To manufacturers bullish on internet-connected cars, a world of networked vehicles is one with fewer deadly crashes, reduced traffic, and new revenue streams. To data security researchers, they’re possible vectors of attack —high velocity weapons and roving data-reapers — posing as enticing targets for hackers.
As part of a series of Congressional hearings focused on thorny tech issues, representatives from Tesla, General Motors, and Toyota were asked to appear in front an oversight subcommittee in the House of Representatives Wednesday. After lawmakers voiced concerns over consumer privacy, data collection, and network security, the assembled automakers responded with a resolute and unified message: hands off our cars.
“We are in a period of rapid innovation for automotive safety,” said Diarmuid O’Connell, Tesla’s vice president of business development. “Overzealous or premature regulation...can actually deter or block safety innovations.”
Toyota’s vice president of connected services Sandy Lobenstein said the auto industry “came together and developed privacy principles,” putting car makers at the “forefront of protecting consumer data in the emerging Internet of Things.” An established industry code of conduct, Lobenstein said, “is precisely the type of effort that the government has encouraged from the private sector.”
Of particular interest to members of Congress is the possibility of advancing industry-wide standards for cybersecurity and consumer privacy. Several lawmakers mentioned a widely-read Wired article, in which security researchers hacked a Jeep Cherokee and remotely tampered with its brakes, steering, and engine.
For concerned legislators, networked cars represent another platform susceptible to data breaches, and potentially lethal intrusions. In 2013, nearly six million vehicle crashes led to 32,619 deaths in the United States. For malicious hackers, the advent of web-enabled cars could herald a new sort of weaponized computer.
“Rushing to regulation is not in my opinion the answer,” said Rep. Ted Lieu. “But neither is a lack of accountability or standards.” Lieu is advancing legislation that would initiate a one-year government study to recommend regulations for automotive software, safety, cybersecurity, and privacy.
“With all due respect, our industry can't wait for government,” said Harry Lightsey, executive director for customer experience at General Motors, who said the company is hard at work developing technologies intended to limit collisions and protect connected cars from hacking.
Though, when asked by Rep. John Mica, a Republican from Florida, if an industry-wide cyber security standard exists, he indicated that it does not, as did Tesla’s O’Connell and Toyota’s Lobenstein.
For Khaliah Barnes, associate director for the Electronic Privacy Information Center, the auto industry’s promises of self-regulation around connected cars are especially concerning for consumer privacy. “Most car companies and other companies, including Google, fail to inform consumers of their data collection practices,” she said. “And few give consumers true control.”
Location data, credit card numbers, and text messages are among the types of personal information that cars can now store. And, according to Barnes, carmakers are not doing a good job telling consumers how that data is used. Barnes supports a Senate bill that would establish baseline federal standards for automobile cybersecurity, instituting federal penalties for car hacking. The same proposal limits how car data can be shared with marketers and other third parties.
Hamza Shaban is a technology policy reporter for BuzzFeed News and is based in Washington, DC.
Contact Hamza Shaban at Hamza.Shaban@buzzfeed.com.
Got a confidential tip? Submit it here.