You might be surprised to learn that the vast majority of new cars sold in the United States contain a device that continuously monitors the driver’s behavior and vehicle performance. This so-called “black box” or Event Data Recorder (EDR) records at least the last several seconds of vehicle and driver data before a crash, ostensibly for use by crash investigators. Last month, the National Highway Traffic Safety Administration (NHTSA) proposed rules that would mandate EDRs in all new cars and light trucks.
While we agree that EDRs can serve a valuable forensic function, we are concerned that the NHTSA’s proposed rules fail to address driver and car-owner privacy in a meaningful way.
The proposed rules are open for public comment due by next Monday, February 11. EFF plans to submit our own formal comments to the NHTSA, but we also wanted to give our supporters a preview of our concerns so that any of you who are so inspired can share your own views with the NHTSA. You don’t have to be a lawyer or an engineer, and in fact comments are best submitted online. You can even submit comments anonymously.
What do black boxes record?
Under the proposed rules, EDRs will be mandatory in all light vehicles (cars and trucks that are required to have front airbags) sold in the United States that are manufactured on or of after September 1, 2014. EDRs will collect technical data (including vehicle speed, engine throttle position, brake use, driver safety belt status, air bag warning lamp status, and changes in velocity) continuously while the vehicle is in operation. Then, once a “crash” is detected (airbag inflation or an extreme change in velocity), at least five seconds of data will be recorded and “locked.” While EDRs are not required to record audio or video, location information, or data such as hours of service for commercial operators, nothing in the regulation prohibits the collection of those data either.
- The NHTSA states that it is agency policy “to treat EDR data as the property of the vehicle owner.” That’s not enough. There needs to be a clear statement, both in the regulation itself, and in the owners manual, that any data recorded by the EDR are the sole property of the vehicle owner, and that the owner may expect that the EDR data remain private except if he or she consents to its disclosure.
- The NHTSA needs to put a cap on the amount of data recorded. The proposed rules set a minimum duration of 5 seconds prior to a crash for the recording of 15 required and 28 optional “data elements.” However, because no maximum duration is specified, and modern automotive electronics packages include large amounts of digital storage, there is nothing to prevent the long-term collection of data. There needs to be a ceiling to the EDR collection requirements, not just a floor.
- The rules must prohibit the disclosure of EDR data for purposes other than crash recovery. Modern automotive electronics are capable of surprising feats, for instance emailing you when your car thinks its time for an oil change. While the technology is impressive, the data that an automaker’s value-added services relies upon should be kept separate from the data legally mandated data to be collected by the EDR. EDR data is simply too sensitive to be broadcast to any third party by the vehicle itself.
- The proposed rules must contain a requirement that the data recorded by the EDR be accessible via a published, free, and public standard, or at minimum, free for personal use, i.e. by the car modder community. Under the current draft, the NHTSA proposes that a commercial imaging tool be made available. A requirement that manufactures sell a closed, proprietary tool to access data owned by the consumer isn’t enough.
- The NHTSA needs to explicitly prohibit the collection of audio, video, and location data by EDRs. The agency states that such data isn’t collected. That’s not enough.
- Finally, consumer must be clearly informed of what data are being collected. The proposed regulation mandates that each new car’s owner’s manual include a boilerplate notice stating that an EDR is present and that “various systems” are being monitored. That’s not enough. Any EDR data collection beyond the minimum requirements of the regulation needs to be fully and clearly disclosed to the consumer. For instance, while the NHTSA is careful to state that EDRs are not required to collect location data, nothing prohibits automakers from including a location data element in the EDR. If they do, that’s something the consumer needs to know. Likewise, if the EDR records 5 minutes of data prior to a crash (or 5 days, or 5 months), instead of the mandated 5 second minimum, the consumer needs to know that as well.
The agency will hold open its comment period through Monday, February 11. Join EFF and tell the NHTSA that you think it needs to take privacy seriously in the EDR rules.