Following the flurry of press coverage surrounding the proposed next generation of driverless cars, privacy groups are asking questions about what will happen to the data the cars (necessarily) collect, which – in the wrong hands – might prove tempting for abuse. Other car manufacturers plan on rolling out real-time data streams of information about your surroundings as you drive, featured on clever displays around the car, but similar data-sharing concerns apply here as well (not to mention distraction-caused accidents).
My colleague Stephen Cobb points out a current example in the automotive data gathering realm where Progressive Insurance goes to great lengths to be specific about what data they collect with their recent, highly promoted Snapshot product, which plugs into your car diagnostic port and records driving habits, to hopefully allow them to dole out discount rates for “good drivers.” They also try to reassure drivers that bad things won’t happen to the data once it’s collected, though they mention it may be used for “research.”
The typical assurances against private tracking data going rogue are usually that they’re anonymized. But as we pointed out in an earlier article about tracking mall goers by monitoring their mobile phone signals and creating a map of where they visit, if you can track physical movement you can still create a pretty complete picture of a given citizen’s life.
If, for example, you stop at a sporting goods store, and then Victoria’s secret, it would be easy to guess you were a woman, possibly with kids who like sports. If you next stopped by a daycare, the data-based “guess” would get eerily accurate. If you then drove to a garage to park every night, it’s a good bet the “anonymous” data would also know where you – and your kids – live. This is what private detective characters in movies are hired to do, find out where you go and what you do. Only now, this information is automatically collected and stored, all without the shady detective in the bushes. Multiply this by all the data points that are needed to drive your car hands off, and after a day of driving, the data collected becomes highly specific, the kind of granularity marketers – legitimate and otherwise – would drool over.
Recently, there has been press surrounding law enforcement requests to access personal data relevant to a case they’re investigating. Specifically, what is the burden of proof needed to compel a provider to produce information about a given person? In the case of a driverless car, it’s easy to imagine law enforcement asking for specific details about where a subject is at the moment, but it’s also easy to imagine heavy-handed law enforcement abuses where providers are “encouraged” to reveal information, even without a warrant, as in the case of the many law enforcement phone information requests which have been granted without one, but by using pen registers and other means instead.
But let’s say you’re not running from the law, why should you care? I watched a TED talk about the Firefox Collusion add-on, which shows how much information is being collected through websites and third parties they share with, the amount is astonishing. The presenter, Gary Kovacs, goes on to explain that the information in his example came from the browsing habits of his young daughter. He then opines that if a scary guy was physically following his daughter around gathering the same kinds of information about where she goes and what she does, he’d have the guy arrested.
In the case of driverless cars, will there be an explicitly stated opt-in policy, where drivers don’t have to consent to data tracking unless they want to, and that data would be destroyed and not shared once it’s collected for its immediate purpose of driving the car? Some would hope so. But in the meantime, expect strong pressure from multiple fronts to share the soon-to-be-gathered treasure trove of information about you, well, not you specifically, but someone who drives where you do, visits places you do, and lives where you park your car every night.
Cameron Camp
Security Researcher
ESET Ireland 