IF you hadn't noticed yet, your modern car is just another digital device. Actually, a device run by dozens to more than 100 other devices — sensors and control modules called electronic control units.
They monitor or control everything from oil pressure to airflow, coolant, engine operation, the throttle, brakes, fuel pressure, infotainment and more. Many of them even monitor you. Sometimes that could be a welcome thing.
But as documented recently, your "smart" vehicle is also collecting "a firehose of sensitive data," transmitting it to dozens of companies in "an ecosystem of dozens of businesses you never knew existed."
"Most drivers have no idea what data is being transmitted from their vehicles, let alone who exactly is collecting, analyzing, and sharing that data, and with whom," said Sammy Migues, principal scientist with the Synopsys Software Integrity Group. "Even if vehicle owners did know, the data "wouldn't make any sense to many, and even those who understand the data probably can't think of all ways it could be misused."
While all those companies fly under the radar of mainstream awareness, they are part of the nascent but growing connected vehicle data industry, which it's estimated would be worth $300 billion to $800 billion less than eight years from now, by 2030.
delivered to your inbox
According to McKinsey & Company, the ecosystem of companies interested in profiting from vehicle data — which ranges from 1 to 2 terabytes per day per vehicle — includes stationary trade and leisure, governments, advertising and marketing, content providers, third-party marketplaces, financial services, tech companies, charging and fueling providers, and infrastructure players. In other words, information is not just power. It's money — lots of money.
But obviously, vehicle information is also personal. Which means it has privacy implications. Or, more to the point, invasion-of-privacy implications. Data experts noted that vehicle data collection starts the moment a driver gets into a car.
Once a trip starts, sensors also collect and transmit location and speed, use of the brakes, headlights, wipers, tire pressure, what's playing on the entertainment system, whether oil level is low, whether the vehicle needs scheduled maintenance, and more.
Some of that data collection yields information we find convenient, like GPS tracking of your vehicle telling you and others your exact location. It's also why your smartphone directions app could tell you if there's a traffic jam on the route you're about to take.
But that's just a mini slice of the data that makes its own journey from the car manufacturer to the connected vehicle data marketplace to be, as they say, "monetized."
Those in the vehicle data hub and telematics industries insist there is no personal privacy risk — that the data they collect, collate, analyze and sell is aggregated and anonymized, which they say means vehicle owners don't need to worry about being identified or surveilled.
And they argue that there are significant benefits to the collection and analysis of that date — that it's useful for everything from traffic management to electric vehicle infrastructure planning, fleet management, advertising, mapping, city planning and location intelligence.
Mixed views from privacy experts
James Lee, chief executive officer of the Identity Theft Resource Center, acknowledged that the cybersecurity of that data is crucial. But he said if rigorous security protections are in place along with knowing consent and anonymization, "then all of the elements of proper data use and protection are in place."
But Rebecca Herold, chief executive of Privacy & Security Brainiacs, said it's not that simple. She agrees there is value to data being aggregated and anonymized but said that doesn't make personal privacy bulletproof.
While aggregating massive amounts of data would, in theory, eliminate any way to link specific data points to specific individuals, "with artificial intelligence (AI) and machine learning (ML) tools, and even long-used rudimentary sorting algorithms, this does not protect privacy," she said. "They can often comb through all this digital data to detangle the assumed chaos, creating 'reidentified' data to result in very clear views of specific individuals," she said.
Bennett Cyphers, staff technologist at the Electronic Frontier Foundation (EFF), goes even further. He said that the combined volume of data for sale and lack of regulation in many places is "a match made in privacy hell," adding that "the unique nature of location and movement data increases the potential for violations of user privacy."
"Even anonymous data has a lot of value and a lot of ways to be misused," Migues said.
Lee agrees that personal data can be misused and abused — he notes that "anonymous telematic data, if stolen, could reveal that certain makes or models are more likely to need certain repairs."
Lee believes that while there's a need for stronger data protection, data privacy, and identity management laws, "the goal shouldn't be to end data sharing for fear of a surveillance state. There are good and valuable benefits from data when it is properly collected for a permissible purpose with informed consent."