Asked & Answered: Kathy Ossian on 'connected cars'

By Steve Thorpe

Legal News
Auto manufacturers increasingly offer “connected” features that allow drivers and riders to easily connect with everything available on the Internet. But those car companies are learning — sometimes the hard way — that features for customers can be opportunities for criminals. Kathy Ossian of Ossian Law PC in Ferndale focuses exclusively on Information Technology Law. Practicing law for three decades, Ossian has nearly 20 years of experience and expertise in IT Law. Formerly senior principal and chair of the Information Technology and Cyberlaw Section at Miller Canfield, she also served as a law clerk to U.S. District Judge Robert E. DeMascio.
Thorpe: Give us a quick and dirty definition of a “connected car.”
Ossian: A connected car has built-in wireless Internet access that allows the occupants to connect to the Internet, just as they would from their home, office or a coffee shop. Connected vehicles also allow automakers, suppliers and others to collect data through telematics (in-car communication/navigation systems) about traffic flow, accidents and other driving-related topics. The data can also reveal drivers’ Internet browsing habits and other information that is valuable from a marketing perspective. While there is strong consumer appeal to staying connected while driving, this raises some important privacy, security and safety concerns.
Thorpe: In 2015, are there any cars that aren’t connected? Are some more than others?

Ossian: Today, most luxury brands and a few non-luxury brands offer wireless Internet technology. The number of cars offering this technology is expected to increase dramatically over the next five years. Research firm Gartner, Inc. predicts that, by 2020, there will be 25 billion connected vehicles on the road. Of course, any car equipped with telematics is collecting a great deal of personal data. This fact prompted the Government Accounting Office to issue a report a couple of years ago on privacy practices relating to in-car location based services:
Thorpe: Retail, banking and credit card companies are excited about this development. What plans do they have?
Ossian: Retail, banking and credit card companies are looking forward to the day when in-car purchases become part of our routine. Because this could put personal information at risk, building security features into the design of vehicle systems makes sense. Visa has been working on a technology that allows a driver to use voice commands to notify a restaurant or store of an order and, upon the vehicle’s arrival, the goods are brought to the car. No credit card information is stored in the system itself but on a separate digital device, like a smart phone, watch or glasses that would identify the driver to the retailer. 
Thorpe: What are some of the privacy considerations of the connected car?

Ossian: Among the privacy considerations are:

• What use will auto makers, suppliers and others make of the multitude of data that our cars have been and are continuing to collect through telematics?

• Who is responsible for personal information being transmitted through in-car Internet usage?

• How will such personal information be protected?

• What data is or could be made available to the government?
Thorpe: Hackers are potentially able to seize control of major drive components, as Fiat Chrysler learned to its dismay this past summer. How did that unfold and what are the safety implications?
Ossian: In July, a Jeep was hacked through a vulnerability in its telematics system. The incident was “planned” in that the driver and the hacker were working together to demonstrate the issue. As of last month, Fiat Chrysler has recalled more than 1.4 million vehicles to receive a security patch to the in-car entertainment system that was the entry point for the hack. Given that the hackers were able to take over the car’s engine and transmission, without the patch, driver and passenger safety can be impacted. There are additional concerns over the number of Fiat Chrysler car owners who have not yet responded to the recall, so their vehicles remain at risk.
Thorpe: Is the law keeping up with these developments? To use an automotive metaphor, this seems to be a place where privacy law, commercial law and safety law collide at an intersection.

Ossian: In short, no. Like many other areas involving technology, the law is lagging behind. Standardization of systems, which could facilitate regulation and enforcement, clashes with OEM’s and supplier’s development of proprietary systems. Governments and regulators have been vocal, including the G-7 States (United States, Canada, France, Germany, Italy, Japan and the United Kingdom) and European Commissioner of Transport declaration on automated and connected driving focusing on development of technical regulations designed to ensure data protection and cyber security. The Federal Trade Commission, the National Highway Safety Administration and U.S. State Department are some of the federal agencies interested in the implications of connected cars. The regulatory roadmap for connected cars has yet to be plotted.

Subscribe to the Legal News!
Full access to public notices, articles, columns, archives, statistics, calendar and more
Day Pass Only $4.95!
One-County $80/year
Three-County & Full Pass also available