Get the Facts
A proposed question that would appear on the November 2020 ballot creates serious cybersecurity threats and will help strangers, hackers and criminals gain remote access to vehicle telematic systems, exposing sensitive, personal data in real-time.
The Coalition for Safe and Secure Data was formed to stop the misinformation campaign being waged by lobbyists and their national political funders who are determined to undermine existing laws and protections.
Telematics is the technology that allows us to send information to and from a car. It involves a wide range of data from how fast a car is going, to its location, to how the vehicle’s system is performing. Turn-by-turn directions are made possible by telematics.
Yes, some cars use this data already. Over the next few years, many new vehicles will include these systems.
Right now, access to this data is secure and controlled. Automakers collect data from the vehicle to improve product designs, monitor for safety recall concerns, and provide consumers with requested services, like turn-by-turn navigation, or automatic emergency 911 services after a crash. Information relating to the repair of a vehicle is accessible and it has been for many years now.
As with most consumer innovations, consumer convenience and safety are the motivating forces behind telematics. Forty years ago, cars did not have tire pressure sensors, nor did they have a button to call for help in an emergency; these improvements continue to make your maintenance easier and trips safer.
Real-time access means that anyone can remotely view your data instantly as you drive. As opposed to accessing data through the on-board diagnostic port, which requires repair shops to view information while they are plugged into the car at a specific location while your car is safely in “park.”
This effort is being pushed by lobbyists funded by a national political group. The local repair shop in your town does not need access to your personal driving data. They can get vehicle data directly from the vehicle when you bring it in. That same local repair shop is likely not in a position to properly store highly sensitive consumer data.
Historically, automakers, consumer privacy groups, and cybersecurity groups are opposed to exposing consumer data in this way, because of the risks to both cybersecurity and privacy.
When this same issue emerged in California in 2014, it was strongly opposed by domestic violence advocacy groups out of concerns related to stalking and abuse. For example, if a woman was fleeing an abusive partner, and her partner owned the car, he would be able to track her location and potentially even disable the vehicle.
Civil rights groups also opposed the California proposal, due to concerns about racism and redlining.
No, mechanics do not need telematic data to repair your car. All information pertaining to diagnosis and repairs is available today, and will be tomorrow, through existing vehicle technology.
When you pull in to your mechanic’s garage, they can plug into your car’s port and will be provided with diagnosis and repair information.
No, your choice for who you trust to do your repairs is guaranteed. Your preferred repair location will always be able to access repair information through existing vehicle systems. Car owners will always be free to visit the auto repair shop of their choice, and the existing law ensures that every repair shop will have the information necessary to diagnose and repair your vehicle.
The more third parties can access data, the more likely it is to be misused.
With real-time, remote access to your vehicle, strangers, hackers and criminals can see where you go and learn personal details. They will know which coffee shop you stop at each morning, the routes you take to avoid rush hour, how often you go to your gym, and how fast you drive to pick up your kids on time. They will know which neighborhoods you drive in, and what time of day.
Nothing in the proposed law limits how much information anyone can view, or what they can do with it. Some of the potential consequences could include higher insurance rates, extremely targeted advertising, or even dangerous stalking situations – all based on what strangers see when you don’t even know you’re being watched.
Privacy groups oppose this ballot question because it creates tremendous uncertainty about who is accessing your data and when.
Yes. If this ballot question passes, strangers, hackers and criminals can easily gain real-time, remote access to your driving data. Anyone and everyone wants your information – this legislation will make it easier for them to get it without you knowing.
If this ballot measure passes, once a consumer grants permission for any company to access their information, that company will be able to store and sell the data to anyone without the consumer knowing.
If your driving data is made remotely available in real-time, it will be extremely valuable for advertisers. Advertisers will be able to see where you are, the direction you’re heading, and could potentially use your data to hassle you by marketing products to you based on where you are or your past driving habits.
Our opposition’s ballot proposal specifically includes language to allow the “ability to send commands to in-vehicle components.”
There are serious cybersecurity threats whenever personal data is being transmitted remotely in real-time. Cyber criminals will have many more and easier opportunities to hack into your personal data. They would also have another, more vulnerable option to try and hack into your car directly.
Complex data requires complex security. The space shuttle has 40 million lines of code. Your car has 120 million lines of code. This is an enormous amount of information that must be properly protected.
Automakers invest millions of dollars per year to safely store driving data from hackers. On an annual basis, these automakers stop countless attempts by criminals to access this information.
Conversely, there are no requirements for data protection or safe storage standards for repair shops included in the ballot question. In fact, many businesses who would gain access to your data under this proposal lack the cybersecurity infrastructure to be able to guarantee the safety of this sensitive information.
Cybersecurity groups oppose this ballot question because the more strangers, hackers and criminals who can access your personal data, the more prone to misuse it becomes.
Automakers spend millions of dollars each year to take the steps needed to protect your information.
In today’s world, keeping data safe and secure is a primary concern for everyone, including automakers. Automakers consider cybersecurity from the earliest design phase through vehicle production and after, constantly developing new and cutting edge protections to keep a consumer’s data safe.
The primary risks for consumers are privacy invasion of their personal driving data and the risk of hacking of the car’s system. Complex data requires complex security.
The cybersecurity concerns of this proposal are exponentially greater when we consider a future in which vehicles are capable of driving themselves. Autonomous vehicles will run on data. There has to be absolute confidence that the data utilized by these advanced vehicles is pure and uncorrupted.
When strangers, hackers and criminals can easily gain real-time, remote access to your driving data, the risks of misuse and hacking are profound.
Most new cars today generate terabytes of data while in normal usage. Most of it is not stored or recorded, but it is used by vehicle systems to operate your car. Even less is captured in some form that would allow it to be transmitted off the vehicle via telematics.
Our cars are becoming more computerized with every passing year. Vehicles today can have up to 120 million lines of code. For comparison, the space shuttle had 40 million lines of code. Vehicles today are cleaner, greener, and safer than cars of just a few years ago, largely as a result of computerization and data. With advancements in over-the-air updates – just like on your cell phone – soon consumers will not need to go into a dealer or repair shop at all for some fixes, saving the owner both time and money.
Real-time, remote access to your driving data poses an imminent threat to your location and travel behavior. It is not just your local, independent repair shop that will have access to this data, it is a broader network of individuals whose intentions can’t be carefully monitored.
Domestic violence advocates realized how dangerous this information could be in the wrong hands and they rallied to defeat similar legislation in California.
An excerpt from California Coalition Against Sexual Assault’s testimony stated that this proposal would:
“Increase the likelihood that third parties who are ill-intended, will have the ability to retrieve valuable information stored on a car’s computer system in order to identify the car operator’s location and driving habits. It will allow these people to access very detailed information, including how, when and where a person drives.
From this information, a third party, such as a sexual predator, could stalk and/or harm victims by exploiting insecure transmissions of vehicle information. With the recent high profile retail security breaches, we have learned that all it takes for private information to be dangerously exposed is one careless or unscrupulous third party.”
Yes, in 2014, California rejected a piece of legislation that would have granted real-time access to vehicle driving data, after a broad opposition coalition formed. Those that lined up against this bill included, police, domestic violence shelters, the NAACP, chambers of commerce, and telecommunications and technology advocates, all voicing their concerns relating to privacy, safety, and cybersecurity.
Every day, hackers across the world are seeking ways to compromise systems that grant them access to private information. If your driving data is stored on an app that is hacked, it could be possible for criminals to remotely unlock and start your car.