

Navigating the Crossroads: Balancing Data Innovation and Privacy in the Automotive Industry

In the rapidly evolving landscape of automotive technology, where data collection is instrumental in enhancing safety and performance, a crucial dilemma arises — how to strike a harmonious balance between the advantages of data utilization and the imperative to safeguard user privacy. In an insightful conversation with Davi Ottenheimer, Vice President of Trust and Digital Ethics for Inrupt, we explore the intricate challenges and potential solutions that confront the auto industry at this crossroads.


Harnessing the Power of Distributed Data Models


The evolution of data breach laws in the United States since 2003 has provided a backdrop for innovations in privacy-preserving data collection. Reflecting on the past, Ottenheimer notes a shift towards processing data locally on edge devices, a paradigm that proved effective in the 1990s. However, the current trend of centralized processing models with massive data stores raises concerns reminiscent of past imbalances and predicts potential disasters, such as breaches of confidentiality and integrity. Ottenheimer advocates for the adoption of exciting distributed data models in the automotive industry, offering immediate integration opportunities across various facets, from infotainment to real-time sensors.


Empowering Users through Transparent Communication


Ensuring transparent communication with users about the data collected and its usage is paramount. Ottenheimer proposes a shift to a user-centric data storage model where owners can not only see the data collected but also monitor its use through configurable consent. Drawing an analogy with putting steering wheels in the hands of car owners, he emphasizes the inconsistency of collecting user data in an opaque harbor under automaker control while allowing cars to venture onto the open road. To build trust, Ottenheimer argues, automakers should place data in the hands of users, fostering a sense of ownership and control.


Strengthening Defenses Against Cyber Threats


In response to the growing specter of cyber threats, Ottenheimer challenges the prevailing approach of centralizing sensitive data, deeming it “too big to be safe.” He advocates for a paradigm shift towards distributed defenses, empowering data owners with greater control over vehicle data storage, transmission, and processing. Ottenheimer warns that without immediate innovation in personal data storage architecture, data integrity breaches will inevitably worsen, posing a significant risk to the auto industry.


Safeguarding Autonomous Vehicle Data


As autonomous vehicles become increasingly prevalent, safeguarding the massive amounts of generated data becomes a paramount concern. Ottenheimer likens autonomous vehicles to small data centers on wheels and underscores the need for robust measures akin to those applied in the data center industry. Drawing parallels with PCI DSS as a successful model for data center safety, he suggests that specific personal data privacy protections should be enforced, akin to emissions tests for vehicle safety.


The Regulatory Catalyst for Responsible Data Practices


Regulations, Ottenheimer argues, play a pivotal role in shaping responsible data practices. Comparing them to instigators of innovation, he asserts that baseline safety requirements need to be elevated to spur further advancements. Companies, in turn, can stay ahead by studying harms, understanding baseline safety requirements, and applying lessons from other industries. Ottenheimer advocates for transforming the automobile ownership experience to resemble managing healthcare or financial accounts, where data possession and control are paramount.


Collaborating for Ethical Data Usage


In the pursuit of innovation, Ottenheimer proposes that the auto industry should collaborate with experts in digital ethics, citing Inrupt as an example. By adapting mandatory data security standards to be more prescriptive about protecting user data, collaboration with digital ethics experts can drive technical solutions that meet or exceed ethical guidelines. Ottenheimer emphasizes the importance of personal data stores with an open interoperability architecture, positioning the auto industry for safe and trusted AI and addressing a spectrum of cybersecurity threats.


In this dynamic landscape, the automotive industry stands at a critical juncture, facing the challenge of reconciling data-driven innovation with the imperative to uphold user privacy and security.


Automotive Industries caught up with Davi Ottenheimer to shed light on the path forward, advocating for a user-centric, distributed, and ethically grounded approach to data practices in the automotive sector.


Automotive Industries: How can the auto industry balance the benefits of data collection for improving safety and performance with the need to protect user privacy?


Ottenheimer: Data breach laws in the US since 2003 opened the door to innovations in balancing privacy with data collection purposes (including safety). About a decade ago, for example, better balance came when data was processed locally by an edge device (endpoints) instead of centrally (services), a lesson learned previously in the 1990s with rapidly innovating midrange and microsystems. Car companies today heading into giant centralized processing models with centralized data stores, gambling on provider network links, are repeating known imbalances with predictable disasters ahead (massive breaches of confidentiality and integrity). That’s an easy example; exciting distributed data models are ready and able today for the auto industry to integrate immediately into everything from infotainment and personalization to real-time sensors and systems.


Automotive Industries: What steps should automakers take to ensure transparent communication with users about the data they collect and how it will be used?


Ottenheimer: The simple answer is automakers should immediately move into a data storage model where users see data collected and can monitor use through consent that is configurable. My father used to say a ship is safe in harbor but that’s not what ships are built for. Automakers need to put data in owners’ hands the same way that they put steering wheels in owners’ hands. It’s inconsistent to collect all user data back in an opaque and distant “harbor” always under automaker control, yet their cars are being designed to leave the factory and go out on the open road. To ensure transparent communication with users, put the data in the possession of users.
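The owner-controlled storage model described in this answer (owner sees what was collected, grants consent that is configurable, and can monitor every use) as an added Python sketch. This is a constructed illustration, not Inrupt's or W3C Solid's code; the data categories, recipients and purposes are assumed examples.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed illustration (not Inrupt's or Solid's code): vehicle data lives in
# a store the owner controls; the owner grants consent per data category,
# recipient and purpose; every read attempt is logged where the owner can see it.

@dataclass
class Consent:
    category: str      # e.g. "location", "diagnostics" (assumed example categories)
    recipient: str     # who may read the data
    purpose: str       # what the recipient may use it for
    expires: datetime  # consent lapses automatically at this time

@dataclass
class PersonalDataStore:
    data: dict = field(default_factory=dict)
    consents: list = field(default_factory=list)
    access_log: list = field(default_factory=list)

    def record(self, category, value):
        """Vehicle writes a datum into the owner's store."""
        self.data.setdefault(category, []).append(value)

    def grant(self, category, recipient, purpose, days):
        """Owner configures consent: who, for what, and for how long."""
        exp = datetime.now(timezone.utc) + timedelta(days=days)
        self.consents.append(Consent(category, recipient, purpose, exp))

    def revoke(self, category, recipient):
        """Owner withdraws consent; later reads by that recipient are denied."""
        self.consents = [c for c in self.consents
                         if not (c.category == category and c.recipient == recipient)]

    def read(self, category, recipient, purpose, now=None):
        """Return data only if an unexpired consent matches category, recipient
        and purpose; log the decision either way so the owner can monitor use."""
        now = now or datetime.now(timezone.utc)
        allowed = any(c.category == category and c.recipient == recipient
                      and c.purpose == purpose and c.expires > now
                      for c in self.consents)
        self.access_log.append((now.isoformat(), recipient, category, purpose,
                                "granted" if allowed else "denied"))
        return list(self.data.get(category, [])) if allowed else None

    def owner_view(self):
        """What the owner sees: what was collected, current consents, all uses."""
        return {"collected": {k: len(v) for k, v in self.data.items()},
                "consents": [(c.category, c.recipient, c.purpose) for c in self.consents],
                "uses": list(self.access_log)}
```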


Automotive Industries: In a landscape of increasing cyber threats, how can the auto industry fortify its defenses to prevent unauthorized access to sensitive vehicle data?


Ottenheimer: Pulling all sensitive data into a centralized datastore initially was couched in “too big to fail” beliefs of the “data lake” movement, before it was repeatedly proven an opposite state of “too big to be safe”. The biggest breaches in history have been mistaken for increasing cyber threats when it was more a case of predictable disasters that were allowed to grow without proper regulation. Even if the winds grew marginally stronger, it was more of a problem of ever larger bridges being built without sound engineering practices that led the industry into “increasing” disasters. Instead of pushing everyone’s data into a single silo, the auto industry should be adopting distributed defenses where data owners are more in control of vehicle data stored, transmitted and processed. In particular, data integrity breaches will only get much worse if automakers don’t start innovating immediately in personal data storage architecture.


Automotive Industries: As autonomous vehicles become more prevalent, what measures should be in place to safeguard the massive amounts of data generated by these vehicles?


Ottenheimer: Measures to safeguard massive amounts of data should start with a premise that people already know very well the risks of data on the web – the entire amount of data generated on the web through all its data centers being much larger than autonomous vehicles – yet often people lack proper motivation (economics) to execute on well-known solutions. This is a question really about all data generated by any environmental sensors anywhere on the web, like asking whether the safety of ground-penetrating radar data changes if it’s in a car or not. Autonomous vehicles are small data centers on wheels. There’s a metadata safety issue of running any data center itself, while also safeguarding everything being generated, stored, transmitted and processed inside or outside of it. The data center is a useful analogy for those of us who regularly work with them, especially those who test a data center for safety, but I fear most people don’t know what such a reference means. PCI DSS is a great example of how data centers were made safer because the industry said a very clear technical baseline was a requirement to operate at all. In that sense, a lot of cars on the road today lacking specific personal data privacy protections could be denied a permit to operate just like how we block them when they fail emissions tests. No TLS 1.2 or above? No permit to operate.


Let me also add an important tangent, an elephant in the room if you will, about national security. Autonomous vehicles are like explosive loitering munitions, which at any time can be commanded en masse to cause catastrophic harm (e.g. tampered sensor algorithms could mean 10s of thousands of directed munitions impacting a small target area). Even more potent a threat to national security, however, is that the loitering munitions are highly tuned surveillance systems, which resemble snipers in how they are always watching. Safeguarding generated data by these snipers brings into scope the kind of high confidentiality risks associated with highly funded organized crime, global corporations and nation-states that deploy agents. And then it also brings into scope integrity risks, such that data could be manipulated for powerful political agendas including acts to deny freedom or liberty.


Automotive Industries: What role do regulations play in shaping responsible data practices in the auto industry, and how can companies stay ahead of evolving privacy laws?


Ottenheimer: Regulations are the instigators of innovation. When we set a baseline of safety, for example, we start thinking hard about staying above that baseline. We could innovate even more towards best practices, like requiring five-point seat belts to replace the “user-ease” innovation that made a three-point so successful. But without regulation pushing automakers towards such innovation, we’ll likely stay in three-point baseline mode forever, if you see what I mean. Data practices currently fall below baseline, and that’s the problem. Regulators of privacy rights need to turn the dials up on personal data control the way that doctors after the 1950s pushed so hard for mandatory seat belt installation and use. Companies can stay ahead fairly easily, by studying harms and looking at the baseline safety requirements, which have been around now for decades. Think of opening a bank account versus opening a car door. You get to see all your bank transactions, get regular statements, and there’s an absolute emphasis on integrity of the data. The auto industry needs to present the automobile ownership experience more in terms of opening a healthcare or financial account where transactions are in a user’s view and address data possession and control.


Automotive Industries: In the pursuit of innovation, how can the auto industry collaborate with experts in digital ethics, like Inrupt, to establish ethical guidelines for data usage?


Ottenheimer: The auto industry should adapt its mandatory data security standards and requirements (e.g. ISO/SAE 21434 and UN WP.29) to be more prescriptive in how to protect user data in terms of confidentiality and integrity. This will spark necessary collaboration with software developers like Inrupt who provide technical solutions that meet or exceed ethical guidelines. When talking about threats to data (harms) then really users should be protected within the vehicle, when they communicate in and out of the vehicle, within the data service (e.g. cloud) and whenever they connect services (e.g. apps). Having a personal data store with an open interoperability architecture (W3C Solid) provides controls that not only directly addresses this spectrum of cybersecurity threats, but also positions the auto industry for safe and trusted AI (prevention and detection of integrity breaches).



Thu. June 13th, 2024
