Earlier this month, Senator Edward Markey’s (D-Mass) staff released a report “Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk,” which heavily criticized the manner in which vehicle and driver behavioral data is collected, stored, and shared by the automotive industry. The report addresses both concerns about hackers’ ability to penetrate the connected car ecosystem and remotely control the vehicle, as well as the commercialization of drivers’ personal data without their awareness or permission.

Similar to the conclusions reached in the report, Parks Associates believes the connected features that are being added to improve driver safety, could compromise the very safety of the drivers and their personal information, if not designed and implemented well.

Sen. Markey surveyed 16 auto manufacturers regarding the pervasiveness of wireless technology in cars, and on policies and procedures designed to protect drivers, both from hackers and leaks of personal information. Representatives from BMW, Chrysler, Ford, General Motors, Honda, Hyundai, Jaguar Land Rover, Mazda, Mercedes-Benz, Mitsubishi, Nissan, Porsche, Subaru, Toyota, Volkswagen (with Audi), and Volvo responded.

The results illustrate inconsistent security strategies across the industry, in terms of remote access prevention, real-time interventions to such attacks, and data management and retention. Furthermore, large amounts of data are being collected from the vehicle, but the protection of the drivers’ personal information, and of the connected car ecosystem itself, is largely lacking.

The report states “two major coalitions of automobile manufacturers recently issued a voluntary set of privacy principles.” Transparency, responsible use of data, and most of all, accountability, are the guiding pillars behind these principles. Standards, according to the report, should include security system validation, hacking and security breach prevention measures, real-time response interventions for successful hacking occurrences, consent to having one’s data collected, along with knowledge of how that data is being shared and used, and giving drivers an opt-out option from data collection.

On behalf of the Auto Alliance, their CEO Mitch Bainwol has said "Automakers believe that strong consumer data privacy protections are essential to maintaining the trust of our customers. Our privacy principles reflect a major step in protecting personal information collected in the vehicle." Alliance members have dedicated themselves to “reasonable measures” to protect driver data. Compliance with these principles from all Alliance members is expected on all 2018 model year vehicle. All of their principles do specifically leave one window open, geo-targeted advertising.

According to the report, intervention is needed from the National Highway Traffic Safety Administration (NHTSA), alongside with the Federal Trade Commission (FTC). Otherwise, there will be no uniform set of standards protecting drivers and their data.

Parks Associates believes in-vehicle connectivity—and the data collected and transferred using that connectivity—is opening up entirely new business opportunities for auto manufacturers, dealerships, app developers, mobile carriers, and others in the connected car value chain. It also promises valuable new services for consumers, from better safety and emergency response features, to more personalized entertainment services, and even the ability to save money on vehicle maintenance and insurance premiums. However, vehicle and driver data must be accessible to several parties in order to make many of these services feasible, which means more tracking data is going to be collected and potentially vulnerable to unauthorized parties. The Senator’s concern about the security of this data is valid. Not only do data breaches and remote access to vehicles make for bad business, they could potentially threaten lives. And, as the Internet of Things continues to grow, so will the data being collected, and the number of opportunities for people to abuse this data. The auto industry has every incentive to get ahead of this issue and establish uniform data security standards.