Such smart vehicles, especially cars, are a growing concern among privacy activists, who say the IT systems in them can help track the vehicle as well as use data from phones paired to these vehicles.
“The issue the world over is that cars are using either an Apple or Google protocol to connect to the car systems. This means that the GPS location, your driving preferences, etc, all go to these companies. In that sense, your car is just another device, like your phone, that is helping making Google and Apple data rich,” said a senior technology
industry executive who has worked with large conglomerates.
It was to get around this monopoly of sorts that three automobile giants — BMW, Mercedes, and Audi — got together in 2015 to buy Nokia’s HERE Maps for $3 billion but most Indian automobile companies rely on Google and Apple.
At present, there is a machine-to-machine (M2M) policy laid out by the department of telecommunication, which sets broad guidelines of data custody. While the M2M service provider, which is the automobile company in this case, should have custody of data. The company, in turn, is required to have a web interface for making the information available to the licensee of technology.
The implications of privacy, however, are not discussed much in India and it is possible that some car companies collect and store some information through their sensors and GPS chips often installed in most vehicles these days. “There is no clear protocol on how to deal with this data,” added the executive quoted above.
Ford India, however, in a reply to a questionnaire said the company was one of the founding members of the Auto ISAC (Automotive Information Sharing and Analysis Center), a global OEM cybersecurity alliance. With vehicles becoming increasingly connected and autonomous, Auto ISAC launched the Proactive Safety Principles in January 2016. The fourth principle in it talks of “Enhance Automotive Cybersecurity” by exploring and employing ways to collectively address cyber threats that could present unreasonable safety or security risks. This includes the development of Best Practices to secure the motor vehicle ecosystem.
It is very difficult to do anything about data privacy because as a user, the car owner gives consent for data collection and use. According to Mishi Choudhary, technology
lawyer and managing partner at Mishi Choudhary & Associates, cars implicate privacy issues similar to many internet-of-things devices. “The geospatial data, traffic patterns, pedestrians crossing the streets, and other such pieces can be monetised, then it raises different issues as all this is locked in a black box as its proprietary. Having said that there should be mandatory uniform privacy and safety standards but currently emphasis has been more on the physical safety of the cars than on privacy and cybersecurity.”
“A lot of car store information in the public cloud, containerised for private use. There are some RFC standards for interfaces that specify how data will be collected, not what you can and cannot collect. You also can't localise data at all. Once it goes on to the Internet, it isn’t local anymore. A copy of the data might exist in the country though,” said a cybersecurity consultant who did not wish to be named.
A Hyundai executive, however, claimed that the company stores all data in servers based in India though a questionnaire sent to the company did not elicit any response.
At the same time, vehicle ownership is not linked in the cloud. “The data is anonymised in that sense, which is a bit of a silver lining,” said the consultant.
There are more complex issues, however, around data ownership. For example, if music is played in the car on Spotify, and the user has accepted their terms and conditions, Spotify will get access to the equipment number of the car. Apple or Android, or any other operating system that there on the phone will also store car's identification number. “So it becomes not just about ownership but who owns your usage behaviour. To top it all, you have opted in to these services so they are not collecting this data illegally or without consent,” said the consultant.
Maruti, India’s largest car manufacturer, provides Suzuki Connect to its premium NEXA customers. Based on the advanced Telematics Control Unit (TCU), it has features like live vehicle tracking, driving behaviour analysis, emergency alerts, and preventive functions. “Customer data captured through Suzuki Connect is totally secured and all details related to customer movement are shared only with customer. All user and vehicle data involves deep encryption and can be accessed only through a secure authorisation method,” said a Maruti Suzuki spokesperson on email. “The solution incorporates a very high level of security implementation, similar to the ones used in banking systems. Our teams are always working to provide new and better solutions to customers,” he added.
The Ford spokesperson too said ensuring data security and privacy were important pillars of their strategy. “At Ford, we are stewards of data our customers provide to us and we are committed to protecting it,” he said.
Physical security is another key challenge that comes out of the connected car systems. Earlier this year, when British insurers found there was about a 29 per cent rise in vehicle theft claims, the police there blamed keyless car entry systems for some of these thefts. According to a BBC report, the local police believed thieves, normally working in pairs, will target a car parked outside a house. One criminal would hold a device close to the car that boosts the signal meant for the key. His accomplice will stand close to the house with another device that relays that signal to the key, fooling the system.
These smart cars can, however, be jammed or restricted within an area if the car dealer is informed in time, provided that the key code has not been broken. With cloud-based charging systems being planned for electric vehicles, the privacy threat will get even more real for automobiles. As the cybersecurity consultant puts it: “It is important to have overall regulation so that you don't feel vulnerable. Like the European General Data Protection Law, which gives the user the right to remove, exit, delete their data so the user doesn't feel unsafe.”