This article is reposted from the autocarweekly public account.
Author: Financial Industry Old Li
On May 7th, Tesla revealed that it is developing an online information system platform for all car owners to query data on car-machine interactions, which is expected to be launched later this year. This is the first time Tesla has publicly announced concrete measures for information security after the video leak incident. Previously, Tesla Vice President Tao Lin had announced the launch of local storage of data, but no progress has been seen since.
The monitoring video from Tesla’s in-car camera has aroused great concern among users and the industry about the privacy and information security of smart cars. In fact, information security issues are not unique to Tesla, but are common in the industry.
To address this issue, car companies need to propose user-friendly solutions, and relevant departments need to establish standards and laws for the collection, transmission, storage, and application of information for smart cars, and strengthen industry supervision. Old Li is also a smart electric car owner and a “transparent person”. Today, he will discuss with everyone how smart electric cars steal our data assets, and how we can avoid data privacy problems.
How can car owners become “transparent people”
When it comes to information security, people think of the Internet, especially big-data price discrimination against existing customers (“big data killing”) and targeted push, in which Internet companies collect data and push information based on user preferences, making everyone a “transparent person”. Popular e-commerce platforms use big data for targeted pricing, and DiDi’s discriminatory pricing is also based on big data. In addition, some apps guide users to open their microphones to collect voice information.
Compared to Internet information security, smart cars are worse because they not only affect user privacy but also involve national security. Once smart car data crosses borders, not only car owners but also the country will become “transparent”.
Every smart car is a “data planet”, and the owner is the master of this planet. After the vehicle runs, it generates data continuously. Tesla collects over 200 pieces of information from its in-car computer alone, while Waymo’s autonomous driving dataset, released in 2019, contains millions of fields.
This big data combines with external data to form a data lake. Through big data analysis, users become “transparent people”. For example, Old Li visited a data center of a domestic Internet giant in 2019 and deliberately asked the other party to input his name and phone number. After analysis, much of Old Li’s private information was displayed on the screen, including personal credit reports, vehicle insurance, and e-commerce purchase records, many of which had no real relation to the company. As smart car data collection improves, car companies will in the future also obtain more data, as Internet companies do.
Currently, intelligent vehicle data mainly includes in-vehicle data and external data. As the name suggests, in-vehicle data is data generated inside the intelligent vehicle, mainly related to user privacy, including vehicle driving data, images of drivers and passengers, and sound data. The leaked Tesla video was collected driver and passenger image data. Additionally, as mentioned by Old Li, the in-vehicle microphone function can also store conversations that users have in the car.
External data not only involves user privacy but also national security, which is the biggest difference between intelligent vehicle terminals and mobile terminals. The interaction between intelligent vehicles and the external environment can generate location data, sensor data, and V2X interaction data. Especially for advanced autonomous driving, machine learning requires a large amount of data support. Only through selecting special data can algorithms be iterated. Therefore, autonomous driving cars collect massive amounts of external data, such as Tesla’s 8-way camera system and high-precision positioning devices. They not only understand users’ driving trajectories but also draw high-precision maps through SLAM methods. From this perspective, it is reasonable that Tesla is not allowed to enter special areas.
Some users may wonder how their data is transmitted to the cloud without their knowledge. This is a good question, and Old Li reminds everyone that, except for Tesla, other brands of intelligent electric vehicles currently do not have the ability to transmit data back to the cloud in real time. Generally, auto companies use three methods to enable data transmission to the cloud. The first is traditional 4G network traffic, the second is external Wi-Fi transmission, similar to how smartphones connect to Wi-Fi, and the third is through charging stations. Charging stations can read vehicle data and transmit it to the cloud after connecting to the internet.
Currently, the state is also collecting battery data from vehicles continuously. In order to regulate power batteries, the Ministry of Industry and Information Technology has commissioned Beijing Institute of Technology to develop and operate the National Monitoring and Management Platform for New Energy Vehicles. All new energy vehicles in China must transmit information to auto companies according to standardized requirements, and auto companies then transmit the data to local regulatory platforms, ultimately transmitting the data to the national platform. This is a typical application model of intelligent vehicle big data, and user dynamics are monitored within the regulatory process.
The ownership of data assets is the core issue of whether car owners become “transparent individuals.” Here, Old Li discusses with everyone who the data assets of intelligent vehicles belong to.
Currently, there are no laws in China specifically addressing the protection of privacy for intelligent vehicle data. However, with reference to the General Civil Law and other relevant domestic internet laws, the vehicle cabin is considered a non-public space, and users have a broad range of rights, including the right to be informed about data collection, the right to make decisions related to data, and the right to ownership of the data.
In the United States, the Automobile Safety and Privacy Act protects user data privacy rights primarily in two ways: by requiring manufacturers to clearly define the scope of data collection and inform consumers, and by maintaining consumer ownership of data and requiring consumer consent for its use.
Companies such as Tesla, Nio, and XPeng have also recognized the issue of data ownership. However, many manufacturers have their own interests and place data privacy clauses in lengthy app user agreements, which can be easily overlooked by consumers. If the overall agreement is not accepted, certain vehicle functions will not be available. As a result, some privacy-minded vehicle owners have resorted to covering interior cameras with tape after starting their vehicles, a solution born of necessity.
From the perspective of the author, we hope that the automotive industry can further improve product functionality to protect individual rights in three areas:
First, manufacturers should clearly inform users about data acquisition fields, including mandatory data required by the state to function properly.
Second, for non-essential data, users should have decision-making power, enabling them to control features such as in-car cameras.
Third, users should have ownership of their data and must provide consent to upload local data to the cloud.
It is clear that in-car data falls within the realm of user privacy and falls under legal protection, but outdoor data cannot be considered private user data. According to the General Civil Law of China, the state has the right to be informed about data in public places, and technologies such as the “SkyNet” system are important applications of this principle. For the government, protecting public data only requires ensuring data security.
Although automotive companies can improve product functionality by respecting user privacy and protecting user rights, this does not guarantee user privacy security. Data collection and application cycles are generally lengthy, with several stages including acquisition, local storage/deletion, data transfer, cloud storage/deletion, and application. Data at every stage is vulnerable to attacks.
The videos of Tesla owners were stolen by hackers during the cloud storage process, resulting in the disclosure of users’ privacy. If the data collected in China crosses borders, a large amount of domestic data will flow overseas, posing a threat to national security. Looking ahead into the future, with self-driving cars being operated by robots, once these cars are controlled, they will cause social panic like “time bombs”. The recent Tesla brake incident is just a microcosm of vehicle loss of control.
Users are powerless to solve the data security problem, and it requires joint efforts from national regulatory authorities and car companies to protect the safety of data in all aspects of its life cycle through various means.
At the data collection stage, regulatory authorities should establish corresponding standards and regulations, screen out data that threatens users and the country, and let users decide how data that poses a threat to them is handled. Therefore, in the opinion of Old Li, if a car company asks users at this point for permission to collect privacy-related data fields, it will definitely promote the formation of favorable public opinion.
In addition, for data that poses threats to the country, geographic information fences should be implemented in areas related to national security such as military affairs to prevent the collection of sensitive data from the source. This point can also be inferred from the Wall Street Journal report: “The Chinese government has begun to restrict the use of Tesla cars by military, sensitive industry state-owned enterprises and important agencies personnel, fearing that the car may leak national security information.”
In the storage, transmission, and application stages, the industry should establish data desensitization standards. Locally stored data should have any user-related and national-security-related information desensitized during transmission. The desensitized data obtained by the company can only be used within the fields permissible by law, such as algorithm iterations. After the holiday, NIO released a report on their user data on Labor Day, which involved a large amount of user information. We are unsure whether this information was desensitized or not, but the users do have the right to know.
In the cross-border stage, according to Article 37 of China’s Cybersecurity Law, “operators of key information infrastructure that collect and generate personal information and important data in the course of operation within the territory of the People’s Republic of China shall store such information in the territory.” The local storage of intelligent car data facilitates national data supervision and eliminates cross-border data problems.
In the smartphone industry, Apple has established the iCloud data center in Guizhou, China. Tao Lin, Vice President of Tesla, also stated during a roundtable forum organized by China’s National Development and Reform Commission that the data collected by Tesla in China will strictly comply with China’s laws and regulations on data management and achieve local storage. Although Tesla is somewhat secretive about how it handles user data, in the face of the big issue of national security, Tesla has a clear understanding of it, indicating the importance of smart car data.
During the growth phase of computers and smartphones, the development of information security regulation has been improving. Currently, the global smart car industry is not yet mature, and smart car data security is a problem that all countries need to face.
Under the premise of not affecting user rights and industry development, car companies should strengthen self-discipline, the industry should enhance guidance, and the government should strengthen supervision. As Old Li has learned, relevant regulatory departments have already been conducting work related to data security. For car companies, it is better to take action than to wait, and to solve data security issues with practical actions, not only to make users feel safe but also to seize opportunities and enhance corporate social responsibility.
This article is a translation by ChatGPT of a Chinese report from 42HOW.