practices for Modern Vehicles, a non-binding, proposed guidance document designed to assist the automotive industry in improving motor vehicle cybersecurity and mitigating threats to safety.

The guidance is intended to apply broadly to “all individuals and organizations manufacturing and designing vehicle systems and software,” including entities that design, supply, manufacture, alter or modify motor vehicles or motor vehicle equipment.  The voluntary best practices described in the guidance are intended to “provide a solid foundation for developing a risk-based approach” to mitigating cybersecurity risks throughout the automotive industry.

Earlier this week, the U.S. Department of Transportation’s Advisory Committee on Aviation Consumer Protection (“ACACP”) held a meeting in Washington, D.C. to discuss data privacy and security issues relevant to the aviation industry.  The meeting featured presentations by representatives of the airlines, travel agents, online travel agents, global distribution systems (“GDS”), and consumers. According to ACACP committee member Charles Leocha, this week’s meeting marked the first time that the Federal Trade Commission (“FTC”), the Department of Transportation (“DOT”), and the air travel industry had come together to discuss consumer privacy — a discussion he said was “long long overdue.” In his opening remarks, Leocha characterized travel data as “some of the most sensitive and intimately revealing” consumer data, and expressed optimism that the meeting would be “step one” towards establishing a DOT privacy rule or guidance on best practices.

At the meeting, Robert Gorman, a Senior Attorney from the DOT, presented on the Department’s authority to enforce privacy rules and regulate unfair and deceptive trade practices by air carriers.  He suggested that the Department would likely determine that a privacy violation rose to the level of an unfair or deceptive trade practice where a company:

  • Violated the terms of its consumer-facing privacy policy;
  • Disclosed personal information in a manner that violates public policy, is immoral, or causes substantial consumer injury not offset by any countervailing benefit;
  • Violated a rule where such violations are considered unfair or deceptive trade practices; or
  • Violated the Children’s Online Privacy Protection Act (COPPA), which the DOT has the authority to enforce against air carriers.

Gorman reported that he and his colleagues were not aware of receiving any complaints against air carriers for violating consumer privacy, but stated that the DOT is considering whether to issue guidance on complying with COPPA.