Keeping Your Car’s Data Private

IEEE standard protects from prying eyes the information being recorded

7 February 2014
Photo: David C. Wheller

The EDR—event data recorder—that has been in most cars for years will likely become mandatory in September, and this has a lot of people concerned. That’s because the proposal in question does not address two key areas: protecting the information from unauthorized access and determining who owns the data.

While the IEEE Standards Association supports the proposal by the U.S. National Highway Traffic Safety Administration, which requires that all passenger cars manufactured after 1 September 2014 have EDRs [see image], the proposal lacks the technical security measures for safeguarding the data. That concerns IEEE because government regulators and carmakers have paid scant attention to the issue of data privacy. As for drivers, they have thought about it even less. Most don’t even know they have an EDR unless they find it in their owner’s manual or the information it gathers is used against them in court.

EDR technology was originally built into a sensing diagnostic module that controls air bag deployment. Automakers have voluntarily installed EDRs since the mid-1990s to determine whether air bags deploy properly and to defend themselves against product liability lawsuits. Over time most, but not all, automakers have embedded them. About 96 percent of cars made last year have recorders.

Data is read out through the vehicle's on-board diagnostic (OBD-II) connector, which has been mandatory in all U.S. cars since the 1996 model year. The objective of the NHTSA rulemaking is to use crash data to improve the safety of vehicles by creating a federal motor vehicle safety standard (FMVSS 405) that mandates EDRs in all light vehicles, including passenger cars, SUVs, and some trucks.

A way to safeguard the data was addressed in 2010 with IEEE 1616a, the Standard for Motor Vehicle Event Data Recorder Connector Lockout Apparatus, which sets specifications for protecting the connector against unauthorized access.

“Now is the time to get the word out about the IEEE standard so it can be included in the forthcoming legislation and regulations,” says Thomas M. Kowalick, chair of the IEEE 1616a working group and the inventor of a new product that would benefit from widespread adoption of the standard.

“The balance between privacy and public safety will be tested as EDRs become mandatory.”

DATA CAPTURE

EDR is really a catch-all term for any means of collecting the data that travels over a vehicle’s controller-area network, better known as the CAN bus, explains Kowalick. He calls this the nerve center of the car. The CAN bus allows microcontrollers and devices within a vehicle to communicate with one another without a host computer. The largest of these controllers is typically the engine control unit; others handle the transmission, air bags, antilock brakes, cruise control, audio systems, windows, and doors. Today’s cars can have as many as 70 such electronic control units (ECUs). The CAN bus may connect, say, the engine control unit and transmission, or join the door locks, climate control, seat control, and other features.

To help make transportation safer and reduce fatalities, the IEEE 1616 Standard for Motor Vehicle Event Data, released in 2004, establishes a uniform way to capture crash data culled from the CAN bus. This first universal standard for the recorders used in cars and light trucks specified minimal performance characteristics for onboard tamper- and crash-proof memory devices that could capture up to 86 pieces of data, including speed, mileage, seat belt usage, braking behavior, and the vehicle identification number (VIN). Most EDRs collect at least 45 pieces of information.

A crash or air bag deployment typically triggers the EDR, which stores data in the seconds before and during a crash. At the least, it records the vehicle’s speed, whether the brake was pressed in the moments before a crash, information about the state of the engine throttle, and whether the seat belts were buckled.
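As an added illustration of the capture model described above (this is not code from the article, from IEEE 1616/1616a, or from any carmaker), the Python below models a recorder that decodes a few signals off a CAN frame stream, keeps a rolling five-second pre-crash buffer, and freezes it when a deployment frame arrives. The arbitration IDs, payload layouts, sample rate, and the crash trace it replays are all assumptions constructed for the example; real vehicles use manufacturer-specific encodings.

```python
"""Toy event data recorder (EDR) fed from a CAN-bus frame stream.

Added illustration only: not code from IEEE 1616/1616a, NHTSA or any
carmaker. Arbitration IDs, payload layouts, the 10 Hz / 5 s buffer and
the crash trace are assumptions constructed for this example.
"""
from collections import deque
from dataclasses import dataclass, replace

# Hypothetical 11-bit arbitration IDs and payload layouts (assumed).
ID_SPEED = 0x1A0   # data[0:2] big-endian speed in 0.01 km/h
ID_PEDALS = 0x1B0  # data[0] throttle %, data[1] bit0 brake switch
ID_BELTS = 0x1C0   # data[0] bit0 driver belt latched
ID_AIRBAG = 0x050  # data[0] == 0x01 means "deploy"

SAMPLE_HZ = 10          # one buffered snapshot per 100 ms bus tick
PRE_CRASH_SECONDS = 5   # depth of the rolling pre-crash buffer


@dataclass(frozen=True)
class Frame:
    t: float        # bus timestamp, seconds since power-on
    can_id: int
    data: bytes


@dataclass
class Snapshot:
    t: float
    speed_kph: float
    throttle_pct: int
    brake: bool
    belt: bool


class ToyEDR:
    """Rolling pre-crash buffer that freezes on an air bag deployment."""

    def __init__(self):
        self.buf = deque(maxlen=SAMPLE_HZ * PRE_CRASH_SECONDS)
        self.state = Snapshot(0.0, 0.0, 0, False, False)
        self.record = None      # written once, never overwritten
        self._last_t = None

    def on_frame(self, fr: Frame):
        if self.record is not None:
            return              # deployment record is locked
        if self._last_t is not None and fr.t > self._last_t:
            # A new bus instant has begun, so the previous one is
            # complete: sample the state as of that instant.
            self.buf.append(replace(self.state, t=self._last_t))
        self._last_t = fr.t
        # Classic CAN carries no sender authentication: the recorder
        # believes whatever node emits these IDs, including a device
        # plugged into the diagnostic connector.
        if fr.can_id == ID_SPEED:
            self.state.speed_kph = int.from_bytes(fr.data[:2], "big") / 100
        elif fr.can_id == ID_PEDALS:
            self.state.throttle_pct = fr.data[0]
            self.state.brake = bool(fr.data[1] & 1)
        elif fr.can_id == ID_BELTS:
            self.state.belt = bool(fr.data[0] & 1)
        elif fr.can_id == ID_AIRBAG and fr.data[0] == 0x01:
            self.record = {
                "trigger_t": fr.t,
                "pre_crash": list(self.buf),              # oldest first
                "at_trigger": replace(self.state, t=fr.t),
            }


def braking_seconds(record):
    """Seconds of brake application captured in the pre-crash buffer."""
    return sum(s.brake for s in record["pre_crash"]) / SAMPLE_HZ


def simulate_crash():
    """Constructed trace: 60 km/h cruise, hard braking from t=5.0 s,
    deployment at t=6.0 s, then one frame arriving after the crash."""
    edr = ToyEDR()
    for i in range(61):                       # ticks 0..60 at 10 Hz
        t = i / SAMPLE_HZ
        braking = i >= 50
        speed_raw = 6000 - 200 * (i - 50) if braking else 6000  # 0.01 km/h
        edr.on_frame(Frame(t, ID_SPEED, speed_raw.to_bytes(2, "big")))
        edr.on_frame(Frame(t, ID_PEDALS, bytes([0 if braking else 25, int(braking)])))
        edr.on_frame(Frame(t, ID_BELTS, bytes([1])))
        if i == 60:
            edr.on_frame(Frame(t, ID_AIRBAG, bytes([0x01])))
    # A frame after deployment must not alter the locked record.
    edr.on_frame(Frame(6.1, ID_SPEED, (0).to_bytes(2, "big")))
    return edr.record


if __name__ == "__main__":
    rec = simulate_crash()
    print(f"deployment at t={rec['trigger_t']} s, "
          f"{len(rec['pre_crash'])} pre-crash samples, "
          f"{braking_seconds(rec)} s of braking, "
          f"speed at trigger {rec['at_trigger'].speed_kph} km/h")
```

The buffer holds only the last five seconds before the trigger, the deployment record locks on the first trigger, and later frames are ignored. Note also that the recorder decodes whatever arrives under those IDs; classic CAN frames carry no sender authentication, which is one reason physical access to the diagnostic connector matters.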

IEEE 1616a is an amendment to that original 2004 black box standard. In particular, it sets out specifications for a lockout system to block the connector against unauthorized access that could lead to things like data tampering, odometer fraud, and VIN theft. The standard also details how to secure the EDR data when a crash occurs and provides a chain of custody for evidence needed in, for example, a lawsuit.

But the IEEE 1616a working group is worried about safeguarding more than just the crash data. As more features are added to automobiles, including wireless technology, Internet capability, and location-based applications, the information they generate travels over the CAN bus and, if left unprotected, is open to hackers. Car manufacturers currently do not offer a lockout mechanism.

“Once the lockout mechanism based on IEEE 1616a is installed, all the driver has to do is turn the key,” Kowalick says of this mechanism, which plugs into a car’s diagnostic port and locks in place with a coded key. “It would be like locking the door to your house. By doing so, you are actively exerting your expectation of privacy.” Kowalick sells such a device, called Autocyb, through his company, Airmika, Inc., in Southern Pines, N.C.

DATA OWNERSHIP

Given the increased concern over data privacy along with the many recent data breaches, IEEE, privacy advocates, and others want the mandate from the traffic safety administration to address the question of who owns EDR data.

The IEEE 1616a working group believes the data the EDR collects is the driver’s to own and share if he or she wishes, no matter whether the driver owns, leases, or rents the car.

“There is nothing in the car right now that allows drivers or occupants to exert their expectation of privacy,” says Kowalick. That could change.

In January U.S. Senators Chris Coons (D-Del.), John Hoeven (R-N.D.), and Amy Klobuchar (D-Minn.) introduced a bill that addresses the data ownership issue. The Driver Privacy Act makes it clear that the owner or lessee of a vehicle also owns any information collected by an EDR. It permits EDR data to be retrieved only under a short list of exceptions: when a court authorizes it, when the owner or lessee consents, when the car is involved in a NHTSA recall, for traffic safety research, or, after a crash involving a car equipped with an advanced automatic crash notification system, when emergency responders need it.

The bill has gained support from 20 senators so far.

“If the NHTSA puts out its mandate without any consumer protection for privacy, there will be a backlash similar to the one experienced by the agency when it tried and failed to mandate passive restraint systems in the 1980s,” Kowalick says. “That’s what we want to avoid.”
