How to protect what your car knows about you

Most of today’s newer automobiles are “connected,” with dozens of electronic sensors and other digital technologies tracking everything from where a vehicle is located, to how it’s being driven, to its level of performance, to who is driving it.

The amount of data these technologies generate, already significant, is poised to increase as traditional vehicles become more automated. And if we’re learning anything from the revelations about Facebook’s oversharing of data with Cambridge Analytica, it might be that companies that collect significant amounts of customer data rarely can be trusted to fully protect it.

The automotive industry has an unprecedented opportunity to use customer’s car data in new ways, including improving safety, enhancing vehicle efficiency, and reducing costs. It also is poised to make money from it. Global management consulting firm McKinsey has estimated that vehicle data could be worth $450 billion to $750 billion by 2030. Connected-car data marketplace vendor Otono recently reaffirmed this massive opportunity.

That’s great, if you’re a car company. But if you’re a consumer, your enthusiasm will likely depend on how much of that value you get in return for giving up personal information—and for waiving legal and privacy protections. Maybe you’d get better directions, or more easily find open parking spaces. But increased conveniences come at a cost I suspect many are not willing to pay.

WHERE IS THE CAR DATA COMING FROM?

Last year, a large auto manufacturer asked my company GRIMM to help it with data security. Perhaps the most interesting aspect of its proposal was a diagram of the scope of work, which was predominantly filled with the backhaul networks for data communication, connectivity, and Web services to be included in the company’s cars.

The car itself, located in the lower-left corner of the diagram, was clearly just a small part of its overall technical system. The game has already changed.

A connected vehicle’s Global Positioning System receiver is perhaps its most obvious source of data collection. It always knows the car’s exact location, and it readily shares it over a network with providers of location-based services we’ve come to rely on, from mapping our destinations to helping us navigate around traffic congestion along the way.

Data about the vehicle’s use and the condition of its components—including fuel consumption, mileage tracking, speed of travel, oil and tire pressure, and last date of service—help manufacturers improve their next-generation designs. A lot of this information also reveals insights into the habits of the driver—information that insurance companies or law enforcement agencies might want.

And, naturally, third-party apps embedded into a vehicle’s driver interface, from those that navigate to those that stream music, continually collect data about user preferences and location.

REWARDS AND RISKS OF CONNECTED CARS

When aggregated, all of this data can yield fairly detailed personal profiles of vehicle owners, including where they live, where (and when) they travel, and how they drive. In an era of big-data analytics, it will be increasingly used to calculate a driver’s anticipated needs, preferences, and behaviors.

Companies could use vehicle and driver data to determine usage-based insurance premiums, for example, to suggest preferred retailers or restaurants along a driver’s route, or even to push promotions geared toward car maintenance.

The great majority of the car-buying public is simply unaware of the breadth of information their vehicle generates and their vehicle manufacturer tracks about them.

Such services could prove quite valuable to drivers. But as a recent hack of Tesla cloud systems for cryptojacking reminds us, the data collection they require comes with risks. Some of those risks are tied to the following questions: How is the data protected at the point of collection? Where is it stored? How (and when) is it being shared with third parties, and what are they doing with it? Who might be able to see when the car is away from home?

The interiors of connected vehicles are hardly private spaces, yet most drivers—uninformed about how their vehicle data is being collected, analyzed, and used—still consider them mobile fortresses. Carmakers aren’t telling them which data they’re collecting and sharing. Nor are they giving them the types of opt-outs they typically see in mobile-app privacy settings.

The great majority of the car-buying public is simply unaware of the breadth of information their vehicle generates and their vehicle manufacturer tracks about them.

‘NUTRITION LABELING’ FOR YOUR CAR

I don’t know of any auto manufacturer, to be fair, that is already monetizing the vehicle or driver data it collects. But given the tremendous market potential, it’s only a matter of time before one does. As carmakers develop business plans around the data they share, they will need to drive their data collection policies toward ones requiring drivers’ informed consent.

The food industry has already been forced, by law, to take this approach. By reading standardized nutrition labels on products at grocery stores, consumers can make active, knowledgeable choices about what they eat, and thereby better protect their health. Car manufacturers (and any other companies that collect consumer data) should similarly offer standardized, easy-to-understand disclosure statements that outline which data they could collect and share, how the data could be used, how the data will be protected. They should also allow customers to opt out of data sharing.

Whether legislated, industry-founded, or even sponsored by a third party like Consumer Reports, standardized data collection “nutrition labels” would help consumers understand the implications of buying a certain connected vehicle. Consumers need to demand this transparency and choice before the market does.


Leave a Reply