First they came for the regulations…
The change happened last month, in an announcement of little fanfare: Department of Transportation Secretary Elaine Chao issued a new set of proposals for the official roll-out of self-driving cars.
Her agency had done away with the 15-point plan released last year by the Obama administration and replaced it with a “clearer, more streamlined, less burdensome” document consisting of a loose set of guidelines for the automotive industry.
Among other intentions, the voluntary policies hope to herald a technology in autonomous driving that can curb dangerous human driving habits—responsible for “9 out of 10 serious roadway crashes,” the document declares—and institute at least a vague outline of what the federal government wants to see in the rides of the future.
But it’s what the authors of the DOT report are turning a blind eye to that’s the problem.
The 26-page list of suggestions makes virtually no mention of consumer privacy, meaning self-driving cars could not only record where a driver is going, who they’re with, and what they’re saying—but also share that information directly with corporations or sell it to the highest bidder.
The vehicles represent Big Data’s Holy Grail, and the new regulations do nothing to stop them from spying on drivers.
A Game of iSpy
Just how much will cars know about their drivers?
For starters, information immediately available to them: the direction drivers are traveling in; how fast they’re getting there; what stops they’re making.
But extrapolated out across a lifetime, the vehicles will be privy to the much more intimate life patterns: not just current location, but all of the places a driver has been. Not just the destination they’re headed toward, but all the places they frequent—or the spots they’ve stopped visiting, or started flat-out avoiding.
Many new vehicle models already connect some of these dots, using previously captured data to infer a driver’s preferences, and suggest certain songs or routes to them, among other conveniences. But cars are becoming increasingly smarter, and their measurements have become increasingly intimate—some even going as far as reading a driver’s biometrics.
Anything from the line of a driver’s gaze to the beat of their heart is or has been recorded by a vehicle, arguably to ensure greater safety by making sure, among other things, that eyes are on the road and motorists are in good health while driving.
At their most extreme, cars will even be able to know who is behind the wheel, using physical hints like fingerprints or faces to determine who’s driving—and adjust all personal settings accordingly.
This doesn’t include information gleaned from the myriad new sensors, cameras, and microphones being built into the cars, which will be able to record not just the contents of the vehicle but what’s going on outside it. The autos will also have access to any communique that transpires while a phone is synced up to a car’s Bluetooth system. (The National Automobile Dealers Association has received so many questions about these latter features that they’ve issued a brochure to advise interested buyers on everything that may be monitored.)
And it’s not just the breadth of what cars know that’s expanding; it’s also the ways that information can be utilized—or exploited.
An Optimal Situation
App companies and other Big Data farmers have a word for this massive information intake: “optimizing.” They encourage consumers to connect, sign on, and share because learning more, they say, will let them set the stage for a more personal—and therefore better—experience. Many connected car companies have used the same line.
But just how much is “optimized” time worth to them?
Concrete numbers are hard to come by, but it’s been reported that Google and Facebook alone sell personal “profiles”—a potent mix of demographical data and cultivated preference or search histories—for up to $20 per user.
In 2012, the online data broker industry raked in a total of $426 million in revenue from selling personal information, according to the latest report on the subject compiled by the Federal Trade Commission (FTC). Its most profitable sector by far was marketing, with brokers making more than $196 million that year by selling a mix of data-based products—from snippets of “identifying information,” such as names, social media usage, race, religious affiliation, parental status, credit card usage, and net worth, among others, used to help clients understand who’s visiting their websites, to “marketing lists,” where data sets of like-minded individuals are sold as a bundle to firms who are more interested in targeted advertising.
And that’s just the tangible value of user data. The wealth of knowledge it offers whomever possesses it is incalculable—and nearly infinitely applicable. (That’s partially because of how integrated machines have become, allowing users to generate a daily information trail without realizing it. After requesting to see the intel dating app Tinder had kept on her, one reporter alone was sent more than 800 pages of data.)
As users’ main means of transport, cars will have greater access into their personal lives than even dating apps. Such information can be used for anything from cultivating more accurate auto insurance estimates to much more elaborate acts of advertising—conceivably even using precise geo-tracking technology to let a driver know when they’re approaching a favorite store and what they have on sale.
The data collection itself could also prove an enticing invitation for those with more nefarious motivations.
But to see how the Department of Transportation plans to deal with the issue, you’ll practically have to read between the lines.
A Historical Footnote
When the first list of self-driving car suggestions was released in September 2016, privacy was one of the 15 checkpoints its authors asked auto manufacturers to consider when building their autonomous vehicles. Specifically, the previous policies said car owners should know which metrics were being tracked and have the chance to opt out of any information collection they weren’t comfortable with.
True to its “streamlined” promise, however, the new document (officially released by the National Highway Traffic Safety Administration [NHTSA]—a branch of the DOT) whittles down any appearance of the word “privacy” to exactly four uses—including two in the footnotes.
On a separate website to which the footnote links, agency officials say consumer privacy is “not directly relevant to motor vehicle safety” and should instead be overseen by the FTC. (For their part, FTC officials called for more leadership from the NHTSA—and more testing exemptions on the vehicles—in their latest report on the subject, but failed to list a single privacy recommendation.)
Still, NHTSA officials acknowledge the “significant amount of vehicle data generated” by using the cars may be considered “sensitive and personal” to some drivers. They ask automakers to consider this fact when fostering consumer “acceptance” of the technology—but don’t comment on their general use of it, and stop short of any attempt to regulate the data collection.
The same laissez-faire attitude is not extended to metrics on the automakers themselves, though. The corporations are officially advised by the NHTSA to keep some of their own data private—including anything that could be considered “confidential business information.” (The terminology mirrors that from recent legislation passed by the House of Representatives, which uses the phrase—shortened to “CBI”—to describe, among other things, any data related to crashes the cars are involved in.)
The new guidelines direct manufacturers to submit Voluntary Safety Self-Assessments—but warns them to keep any CBI out of them “as it would be information available to the public.”
So how should users deal with technology they’ll know so little about, but which will know so much about them?
A Checkered Solution
Without strong backing by the federal government, drivers may have to rely piecemeal on carmakers to protect their privacy.
Indeed, some manufacturers have already heeded the call, creating a list of privacy principles they promise to follow starting with their 2017 models. (The collective, called the Alliance for Automobile Manufacturers, is comprised of 12 major carmakers, including BMW, Fiat Chrysler, Ford Motor Company, General Motors, Jaguar Land Rover, Mazda, Mercedes-Benz USA, Mitsubishi Motors, Porsche, Toyota, Volkswagen, and Volvo.)
Among their promises, the group says it will keep some data private, but it also acknowledges that other information may be used for marketing—or otherwise sent to third parties. But officials for the companies say a car owner’s consent will be sought before their information is sold. (Concerned consumers, the alliance suggests, can always ask what information on them will be collected—and why.)
Still, the rules aren’t enforced by any outside entity, and automakers who break their promises will likely never see punishment.
In the meantime, it seems drivers will just have to accept that the powers that be will know much more than their Internet histories—they’ll know the exact direction they’re headed.