On July 21, 2015, Senators Edward J. Markey (D-MA) and Richard Blumenthal (D-CT) introduced the Security and Privacy in Your Car (SPY Car) Act of 2015, which would direct NHTSA and the FTC to establish federal standards to secure cars and protect drivers’ privacy. The SPY Car Act also establishes a rating system, or “cyber dashboard”, that informs consumers about how well the vehicle protects drivers’ security and privacy beyond those minimum standards.
The SPY Car Act includes the following cybersecurity and privacy provisions, as well as the establishment of a rating system, or “cyber dashboard”:
1. Cybersecurity Standards
NHTSA, in consultation with the FTC, should develop standards that prevent hacking into vehicle control systems. These performance standards should require:
- Hacking protection: All access points in the vehicle should be equipped with reasonable measures to protect against hacking attacks, including isolation of critical software systems, evaluated using best security practices, such as penetration testing. These measures are to be adjusted and updated as a result of the evaluations.
- Driving data security: All collected information should be secured to prevent unauthorized access—while stored onboard the vehicle, in transit from the vehicle to another location, and in offboard storage or use
- Hacking mitigation: The vehicle should be equipped with technology that can detect, report and stop hacking attempts in real-time
2. Cyber dashboard
NHTSA, in consultation with the FTC, should establish a “cyber dashboard” that displays an evaluation of how well each automobile protects both the security and privacy of vehicle owners beyond those minimum standards. This information should be presented in a transparent, consumer-friendly form on the window sticker of all new vehicles and is required 2 years after final regulations are prescribed.
3. Privacy standards
The FTC, in consultation with NHTSA, should develop privacy standards on the data collected by vehicles. These standards should require:
- Transparency: Owners being made explicitly aware of collection, transmission, retention, and use of driving data
- Consumer choice: Owner’s ability to opt out of data collection and retention without losing access to key navigation or other features (when technically feasible), except in the case of electronic data recorders or other safety or regulatory systems
- Marketing prohibition: Personal driving information may not be used for advertising or marketing purposes without the owner clearly opting in