Connected Cars: Who owns my car data?

How secure is my personal data in a connected car?

We are increasingly living in the era of the Internet of Things.  The Internet of Things – or IoT – describes the growing number of everyday objects containing embedded computers that are able to connect to the Internet and send and receive data.   

Examples of IoT devices include smart domestic devices such as Amazon Echo, Nest thermostats and smart lightbulbs, wearable technology such as Apple watches and Fitbits, even smart pet feeders!   Then of course there are connected cars.

Research in 2015 predicted that cars will be a “major element” of the Internet of Things, with one in five vehicles having some kind of wireless network connection by 2020.   But how do cars connect to the Internet and how do they then use it?

A connected car is equipped with Internet access, and usually also with a wireless local area network.  This enables the car to share internet access with other devices inside and outside the vehicle.

Some of the main ways in which Internet access can then be used in a car are:

  • Journey management – eg traffic information, parking assistance
  • Vehicle management – eg reports on vehicle condition, service and MOT reminders, remote operation
  • Safety – eg warning of external hazards, monitoring vital vehicle responses
  • Entertainment – eg Smartphone interface, Wifi hot spot, music, video, social media
  • Driver assistance – eg autopilot in heavy traffic, operational assistance in parking
  • Well being – eg fatigue detection, environment adjustment, medical monitoring

All well and good.   But with the Internet of Things in general there are growing concerns about data security.  Many IoT devices are feared to be a little lacking in the security stakes and as yet there are no common standards for IoT devices.  If you are using a connected car then an amount of your personal data will be stored in the car’s software.  What happens to that data when you no longer own the car?

This issue has been described as a “ticking time bomb” by the group IoT Now.   The process of erasing all personal data from a vehicle is fairly complex due to the wide variety of mobile operating systems, car manufacturers and other devices connecting to different car makes and models.    Even the same make and model of car is likely to change its operating systems and apps over different production years.  

All this means that there is no single standard for the data security of cars.  Therefore when a car is resold, it is potentially open to data from previous owners being unlawfully accessed and falling into the wrong hands.

What kind of data are we talking about here?  Obviously it does depend on how you use the connectivity in your car but if you are connecting a mobile device to your car then the software may store data such as address books, call and message logs, texts, instant messages and GPS data.   

Going one step further, if you use Internet browsing or social media in your car then your log-in details may also be stored by the car’s software.   For example if you use your car  Internet for managing your finances online and have potentially sensitive issues such as bad credit logbook loans, then this data could potentially be accessed by others.

So what is the answer to this key issue?  What needs to happen is for car manufacturers to incorporate into vehicle software the necessary features and capabilities to allow data to be easily and permanently wiped from the car when it changes hands.  Even better would be for some kind of official certificate to be issued as proof that this has taken place.

This may well happen.  A recent report from the Flourish consortium – including insurer Axa, engineer Atkins and law firm Burges Salmon –  highlighted the fact that if access to vehicle data is restricted due to security concerns, this will then limit some of its opportunities, for example  alerting emergency services immediately following an accident.

However, the consortium also recommended  that the UK government makes it clear who is allowed to have access to the vehicle data.  Who actually “owns” it?   The government is planning a bill on autonomous and connected cars, and is now expected to include draft legislation around data ownership issues as part of this.

Flourish summed this up as follows:

“Data collection is the cornerstone of the operation of connected and autonomous vehicles, and the importance of ensuring that this data can be used is clear.  The use of this data will inevitably raise the issue of data protection and protection of privacy. An appropriate balance between these sometimes competing considerations will need to be found so that the UK can appropriately exploit the potential opportunities in the use of this data.”

It is to be hoped that, alongside the march of the Internet of Things, the ethical issues of data ownership and security are also considered carefully.   This would enable drivers to reap all the benefits of connected cars whilst at the same time being protected from unlawful access to their personal data.