Connected/Automated Vehicles Privacy Issues 53 rd Annual Transportation Law Workshop Thomas J. Bamonte (@TomBamonte) General Counsel July 14, 2014
May 26, 2015
Connected/Automated Vehicles Privacy Issues
53rd Annual Transportation Law Workshop
Thomas J. Bamonte (@TomBamonte)General Counsel
July 14, 2014
2
Overview
3
Overview of Highway Tolling• Toll highways/bridges in over 30 states• 2,900 miles of tolled interstates in 21 states• 5+ billion trips handled annually• Tolls = approx. 30% of federal gas tax revenue• Industry moving to “all electronic tolling” (AET) • AET makes tolling a more viable alternative to gas tax funding
4
U.S. Toll Highway Network
5
Mechanics of Electronic Tolling
6
Growing Transponder Account Customers
7
Pay-by-Plate Customers
8
Trip Data Collection
9
Emerging Tolling Methods
10
Toll Violation Enforcement: ALPR
11
HOT Lane Enforcement
12
Continual Video Coverage
13
“Black Box” Event Data Recorders
• Capture crash-related datao Pre-crash vehicle dynamics
and system status o Driver inputs o Vehicle crash signature o Restraint usage/deployment
status o Post-crash data such as the
activation of an automatic collision notification system
• Installed in most vehicles—NTHSA mandate forward
14
Highway User Information Collected
Customer Account• Home address• Personal
financial information
• (Non)payment information
Vehicle ID –license plate
and VIN
Vehicle Occupant
Data
Travel Pattern Data• Time, place,
direction, vehicle
• Speed derived• Years of data
Vehicle Operation & Event Data
15
Current Protections of Tollway User Privacy• Contract: Transponder
customer agreements• Customer account and trip
data shielded from general disclosure; use allowed –o When conducting tolling
businesso In response to court order
(e.g., warrant)o When aggregated (e.g., studies)o High data protection standards
in place (e.g., PCI compliance)
16
State Law Protections
Customer account
information & trip data =
FOIA exception
Mandated privacy policies & data security requirements
Laws governing ownership & use of event
data recorders
General data security &
breach notice requirements
ALPR regulation
17
Federal Law Protections
• Drivers Privacy Protection Act
• Various consumer law protections
• Federal legislation introduced to protect locational privacy—including vehicles
• Jones & Riley decisions
18
Emerging Privacy Challenges
Vehicle as Cellphone on Wheels
19
Vehicle as Data Generator
20
Vehicle Data Mining and Rewards
Drivewise by Allstate Dash.by
21
Driver Fitness Monitoring
22
Vehicle-to-Merchant Data Mining/Use
Google Car as platform for searches
Vehicle displays targeted advertising
from nearby merchants
• iBeacon for automobiles
Consumer data privacy issues similar
to other devices/platforms
23
Vehicle-to-Infrastructure Data Mining
Highway authorities may have interest in harvesting datao Safety: Identify vehicles
behaving erratically
o Payment: Identify vehicles for toll payment
o Enforcement: Identify stolen vehicles or vehicle involved in commission of crime
o Identify: Hazardous situations (e.g., swerving around object) and communicate downstream
o Traffic management: Immediate notice of slowdowns and congested areas
24
Challenges: Unrelenting Gaze
• ALPR deployed widely but not regulated
• GPS data uploaded from smartphones
• 24/7 video surveillance• Peering inside cars with infrared• M2M data sharing• Will surveillance state/economy
prompt a consumer backlash?
25
ConclusionsTransportation lawyers will have to become
privacy law experts
Highway authorities becoming more like utilities w/ associated consumer business issues
Toll highway authorities have head start on managing customer relationships & protecting trip data
Highway travel subject to intensive surveillance
Patchwork of state laws may be reflective of limited public concerns about privacy to date
That may change. . . .
26
Established PrinciplesCustomer account and trip data shielded from general disclosure; use allowed:
When conducting tolling business
In response to court order (e.g., warrant)
When aggregated/made anonymous (e.g., studies)
High data protection standards (e.g., PCI compliance)
Vehicle data belongs to vehicle owner
No transfer of data to 3d parties w/out consent
27
Lessons• Highway authorities are
increasingly high-volume consumer businesses with concrete
• Connected vehicle raises multiple privacy concerns not addressed by existing toll authority-customer framework
• Managing the technologies that put vehicle travel under an unrelenting gaze pose pressing challenges in near future
28
What Lies Ahead: Connected Vehicles• Connected vehicle applications
provide connectivity:o Among vehicles to enable crash
preventiono Between vehicles and the
infrastructure to enable safety, mobility and environmental benefits
o Among vehicles, infrastructure, and wireless devices to provide continuous real-time connectivity to all system users