Public Interest Group Asks FCC to Pause Connected Car Spectrum Usage over Privacy and Cybersecurity Concerns
By Sherrese Smith and Michael London
On June 28, 2016, Public Knowledge
Impending Deployment of Vehicle-to-Vehicle Devices
Over the past two decades, the Department of Transportation and the automotive industry have worked together to develop a framework identifying the types of services and devices that are integral to the development of a connected and intelligent transportation system. Such services include collision avoidance systems to reduce motor vehicle accidents, and automated electronic payment systems to facilitate the payment of tolls and gas.
The National Highway Transportation Safety Administration (“NHTSA”) has provided notice that it intends to require car manufacturers to include vehicle-to-vehicle communication devices in all new cars, and that such a mandate will be fast-tracked. General Motors has also announced that it will include vehicle-to-vehicle communication devices in some of its vehicles this fall.
Vehicle-to-Vehicle Cyber Security and Data Privacy Concerns
In its petition, Public Knowledge expressed a concern about the adequacy of cyber security protections for vehicle-to-vehicle communication devices. A report by Intel noted that there are at least 14 different ways a hacker could access a car’s operating system via a vehicle-to-vehicle device. This could allow a hacker to remotely crash a vehicle by gaining control of a vehicle’s braking, steering, and acceleration functions.
Public Knowledge also raised concerns that connected devices can collect personal information about an individual’s location and driving habits, and can store an individual’s sensitive financial information. The collection and storage of such sensitive information could create an enticing target for hackers.
Concerns Regarding NHTSA’s Ability to Address Cyber Security
Public Knowledge petitioned the FCC because of its concern about NHTSA’s ability to effectively address cyber security and privacy issues. The petition notes that, while NHTSA is currently examining the need for cyber security regulations, it has stated that it will not make a final determination until 2018, despite the impending NHTSA vehicle-to-vehicle mandate and the early implementation by automobile manufacturers. This delay raises concerns that connected vehicular devices could be implemented without adequate cyber security protections, potentially exposing critical safety systems to malicious actors.
Public Knowledge has requested that the FCC (i) impose restrictions on the types of permitted vehicle-vehicle communication devices to allow only non-commercial services to reduce the risk of cyber security attacks, (ii) adopt privacy rules modeled after the FCC’s privacy rules for telephone and broadband providers, and (iii) require device manufacturers to submit cybersecurity plans to the FCC prior to the deployment of such devices. It remains to be seen how the FCC will react to this petition, and we will provide further analysis should the FCC take action.
PH Privacy is Paul Hastings’ Privacy, Cybersecurity and Data Governance blog. We welcome your feedback. Please contact our blog editor with any thoughts or suggestions.