
Privacy Concerns in the Connected Car Ecosystem

BSides Vancouver · 2021 · 24:54 · 86 views · Published 2021-06
About this talk
Connected cars generate vast amounts of sensitive personal data—geolocation, driving patterns, navigation history, health information—that flows to manufacturers, insurers, advertisers, and government without meaningful user control. The talk examines privacy risks in automotive IoT ecosystems, recent data breaches in the sector, and practical strategies for users and organizations to protect privacy through design principles, consent management, and regulatory frameworks.
Original YouTube description
BSides Vancouver 2021. The Internet of Things (IoT) has changed the face of the automotive industry by introducing the concept of connected cars. These cars actively interact with other smart systems such as smart devices at home, smartphones, and peripheral devices such as USB, Wi-Fi, RFID, etc., and generate a huge amount of data. It includes users' sensitive personal data such as geolocation data, navigation history, driving behavior, electronic data recordings, etc., in every shape and format. Organizations can harvest this data in various ways without the user knowing the purpose of data collection, usage, sharing, or transfer. For example, companies may use this data to profile their customers for marketing purposes, provide customized offers, recommend changes to insurance plans, etc. The lack of control over the use and flow of their data exposes the user to various data security risks such as misuse of personal information, potential use in the surveillance of individuals, or a data breach which may undermine the individual's right and freedom to privacy. This has led to the need for developing standards and frameworks that govern the use of personal and sensitive data generated by these systems. Adopting privacy by design and privacy by default principles to safeguard user privacy needs and expectations might be the first step in addressing users' concerns. The session would talk about managing data privacy risks in the age of connected cars and best practices to minimize user impact.
Transcript [en]

Hi everyone, my name is Richie Gotham. Today I'm going to be talking about privacy concerns in a connected car ecosystem. Let's start with the very basics here: what is privacy? There are all the legal definitions out there, but in very simple terms, privacy is my right to be left alone. It's having the decision, being in control, to basically know how your personal information will be used and who you want to share it with. So when we talk about personal information, that would be anything which can be used to uniquely identify you: your date of birth, your email address, your political views, or sensitive personal information like your photo ID, your biometrics, anything which is very personal to you and can uniquely identify an individual by itself or in combination.

Next we have this slide where we are talking briefly about the recent privacy and security incidents which have happened in the automotive sector. There are a few glaring figures out here. First and foremost, there were about 200 automotive cyber incidents reported in the year 2020 alone. This is in stark contrast to the statistics we have for 2019, where there were only about 93 incidents reported. Next up, 36 of the incidents in 2020 involved data breaches and privacy breaches, so this is where our focus area is: earlier the focus was more about cyber security, the cyber hacks, securing your systems, ensuring the security triad around your data; now it also has implications from the privacy perspective as well. So this is what the threat scenario at this point looks like, and the top threats which hit the automotive sector are your web server attacks and your prone vulnerabilities, the inherent vulnerabilities I'd say in the OT systems. That is where the most high-severity risks are lying, and which have been capitalized on by hackers more than once, I'd say.

Now, we are living in a very connected world. We are sharing a lot of our data out there. Typically when we use our phones and you look up your Google history, it shows you the list of sites which you have visited, which places you have visited so far, how many air miles you have generated in the last few weeks, and it is getting all this data from your searches, from your telecom operator. So a lot of our own personal data is out there. Let us go through this example to understand what a connected vehicle ecosystem looks like, how it is impacting our privacy, and what the future of the connected car is. Let's go through a typical day for Mike.

Mike is a school teacher, and living in these pandemic times he generally drives down to pick up food from his favorite restaurant. Once he's in his car, his car is talking to all these Apple devices he has at home: those are home intrusion devices, all these alarms for him to know if there is any burglary or theft happening back in the house, home video surveillance (he has a baby back home and wants to monitor how things are in the nursery), then car theft alarms to report if there is any theft happening, and if he meets with an accident there are systems which report back to the accident reports. So all these devices are continuously in contact with each other, even while you're away from home. Now as he moves further on the road, he is coming to an area where there are a lot of shops and restaurants. As he's passing by, all these shop owners start to give him notifications on customized offers: there is a sale going on, based on his past history, he's shopped with them before, and now combined with the location data they have as this car is passing by, they can give him more customized offers. So he can see all these menus in his car, from the comfort of his car, all these different offers popping up. He moves further ahead on the road and unfortunately gets a flat tire. Typically, back in the old days, you would call some kind of road assistance, but now the car has an automated sensor and it picks up the input right away that he has a flat tire, and it automatically sends out the alert to the road assistance. The road assistance folks arrive, they are fixing his tire, and he's still sitting comfortably in the comfort of his car listening to his favorite Spotify playlist. So all of this is happening without any physical interaction from him.

And so if you look at this, he basically has no idea what data is being shared with these people, how his data has been used, and what the basic life cycle around the data is. All of this information is based on his geolocation; right from that very parameter of his location they can also determine that he's had this flat tire, and then different insurance companies can analyze his driving patterns. He has a dash cam and whatever he's talking gets recorded, and his driving patterns get analyzed: how often he's braking, is he a rash driver, how many speeding tickets have been issued to him. So there's all this connection between what the government has and what the insurance agencies have, and there's a lot of profiling which is happening on this data, and there's no way for Mike to know how his data is being used, who it is being shared with, or even how it has been collected. So this example tells us a lot: we might not realize it, but there's a lot of personal information of ours which is going out there pretty much all the time. This is something we do realize: we need these things for convenience, but having control over how your data is being used is where the privacy concern comes in.

This slide gives us a deeper view of the different aspects of the connected vehicle ecosystem and what types of data it deals with: your vehicle and safety data, your driving patterns, your location, your personal information, your health information, and then all the consumer insights, like we spoke about, insurance providers using this data and shop owners pushing you these customized offers. Typically the communication channel is the wireless connectivity, but there are different data sources: the data is coming from the telematics, from telemetry, from the infotainment platforms, from the GPS units, from your onboard sensors, to even your smartphones and your smartwatch. So there's no boundary for us any longer; those network boundaries are kind of disappearing, and this data flow is shared with your equipment manufacturer, it is going to the government, it's going to third parties. So there are a lot of unknowns; this is a much more complex system than the traditional days from where we started, and as we're moving into the age of the Internet of Things, looking at connected cars and autonomous cars, privacy has become the focal point of discussion.

Okay, now let's look into what kind of data, personal data specifically, this car is collecting about us. You have a camcorder, which is an electronic data recorder; it captures if you get into any accidents, and these recordings can then be used to claim insurance. But what we don't realize is that they are recording every set of conversations unless you have your microphone turned off; they also record all the conversations you are having within the car. Next, if you're visiting any hospital or trauma center, any of these sensitive areas, it stores your location, it stores your navigation history, right from the time to what the physical location is, to what your driving pattern is, to how much distance you generally travel, and it can map out quite an extensive profile of a user based on this information. Also, since this car is connected to multiple electronic home devices, it gives out details like where your office is located, who your typical family members are, and so forth. So this is typically the personal data which gets collected about you, without you even realizing it, when you're traveling in the car.

Let's talk about how the collected personal data is used. One of the most uncontrolled uses of the data is when this data gets shared with third parties by these OEMs. Typically when you're buying the car you're signing this policy, and there's a small checkbox right there which says "agreeing to terms and conditions", and it does not specifically list out how your data is being used. So what your data is being used for is to upsell, to generate algorithms that are so complex for us to predict: based on how you're driving, how often you brake, how much time you go between maintenance checks, what your periodic service cycle looks like, this data can help insurance companies make a customer profile, and that's where your insurance premiums can start going up. So this is predatory marketing and manipulation: they start upselling you more products. You typically go out there, you have a flat tire, and then the road assistance folks come in fixing your tires, and the next thing you know they're saying they have a problem with your cooling system, and the battery is not operating at its optimum, and different other things which you probably never knew existed in your car; all those problems suddenly surface, and they can tell all this because they have access to a plethora of our data. Then, what car manufacturers can do is use this data to direct your car to a more preferred maintenance shop, or even build an autonomous fleet. We've heard about the Tesla hack where it started off with a driver suddenly no longer being in control of his car. What if something like this can be materialized, and a hacker is able to generate an autonomous fleet, thus compromising the central monitoring system itself? Another misuse of the data, potentially, would be advertisement: you are getting all these location-specific ads, location preferences, which influence our shopping behaviors and patterns. So the customer is no longer neutral; without even knowing it, there is an unconscious influence being pushed because you have all this information being pushed out to you, and the decisions which we make are then influenced in a way.

So let's understand the key privacy risks. One of the major privacy risks which we see around here is high exposure. All of these things are so connected that if there is an incident happening, it's not a standalone incident: your device is also connected to your systems back home, and if your vehicle gets compromised and an attacker is able to intercept all these communications with all these peripherals, the impact of this privacy breach is much more substantial. Next is the uncontrolled data flow. Once the information is out of your bounds, once you've signed that privacy policy and you don't know how your data is collected and who it has been shared with, there's always a situation which we call function creep, because now you no longer have ownership around it: you cannot tell where your data is flowing to and how it is being used. And then there's a very large attack vector, because when you talk about OT systems, traditionally cyber security started picking up and data security is more focused around web-centric attacks, but OT and IoT systems are not as adequately covered, so there's a lot of attack vector out there for hackers which they can use to exploit the system. So there's misuse of your location data, which can potentially be used to surveil individuals or give them a more targeted approach. And then there's the part of the legal framework: the privacy regulations have been around for a while, but they were focused on personal data security; now with more of the OT threat surfacing, new laws are starting to come into the picture which also take into account the machine-to-machine communication and any personal data which is being put out there as a part of these interactions. Last but not least, we'll briefly touch upon the driver's safety. We're all talking about securing a system and ensuring your privacy, but this works hand in hand with ensuring that the drivers, the ones who are the end users, the ones who operate these systems, are well informed and use it as per what would be an acceptable use.

So for us it's important to understand our car. Whenever you're going out buying it, research the product, take some time, go through the user manual, see all those features, try to understand and get comfortable with what data is being collected. When you're buying, look for the justification: why do they need the data? Limit the data to its necessary use; give consent only based on what is needed; you can opt out, so look for those checkboxes where you can opt out. So this is the part where you have to understand, you have to be aware of how it's flowing. Next comes avoiding: one of the best ways, I'd say, to avoid any privacy breaches is to not enter very accurate locations. You want to go to your house, and the address is 2469, unit such and such; just enter your neighbor's address, or maybe a landmark which is more prominent out there. That way you can still reach your destination, but you will also be able to maintain the confidentiality of the data. The exact office addresses, the exact home addresses, those need not go in there; you're probably just putting in the building's name or the nearest landmark or coffee shop. That can be one other way to circumvent the disclosure of this information. Next up, let's make a habit of deleting the navigation history from time to time. This is specifically more important in cases when we are reselling our vehicle or returning a rented car: you don't want to return a car from which the other person can absolutely make out where you went, what your trip was like, where you stayed over, what your stops were; you do not want that kind of information to get out. And last but not least is being aware of your rights. For most people, when we are buying the vehicle, what we look at is: okay, we want to buy this, we want to use all the features, but we do not take into account that there are a lot of third parties involved here. You are sharing this information with the manufacturer, with all these ride sharing applications, with renting applications; now we have destination assist, which you can call up and they can set the location for you; and then there are your cam recorders which come in. So be aware of all these different areas where your information is, the type of data which these folks are collecting, how it is being collected and how it has been used.

Looking at the path forward for the businesses, when we are looking at the manufacturers, the first point would be to embed privacy and security in your project, in the product development phases. We've always seen the product is developed, it's out, and that's when the security and privacy tangent is being built into it, which is much more ineffective than having security earlier ahead in the core and then designing the process which is all inclusive of it. Another thing is to make privacy a boardroom agenda. If cyber security was your agenda a few years back, privacy should be a concern area now. There are so many upcoming regulations: we have the European Union GDPR, the Global Data Protection Regulation, which regulates and lists out how personal data can be used and controls the entire privacy structure of that; then there's the California privacy act; the European Data Protection Board recently published guidelines which talk about personal data in the context of connected vehicles; and then there are always the best practices documents coming from the automotive manufacturers. So this is something that you have to incorporate: privacy at the product level, in a secure system which is focused around all the tenets of data security, which ensures your confidentiality, integrity and availability, because once it's secure then you can enforce the privacy measures by developing mature consent management practices, giving customers options to opt out (don't make everything an opt-in condition), and providing accurate notices, giving them scope. That's what GDPR is pretty much all about: ensuring transparency, ensuring the accountability of your information, ensuring that you have control over your data. And last but not least, look at data in the entire ecosystem: the data is not just the data which is coming in from the car, it's also going to the manufacturer, it's also going to these different databases where it's just sitting. So look at the entire life cycle, right from collection to how it's been maintained and stored, all the way to disposal. So this is pretty much it that I have. I'll open the floor to any questions if we have any, but that's about everything. Thank you so much.
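The consent management, data minimization and data life-cycle points the talk closes on, as an added example that is not the speaker's code: a purpose-bound release filter run over one constructed telemetry frame, where every purpose name, field name, retention period and sample value is assumed for illustration rather than taken from any real vehicle platform.

```python
"""Privacy-by-default telemetry filter for a connected car. Added example, not
from the talk: purposes, field names and the sample record are constructed."""

# Purpose-bound allow-lists: a field leaves the vehicle only for a purpose the
# driver has opted in to and that actually needs it (data minimization).
PURPOSE_FIELDS = {
    "roadside_assistance": {"vin", "location", "tire_pressure"},
    "usage_based_insurance": {"vin", "location", "speed", "braking_events"},
    "marketing": {"location", "infotainment_genre"},
}
# Categories the talk singles out as sensitive: never released, even if an
# allow-list above is later widened by mistake (a guard against function creep).
NEVER_RELEASE = {"cabin_audio", "health_data", "navigation_history"}
# Retention per purpose, so disposal is decided at collection time.
RETENTION_DAYS = {"roadside_assistance": 30, "usage_based_insurance": 365,
                  "marketing": 90}

# Constructed sample: one telemetry frame as the car might assemble it.
SAMPLE_RECORD = {
    "vin": "EXAMPLEVIN0000001",
    "location": (49.28273, -123.12074),   # ~1 m precision, downtown Vancouver
    "speed": 52.0,
    "braking_events": 3,
    "tire_pressure": {"fl": 31, "fr": 31, "rl": 22, "rr": 32},
    "cabin_audio": b"<constructed audio bytes>",
    "health_data": {"heart_rate": 88},
    "navigation_history": ["Home", "Hospital", "Restaurant"],
    "infotainment_genre": "jazz",
}

def coarsen_location(lat, lon, decimals=2):
    """4 decimals is ~10 m (enough to find the car); 2 is ~1 km (a neighbourhood,
    not a house): the talk's 'enter a nearby landmark' advice applied by default."""
    return (round(lat, decimals), round(lon, decimals))

def release(record, consented_purposes, purpose):
    """Minimized record that may leave the car for `purpose`, or None without consent."""
    if purpose not in consented_purposes:
        return None
    allowed = PURPOSE_FIELDS[purpose] - NEVER_RELEASE
    out = {k: v for k, v in record.items() if k in allowed}
    if "location" in out:
        # Only roadside assistance needs to actually locate the vehicle.
        decimals = 4 if purpose == "roadside_assistance" else 2
        out["location"] = coarsen_location(*out["location"], decimals)
    out["_purpose"] = purpose                  # provenance travels with the data
    out["_retain_days"] = RETENTION_DAYS[purpose]
    return out

def data_flow_audit(record, consented_purposes):
    """Per purpose, the fields that actually leave the car: the notice a driver
    should see instead of a single terms-and-conditions checkbox."""
    return {p: sorted(k for k in (release(record, consented_purposes, p) or {})
                      if not k.startswith("_"))
            for p in PURPOSE_FIELDS}

if __name__ == "__main__":
    for purpose, fields in data_flow_audit(SAMPLE_RECORD, {"roadside_assistance"}).items():
        print(f"{purpose:>24}: {fields or 'nothing (no consent)'}")
```

Widening an allow-list or adding a purpose is a visible code change that the audit output immediately reflects, which is the reviewable trail that a terms-and-conditions checkbox does not give.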