Autonomous Vehicle - Recommendations to Protect Personal Information
A variety of measures may be employed to help protect personal information collected and stored by Autonomous Vehicles (AVs). The following are the recommendations:
1) Privacy by design
The design of an AV can include privacy by design, right from the beginning of the product development process, considering the context and content. The data collected by an AV have the complexity arising from multiple drivers, rental vehicles, change of ownership, and others as they leave traces of their data in the vehicle.
The FTC endorsed privacy by design¹ and called for entities to implement best practices to protect consumers’ private information. These best practices include making privacy the ‘default setting’ for commercial data practices.
Data from AVs could be anonymized, but steps have to be taken to ensure that data cannot be re-identified, taking into account technological developments and regulatory guidance².
2) Security by design
Security of AVs is a growing concern due to i) the increased exposure of the functionality to potential attackers ii) the reliance of vehicle functionalities on diverse autonomous systems, and iii) due to the interaction of a single-vehicle with myriads of other intelligent systems in urban traffic infrastructure. Security by design principle for intelligent and complex autonomous systems, such as an AV, is poorly understood and rarely practiced³.
The Fair Information Practice Principles (FIPPs)⁴ can be considered a baseline while designing AVs as they collect enormous data for their operation. Tesla didn’t follow FIPP’s security principle. Crashed Tesla vehicles bought from junkyards disclosed PII⁵ as the data was not encrypted.
There can be end-to-end encryption of all communication at rest and in motion to protect the AV data. End-to-end encryption will render any stolen data useless. It would be better if the National Institute of Standards and Technology (NIST)⁶ can provide some guidelines specific to AVs to identify potential threats and vulnerabilities, provide an understanding of security impacts, and specify guidelines to mitigate risks.
3) Continuous Privacy Harm Assessments
AV’s algorithms require massive amounts of data to train and improve performance which depends on the quality and quantity of data used for training them. As the AV systems are evolving, the data collection and usage can be analyzed frequently by utilizing Daniel J. Solove’s taxonomy⁷ of privacy harms, Helen Nissenbaum’s contextual approach⁸, and Mulligan et al.’s analytic⁹ privacy frameworks to prevent harm to the data subjects.
4) Transparency
To gain the users’ trust, manufacturers can provide transparency on how the data is collected, what features are used, how they are used, how the algorithm reacts based on the input, etc.
AV manufacturers can use the model cards¹⁰ framework during the design of the algorithm for transparent model reporting. Model cards provide benchmarked evaluation in various conditions, such as across different cultural, demographic, or phenotypic groups and intersectional groups. Model cards also disclose the context in which models are intended to be used, details of the performance evaluation procedures, and other relevant information.
5) End-to-end Consent and Opt-out
Notice and consent are key principles under the Fair Information Practice Principles⁴, which serve as the foundation of many privacy laws and frameworks. Under various regulations, drivers may have the right to opt-out of personal data sales (CCPA’s “Do Not Sell My Personal Information”), to access or download their data, or to have all of their data deleted (GDPR and CCPA).
AVs have many components and third-party services (OEMs) that use data. A simplified interface provides options to consent and opt-out for each service clearly defined with high-level and granular sections. Also, offer shorter and contextual privacy notices as they hold greater promise based on the California Department of Justice (DOJ)¹¹ privacy policy statements and privacy notices.
6) Regulations and Guidelines
Most of the current regulations¹² on motor vehicles’ safety are based on the assumption of humans driving vehicles. New regulations¹³ can be adopted where ethics have to be given utmost importance starting from the vehicle’s design to its adoption in society.
Also, biometric data collection significantly raises the stakes for privacy and security as consumers can’t change their fingerprints or irises after that data is sold or breached. The Illinois state government came up with the Biometric Information Privacy Act (BIPA)¹⁴, which requires informed consent before collecting biometrics data.
Congress and state legislatures could pass Driver Privacy laws¹⁵ to protect AV data, similar to the federal and state laws that protect Event Data Recorder (EDR) data.
A unified federal law is required for AV data collection, usage, and retention policies considering human values at the core. The federal government can regulate data privacy¹⁶ as the vehicle manufacturer can promise to de-identify personal information¹⁷ (what time a user left home and to where the user went), but due to different standards maintained by different manufacturers, there is a risk that some of them will allow re-identification.
References
[3] https://arxiv.org/pdf/1810.00545.pdf
[8] https://doi.org/10.1162/daed_a_00113
[9] https://doi.org/10.1098/rsta.2016.0118
[10] https://arxiv.org/pdf/1810.03993.pdf
[11] https://oag.ca.gov/sites/all/files/agweb/pdfs/cybersecurity/making_your_privacy_practices_public.pdf
[12] https://www.nhtsa.gov/laws-regulations
[13] http://www.nhtsa.gov/staticfiles/rulemaking/pdf/Autonomous-Vehicles-Policy-Update-2016.pdf
[14] https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57
[15] https://www.congress.gov/bill/114th-congress/senate-bill/766/text
[16] https://www.gao.gov/products/GAO-14-81
[17] https://www.theguardian.com/technology/2016/jun/08/self-driving-car-legislation-drones-data-security
Thank you for reading! Please 👏and follow me if you liked this post, as it encourages me to write more!
