Every second, the internet gains 11 new users. In the United States, 96% of the population has a cell phone, and 81% of Americans have a smartphone. The users carrying those millions of devices to live and work have a wide range of habits. Some connect their phones and laptops to open networks without a second thought and start working away. Some take advantage of all the little conveniences that developers bake into their apps and devices which can leave them vulnerable to attack. Others disable features that make their data vulnerable, connect to virtual private networks (VPNs), use apps that focus on privacy, and take other precautions to keep their data safe. For all the precautions, the one device most of us never think about may be the most expensive and hardest to secure: our cars.
Cars have evolved in ways that most drivers never consider. Infotainment systems have evolved in such way that make connection through a smartphone a necessity, especially if they are based on Android Auto or Apple CarPlay. Most of us happily connect our devices to the USB ports or Bluetooth in our cars to stave off the boredom on our drives to work, unaware that our cars are passively collecting our data with each passing mile.
Our vehicles keep logs of certain events, like when doors open, gear shifts, hard acceleration and braking, when we start or stop the engine, or when we have our seatbelts on or off. The type of information recorded depends on the make, model and trim level, or what options and accessories the vehicle is equipped with.
It is imperative that as access to vehicular data becomes more available, we take proactive measures to protect our privacy.
Like most security issues in technology, data is largely useless without a way to access and read it. One tool that has been developed to allow investigators to interpret and analyze vehicular data is Berla iVe, though it creates vulnerabilities.
In 2013, the Department of Homeland Security Cyber Security Division began working with the Berla Corporation, of Annapolis, Maryland, to develop iVe, a digital forensics toolkit that has opened the door for law enforcement to extract data from vehicles as part of criminal investigations.
While a car’s internal systems collect reams of data, devices that drivers connect to a car also offer evidence.
“What’s been helpful from that perspective are things like the cellphone’s locked and you can’t get in it, but they’ve connected the phone to the car, so it reveals some data about the phone. That’s been essential to investigations, to get them access to data that they wouldn’t typically have,” Berla CEO Ben LeMere states in an interview with AFCEA.
According to Berla, their software is available to “law enforcement, military, civil and regulatory agencies, and select private industry organizations,” so the pool of entities who might be able to access your information is limited. However, given the quality and quantity of the data stored, it’s important that we be aware of threats to our privacy. We may unthinkingly pair our phones with a rental car and unknowingly give that car’s system access to our text messages and phone call information. If that car is later involved in an investigation, our information is readily available to law enforcement without our consent or knowledge.
Virginia law provides protections for motorists; information gathered by a device on a vehicle can only be retrieved with a warrant or with the owner’s consent. However, complications arise when ownership of the vehicle changes or we sync our data with vehicles we don’t own. You continue to own your data until the vehicle is sold.
As some of this data is recorded from the time the vehicles roll out of the factory, a sale to a third party means we are also selling access to our private information. As these software suites become more readily available, the time will arise when the tools they provide will be available to a broader range of companies and industries.
As consumers, we should educate ourselves on what types of data our vehicles collect, while asking for a means to download, extract or delete our data during a sale. We should also consider amendments to the Virginia code to provide protection to drivers who are operating leased or co-owned vehicles, such as spouses when one party owns commonly shared vehicles. It is imperative that as access to vehicular data becomes more available, we take proactive measures to protect our privacy.