What are Connected and Autonomous Vehicles (CAVs)?
Connected and autonomous vehicles (CAVs) constitute a radical change to our everyday travel. CAVs combine a series of technologies – GPS navigation, advanced vehicle sensors, telematics, wireless communication, and automated computing – to remove the possibility of human error while driving and to improve road safety. CAVs operate within a broader network of highway and road communication technologies, a process referred to as vehicle-to-infrastructure communication (V2I). Highway communication and monitoring technology encompasses a plethora of devices: automated license plate readers (ALPRs), Bluetooth detection systems, Flock Safety cameras, electronic tolling, and other technologies.
Whether they are safe overall, or safer relative to the average human driver, is beyond Restore the Fourth’s remit. But we know privacy, and this brief assesses the privacy and Fourth Amendment implications of broader adoption of CAVs.
In a recent Hearing on Equity in Transportation Safety Enforcement of the U.S. House Highways and Transit Subcommittee, representatives stated that far too often individuals are stopped for reasons other than traffic safety violations, and that ensuring safety on our roadways means not only protecting people from dangerous drivers but protecting people from enforcement abuses.
CAVs and roadway monitoring systems have proliferated as a result of their promise to improve a variety of problems on the road, including traffic, speeding, accidents, pollution and toll collection. But these purported benefits obscure the value of such systems to police, in creating a real-time flood of data on vehicles’ movements. By doing so, these systems pose a grave risk to the Fourth Amendment, which should require police to get a warrant to obtain the pattern of people’s movements through public space. It’s no wonder that these systems are unpopular: A study conducted by the American Automobile Association (AAA) found that 72% of Americans expressed fear or hesitancy toward CAV use.
CAVs collect massive troves of data to function: driver biometric and health data from a steering wheel heart rate monitor or from health devices synced through Bluetooth (such as fitness monitors); the driver’s visual attention to the road as recorded by a dashboard sensor; data services accessed (phone use, contacts, emails, website browsing and application use histories, radio station consumption); and vehicle location, speed, and occupancy. Current law also requires that, by 2024, all new vehicles include technology that tracks drivers’ sobriety and attentiveness.
DHS has poured millions into the Heedful Audio Alert System (HAAS), a cellular V2V app that alerts drivers to the presence of law enforcement and first responders. Sometimes called R2V, or a Responder to Vehicle Program, HAAS allows direct communication between law enforcement and vehicles.
CAVs and roadway surveillance technology constitute a mass surveillance network that has the dystopian potential to track our daily lives, data point by data point. One car trip may not paint a detailed picture of one’s life, but the repeated tracking of a vehicle creates a mosaic of information that law enforcement can weaponize. If the data is already pro-actively collected, then it presents too much of a temptation to law enforcement to dip into it not only when someone is suspected of a violent crime, but also to track protesters, people seeking abortion care, and people fleeing government persecution. In short, they threaten our Fourth Amendment and First Amendment rights, in ways that venture capitalists may not really care much about.
The remainder of this brief presents privacy concerns specific to CAVs and their manufacturers, outlines the current legal standing of vehicle surveillance technology, and concludes with a series of policy and action recommendations created by our activists here at Restore the Fourth.
CAV Privacy Concerns
Vehicles are no longer just mechanical devices. CAVs possess hundreds to thousands of Electronic Control Units (ECUs) that run code constantly to operate their communications and sensor technologies. Vehicles are exposed to all of the problems and dangers associated with stored data and communications technology, including being hacked. A study conducted in 2010 tested whether remote attacks on CAVs were possible. The researchers found that remote exploitation of CAVs is not only possible, but highly likely given the broad range of attack surfaces available to a potential hacker. These surfaces include but are not limited to Bluetooth, keyless remote entry, telematics connected to the internet, and VANET, as well as the abundance of vehicle sensors (cameras, lidar, radar, GPS, tire pressure monitoring sensors (TPMS), inertial measurement units (IMUs), and engine control sensors). Hackers – or governments – could use these to seize your car’s data or, worse, your car’s controls.
Policy that ensures CAV data protection is almost nonexistent. As the Texas A&M Institute explains, in the United States, “There is no single comprehensive legislative framework for data privacy protection. There is also no single regulatory authority. Most states have enacted some form of privacy legislation. However, there is no regulatory framework that specifically addresses connected car data.” The only regulatory efforts in CAV data protection currently are a set of industry guidelines and standards that are not legally binding. The loose and noncommittal nature of these guidelines means that automotive companies do not completely follow standards that protect user privacy.
According to a GAO report that found widespread privacy policy noncompliance, all ten of the largest companies that offer or use in-car location-based services had privacy policies that were lacking, unclear, or illegible. Most disclosure agreements were too broad and unclear. Consent for data collection was obtained, but consumers could not opt out of data retention. All ten use different de-identification methods, with varying effectiveness. Nine share the vehicle data they collect with various third parties, though not with data brokers or marketers. As for the 13 largest companies that produce CAVs or offer CAV services, none of them were shown to substantially demonstrate leading industry practices for privacy protection (transparency, focused data use, data security, data access and accuracy, individual control, and accountability).
Automated License Plate Readers (ALPRs)
ALPRs illustrate the broad scope of data collection on our roads. ALPRs are small cameras that are mounted on road signs, stationary infrastructure, or on the back of police cars. These devices record images of passing vehicles non-stop to identify and track license plate information. Collected images are stored in a database along with GPS information and timestamps. Tens of thousands of ALPRs exist in the U.S. In 2016 and 2017 alone, 2.5 billion license plates were scanned by 173 law enforcement agencies as well as private actors.
ALPRs are regularly used in biased and discriminatory ways. NYPD used ALPRs to spy on those attending services at mosques across the country. ALPRs are deployed to monitor political protesters and activists, in blatant disregard for First and Fourth Amendment rights. Some police departments incorporate ALPR technology into Real Time Crime Centers (RTCCs), enabling ICE, CBP, and DHS to use them to pursue undocumented immigrants, sometimes contravening local ‘sanctuary city’ laws. In Los Angeles, ALPRs are part of Operation LASER, which warrantlessly collected data on anyone police encountered to make solving crimes easier in the future. Operation LASER prioritized quantity over accuracy, intensifying policing in already overpoliced communities.
Pictures taken by ALPRs often include more than just a license plate – vehicle occupants, the surrounding area, and other vehicles nearby can be caught. This data is retained indefinitely and widely shared with private companies, other government agencies, and fusion centers. Private companies, like Rekor Systems Inc., develop sprawling networks of ALPR readers. They provide continual, real-time access to the data their network collects and refines at little to no cost – that’s over 150 million plate reads per month. Rekor’s CEO claims, “This network exists to help law enforcement prevent and solve crimes through a shared resource.” However, 99.5% of license plates scanned are not under suspicion of criminal activity, so data on a very large number of innocent motorists’ movements is being gathered for a very small return.
Auto-Hacking and Security Vulnerabilities
There has been one corroborated instance of a purposeful and malicious remote attack on vehicles. In 2010, a former Texas Auto-Center employee remotely disabled 100 vehicles via internet-connected systems linked to a delinquent car payment program. Other reports describe thieves disabling lock systems in parked vehicles, but those attacks required close proximity to the vehicle.
The vulnerability of CAVs to cyberattacks appears to be a theoretical situation with potentially disastrous consequences. Researchers have conducted numerous experiments demonstrating that modern vehicles with computing or internet capabilities are vulnerable to remote attack and surveillance. For example, a research team was able to send commands through a vehicle’s infotainment system to control dashboard functions, steering, brakes, and transmission, all from a remote laptop. They found up to 47,000 vehicles vulnerable to this kind of remote control. Similarly, another researcher was able to gain access to 25 Tesla vehicles across the world.
In 2011, research teams from the University of Washington and University of California at San Diego demonstrated that they could wirelessly disable brakes and locks on a sedan through a myriad of attack surfaces. In one study, it was shown that with possession of a Vehicle Identification Number (VIN) one could pull reams of personal information stored in a vehicle from telematics systems operated by SiriusXM. Over 10,000 different car models were vulnerable to this exploit, leaving highly personal information like email addresses, phone numbers, home addresses, IP addresses, phone activity, and regularly frequented public and private locations at risk.
CAV security vulnerabilities led Senators Edward J. Markey (D-Massachusetts) and Richard Blumenthal (D-Connecticut) to introduce the Security and Privacy in Your Car Act of 2015, or the “SPY Car Act.” The bill purported to establish cybersecurity requirements for automotive manufacturers and to imbue the Federal Trade Commission (FTC) with the power to enforce stricter data privacy and use regulations. Although this bill did not pass, there are other legal frameworks concerned with CAV cybersecurity. The United Nations Economic Commission for Europe (UNECE) established cybersecurity performance and audit requirements as of 2020, which currently apply to 54 countries, including the U.S.
While these legal protections are important, protecting CAV users from the theoretical dangers of remote hackers seems misguided given previous government efforts to obtain private data from vehicles through similar means. Immigration and Customs Enforcement (ICE) and Customs and Border Protection (CBP), both agencies under DHS purview, purchase “vehicle forensics” technology sold by Swedish data extraction firm MSAB and manufactured by Berla, a U.S. company. ICE and CBP have spent close to one million dollars in a single month on vehicle spying tools. For border enforcement agencies like ICE and CBP, the granular location data collected by modern vehicles provides a quicker, more cost-effective, and more direct method to track and apprehend a suspect than a warranted search. These extraction tools circumvent the Fourth Amendment’s protection against unreasonable searches. ICE and CBP also rely on the fact that their data extraction operations happen without the user knowing, like a remote hacker looking to obtain private information. Intelligence agency capability in this area may by now be widespread, if hard to prove; in 2013, former U.S. National Coordinator for Security, Infrastructure Protection, and Counter-terrorism Richard A. Clarke acknowledged that, “There is reason to believe that intelligence agencies for major powers—including the United States—know how to remotely seize control of a car.”
While the threat of remote hackers remains largely hypothetical, the specter of data-hungry government agencies spying on motor vehicle operators is a present and dangerous reality.
Vehicular Surveillance and Fourth Amendment Law
CAVs present new challenges to existing Fourth Amendment protections for motorists and raise complicated legal questions:
- How does the large amount of personal data collected by CAVs affect the ‘automobile exception’ to the Fourth Amendment?
- How applicable are Court rulings governing cellphone privacy protections to cars, when we consider that CAVs often connect to smartphones and store their data?
- Should law enforcement officers need a warrant to search a CAV, or can previous vehicular exceptions to the warrant requirement be applied to this new technology?
- How does the Fourth Amendment protect the privacy interests implicated by CAVs?
The Court has not decided on a case involving a CAV. The legal history of the Fourth Amendment has treated automobiles distinctly from other protected properties like houses. A series of Court rulings, dating back to Carroll v. United States (1925), established that a law enforcement officer only needs a reasonable, individualized suspicion to stop vehicles, and probable cause can be established during the stop to justify a search in lieu of a warrant. This precedent, referred to as the “automobile exception,” has paved the way for warrantless surveillance of vehicles and motorists.
Despite the weaker Fourth Amendment protections afforded to motorists, the sheer amount of personal and private data CAVs collect necessitates a reconsideration of precedent. Indeed, that process has already begun. Three recent Supreme Court rulings demonstrate that CAVs should be afforded stronger Fourth Amendment protections: Riley v. California, United States v. Jones, and Carpenter v. United States. Riley v. California established that cell phones are not subject to the search-incident-to-arrest exception or the closed-container designation; an officer needs a warrant to search a cell phone’s contents, even if it is seized in a vehicle pursuant to arrest. Since CAVs both store cellphone data and collect similar data, Riley v. California should govern the Court’s decision in any future case involving CAVs.
United States v. Jones (2012) dealt with the question of whether a tracking device physically attached to a vehicle by a law enforcement officer to monitor its movements on public streets constitutes a Fourth Amendment violation. The Court held that Jones’s Fourth Amendment rights were violated. The Court based its ruling on the fact that the officer violated the physical integrity of the vehicle and did not base its decision on the privacy interests involved in GPS data. Nonetheless, the Court recognized that the “substantial quantum of intimate information” that vehicular GPS data provides alters “the relationship between citizen and government.” Jones implicitly recognizes that GPS data will need to be protected from discretionary automobile policing, whether that tracking is physical or remote.
The Court has consistently held that there is no legitimate claim to privacy in information shared with third parties, a principle referred to as the “third-party doctrine” of the Fourth Amendment. However, the ubiquity of smartphones has brought this legal principle into question. In Carpenter v. United States (2018), the Court denied the state warrantless access to a wireless carrier’s cell-site location information (CSLI). The majority reasoned that information from unavoidable and expansive CSLI data collection deserves Fourth Amendment protection despite being shared with a third party. The same reasoning would apply to CAV data collection, which shares the same depth of collection as cellphones. Just as smartphone technology did, the widespread use of CAV technology is firm grounds to argue for the obsolescence of the third-party doctrine.
What Does Restore the Fourth Recommend?
To protect motorists’ Fourth Amendment rights, Restore the Fourth recommends the following actions:
- Automakers must give consumers the option to disable all data collection and sharing without denying them access to core automotive features like cruise control.
- Automakers must make every effort to collect only the data necessary for consumer and vehicle safety, repair, and popular consumer services. Regulators should establish what constitutes “necessary data.”
- Automakers must provide to all consumers a complete description of their privacy policy, written clearly in plain English and other languages as appropriate, in the U.S. market.
- Owners of a vehicle must be informed that it is their responsibility to ensure that additional drivers are aware of the privacy policy.
- Consumers should be given the opportunity to opt out of sharing some types of data without losing access to all services. While some minimum data sharing is necessary for receiving “core” connected services—such as roadside assistance and crash response—consumers should be able to opt out of sharing other data and forgo other services such as Wi-Fi and hands-free calling.
- Automakers must make every effort to protect consumer data by limiting data access to certain company staff, using firewalls and encryption, and using penetration testing and code reviews.
- Automakers must conduct privacy risk assessments, which would involve determining the sensitivity of the collected data and the potential risks if the data were improperly lost, accessed, or disclosed. These risk assessments should also evaluate third parties’ use of data collected from connected vehicles.
- Automakers should not be able to share connected vehicle data unless they have the consumer’s explicit consent or have been issued a warrant for specific data.
- Consumers must have the opportunity to review their data for accuracy.
- Consumer consent should be required for dealerships, independent mechanics, or automobile insurance companies to access vehicle data, and there should be limits on how long data can be retained.
- Only de-identified data should be accessible for use in research, traffic control, or marketing.
- Data shared for the purpose of roadside assistance should be clearly defined by regulators, as should a limit on how long such data may be kept by the service provider.
- Privacy practices must be communicated to all employees as well as to any third parties (e.g., telecommunications companies, telematics service providers, and content providers), and the latter must agree to the privacy practices in their contractual agreements.
- Automakers must keep clear records of when, to whom, for how long, and for exactly what purpose private data is shared.
- Regulators must conduct regular audits of company privacy practices.
- Automakers must be held legally responsible for data protection.
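As an added example, not part of the Restore the Fourth brief and not any vendor’s or agency’s code, the Python module below shows what three of the recommendations above (retention limits, de-identified data for research, and records of who accessed what and why) look like when applied to the kind of plate-read data the ALPR section describes. The class and field names, the 30-day window, the hotlist entry, the plates, coordinates and timestamps are all constructed for illustration. It also goes one step beyond the list: it shows why a plain hash of a plate is not de-identification (the space of plate numbers is small enough to hash every candidate and match), and uses a keyed HMAC whose secret the data recipient never receives.

```python
"""Retention, de-identification and access logging for plate reads.

Added illustration with constructed data; not the brief's own material.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class PlateRead:
    plate: str          # plate text as recognised by the camera (constructed)
    seen_at: datetime   # time of the read
    lat: float
    lon: float


class ReadStore:
    """Holds plate reads under a fixed retention window.

    Reads that never matched a hotlist are purged once the window passes;
    hits are kept for case handling. Every lookup by plate is logged.
    """

    def __init__(self, retention: timedelta, pepper: Optional[bytes] = None) -> None:
        self.retention = retention
        # Secret for the keyed hash in plate_token(). Rotating or destroying it
        # retires every token issued under it; analysts never receive it.
        self._pepper = pepper if pepper is not None else secrets.token_bytes(32)
        self._reads: List[Tuple[PlateRead, bool]] = []   # (read, was_hotlist_hit)
        self.access_log: List[Dict] = []

    def ingest(self, read: PlateRead, hotlist: Set[str]) -> bool:
        hit = read.plate in hotlist
        self._reads.append((read, hit))
        return hit

    def purge(self, now: datetime) -> int:
        """Drop non-hit reads older than the retention window; return how many."""
        cutoff = now - self.retention
        before = len(self._reads)
        self._reads = [(r, hit) for r, hit in self._reads if hit or r.seen_at >= cutoff]
        return before - len(self._reads)

    def count(self) -> int:
        return len(self._reads)

    def query(self, plate: str, requester: str, purpose: str, now: datetime) -> List[PlateRead]:
        """Raw-plate lookup; every call leaves an audit record."""
        self.access_log.append({"when": now, "who": requester, "plate": plate, "purpose": purpose})
        return [r for r, _ in self._reads if r.plate == plate]

    def plate_token(self, plate: str) -> str:
        # Keyed HMAC, not a bare SHA-256: without the secret, a recipient of the
        # export cannot enumerate candidate plates and match them to tokens.
        return hmac.new(self._pepper, plate.encode(), hashlib.sha256).hexdigest()[:16]

    def deidentified_export(self) -> List[Dict]:
        """Tokenised plate, hour bucket and coarse (~1 km) grid cell per read."""
        return [{
            "token": self.plate_token(r.plate),
            "hour": r.seen_at.replace(minute=0, second=0, microsecond=0).isoformat(),
            "cell": (round(r.lat, 2), round(r.lon, 2)),
        } for r, _ in self._reads]


def demo() -> Dict:
    """Run the policy over three constructed reads and summarise the outcome."""
    t0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)
    store = ReadStore(retention=timedelta(days=30), pepper=b"constructed-demo-key")
    hotlist = {"XYZ 1234"}   # constructed hotlist entry
    reads = [
        PlateRead("ABC 1111", t0, 40.7128, -74.0060),                      # non-hit, old
        PlateRead("XYZ 1234", t0 + timedelta(hours=1), 40.7130, -74.0000), # hotlist hit
        PlateRead("DEF 2222", t0 + timedelta(days=20), 40.7200, -74.0100), # non-hit, recent
    ]
    hits = sum(store.ingest(r, hotlist) for r in reads)
    purged = store.purge(t0 + timedelta(days=35))   # ABC 1111 is past the window
    store.query("XYZ 1234", requester="analyst-1", purpose="case-0001", now=t0 + timedelta(days=35))
    export = store.deidentified_export()
    return {
        "hits": hits,
        "purged": purged,
        "remaining": store.count(),
        "logged_queries": len(store.access_log),
        "raw_plate_in_export": any(r.plate in str(export) for r in reads),
        "tokens_stable": store.plate_token("ABC 1111") == store.plate_token("ABC 1111"),
    }


if __name__ == "__main__":
    print(demo())
```

The 99.5% figure quoted earlier is the point of `purge()`: reads that never matched anything are exactly the ones a retention limit should remove. The de-identified export is still location data at one-hour and roughly one-kilometre granularity, so the recipient, the purpose and the key-rotation schedule still need to be fixed by the regulator, as the recommendations say.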