The Race To Regulate Self-Driving Cars

States across the US are scrambling to figure out how to regulate self-driving cars, wearable technologies that track our health, smart homes that constantly monitor their infrastructure and the rest of the devices emerging from the so-called “internet of things” (IoT). The result is a smattering of incomplete and inconsistent law that could depress the upside of the technology without really addressing its risks.

What’s most notable about these early regulatory attempts is not that they are varied – that is to be expected. It’s that the regulations deal mostly with physical safety, leaving privacy and cybersecurity issues almost wholly unexamined. This seems to be a pattern now, true too of drone regulation, where regulatory bodies have jurisdiction over physical threats, not informational ones.

The regulatory apparatus is stuck in the atomic age as the regulated technology thrusts into the fully networked age.

Seven states and the District of Columbia have now enacted laws that address autonomous vehicles, and many more states have laws in the pipeline. The most obvious defect of these early attempts is that they don’t deal with data flows through connected cars. They typically define an autonomous vehicle, prescribe registration and notice requirements for putting them on the roads, and require that there be manual override and a licensed driver in a position to control the vehicle.

Some deal with the allocation of liability, insurance and more detailed safety issues. Some impose special taxes for vehicle owners (hello DC, which has special taxing needs). There is the usual industry criticism that state regulation will result in a patchwork of conflicting rules that will depress automotive innovation. What is to be done, they ask, when one state requires a steering wheel and foot-applied brakes, while another state does not?

These laws fit self-driving cars into century-old licensing regimes without dealing with what makes them so different

In the absence of federal action, what often happens is that California establishes the standard as an early mover with a huge market. This was the case with data breach legislation, where California’s stringent requirements established the industry standard. With revenge porn liability, California moved first and other states followed, so diversity of state action is not in itself necessarily a persistent problem.

What is most troublesome about the autonomous vehicle laws is not how they differ, but how they are alike. They all fit the new paradigm of self-driving vehicles into century-old licensing regimes, without really dealing with what makes autonomous cars so different.

If we think about self-driving cars along a spectrum of autonomy, as suggested by the National Highway Transportation Safety Administration (NHTSA), the state laws are aiming at the mid-spectrum “highly autonomous” vehicles. These are cars that usually drive themselves, but may require human intervention under extraordinary circumstances.

By contrast, “fully autonomous” vehicles – those that need no human driver and may not even have human-operable controls – are not yet permitted. At the other end of the spectrum are the “partially autonomous” cars already on the road. These surrender some of the functions of driving to automatic processes, but need a fully alert human ready to take over at any moment.

The new state laws, in addition to addressing only highly autonomous cars, are focused only on the driver-vehicle physical interface.

That would be fine and proper if the physical interface were the only one that mattered. If the public safety risks posed by autonomous vehicles were solely threats to life and limb, it would be good enough to address the risks as an extension of 20th-century motor vehicle regulation.

But the logical interface between driver and car is just as important. Self-driving cars implicate data-flow issues that are common to many IoT technologies, resulting from constant real-time communications between users and their environments, and then between users and data collectors.

This is data that can reveal intimate and commercially valuable personal details, including geolocation and driving habits. BMW’s sensors are supposedly so sophisticated that they can tell if a child is on board – data that brokers have sought in order to entice parents to pull off the road for kid-friendly offers.

As well as privacy issues there are the security threats. Researchers have shown that the vehicle controls are vulnerable to hacks. This has raised the specter of bad actors taking over automotive braking or steering functions either just for kicks or as a cyberwar tactic.

Although there is an industry agreement on information privacy best practices, state laws don’t incorporate them. So far, state regulations fail to address or even acknowledge the data privacy and security problems associated with the collection, use, storage and dissemination of data gathered from autonomous vehicle use. They don’t deal with the potential for unauthorized third-party access to the data, nor do they deal with routine public safety questions such as whether police should have “back door” control over suspects’ cars when in active pursuit.

California has draft regulations that do address the informational privacy issues, if only glancingly. These require notice and consent before information can be collected from operators other than what’s needed to operate the vehicle.

A mandatory opt-in for data collection is only one of the best privacy practices. In 2014, the major automakers voluntarily adopted Fair Information Practice Principles. These include commitments to transparency, consumer choice, minimization of data collection and retention and de-identification. The principles require heightened protection for personally identifiable information, such as geolocation, driver behavior, and biometric data.

The voluntary best practices, without more, are not all that helpful besides the fact that they’re voluntary. There is enough ambiguity in them to drive an autonomous fleet through. A manufacturer can promise to de-identify personal information (like what time you left home and where you went), but different manufacturers will do this to different standards and some of these standards will allow re-identification. Manufacturers might choose to allow consumers to opt in before collecting their data, but if the smartphone market is anything to go by then consumers would have a much impaired experience if they declined.

At the federal level, a bill has been introduced that does a little less than nothing: it requires a government audit of the Department of Transportation to see if that agency is capable of enacting consumer protections. Anticipating that there will be federal policy at some point, tech and car companies (Uber, Google, Lyft, Ford) have formed a lobbying group to shape autonomous vehicle policy.

What is happening in the autonomous vehicle space recapitulates drone regulation. A spate of state laws have addressed drone flights over private property and critical infrastructure, government drone use and image capture. What federal regulatory policy there is comes out of the Federal Aviation Administration, so just as the NHTSA is an agency that sees to the safety of cars, so the FAA sees to the safety of aircraft. The FAA’s draft drone regulations, as might be expected, address the licensing of pilots and the prevention of drone crashes and flight interference.

And again, these regulations don’t address information privacy and cybersecurity – matters way outside the FAA’s competence. Into this vacuum has stepped the Department of Commerce, whose advisers have convened various interested groups to discuss drone privacy, and in May came up with a voluntary guide to best practice. Yet some of those groups, including the Electronic Frontier Foundation, criticized the process for being too dominated by industry, and refused to sign on.

In the absence of any federal capacity to regulate for data privacy and cybersecurity, these issues are bound to fall between the cracks of state and federal rule making.

The physical side of self-driving cars, and drones, may be significant, but the informational side is revolutionary. And for now, we have to trust those industries to regulate themselves.

Guardian:

 

« ISIS Suspect Was Sending Encrypted Emails
‘Dropping Elephant’ Is A New Cyber Espionage Group »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

BSI Group

BSI Group

BSI is the business standards company that equips businesses with the necessary solutions to turn standards of best practice into habits of excellence

Prolinx

Prolinx

Prolinx provide secure Data Centre hosting services and other fully managed security services for networks and information systems.

Intrinsic-ID

Intrinsic-ID

Intrinsic-ID's authentication technology creates unique IDs and keys to authenticate chips, data, devices and systems.

CERT-FR

CERT-FR

CERT-FR is the French national government computer security incident response team.

Maryville Online - Cybersecurity Program

Maryville Online - Cybersecurity Program

The Cybersecurity Program at Maryville Online is designed to help students reach opportunities in cybersecurity leadership and management through an entirely online curriculum.

Kaymera Technologies

Kaymera Technologies

Kaymera’s comprehensive mobile enterprise security solution defends against all mobile threat and attack vectors.

Raz-Lee Security

Raz-Lee Security

Raz-Lee Security is the leading security solution provider for IBM Power i, otherwise known as iSeries or AS/400 servers.

Torsion Information Security

Torsion Information Security

Torsion is an innovative information security and compliance engine, which runs either in the cloud or your data centre.

Onsist

Onsist

Onsist brand protection services provide proactive defense against fraudulent use of your brand online.

CYSEC SA

CYSEC SA

Cysec is equipped to deliver agile security solutions for the most challenging IT infrastructures around the world.

Open Systems

Open Systems

Open Systems is a Secure Access Service Edge (SASE) pioneer delivering a complete solution to network and security.

MetaCert

MetaCert

MetaCert’s Zero Trust browser software reduces the risk of organizations being compromised with a phishing-led cyberattack by more than 98%.

Epic Machines

Epic Machines

Epic Machines is a Value Added Reseller and Managed Security Services provider offering Security Transformation using Cloud-native solutions to commercial and government markets.

Security Risk Advisors (SRA)

Security Risk Advisors (SRA)

Security Risk Advisors deliver cybersecurity services to leading companies in the Financial Services, Healthcare, Pharmaceuticals, Technology and Retail industries.

Vault Cloud

Vault Cloud

Vault Cloud, Australia's National Cloud, is an Australian owned and operated company specialising in secure, sovereign, hyperscale cloud infrastructure.

Twilio

Twilio

Twilio are the customer layer for the internet, powering the most engaging interactions companies build for their customers. We provide simple tools that solve hard problems.