Two automaker groups, with representation from major manufacturers, like Ford Motor Company, BMW, Mercedes-Benz and Toyota, have penned a benchmark privacy document for protecting data collected through in-car technologies.
The Alliance of Automobile Manufacturers and the Association of Global Automakers published the “Consumer Privacy Protection Principles,” (PDF) Wednesday and presented the framework to the Federal Trade Commission (FTC).
In a letter to FTC Chairwoman Edith Ramirez, the groups' CEOs Mitch Bainwol and John Bozzella said that the principles coincide with the associations' existing commitments to the National Highway Traffic Safety Administration (NHTSA). In July, the groups agreed to establish an information sharing and analysis center (ISAC) for the auto industry, where information on “cyber-related threats and vulnerabilities in motor vehicle electronics or associated in-vehicle networks” could be communicated, the letter said.
The new framework, which offers “baseline privacy commitments” for automakers, entails seven principles: transparency among automakers regarding collected or shared information, presenting consumers choice as it pertains to data collected about them, and having “respect for context” – or considering the impact collected information could have on drivers.
Data minimization, collecting and retaining information only as necessary for “legitimate business purpose,” was also one of the seven principles, along with commitments to protect data, and make sure information, such as subscription and registration data, are maintained accurately and can be reviewed and corrected by drivers. Finally, the last principal is accountability – making sure automakers take “reasonable steps to ensure that they and other entities that receive covered information adhere to the principals.”
“Covered information” is defined as “identifiable information that vehicles collect, generate, record or store in an electronic form” on behalf of participating manufacturers through vehicle technologies and services, the document said. Personal subscription information, provided while individuals subscribe or register for the technology or services, would also fall under compliance protections.
The voluntary guidelines are meant to protect vehicles manufactured on and after January 2, 2016.
The document notes that, when compliance requires an engineering change to a vehicle, participating automakers would be expected to rectify the concerns no later than vehicle model year 2018.
Last August, a grassroots security movement called “I am The Cavalry,” introduced a cyber safety program to encourage collaboration between researchers and automakers as vehicles become increasingly connected.
The initiative called, the “Five Star Automotive Cyber Safety Program,” outlined critical capabilities automakers should demonstrate, including incorporating security in the vehicle design, development and testing phase, and publishing a coordinated disclosure policy for those wishing to report security vulnerabilities in cars.
Last month, the Electronic Privacy Information Center submitted its thoughts to NHTSA on vehicle-to-vehicle (V2V) communications, technology that transmits data between vehicles to help warn drivers of potential crashes. EPIC suggested that, before V2V capability was required in light vehicles (like passenger cars and light truck vehicles) that NHTSA should agree not to collect PII without the consent of vehicle owners and require end-to-end encryption of V2V communications, among other security measures.