SINCE the automatic car eclipsed the manual car in 1995 (a year before commercial internet came into play in this part of the world), more and more automation has gone into the car (as well as commercial vehicles and even bikes).

The convenience of automation in driving and creature comforts within the car, as well as the rise of broadband and mobile connectivity, all led to modern vehicles having driving automation, user comfort automation, entertainment and navigation automation too. All these, when integrated together, created a singular tiny ecosystem that can store a lot of personal and private information about you, the driver.

While convenience is always welcome, can a hacker potentially learn a whole lot about us, and use it against us? Worse, can the data companies that collect this information become weak spots for hackers to exploit, or a source for insiders or stakeholders to misuse this information?

“Smart” vehicle

Your modern car is just another digital device run by more than 100 other devices – sensors and control modules called electronic control units. They monitor or control everything from oil pressure to airflow, coolant, engine operation, throttle, brakes, fuel pressure, infotainment, and more.

And many of them also monitor you. Sometimes, that could be a welcome thing, such as your car calling 911 if you have been knocked unconscious in an accident. But as The Markup, a non-profit organisation, documented recently, your “smart” vehicle is also collecting “a firehose of sensitive data” and then transmitting it to dozens of companies. Some are major insurance or telecom brands, but many are part of “an ecosystem of dozens of businesses you never knew existed”.

The Markup listed 37 companies, which it said was an incomplete list. Most of these businesses that are not insurers or telecoms fall into the category of “vehicle data hubs” and “vehicle telematics”. That means they collect, analyse, organise and sell data – your data.

According to The Markup, “most drivers have no idea what data is being transmitted from their vehicles, let alone who exactly is collecting, analysing and sharing that data, and with whom”.

Synopsys Software Integrity Group principal scientist Sammy Migues said even if vehicle owners did know, the data “would not make any sense to many, and even those who understand the data probably can’t think of all ways it could be misused”.

No choice

Even those who understand and object to it “cannot really do anything about it except not buy a car – for now, until the non-cyber used car market dries up”.

So, what is the future? “There will be no non-telemetry-generating cars going forward,” Migues said.

While all these companies fly under the radar of mainstream awareness (probably because they do little to no public advertising), they are part of the nascent but growing connected-vehicle data industry, which is estimated to be worth US$300 billion (RM1.34 trillion) to US$800 billion by 2030.

According to McKinsey and Company, those interested in profiting from vehicle data deals include businesses in stationary trade and leisure, governments, advertising and marketing, content providers, third-party marketplaces, financial services, tech companies, charging and fuelling providers and infrastructure players. McKinsey adds that the list is “non-exhaustive”. In other words, information is not just power. It is money – lots of money.

But obviously, vehicle information is also personal. Which means it has privacy implications, or invasion-of-privacy implications. The Markup noted that vehicle data collection starts the moment a driver gets into a car. Dozens of sensors collect and send data to the car’s computer, covering everything from whether the doors are unlocked to whether there are passengers, the internal temperature and the status of the sunroof.

Once a trip starts, sensors also collect and transmit location and speed, use of the brakes, headlights, wipers, tyre pressure, what is playing on the entertainment system, whether oil level is low, whether the vehicle needs a scheduled maintenance, and more.

Some of this data collection yields information we find convenient, like those signs on the highway telling us how many minutes it will take us to go the next 12km. How do “they” know that? By GPS tracking of your vehicle and all the others around you. It is also why your smartphone directions app can tell you if there is a traffic jam on the route you are about to take.

So many uses

But that is just a mini slice of the data that makes its own journey from the car manufacturer to the connected-vehicle data marketplace to be, as they say, “monetised”.

In some cases, companies are upfront about using data collection for surveillance. Multiple insurers offer discounts to policyholders who agree to instal a sensor in their cars that will then monitor their driving – how far, when, where they go, their speed, how they use the brakes and accelerator, and more.

The discount on an annual premium can be US$150 or more. Of course, another way to look at it is that drivers who want to maintain their personal privacy have to pay a “penalty” of US$150 or more.

But overall, those in the vehicle data hub and telematics industries insist there is no personal privacy risk – that the data they collect, collate, analyse and sell is aggregated and anonymised, which they say means vehicle owners do not need to worry about being identified or surveilled.

And they argue that there are significant benefits to the collection and analysis of that data – that it is useful for everything from traffic management to electric vehicle infrastructure planning, fleet management, advertising, mapping, city planning and location intelligence.

Not so simple

Nevertheless, there are mixed views from privacy experts. Identity Theft Resource Centre chief operating officer James Lee said those claims are generally true and that significant legal privacy protections for vehicle owners already exist.

He acknowledges that the cybersecurity of that data is crucial. But he said if rigorous security protections are in place along with knowing consent and anonymisation, “then all of the elements of proper data use and protection are in place”.

But Privacy and Security Brainiacs chief executive officer Rebecca Herold said it is not that simple. She agrees there is value to data being aggregated and anonymised, but said that does not make personal privacy bulletproof.

While aggregating massive amounts of data would, in theory, eliminate any way to link specific data points to specific individuals, “with artificial intelligence (AI) and machine learning (ML) tools, and even long-used rudimentary sorting algorithms, this does not protect privacy,” she said.

“They can often comb through all this digital data to detangle the assumed chaos, creating ‘reidentified’ data to result in clear views of specific individuals.”

Herold added that even anonymisation – stripping personalised data from datasets – can be undermined by evolving technology.

“AI/ML algorithms are improving and reducing this effectiveness, and this is reduced further when anonymised data is combined with other datasets, where even more connections to individuals can be revealed.”

More granular, more personal

Like everything in the digital world, data collection continues to get more detailed and, as they say, “granular”, measuring everything from heart rate to driver fatigue, which means it is more personalised and intrusive.

According to Migues, even if data is anonymised, it can be abused. “Even anonymous data has a lot of value and a lot of ways to be misused,” he said.

Lee agrees that personal data can be misused and abused. But he believes that while the US needs stronger data protection, data privacy and identity management laws, “the goal should not be to end data sharing for fear of a surveillance state. There are good and valuable benefits from data when it is properly collected for a permissible purpose with informed consent”.

Herold said the need for more rigorous privacy laws is critical. “There are some mind-blowing and privacy-invasive data collection products being imagined, planned and tested that have not yet been introduced to the public.”

Privacy hell

Electronic Frontier Foundation staff technologist Bennett Cyphers goes even further. He told The Markup that the combined volume of data for sale and lack of regulation in most US states is “a match made in privacy hell”, adding that “the unique nature of location and movement data increases the potential for violations of user privacy”.

“The more different ways you are being measured in your vehicle, the more likely it is that someone can use the characteristics of all of those different data points to fingerprint a particular user or a particular vehicle,” he said, adding that “people’s location traces are extremely unique”.
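To make Cyphers's point concrete, here is an added illustration that is not part of the article: a small privacy-engineering check, run over a constructed sample of eight “anonymised” vehicle records, that measures how quickly a dataset loses its anonymity as more measured attributes (home cell, work cell, departure hour, vehicle make) are released together, and how little coarsening one attribute helps.

```python
from collections import Counter
from typing import Dict, List, Sequence

# Constructed sample data (not real vehicles): each record has no name,
# plate or VIN, only "harmless" quasi-identifiers a data hub might sell.
RECORDS: List[Dict[str, object]] = [
    {"home": "A", "work": "X", "hour": 7, "make": "Toyota"},
    {"home": "A", "work": "X", "hour": 7, "make": "Honda"},
    {"home": "A", "work": "X", "hour": 8, "make": "Toyota"},
    {"home": "A", "work": "Y", "hour": 7, "make": "Toyota"},
    {"home": "B", "work": "X", "hour": 7, "make": "Toyota"},
    {"home": "B", "work": "Y", "hour": 8, "make": "Honda"},
    {"home": "B", "work": "Y", "hour": 8, "make": "Honda"},
    {"home": "B", "work": "Y", "hour": 9, "make": "Ford"},
]


def equivalence_classes(records: Sequence[Dict[str, object]], attrs: Sequence[str]) -> Counter:
    """Count how many records share each combination of the released attributes."""
    return Counter(tuple(r[a] for a in attrs) for r in records)


def k_anonymity(records: Sequence[Dict[str, object]], attrs: Sequence[str]) -> int:
    """Smallest class size; k == 1 means at least one record is unique in the release."""
    return min(equivalence_classes(records, attrs).values())


def unique_fraction(records: Sequence[Dict[str, object]], attrs: Sequence[str]) -> float:
    """Share of records alone in their class, i.e. singled out by linking to any other dataset."""
    classes = equivalence_classes(records, attrs)
    singletons = sum(1 for r in records if classes[tuple(r[a] for a in attrs)] == 1)
    return singletons / len(records)


def coarsen_hour(records: Sequence[Dict[str, object]], width: int = 2) -> List[Dict[str, object]]:
    """Generalise the departure hour into bands, a common pre-release mitigation."""
    out = []
    for r in records:
        start = (int(r["hour"]) // width) * width
        out.append({**r, "hour": f"{start:02d}-{start + width - 1:02d}"})
    return out


if __name__ == "__main__":
    # Each extra attribute raises the share of drivers who are unique.
    for attrs in (["home"], ["home", "work"], ["home", "work", "hour"],
                  ["home", "work", "hour", "make"]):
        print(attrs, "k =", k_anonymity(RECORDS, attrs), "unique =", unique_fraction(RECORDS, attrs))
    # Coarsening one field lowers the unique share but still leaves k = 1.
    banded = coarsen_hour(RECORDS)
    print("hour banded:", k_anonymity(banded, ["home", "work", "hour"]),
          unique_fraction(banded, ["home", "work", "hour"]))
```

On this sample the unique share climbs from 0 to 0.75 as the four attributes are released together, and banding the hour only brings it down to 0.375, which is the kind of measurement a data holder should make before calling a release “anonymised”.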

Migues is also skeptical about the promise of anonymity. While he agrees that some may strive to keep the promise of anonymity, “to suggest that all collectors and aggregators ethically and morally deidentify all data the moment they get it and never allow for it to be tied to a specific car or human is to suggest that I will win the next MegaMillions without even buying a ticket”.

Does that mean the expected growth of this industry will simply add one more nail in privacy’s coffin? If history is any guide, it could.

Get in front of it

Herold said the government needs to do better to get in front of it, contending that the current hodge-podge of state and federal laws will not do it.

“Instead of creating situation-specific types of laws and regulations, we need to establish a federal data management regulator,” she said, “to set rules and regulations governing the guardrails, security and processes that must be implemented for any type of data collection, derivation, processing, analysis, use, sharing, selling, modifying, archiving, and deleting”.

She said that could help “wrangle a large portion of those vehicle privacy horses back into the barn”. But she notes that this is not just about connected cars, given that there are dozens to hundreds of business sectors involved in data collection.

This article was contributed by Taylor Armerding, a security advocate from Synopsys, a leader in software integrity.