SPY Car Bill Would Set Cybersecurity Standards

Aims to protect data privacy, security for V2V

A couple of high-profile senators are giving new meaning to protecting mobile broadband data security.

Sens. Ed Markey (D-Mass.) and Richard Blumenthal (D-Conn.) have introduced a bill that would establish cybersecurity and privacy standards for the software and electronics in cars that will be collecting data as the Internet of things moves more deeply into the dashboard.

Responding to the increasing use of connected devices in automobiles, the pair have introduced the Security and Privacy in Your Car (SPY Car) Act, which would direct the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission to come up with federal standards for protecting driver privacy and data security given the connected features in cars and the sharing of info with third parties via vehicle-to-vehicle (V2V) communications.

The FCC is taking over broadband data privacy enforcement from the FTC per its new Title II-based net neutrality rules, but a spokesperson for Markey's office said they were confident the FTC would have jurisdiction over the consumer-facing software and hardware the bill targets.

Specifically, the bill would do the following:

I: [Set] Cybersecurity Standards

"NHTSA, in consultation with the FTC, should develop standards that prevent hacking into our vehicle controls systems. These performance standards should require that:

"Hacking protection: all access points in the car should be equipped with reasonable measures to protect against hacking attacks, including isolation of critical software systems and evaluated using best security practices, such as penetration testing;

"Data security: all collected information should be secured to prevent unwanted access—while stored on-board, in transit, and stored off-board; and

"Hacking mitigation: the vehicle should be equipped with technology that can detect, report and stop hacking attempts in real-time."

II: [Set] Privacy Standards

"The FTC, in consultation with NHTSA, should develop privacy standards on the data collected by our vehicles. These standards should require:

"Transparency: owners are made explicitly aware of collection, transmission, retention, and use of driving data;

"Consumer choice: owners are able to opt out of data collection and retention without losing access to key navigation or other features (when technically feasible), except for in the case of electronic data recorders or other safety or regulatory systems; and

"Marketing prohibition: personal driving information may not be used for advertising or marketing purposes without the owner clearly opting in."

III: [Create] Cyber Dashboard

"NHTSA, in consultation with FTC, should establish a 'cyber dashboard' that displays an evaluation of how well each automobile protects both the security and privacy of vehicle owners beyond those minimum standards. This information should be presented in a transparent, consumer-friendly form on the window sticker of all new vehicles."
