August 22, 2017

Killing car privacy by federal mandate

The US National Highway Traffic Safety Administration (NHTSA) is proposing a requirement that every car should broadcast a cleartext message specifying its exact position, speed, and heading ten times per second. In comments filed in April, during the 90-day comment period, we (specifically, Leo Reyzin, Anna Lysyanskaya, Vitaly Shmatikov, Adam Smith, together with the CDT via Joseph Lorenzo Hall and Joseph Jerome) argued that this requirement will result in a significant loss to privacy. Others have aptly argued that the proposed system also has serious security challenges and cannot prevent potentially deadly malicious broadcasts, and that it will be outdated before it is deployed. In this post I focus on privacy, though I think security problems and resulting safety risks are also important to consider.

The basic summary of the proposal, known as Dedicated Short Range Communication (DSRC), is as follows. From the moment a car turns on and every tenth of a second until it shuts off, it will broadcast a so-called “basic safety message” (BSM) to within a minimum distance of 300m. The message will include position (with accuracy of 1.5m), speed, heading, acceleration, yaw rate, path history for the past 300m, predicted path curvature, steering wheel angle, car length and width rounded to 20cm precision, and a few other indicators. Each message will also include a temporary vehicle id (randomly generated and changed every five minutes), to enable receivers to tell whether they are hearing from the same car or from different cars.

Under the proposal, each message will be digitally signed. Each car will be provisioned with 20 certificates (and corresponding secret keys) per week, and will cycle through these certificates during the week, using each one for five minutes at a time. Certificates will be revocable; revocation is meant to guard against incorrect (malicious or erroneous) information in the broadcast messages, though there is no concrete proposal for how to detect such incorrect information.

It is not hard to see that if such a system were to be deployed, a powerful antenna could easily listen to messages from well over the 300m design radius (we’ve seen examples of design range being extended by two or three orders of magnitude through the use of good antennas with Bluetooth and Wi-Fi). Combining data from several antennas, one could easily link messages together, figuring out where each car was parked, what path it took, and where it ended up. This information will often enable one to link the car to an individual, for example by looking at the address where the car is parked at night.

The fundamental privacy problem with the proposal is that messages can be linked together even though they have no long-term ids. The linking is simplest, of course, when the temporary id does not change, which makes it easy to track a car for five minutes. When the temporary id changes, two consecutive messages can be easily linked using the high-precision position information they contain. One also doesn’t have to observe the exact moment that the temporary id changes: it is possible to link messages by a variety of so-called “quasi-identifiers,” such as car dimensions; position in relation to other cars; the relationship between acceleration, steering wheel angle, and yaw, which will differ for different models; variability in how different models calculate path history; repeated certificates; etc. You can read more about various linking methods in our comments and in the comments filed by the EFF.
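To make the linking argument concrete, here is a small simulation I have added for this post; it is not code from the NHTSA proposal, from the comments we filed, or from any V2V implementation. It generates the BSM stream of two cars driving in adjacent lanes, using only the parameters the post states (10 Hz, 1.5 m position accuracy, speed and heading fields, a temporary id that rotates every five minutes), and then runs a deliberately simple linker that remembers nothing but the last message of each car and dead-reckons where that car should be. The two-car layout, the uniform position error, the tolerance rule, and the “silent period” after an id change (a privacy mitigation I assume for comparison; it is not part of the proposal, which requires continuous broadcast) are all my assumptions. The block also carries the arithmetic behind the “repeated certificates” quasi-identifier from the paragraph on certificate provisioning above.

```python
"""Linkability of BSMs across temporary-id changes (constructed example).

Two cars drive side by side on a straight road, broadcasting at 10 Hz the
fields the post lists (position with 1.5 m error, speed, heading) under a
temporary id that rotates every five minutes. A linker that keeps only the
last message of each car re-links the new id to the old one from position
continuity alone. A 'silent period' after the id change is a hypothetical
mitigation assumed here for comparison, not part of the NHTSA proposal.
"""
import math
import random
from dataclasses import dataclass

TICK = 0.1                 # seconds between BSMs (10 Hz), per the proposal
ID_LIFETIME_TICKS = 3000   # five minutes per temporary id, per the proposal
POS_ACCURACY = 1.5         # metres, per the proposal

# Constructed scenario: (x0, y0, speed m/s, heading rad); car 1 is one lane
# over (3.5 m) and 10 m ahead of car 0, both at 25 m/s heading along +x.
TWO_CARS = [(0.0, 0.0, 25.0, 0.0), (10.0, 3.5, 25.0, 0.0)]


@dataclass
class BSM:
    t: float
    temp_id: str
    x: float
    y: float
    speed: float    # m/s
    heading: float  # radians, 0 = along +x


def simulate(vehicles, duration=310.0, silent_period=0.0, seed=1):
    """Return time-ordered BSMs for vehicles given as (x0, y0, speed, heading).

    Each vehicle drives straight at constant speed; the reported position has
    a uniform error of +/- POS_ACCURACY per axis. For `silent_period` seconds
    after each id rotation the vehicle sends nothing (assumed mitigation).
    """
    rng = random.Random(seed)
    silent_ticks = int(round(silent_period / TICK))
    msgs = []
    for vid, (x0, y0, speed, heading) in enumerate(vehicles):
        for k in range(int(round(duration / TICK))):
            epoch, pos_in_epoch = divmod(k, ID_LIFETIME_TICKS)
            if epoch > 0 and pos_in_epoch < silent_ticks:
                continue
            t = k * TICK
            x = x0 + speed * t * math.cos(heading) + rng.uniform(-POS_ACCURACY, POS_ACCURACY)
            y = y0 + speed * t * math.sin(heading) + rng.uniform(-POS_ACCURACY, POS_ACCURACY)
            msgs.append(BSM(t, f"v{vid}-id{epoch}", x, y, speed, heading))
    msgs.sort(key=lambda m: m.t)   # stable sort: interleave vehicles by time
    return msgs


def link(msgs, max_accel=3.0):
    """Greedy linker. A never-seen temp id continues the single track whose
    dead-reckoned position lies within tolerance; if several tracks qualify
    the linker declines (ambiguous). Returns (linked, ambiguous): linked maps
    each new temp id to the id it was tied back to."""
    tracks = []     # last BSM seen on each track
    track_of = {}   # temp id -> index into tracks
    linked, ambiguous = {}, set()
    for m in msgs:
        if m.temp_id in track_of:
            tracks[track_of[m.temp_id]] = m
            continue
        candidates = []
        for idx, last in enumerate(tracks):
            gap = m.t - last.t
            if gap <= 0:
                continue
            px = last.x + last.speed * gap * math.cos(last.heading)
            py = last.y + last.speed * gap * math.sin(last.heading)
            # allow for position error on both messages plus unobserved
            # acceleration over the gap (the longer the gap, the looser)
            tol = 3 * POS_ACCURACY + 0.5 * max_accel * gap * gap
            if math.hypot(m.x - px, m.y - py) <= tol:
                candidates.append(idx)
        if len(candidates) == 1:
            idx = candidates[0]
            linked[m.temp_id] = tracks[idx].temp_id
            track_of[m.temp_id] = idx
            tracks[idx] = m
        elif not candidates:
            track_of[m.temp_id] = len(tracks)
            tracks.append(m)
        else:
            ambiguous.add(m.temp_id)
    return linked, ambiguous


def linkability(vehicles, silent_period=0.0):
    """(id rotations, rotations linked to the previous id, ambiguous ones)."""
    msgs = simulate(vehicles, silent_period=silent_period)
    linked, ambiguous = link(msgs)
    rotations = {m.temp_id for m in msgs if not m.temp_id.endswith("-id0")}
    return len(rotations), len(linked), len(ambiguous)


def certificate_reuses_per_week(certs_per_week=20, minutes_per_use=5):
    """Upper bound on how often each weekly certificate recurs if the car is
    on all week: 2016 five-minute slots shared by 20 certificates, so the
    signing certificate alone links messages that are days apart."""
    slots = 7 * 24 * 60 / minutes_per_use
    return slots / certs_per_week


if __name__ == "__main__":
    for silent in (0.0, 3.0):
        print(f"silent period {silent:.1f}s (rotations, linked, ambiguous):",
              linkability(TWO_CARS, silent))
    print("certificate reuses per week (upper bound):", certificate_reuses_per_week())
```

With the proposal’s parameters the id rotation is linked every time: at 10 Hz a car moves about 2.5 m between messages, well inside the tolerance, while the neighbouring car is too far from the dead-reckoned point to be confused with it. With the assumed three-second silence, the dead-reckoned position is uncertain enough that both cars become plausible continuations and this linker gives up; a more patient linker using the other quasi-identifiers the post lists (dimensions, path history, certificates) would of course try again, which is exactly why id rotation alone settles nothing.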

Thus, by using an antenna and a laptop, one could put a neighborhood under ubiquitous real-time surveillance — a boon to stalkers and burglars. Well-resourced companies, crime bosses, and government agencies could easily surveil the movements of a large population in real time for pennies per car per year.

To our surprise, the NHTSA proposal did not consider the cost of lost privacy in its cost-benefit analysis; instead, it considered only “perceived” privacy loss as a cost. The adjective “perceived” in this context is a convenient way to dismiss privacy concerns as figments of imagination, despite the fact that NHTSA-commissioned analysis found that BSM-based tracking would be quite easy.

What about the safety benefits of proposed technology? Are they worth the privacy loss? As the EFF and Brad Templeton (among others) have argued, the proposed mandate will take away money from other safety technologies that are likely to have broader applications and raise fewer privacy concerns. The proposed technology is already becoming outdated, and will be even more out of date by the time it is deployed widely enough to make any difference.

But, you may object, isn’t vehicle privacy already dead? What about license plate scanners, cell-phone-based tracking, or aerial tracking from drones? Indeed, all of these technologies are a threat to vehicle privacy. None of them, however, permits tracking quite as cheaply, undetectably, and pervasively. For example, license-plate scanners require visual contact and are more conspicuous than a hidden radio antenna would be. A report commissioned by NHTSA concluded that other approaches did not seem practical for aggregate tracking.

Moreover, it is important to avoid the fallacy of relative privation: even if there are other ways of tracking cars today, we should not add one more, which will be mandated by the government for decades to come. To fix existing privacy problems, we can work on technical approaches for making cell phones harder to track or on regulatory restrictions on the use of license plate scanners. Instead of creating new privacy problems that will persist for decades, we should be working on reducing the ones that exist.

Comments

  1. The intended purpose of greater safety and the presence of “misbehavior” reporting, security and misbehavior authorities, and storage of data for several days gives me pause concerning how this could grow to be a revenue generator in the hands of law enforcement for speeding vehicles. If the intent is simply to make the roads safer, storage of data after the car is turned off would not be needed.

  2. Hm, I actually like this proposal. I’m post privacy, in the sense of being someone who has concluded that privacy is a technological impossibility and therefore a lost cause. The requirement for cleartext is something I see as a feature rather than a bug. What peeves me off royally, far more than the amount of data I’m shoveling to the data brokers with “my” devices, is that there isn’t a legible copy of that data stream for my own use, in self discovery, or what was meant by “quantified self” in a more innocent time, before that term (along with “sharing economy”) got brutally co-opted. My casus belli these days, rather than privacy (or even transparency, which unfortunately has become a weasel word) is information asymmetry, more precisely, the amelioration and preferably neutralization of it. I’m personally more comfortable (actually, less uncomfortable) with data about me being accessible to the world at large than available to paying clients under the understanding that it’s proprietary data. Plus I like the idea of the world of traffic analysis being opened to open source/open data/pubwan types and not just purveyors of “secret sauce” solutions to emerging industries like semi-autonomous vehicles, optimization of logistics, etc.

    Don’t get me wrong, I do see a downside to this. Most importantly, the security concerns. Understandably, many people place some value on the largely empty phrase “privacy policy” because it promises that access to personal data will be vetted, so supposedly it will be aggressively kept out of the hands of cybercriminals. If it’s put into the hands of narrowcasters and precision-target marketers, well, at least they’re not criminals, and as they say, TANSTAAFL. Also, even post-privacy me wants some trips to be discreet. I’m thinking I can live with plaintext geotelemetry being either allowed or required, if a hard off switch is provided. But since the “selling point” of this is helping “emergency services,” we can be pretty sure that’s one feature which will be disallowed. Honestly, just the stated reasons are reason enough for a NO vote from me. But I do sorely wish there were a place in the world for an internet of nonproprietary things, that communicate with the world at large, and generate data that somehow manages to be actionable without being monetized. I know, I know, information wants to be valuable. (Sigh)

  3. Fazal Majid says:

    For the sake of completeness, Tire Pressure Monitoring Systems (TPMS) are another wireless automobile technology susceptible to abuse.

  4. Eric Hellman says:

    Here’s an example of how the proposed vehicle to vehicle DSRC standard might be used for law enforcement.

    State A has strict firearm registration laws. Neighboring state B has many stores which sell firearms, and hosts gun shows where customers from state A are known to buy firearms. State A also has toll roads and bridges that allow it to collect and identify DSRC vehicle IDs (for law enforcement purposes only, of course). An informant stations a DSRC receiver near state A gun stores and gun shows, and using vehicle track and timing data, determines vehicles that are likely to have participated in firearms transactions involving transportation of firearms across the state border. Police in state A are then easily able to investigate possible unregistered firearms.

    Given this scenario, I think that there might be opposition (and perhaps some support) from some politically influential organizations to the DSRC standard.

    • Eric Hellman,

      State A infringes on one’s constitutional right to own a firearm, citizens attempt to legally purchase a firearm in another state (who accepts their out of state ID, I’m assuming?). The police then set up a dragnet, catching hundreds (or thousands) of innocent people that they need to harass and waste their time on to potentially investigate this terrible crime of exercising your constitutional rights.

      Sounds great, I’m sure we’ll be seeing that soon, and it will be disabled on my car immediately.

  5. dimitris says:

    This has nothing to do with safety. It’s the Elon Musk Subsidy Rule of 2017, aka how crappy-in-real-life-environments “self”-driving algos need each and every one of us to tell them where we are 10 times a second, so that Elon’s net worth climb doesn’t get impeded by liability claims.

  6. Keep it Simple says:

    So… we are concerned about safety. Why don’t we use the money to build better and safer roads.

    Who pays for the creation and maintenance of the infrastructure needed to listen to this data every 300m along every highway and byway in America? We have places in America that do not even have cell phone coverage.

    Require an emergency transmitter in all vehicles like currently used in a private and commercial aircraft. The small device could transmit a signal to an Iridium satellite when the car impacts something or the air bags deploy.

    • Leonid Reyzin says:

      You are misunderstanding the NHTSA proposal: it is intended for vehicle-to-vehicle (V2V) communications, so that cars and/or drivers can use this data to avoid collisions. Receivers along roads are not being proposed by NHTSA. Our fear is that such receivers will be installed despite not being proposed, especially in densely populated areas. This would create the privacy problems that we describe.

      • Keep it Simple says:

        Thank you for the clarification.

        I agree with the privacy issues outlined above. I am also concerned about false positives, either injected or due to internal error, that could cause me to endanger my passengers by steering erroneously away from a non-accident. The bottom line is that I do not trust some system on my car to tell me where other cars are or will be in the future.

        Be a driver. If someone cannot be a safe driver then take their license. Driving a car is not a “right.” We need to get the drunk, stoned, senile, immature, crazy, stupid and/or overly aggressive people off the road. And mandatorily retire cars that no longer meet safety standards.

        I still believe investing in better roads, law enforcement and driver training trumps this technology.

    • RE: “You are misunderstanding the NHTSA proposal: it is intended for vehicle-to-vehicle (V2V) communications, so that cars and/or drivers can use this data to avoid collisions.”
      So all moving objects will be equipped, including pedestrians, wildlife, and falling rocks?

      We understand how the technology is being presented, but it will be abused. The State cannot be trusted.

      It is also necessary to point out why this is being proposed. There was a proposal a few years ago for cars to collect data on where they traveled, and the data would be available so that car owners could be taxed on the basis of how much they drove. This was shot down because the data being collected was far more detailed than the intended purpose and because the purpose was counterproductive (e.g. taxing electric cars and fuel efficient cars the same as SUVs). Having failed to create that privacy mess, they now offer this. NO SALE.

  7. Brett Fattori says:

    So, modify the proposal and use line-of-sight (LOS) to pass the information. With LOS the transmitter & receiver would be physically located on the car. The transmitter broadcasts all of the information to the car in front of or behind to pick up, thus eliminating the use of radio. Because it’s direct, and it occurs between (usually) moving vehicles, there would be tremendous danger to try and collect these maliciously.

    I’m sure Google could modify their cars to collect and aggregate the info in-situ, but I doubt that would be high on their plans.