Andrea Amico, founder and CEO at Privacy4Cars, is passionate about privacy and security, and is chock full of stats and facts on how far-reaching data sharing has become and how many companies have access to personal information. Vehicles themselves collect and store more information than most of us would ever realize, and there is growing history of breaches, warnings, lawsuits, and even settlements. Amico presented all of this in a session at March’s 2022 NAFA Institute & Expo, startling attendees with more than just his blue hair.
Amico first engaged the crowd by handing out USB filters that allow a cell phone to charge without its data being retrieved. The point was to warn attendees to never use other USB sticks, especially given by vendors, “because it’s how bad guys do things.”
Then, Amico provided some basic definitions: Security in this case is defined as preventing unauthorized people or companies from having access to personal data, and privacy is the right to have data in the first place.
Chances are you don’t really know how your car works, he said. Car collect data locally (and that data is not stored in a database that has traditional security and privacy) and increasingly they send data out. Consequently, just like with laptops, securing vehicle data must start from protecting the data that is on them... but the more connected they are, the more complex the issue becomes.
When you plug your phone into a car, whether to pair it or charge it via a USB, lots of information from that phone is collected. This can include:
- Biometric IDs.
- Call logs.
- Text messages.
- Calendar events.
- Downloaded files.
- Medical providers.
- Navigation history.
- Home address.
- Garage codes.
- Health and credit information.
- Third-party apps.
Companies and individuals can buy this data for a steal, too. Amico said the current market price is somewhere between $10 and $60 per person per year.
While most drivers only see directions on their GPS navigation in the car, that geolocation goes much further than the vehicle's infotainment or the manufacturer. It is also shared with firmware providers, component manufacturers, telecom providers, other connected devices, traffic services, weather services, insurance companies, Google, Apple, and more.
Don’t believe it? Check out these headlines.
- Data From 540,000 GPS Vehicle Trackers Leaked Online
- Plug-N-Pwned: Comprehensive Vulnerability Analysis of OBD-II Dongles as A New Over-the-Air Attack Surface in Automotive IoT
- 'Privacy Protecting' Car Location Data Seemingly Shows Where People Live, Work, and Go
In this case, sharing is not caring.
State & Federal Laws
“There's a lot of things in which America leads in, but privacy is not one of those things,” Amico said, referencing Europe’s General Data Protection Regulation (GDPR), known as the toughest privacy and security law in the world.
In the U.S., without a federal privacy law, data regulation is left up to states. And all 50 states do regulate the personal information collected by vehicles, but not all laws are equal. California, Colorado, Virginia, and Utah, have privacy laws modeled after Europe’s GDPR; while California adds on IoT security laws; and Illinois, Florida, California, Washington, as well as some cities, have biometrics laws. New Jersey was the first state to pass a bill about vehicle telematics and driver monitoring, where companies must tell employees they’re being tracked. If they don't, the company is actually liable.
Biometrics laws, in particular, are under scrutiny, and several companies are facing several lawsuits for violations. In an example, Amico offers this: “You drive a Tesla, it has a camera facing you, it is actually recognizing you, but plaintiff attorneys increasingly are arguing that it is not asking for your consent. In Illinois, for instance, the statutory damages for biometrics violations are $500 a person, so a smart attorney has run the tab and they figure out it's probably worthwhile suing Tesla.”
To help understand the statutes that apply to your state, Privacy4Cars offers a free online resource.
Don't be a stat: know your rights, delete your data, & keep your privacy safe.— BZConsultants (@BzConsultants) April 13, 2022
Youtube: https://youtu.be/ZX5m28Gi5Uk?utm_source=twitter&utm_medium=referral&utm_campaign=facts_not_feelings_episode22&utm_content=andrea_episode#BZConsultants #FactsNotFeelings #AndreaAmico #Privacy4Cars #Privacy #Automotive @Privacy4Cars pic.twitter.com/cG9u4mMDZ9
While many companies will issue statements about their ethics, anonymization of data, compliance with GDPR or CCPA, Amico advises digging deeper.
What to Read or Ask OEM & Telematics Providers
- Privacy policies and terms of service.
- Contract and clauses on consent, use, sharing and retention of data.
- If they claim geolocation data is anonymized (if so, it’s a red flag as that is hardly possible).
- Documentation of compliance with California’s IoT law (even if you’re not in California).
- Take the Privacy4Cars fleet risk assessment (below).
Privacy4Cars Fleet Risk Assessment
There are steps you can take to protect your data. In 2018, the FTC actually advised fleets to dump the data stored in cars in a message called “Be discreet when you delete your fleet.”
Amico recommends connecting with fleet management companies (FMCs), many of which offer in-vehicle data deletion at the time of sale — Element, Wheels Donlen, and Holman all do, he said.
Actions to Take to Reduce Risk
- Read all privacy and service policies.
- Ask your FMC what solutions they have in place to help.
- Engage legal.
- Perform CISO/compliance checks.
- Delete all in-vehicle data at handoffs and sale.
- Perform a data privacy assessment.
- Get vehicles under the same policy policies as other devices (laptops, phones).
- Prune! What data do you really need?
- Implement robust consent management.
- Demand a telematics “kill switch” for off-work hours.
To the last point in the list above, Amico elaborates that in Europe, employees — and any family members — who use a work vehicle for personal use after hours cannot be tracked. California has plans to adopt this rule starting in January, and more states will likely follow suit. Until then, Amico recommends asking your telematics provider how to turn off tracking between shifts.
Additionally, consider adding to your fleet policy a clause about shared vehicles and rentals that requires data deletion at handoff.
“As a business, to protect your employees, you need to start protecting yourself,” Amico said.