Tell the truth. Who was driving your car when it ran that red light and got flagged by that automated camera? Was it you – or was it your teenage son, who’s not on that car’s insurance policy yet?
Or: you promised to be the only driver on your rental car, but you let your boyfriend drive. Bad!
Since the dawn of driving, it’s often been impossible to prove exactly who was driving when. But modern cars are rolling computer networks, constantly capturing data about how they’re being driven. And that data just might be enough to betray its driver.
According to new research published in Proceedings on Privacy Enhancing Technologies, “at least among small sets, drivers are indeed distinguishable using only in-car sensors…”
Miro Enev, Alex Takakuwa, Karl Koscher, and Tadayoshi Kohno captured data on 15 drivers, plugging into the Controller Area Network (CAN) of a typical 2009 sedan. The researchers tracked those drivers, first, in an isolated parking lot and then along a pre-set 50 mile route throughout the Seattle area.
The results: 100% accuracy when the authors used all available sensors and 90% of available data.
The tested cars report a true cornucopia of data: 16 separate measurements, ranging from vehicle and engine speed to steering wheel angle and fuel consumption rate. However, researchers also achieved strong results using only the brake pedal sensor.
What’s more, they found that a “test driver’s unique fingerprint was consistent across multiple days and roads,” so once a driver is measured, his or her ID data might be usable for quite some time to come.
As the authors point out, thousands of car owners are already voluntarily shipping their CAN data to insurance companies via plug-in dongles, in exchange for rate reductions.
Some are also using emerging applications like Automatic and Zubie that capture and monetize this data in exchange for transforming your car into a “smart car” – capable of remembering your parking space, coaching new drivers, deciphering diagnostic codes, and even gamifying your vehicle (can you beat yesterday’s fuel efficiency)? Moreover, as Wired notes, as more cars become wirelessly web-connected:
…driving data may also be uploaded directly by cars themselves, as Tesla already does.
The study authors aren’t arguing that your insurer, carmaker or app provider is abusing you. But, “present/future systems could upload raw data to servers where it could be compromised or abused.”
Imagine, for example, they capture the data, “for debugging or other purposes but, because of a data breach or subpoena, later exposes that data to a different party who does wish to use the data to compromise the driver’s privacy.”
While these results are limited to 15 individuals, the researchers think they’ll scale. One thing they can’t say yet: will an individual’s signature remain unique if they switch cars?
It’s early days for car data: plenty of questions remain. For instance, who owns your data? According to the researchers:
13 states have adopted the stance that a vehicle’s sensor data is private and the property of the car owner… however within these 13 states there are marked differences on what constitutes acceptable data retrieval without owner consent.
As for the rest of the planet, rules vary widely – where they exist at all.
Beyond “who owns it,” who can get at it? In Wired, head researcher Miro Enev argues that car operating systems are radically insecure:
Instead of making all of a car’s data and sensitive systems available to any device connected to their CAN bus, vehicles should have permission systems, just as… iOS or Android do. A gadget meant to track your fuel efficiency… shouldn’t be able to track every exact push of your brake pedal or turn of the wheel.
Right now, they, umm, CAN. And that may have some very disconcerting implications… a little way down the road.
Dave
And here we have a major reason why I’m going back in time, replacing “modern” vehicles with ones from the pre-Big Brother era, vehicles about which the Insurance Company snoops cannot tell diddly. Another big reason is that I can fix the older ones under a shade tree instead of having to take them to a Dealer who has the million-dollar piece of computer whiz-bangery needed to even find out what’s gone wonky . . . at great expense to me. I feel sorry for the newer generations who have no clue what a spark plug is, much less how to replace one. Now, outside to install a new serpentine belt on the old car, then (maybe) new shock absorbers. Or maybe I’ll just hop on an “antique” motorcycle that can still do >140 all day and go for a ride. Hmmm . . . which one to choose?
Paul Ducklin
I want to ride my bicycle
I want to ride my bike
I want to ride my bicycle
I want to ride it where I like
No number plates. No fuel bills. No licence. No registration. No traffic jams. No biometrics :-)
Anonymous
Unless you’ve got your smart phone with you
Dave
It would be tough to trailer 3 motos to Mexico for a 4-day cross-country rally with a bicycle or, more routinely, to make a grocery run since the nearest supermarket is 23mi distant! Also, there are some cities here in the US that require registration, and license plates, for bicycles.
TonyG
Cars are already doing this, but not for biometric purposes. My car has an alert facility that warns you if you are getting tired. It basically does this by monitoring your driving style – how smoothly you handle the steering – when you are getting tired, movements are less smooth.
David Pottage
This is hardly a new idea. Ross Anderson mentioned it at the end of the Biometrics chapter of his 2001 Security engineering textbook. Though his use case was as an anti theft alarm. The car would detect an unfamiliar driver, notify a control centre, which would phone you back to ask if the driver was authorised, and if not, remotely disable the car.