Averting Digital Auto Safety Hazards
Clarification of data ownership and access rights are critical to ensuring future driver safety.
The car of the future will collect a wide range of data. Ownership and usage of those data must be clarified, and legal and technical characteristics have to be established in order to ensure data protection, data security, vehicle safety, and a fair market. On these issues, DSI has carried out stakeholder workshops with the automotive sector, mobility digital startups, automotive insurers, and vehicle inspectors and, on this basis, has developed the following recommendations.
The right to personal data collected in the vehicle should be first due to the customer (owner or driver, depending on the context). Customers should be transparently informed about the collected types of data and the depth of the data collection to decide how to make the data accessible, to whom, and for what purpose. Data should be bundled into understandable packages based on types and use context. On the other hand, the rights to strictly vehicle-related technical data – in which a person is not directly identifiable, which are produced by and in technologies of the vehicle, which fulfill essential functional and safety-relevant functions, and which the vehicle manufacturers or associated original equipment manufacturers (OEMs) are most capable to understand and process – should be given to the vehicle manufacturers or the OEMs first, in order to achieve a clear and effective distribution.
In order to enable a large and fair market as well as the broad development of the automotive and mobility market, all service providers and third-party providers should be in an equivalent, fair, appropriate, and non-discriminatory position to offer their services to respective data owners. This is the only way to ensure a high level of innovation in the automotive and mobility sectors. When using the data, service providers and other third-party providers must ensure their security and data protection in accordance with applicable national law. Decisions regarding the wishes of service providers or third parties for special access to data or specific surveys of data to enable new business models should be made by vehicle manufacturers in order to ensure the safety and integrity of the vehicle’s overall architecture. These decisions must be factually justified and independently verifiable. Because of the security implications, it is particularly important that service providers and third parties do not receive “write” access to vehicle systems, except through explicit bilateral agreements with vehicle manufacturers or OEMs for purposes of maintenance and diagnostics in the garage via the on-board diagnostics (OBD) interface on the parked vehicle. Third-party software in the vehicle must not have direct access to the controller area network (CAN bus).
For data that is critical for data protection, data security, or vehicle safety, access must be explicitly managed in order to establish responsibility and accountability as well as to ensure a correct implementation of technical standards. A centralized, technical management of the data transmission by OEMs is conceivable for these data types, but the service providers working with these data should not be placed at a disadvantage to the OEMs. An automotive platform could be a different or complementary measure of warranty.
For data types with relevance to auto safety and security, the state should define – in consultation with insurers, inspectors, and law enforcement authorities – whether and in what form these data must be collected and deposited and in what manner and under what conditions access to these data may take place, provided that such data are relevant for accreditation processes, accidents, thefts, manipulations, or similar processes that necessarily involve external parties. For highly automated vehicles (level 3 and above), transparent, cross-manufacturer standards are required for a set of relevant data to be recorded, for the data formats to be used, and for access to these data. For the implementation of the handling of relevant data in practice, a model of an independent data trustee can ensure that the raw data is encrypted and treated impartially and that access is only possible with legitimate interest, taking into account legal requirements. Such a model could also be considered for the provision of other personal data.
In order to consistently achieve the desired goals despite technical and legal complexity, it is necessary to guide technical and regulatory development via principles that address future automotive concepts and architectures. After consultation in the stakeholder workshops, DSI proposes the following principles:
1. Privacy by design: The privacy of private data should be made architecturally, not only legally. The underlying technical concept shall be “trustworthiness” not “trust.”
2. Privacy by default: As described, personal or person-generated data should fi rst belong to the driver/owner of the vehicle.
3. Security by design: The security of critical functions should also be secured architecturally and “trustworthy.” The underlying technical concept, whenever possible, should be provable security, not assured security.
4. “Safety First” principle for IT security: If data or informational processes have implications for safety, the risk must be considered high – regardless of the probability of attack – and safety requirements must be met according to this risk expectation.
5. Consistency of safety and security requirements: Standards and assumptions expressing the reliability of safety-functions must be applied in the exact same quantitative expression – “one-to-one” – to the security of the systems carrying these functions.
Originally published as “Recommendations for safety, security and data policy in automotive IT” as part of the Industrial & Policy Recommendations (IPR) Series published by the Digital Society Institute of ESMT Berlin, http://dsi.esmt.org