As AVs Rev Up, the Data Privacy Fight Could Shift to Your Car
There are plenty of unknowns regarding the future of self-driving cars, but one thing is certain: the mobility industry will be fueled by data. And that means automotive companies will have to address many of the same privacy issues that Facebook, Google, and other social media and Internet firms are grappling with now.
By 2030, global revenues from automotive data-related services are expected to reach between $450 billion and $750 billion, according to a McKinsey report from 2016. By 2025, an estimated 700 million Internet-connected cars will collectively upload 10 million terabytes of automotive data per month. Four terabytes will processed each day, the McKinsey report predicts.
Given the volume of information involved, some mobility experts have taken to calling data “the new oil.” That takes into account the potential monetary value of all that consumer data generated by AVs and their riders, which will no doubt be profitable. But there are also unanswered questions about privacy and the pitfalls of sloppy vehicle data hygiene.
How will data privacy work in autonomous vehicles that belong to fleets or shared car networks, which will have a series of owners and riders over the life of the machine? Will our digital footprint travel with us from car to car, similar to the way it does today with our smartphones? How vulnerable will driverless cars be to outside hackers and identity thieves? How will companies process and store the data going back and forth between cloud-based servers and connected cars? And how will the tech industry contend with computers on wheels that also require strict safety (and perhaps privacy) regulations?
Companies such as Otonomo are already helping industry players navigate some of these issues. Lisa Joy Rosner, the Israel-based firm’s chief marketing officer, says her company’s automotive data services platform is a neutral entity that works with car and tech companies to “ingest, secure, cleanse, normalize, aggregate, and enrich automotive data from multiple sources.” She describes the platform as a sort of Rosetta Stone that can translate and “reshape” raw vehicle data, which differs depending on the make and model.
“As the Internet of Things proliferates, we expect everything to talk to each other in order to service us,” Rosner says. “We’ve had some early successes in the EU because our products are built for [regulatory] compliance from the ground up, but we have active engagements with pretty much all of the automotive manufacturers.”
The US lags far behind the EU in terms of data privacy laws, but that could change. Last year, former California Governor Jerry Brown signed the California Consumer Privacy Act, which gives residents more control over their personal data. With a $7,500 fine per violation and no cap on fines, Rosner expects it will lead to national changes on the privacy front. (The public comment period for the CCPA just ended last month, so its implementation is coming soon.)
In Rosner’s opinion, consumer desire for effective AV services means they will have to agree to share personal, private data—but that also means the companies providing mobility services will have to be able to prove their trustworthiness. When Otonomo surveyed connected car owners about the in-vehicle services they currently get, such as navigation instructions, almost everybody surveyed said they wanted them, and 80 percent said they were willing to share their personal data to access them.
“Overwhelmingly, people with connected cars want services,” Rosner notes. “When we ask them who they trust, 77 percent said they trust [the company that makes their car],” with banks being one of the only entities that scores higher than automakers. Given the high level of trust already, does that mean automotive companies have a unique opportunity to monetize vehicle and rider data?
“At Otonomo, we don’t look at it like monetization,” Rosner says. “We look at data like, how can we make it useful?” The idea that good data stewardship will lead to increased customer loyalty, the adoption of new services, and better returns on technology investments is perhaps the more important monetization angle to consider, she maintains—an idea she feels automakers are beginning to warm up to.
“AVs will be our living room, home office, and playground on wheels,” she adds, and that will require allowing mobility companies to access personal data. “The car will be like a smartphone, but right now, we’re only in flip phone territory.”
Gail Gottehrer, an attorney based in New York whose practice focuses on emerging technologies, says the law is always reactive, but new technology is proactive. “We’re getting to the point where [driverless] tech is almost ready to go, but a lack of clear laws or regulations is holding it back,” she says. “I advise companies what to do during the gap.”
Gottehrer says despite the lack of federal AV regulations—there are currently a patchwork of state laws governing the testing and operation of driverless cars—privacy is top of mind for companies developing self-driving vehicles. That’s been especially true since the EU last year enacted General Data Protection Regulation (GDPR), the legal framework that stipulates how its citizens’ personal information is collected and processed.
“I teach a class at Columbia, and my grad students are shocked by the amount the car knows about you, and that’s before you plug in the phone or a dongle collecting information,” she says.
In the future, AVs will likely know your gender, the kinds of content you consume, whether or not you have a companion, bank account information, age, and dozens of other data points. Gottehrer can envision an Orwellian scenario in which your car knows if you’re driving through certain neighborhoods at certain times of the night, which may lead to extrapolations about the rider’s interest in drugs or prostitution that could then be reported to an employer, law enforcement, or an insurance company. Someone could even program a car to notify the police if certain words are spoken, she says.
“What inferences can be drawn and sold?” Gottehrer asks.
Data monitoring and weaponization already occurs in fleet operations, she says, and she mentions a possible scenario in which a fleet driver visits a cancer clinic on their lunch hour and then gets fired because the presumption is that the driver is sick. Another example: data shows the fleet vehicle parked outside of a bar for a few hours, so the driver is suspected of abusing alcohol and loses their job. What keeps Gottehrer up at night is the idea of this vehicle-derived information making its way into court and being used against people to paint specific pictures of their lives.
But the data could also be used to help people in court. “There have been murder cases where people are acquitted by the information from their car,” she says.
Gottehrer thinks we’ll see more lawsuits around vehicle data breaches in the future, or cyber insurance that spells out who has the responsibility to protect vehicle data—or the liability if something goes wrong. “Companies want to own and monetize data, but then they have a duty to protect it,” she adds.
The threat of nefarious hackers breaking into an AV’s computer and causing it to, for example, drive off a cliff is definitely something that automakers take seriously, she says. But she sees data privacy as the more imminent concern.
As cars grow more sophisticated and tech-enabled, safety and quality-of-life enhancements will undoubtedly benefit the public. People with limited personal mobility will have much greater freedom and independence; shared vehicle networks should cut pollution and congestion; and a vehicle’s biometric sensors might be able to stop drunk people from driving, or tired drivers from falling asleep.
“There are tremendous benefits to autonomous vehicles, but where is the data going?” Gottehrer wonders. “Who is it getting resold to? We can’t lose sight of the fact that it’s all data about people’s lives.”
Just like the social media business model, if an in-car service is free, “you’re the product,” Gottehrer points out. Consumers may be willing to pay a premium to protect their data privacy, but first they must grasp the scope of the issue.
“We have to understand that there are trade-offs, and we should educate people along the way instead of later,” she says.