New guidelines: cybersecurity, privacy and your self-driving car

The US Department of Transportation (USDOT) has just issued its eagerly-awaited “guidance” for self-driving and “highly automated” vehicles – and you sense its as pumped about these technologies as any Tesloid, Uberite, or Googler.

The government’s stated goal is: to “accelerate the revolution,” ensuring that “these technologies are safely introduced… provide safety benefits today, and achieve their full safety potential in the future.”

If they succeed, millions of people will be placing their lives in the “hands” of some stunningly data- and software-intensive devices: their own, the vehicles they use for on-demand transportation, and the cars and trucks they’ll share the roads with. So it’s worth considering what the Policy has to say about information security and privacy.

To begin, the government wants automated vehicles to collect a lot of data:

Manufacturers and other entities should have a documented process for testing, validation, and collection of event, incident, and crash data, for… recording the occurrence of malfunctions, degradations, or failures in a way that can be used to establish the cause of any such issues.

[To] …develop new safety metrics, [they] should collect, store and analyze data regarding positive outcomes… in which the HAV system correctly detects a safety-relevant situation, and successfully avoids an incident.

All of this data should be kept “strictly in accordance with the manufacturer’s consumer privacy and security agreements and notices.” What’s more, the government would like those to be fairly robust, at least for the US.

For example:

• Consumers should get “accessible, clear, meaningful data privacy and security notices,” with choices about “collection, use, sharing, retention, and deconstruction of data, including geolocation, biometric, and driver behavior data that could be reasonably linkable to them personally”
• Data in production vehicles should be used “only in ways… consistent with the purposes for which [it] originally was collected”
• Manufacturers should collect and keep “only for as long as necessary the minimum amount of personal data required to achieve legitimate business purposes,” de-identified “where practical”
• Manufacturers should be ready to share event reconstruction data to promote safety throughout the industry, but that data should be stripped of personal identification

Next, there’s vehicle cybersecurity – already a plenty-big issue with human-driven cars (as we’ve been telling you here and here and here and here).

Here, USDOT serves up a lot of best-practice language:

Manufacturers and other entities should follow a robust product development process based on a systems-engineering approach to minimize risks to safety, including those due to cybersecurity threats and vulnerabilities…

The identification, protection, detection, response, and recovery functions should be used to enable risk management decisions, address risks and threats, and enable quick response to and learning from cybersecurity events…

All good, if done well! To that end, USDOT exhorts automakers to “consider and incorporate guidance, best practices, and design principles” from multiple leading sources, throughout industry and government.

Meanwhile, everything security-related:

…should be fully documented and all actions, changes, design choices, analyses, associated testing and data should be traceable within a robust document version control environment.

When vulnerabilities are discovered, the industry should share knowledge:

Each industry member should not have to experience the same cyber vulnerabilities in order to learn from them.

For the moment, pretty much all of this is voluntary. Doing it that way was a lot faster than creating formal requirements. Those might come later, as the industry matures and it’s clearer what’s needed.

Presumably some other federal agency will get to worry about the four million Americans who currently drive for a living.