I’ll tell you a secret, but we have to get out of the car….(Why the auto-makers know more about you than you do)

There is a new report out this week that dives into the auto-industry’s protection, use of (and sometimes) distribution of the data that is being collected by your car’s computer.  “Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk,” was (written and) released by the staff of Senator Edward J. Markey from Massachusetts.   It’s only 12 pages if you have the time.  (if you have a lot more time, the GAO did a much more extensive study in December of 2013 that has drawings and everything)   

The Senator sent letters to 16 major automobile manufacturers, which includes all the ones you can name and then some.  Most responded to a list of very (IMHO) knowledgeable questions about the types of data that on-board computers for new cars collect; what is done with that data; what steps they are taking to preserve the privacy of the data and the security of the on-board computers, themselves.  From those responses, the Senator’s staff provided the following conclusions, as summarize by Consumer Courage:

    1. Almost every car on the road uses wireless technology that is vulnerable to hacking by someone other than the manufacturer; 
    2. Most of the car makers are either unaware of or unable to tell you whether your car’s computer has ever been hacked;
    3. There aren’t any standards that govern how the industry tries to protect your information or prevent your car’s computer from getting hacked. In addition, many of the manufacturers are either hiding how they protect you or don’t even understand the dangers of having their fleet of cars use wireless technology;
    4. Only two of the manufacturers are able to tell if your car is getting hacked while it’s happening and take action to protect you.  Incredibly, most of them responded to this concern by saying that they rely on systems that are used to protect you from something else, entirely; 
    5. Manufacturers collect large amounts of data on driving history and vehicle performance that don’t have anything to do with protecting you;
    6. Most of them store the data with other companies.  Of the ones who keep the data in-house, they weren’t able to describe how they keep it from getting stolen from them; 
    7. Car makers say it’s necessary to gather so much data so they can “improve the customer experience,” but, there aren’t uniform standards that govern where the data is kept, how they use it or how long they keep it;
    8. By and large, they don’t tell you what they’re collecting or give you a choice to say “hey, cut it out.” You can stop some manufacturers from getting this data. But, it means that you have to disable important functions (like Onstar or your GPS)

We’ve all known for  quite a while that our cars have computers that are being used to make them run more efficiently; help us get to where we are going (through GPS systems); keep us safe (weather updates, anti-lock brake systems); and help us when we’re in trouble (OnStar).  If you’re like me, you’ve never given a whole lot of thought to what’s happening to all of the data that your car is generating.  Almost every car collects information that helps your car run better: fuel economy; status of power windows/doors; systems failures; battery status; coolant temperature and engine status are all monitored and sent to the manufacturer at regular intervals.  Your on-board computer will also let the manufacturer know if you have taken your car in for the latest recall and whether you need certain regularly scheduled maintenance.   If your car gets stolen, chances are the manufacturer will be able to locate it.  This is the good news. 

Now the bad news 

Your car will also tell the manufacturer a huge amount of information that ranges from “do they really need to know THAT?” to “downright creepy.”  Your manufacturer gets data that tells them:

    • distances traveled;
    • places frequented;
    • time spent parking vs. driving;
    • where you park;
    • whether you almost get into an accident;
    • which places you go to most often;
    • what time you leave in the morning/get home at night;
    • whether you’re out of town and how far away you are;

If was only that the auto manufacturers were just getting this info, that might be enough to unnerve some folks.  But, how they are getting the information and who else might have access to it only adds to the angst.  They get this information in one of two ways – when you take it in for service and when your computer “reports back” through wireless connections. 

If you take it to the dealership to get worked on, they will (as part of whatever else they are doing) hook it up to the computer, using a cable connection.  That hookup will serve to update the manufacturer’s database as to what’s been going on with your car (i.e. upload the information that we talked about above).  Whether you want them to have the info or not, this is the safest way your car talks to its creator. 

The second way your car tells on you is through a wireless (actually “mobile”) connection and can occur wherever you are.  The big worry with any type of wireless connection is, of course, whether hackers can get into your computer by using wireless technology of their own.  If you thought that auto-makers would have built a super-duper-protected-worry-free network for the transmission of your private personal data, you would have thought wrong.  In fact, the way the report reads, it almost seems like the auto-industry isn’t familiar with the fact that data can be stolen or needs to be protected at all.

This is where it gets a little technical

There are two wireless sets of communications going on here. (We’re calling it wireless because it doesn’t have wires – not because it’s like the wireless connection you have at home.)  Unlike your home network, you don’t have to sign your car up to the network every time you log on. 

    1. Your car has its own network – called a CAN for Controlled Area Network. Each of the car’s systems talk to each other on a mini-wireless (our words) network, because it would take tons of wires to physically hook each of the vehicle’s components to each other; and
    2. Your car talks to the manufacturer over a mobile-type network – usually routed through the GPS that comes w/the car. 

[If your car didn’t come with a GPS, it still talks to the manufacturer whenever you get it worked on and still has a CAN, which makes it easier for the car to talk to itself. But, you don’t have to worry about it talking to the manufacturer using a mobile connection]

So I shop at the Piggly Wiggly…so what? 

Isn’t this all just harmless trivia anyway? I mean, what can somebody do with information about where, when and how I drive after all?  Plenty, it turns out.  If someone can tell what time you leave the house every day or where you usually park your car, it would make it awfully easy to pick those times to try to burgle your house (or auto).  Or, if your kids are in daycare, somebody could use this info to get a pretty good idea where that facility is.  Since the report shows that many of the industry players store this info with separate companies, who can tell if they are selling it to bad guys?; or, if their own security is effective or not?

The danger doesn’t end with just worrying about the wrong person having your personal information.  That’s because there’s a lot more than a hacker can do to your car than figure out where you like to buy gas.  Since most of the major systems of your car respond to commands from a computer, if someone hacks into said computer, they can start giving it commands.  What would happen if you were on the highway and someone (who was not sitting behind the wheel) could tell your car to hit the breaks?; or, if a hacker told your car to sound the alarm at 2:00 in the morning while it was sitting in your attached your garage?; or, to accelerate into oncoming traffic, while you were at a red light?  Bizarre? Yes.  Impossible? Not at all.  (The Senator’s report cited a study from 2011, where researchers were able to do just that)

(Dealerships and lenders already use technology to disable cars remotely, because the owner missed a payment. The problems with this are obvious.  After all, who verifies whether the payment was actually missed?  And, what will happen the first time they disable the car of a pregnant woman who is trying to get to the hospital?; or because their kid has a raging fever?    Or someone who is just trying to drive away, because she is being chased by a teenager who really wants her purse?  Ye-gods)

Is anybody at the wheel?

Unfortunately, the picture that the Senator’s report paints of the industry is not a pretty one.  They seem to be using the same data-breach-aversion plan that most of the major retailers appear to have embraced: “Let’s not worry too much about it, until some blogger writes an expose about how many accounts have been stolen.”

The laws that are on the books that govern privacy have very weak requirements for the hack-ee who lost your information to report any data-breach in the first place.  (why else would Target be able to wait nearly a year before fessing up that they had been hacked?)  This is why we don’t hear about data-breaches until way after the fact and why no company has gotten into trouble for not reporting a breach in the first place.  (not a confidence builder, to be sure) 

New bill

As it happens, while we were putting this post together, there was an announcement that a new bill was being introduced by Senator Markey (the co-sponsor is Senator Richard Blumenthal)

Editor’s note to those who “want the government out of my business”: when this law is finally passed (may it happen soon, in our days) we expect you to call the auto-manufacturers and tell them NOT to follow it, when it comes to your car and your data – because you think that the government has no place passing a regulation of any kind, even if it makes your life safer.  

As Senator Markey puts it: “We need the electronic equivalent of seat belts and airbags to keep drivers and their information safe in the 21st century.” We at the world office of Consumer Courage rarely get excited at the Consumer-protection-bill-introduction stage.  Our experience with legislation that is proposed to help consumers is that we feel much better at the press conference on the day the first version of the bill is introduced than we do on the day the final version actually passes.  As Mark Twain famously said “there are two things in the world that you don’t want to witness being made – sausage and legislation.” At this point all we can do is hope that this sausage doesn’t go bad, before it gets to market.  But, at least we’re talking about it.  (I would tell someone to tell the car makers that we know what’s going on; but, they’ve been listening in on our conversations for a while, anyway)

Posted by Mark Wiseman: who is awfully glad that nobody was spying on his driving (or parking) habits when he was a teenager.