Earlier this week I had the pleasure of being a panelist at the Automated Vehicles Symposium 2015 in Ann Arbor, Michigan. Our topic was “Privacy Issues Unique to Automated Vehicles,” though there was a lot of discussion about all degrees of “connected cars”–not just the “autonomous” kind.
To put that topic in context, I surveyed the privacy landscape as applied to today’s digital media, especially in social media and ecommerce applications. As I usually do, I began by acknowledging the elephant that’s always in the room during privacy conversations: the First Amendment. Our nation’s commitment to the free and open exchange of information and ideas is so fundamental to our culture and legal framework that data privacy is always the exception rather than the rule. That said, there is a rapidly growing list of such exceptions. I discussed the various situations and subject matters in which some degree of privacy has been protected by statute or common law, ranging from health information to creditworthiness to web browsing–all of which are subjects potentially implicated by connected cars.
I then learned quite a bit about how data is currently, and soon will be, collected from cars from Tom Bamonte, Chief Innovation Officer of the North Texas Tollway Authority. The NTTA operates the automated toll system that interacts with cars by means of small transponders placed on the windshield. Just this simple interaction can build quite a profile of individual drivers, of course, including a history of all their travels. But plenty of other sensors are either available now or soon will be. Bluetooth and cell data signals emanating from the car (such as your interactions with the Waze app) can be harvested. Infrared cameras can detect whether drivers are using dummies to cheat the high-occupancy lanes. License plate-reading cameras can scan tens of thousands of plates an hour. All of this is enormously useful for implementing and enforcing traffic rules.
Of course, it also creates a significant opportunity for repurposing data, but here’s where I was impressed by the NTTA’s standards. Even though they didn’t have to, NTTA has fought for their users’ privacy. As a state-chartered toll authority, NTTA was subject to Freedom of Information Act requests. Some people had begun to figure that out, and requested data on the movement of politicians, law enforcement, and other sensitive topics. NTTA advocated for a bill to exempt this information from FOIA, and won. Moreover, NTTA has so far resisted the enormous temptation to monetize their trove of data by sending users in-car advertisements. In this way, they’ve respected the contextual boundaries in which drivers have given them information–one of the emerging privacy law principles articulated in the White House’s Consumer Privacy Bill of Rights.
Our third panelist was Joe Jerome, policy counsel at Future of Privacy Forum in DC. Connected cars are one of FPF’s focus areas, and they advocate the development of flexible notice and choice mechanisms in connected devices. Connected car technologies, Joe argued, should provide notice that is tailored to the nature of the connected device, the environments in which the device will be be used, and the types of data to be collected and the data’s intended use. Connected car technologies present opportunities to provide notice of data collection through visual or auditory cues and obtain consent through innovative user interface designs.
I also learned that the Alliance of Automobile Manufacturers and the Association of Global Automakers have agreed to a set of privacy principles for vehicle technologies and services. In November 2014, FPF published The Connected Car and Privacy: Navigating New Data Issues, a white paper that explains these principles.
Then we heard from our audience, which consisted of automotive professionals and researchers. They raised a number of questions of high concern to them, including:
- How does the involvement of multiple parties in the transmission of data to and from cars affect disclosure and privacy obligations?
- Will drivers end up incriminating themselves with the information collected by cars? Where does the Fifth Amendment come into play?
- How long is the data kept?
- How is driver health data and other biometrics collected, and how is it used?
- Who will manage the information, since governments are not good at doing so?
- Is there a double standard in how automotive OEMs and trendy social media companies are expected to handle consumer data?
All in all, this panel was a fascinating experience and a valuable discussion of very timely issues. I was honored to be a part of it.
Special thanks to Johanna Zmud of the Texas A&M Transportation Institute in DC for inviting me to participate.