The smarter our cars get, the more data they collect. Congress may finally be getting serious about the privacy and security implications of that trend.
The House Energy and Commerce Committee wants to require car manufacturers to lay out, in clear language, what kind of data their vehicles collect and how it is used. The committee also wants to raise the consequences of hacking into these vehicles, which are increasingly becoming targets of malicious actors.
Committee staff have put together the framework of a bill to give the National Highway Traffic Safety Administration (NHTSA) more authority over car security and privacy. The “discussion draft” will serve as the blueprint for a Subcommittee on Commerce, Manufacturing, and Trade hearing next Wednesday.
One section of the draft calls for car manufacturers to “develop and implement a privacy policy outlining the practices of such manufacturer regarding the collection, use, and sharing of covered information” within a year of the bill’s enactment. The policy would need to include “a commitment to retain the covered information no longer than is determined necessary by the manufacturer for legitimate business purposes.”
Car companies would also have to “implement reasonable measures to protect covered information against loss and unauthorized access or use.”
The draft also spells out punishments for improperly accessing a car’s computer systems, a problem that has grown increasingly common as those systems become more complex and thus more vulnerable. Anyone convicted of hacking into a car would face a civil penalty of up to $100,000 per hack.
The attention to car security vulnerabilities comes at a chaotic time for the automotive industry. In late July, cybersecurity researchers took control of a Jeep’s computer system and remotely stopped it in its tracks. The same day, two senators introduced a bill to tighten safety standards, and Chrysler recalled 1.4 million cars to fix the flaw. Intel set up a research group to study car cybersecurity in September, several months after Toyota, General Motors, and Ford customers filed a class-action lawsuit over security issues in their vehicles.
The House committee’s draft calls for the NHTSA to establish an Automotive Cybersecurity Advisory Council that would propose “best practices” for car companies to follow. The Council would include representatives from the Defense Department, the NHTSA, and the National Institute of Standards and Technology, which develops and recommends technology standards like commercial encryption protocols.
“There is an urgency for improvement with both automakers and NHTSA as the next generation of vehicles and innovation are set to emerge,” Reps. Fred Upton (R-Mich.) and Michael Burgess (R-Texas), chairmen of the committee and the subcommittee, respectively, said in a statement. “It is an ever-changing landscape, and we look forward to working with our colleagues and stakeholders as this important process continues.”