Why autonomous vehicles might accelerate the theft of personal information

Commentary: As autonomous vehicles start to change the way states and cities think about transportation, agencies must think about the cybersecurity implications of the technology.

The impact autonomous cars will have on cities and communities is massive. But are we ready? 

One study found only 6 percent of U.S. city and regional transportation plans address the potential effects of driverless technology.

Self-driving cars stand to benefit societies by potentially reducing traffic accidents, creating better air quality and bringing more productivity to people’s days when they aren’t wasting time stuck behind the wheel. But there’s also a very notable worry that cities can’t afford to ignore. Autonomous cars wield the unintentional capability of introducing new ways for cybercriminals to wreak havoc on a city’s infrastructure and citizens’ personally identifiable information (PII). In a world in which we must now find ways to lock down all digital assets and information, a focus on cybersecurity in regard to self-driving technology is essential.

Government involvement in this technological and societal shift is growing. The SELF DRIVE Act is steering its way through the U.S. Congress. The bill, which would speed up the production and development of self-driving cars, passed the House in September, and earlier this month the Senate Commerce Committee unanimously approved it. It now heads to the full Senate for a vote. We may see self-driving cars on our streets very soon.


While this legislation would allow automakers to bypass regulatory hurdles and block states from imposing their own regulations, within it are provisions on cybersecurity and privacy, two areas that have huge implications on how autonomous cars could affect our everyday lives.

If passed, the bill would require autonomous-car manufacturers to present a robust cybersecurity plan that would include, among other things:

  • How the manufacturer would respond to a cyberattack or other unauthorized. intrusions, including spurious vehicle control commands.
  • A process for identifying foreseeable vulnerabilities from cyberattacks.
  • A process for taking preventive or corrective action to such vulnerabilities.
  • A designated employee in charge of cybersecurity for highly automated vehicles.
  • A process for limiting access to automated driving systems.
  • Employee training on cybersecurity.

The technology behind autonomous cars depends on connectivity with networks that provide real-time data on everything from global positioning to road conditions. So while the concept of driverless cars has captured our imaginations, the reality is that more connectivity opens new and different pathways for cyberattacks.

We often see consumer manufacturers get caught up in rabid market demand before fully integrating comprehensive security measures into their hot products. In the case of autonomous cars, lives will literally be at stake, so we should ensure that security concerns are adequately addressed before it’s too late. The SELF DRIVE Act outlines sensible measures all manufacturers should take before we let any autonomous cars loose on our streets.


On the privacy side, the SELF DRIVE Act would require manufacturers to tell consumers how they are gathering and using data on vehicle owners and occupants. However, manufacturers that de-identify, anonymize or encrypt this data are exempt from the privacy plan. In order to truly ensure data privacy, the bill should specify protections for the keys used to encrypt PII. Otherwise, manufacturers will be tempted to take the easy way out on data privacy by using weak encryption processes that won’t provide adequate protection of personal data.

Inherently, self-driving cars will create vast amounts of data. We know from other industries undergoing digital transformations that data is their single-most valuable asset — and sometimes their greatest liability. If autonomous-car manufacturers don’t secure the data their cars collect with encryption or another de-identifying method, they will have a hard time convincing consumers that they won’t be the latest industry targeted by the crafty cybercriminals that are almost always one step ahead.

Self-driving cars will surely offer unparalleled convenience and will benefit cities and communities in a number of ways, but the security risks are too great for us not to examine what manufacturers need to do  before consumers stoke a demand that’s too tempting to slow down. At this stage, city and state urban planners and IT professionals have an opportunity to anticipate the threats that autonomous cars might introduce and start preparing now. In that vein, their first action can be to advocate for the most comprehensive data encryption restrictions possible in regulatory frameworks like the SELF DRIVE Act or their jurisdictions’ own pieces of legislation.

Cars introduced safety risks the day they were invented. But now it’s their computer software, rather than their hardware, that warrants concern. It will take involvement from multiple parties — government officials, manufacturers and car owners — to make sure adoption is done right and people are protected from outsider threats.

Jim DeLorenzo is a Solutions Marketing Manager at Thales eSecurity.

This story was featured in StateScoop Special Report: Cybersecurity: 2017 - A StateScoop Special Report

Latest Podcasts