Senators reintroduce a bill to improve cybersecurity in cars

Senators Ed Markey of Massachusetts and Richard Blumenthal of Connecticut have reintroduced the Security and Privacy in Your Car (SPY Car) Act of 2017. They first introduced the bill, along with a similar bill for aircraft, during the last session.

The SPY Car Act places the onus for automotive cybersecurity and privacy standards on the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC). The law would require critical software systems, meaning those required for operation of the vehicle, to be isolated from noncritical systems. Those isolated systems should then be tested for security.

It also addresses securing personal information, including all data “collected by the electronic systems that are built into motor vehicles,” against unauthorized access. The SPY Car Act calls for all cars to be equipped with the ability to detect a hacking attempt, report it and stop it from taking over the vehicle or collecting driving data. If a manufacturer doesn’t include this capability, under the law it would be fined $5,000 per car that didn’t have security technology built in.

So far, the SPY Car Act seems like something we’d expect to see. But then Sens. Markey and Blumenthal take another step in requiring a “cyber dashboard.” This would tell the driver how far above and beyond the basic requirements a car company has gone to secure the onboard electronic systems via an “easy-to-understand, standardized graphic.” So some kind of scorecard would be placed where anyone could see it.

But wait, there’s more! The SPY Car Act also requires that every vehicle give “clear and conspicuous notice” to the driver about what driving data is being collected, whether it’s being transmitted or saved, and how it’s being used. The law would also require that manufacturers give you the right to opt out of data collection without losing your ability to use navigation tools. And that data can only be used for marketing to you if you choose to opt in.

The SPY Car Act does exempt black-box-type data collection. That basic data is still useful in the event of a crash, or to check the emissions history of a vehicle.

Vehicle tracking specialists Satrak Plant Security polled 2,000 people in the U.K. recently and found that 40 percent of respondents said hacking was a “fairly serious” concern, which echoes other polls of consumers’ attitudes toward automotive cybersecurity. Now that NHTSA has created guidelines for autonomous vehicles, maybe it can build on its best practices guidelines if the SPY Car Act is passed.