Skip Navigation
BlackBerry Blog

Autonomous Vehicles, Privacy, and the Future

FEATURE / 04.02.18 / Aaron Bryson

In recent news, a self-driving car hit and killed an Arizona woman and made headlines. Our hearts go out to her and her loved ones. Uber has been very cooperative with law enforcement, the investigation, and they are determined to figure out what went wrong and how to fix it.

Uber has correctly decided to suspend its autonomous vehicles until the technology can be assessed and improved, thus preventing or reducing the chance of another accident. This is the first known lethal accident that involved an autonomous vehicle and a pedestrian.

This accident has created a lot of questions as we explore and test new autonomous technology that is designed to increase the safety of our roads. By removing drivers from the equation and even the entire steering wheel, the idea is that machine learning software can and will drive better than humans.

When a traffic accident occurs, the drill is pretty standard. Question everyone, look at the facts, and try to determine who is at fault. But what happens when there is no driver of the vehicle?

There are essentially two scenarios:

  • A product liability lawsuit alleging the manufacturer of the car/technology or company that installed the technology is responsible for the incident by putting the product into the marketplace.
  • A negligence lawsuit against the driver for failing to take control when the technology failed - but what if there is no steering wheel or driver?

Both scenario possess very different legal elements, defenses, and burdens of proof. There is also a difference between self-driving vehicles and vehicles which possess driver assistance technology (i.e. lane assist, automatic braking, etc.)

The law has not kept up with technology, and it will be forced to evolve and adapt very rapidly. There are things that will need to be updated in the vehicle code and highway and transportation codes. However, this goes way beyond state and federal laws and encompasses international law as well, such as the EU General Data Protection Regulation (GDPR).


The French Data Protection Authority (CNIL) issued its Connected Cars Compliance Pack in October 2017, which serves as a toolkit for ensuring that connected cars (for personal use) are compliant with French data protection requirements. Using an innovative approach that is both practical and technical, the CNIL has elaborated multiple possible scenarios.

It highlights the following principles in particular:

  • Information can be provided by various means (e.g., contract, driver’s manual, car computer, standardized icons) depending on whether it is essential information.
  • Pseudonymization instead of anonymization can be used as a guarantee of confidentiality, allowing service providers to produce statistics on the basis of legitimate interest but not necessarily with prior consent.
  • Any data processed for a legitimate interest is not subject to portability.

Similarly, the Federation Internationale De L’Automobile (FiA) has a lot to say about car data.

Unfortunately, all too often we see scenarios play out where the law is forced to rapidly adapt without proper consideration for the ramifications of its societal, economic, and environmental factors. This typically results in a blanket ban on the technology or certain use-cases.

In the case of a technology that is well suited to reduce risk on the road, one could argue that such a hasty move to ban the technology would forever leave us with the status quo. However, this technology is rapidly evolving and will surpass a human’s capability for consistent safe driving. Rapidly evolving privacy regulations and the difficulty of changing mindsets within well-established businesses are a challenge.

The National Transportation Safety Board has sent a team to investigate the incident and Uber is cooperating. If this technology succeeds, hopefully, these accidents will cease to exist or become incredibly rare. The National Transportation Safety Board and autonomous vehicle manufacturers cannot possibly scale to handle these kinds of situations without the aid of technology, efficient processes, and a very low number of accidents.

Companies like Waymo, Uber, GM, and others continue their autonomous vehicle (AV) testing around the world. These companies must have a law enforcement interaction plan. This plan should outline everything from how law enforcement should interact with an autonomous vehicle for the purposes of pulling one over, disabling features when necessary, etc.

This plan must address how law enforcement can collect accurate, adequate, relevant, and non-excessive data from the vehicle. In order for that to be a reality, the vehicles must be engineered with data privacy and security in mind – and not just road safety.

Currently, there is no standard for autonomous vehicle data, sensors, interfaces, or engineering. The way one vehicle operates and makes decisions is entirely different than that of another manufacturer who built their autonomous vehicles using different hardware and software.

The manufacturer will need vehicle data as part of their feedback loop to continually advance the technology. Autonomous cars will encounter situations their designers did not plan for and the feedback will be essential to prevent a recurrence.

Manufacturers may use data transmitted by these vehicles (i.e. vehicle speed, battery life, computer diagnostics, sensor telemetry, etc.) to develop more efficient, safer and more advanced vehicles. This data may be fed into big data or machine learning engines to improve the car’s future capability.

The Future

Connected and autonomous vehicles will change the relationship between customers and the vehicle manufacturers. Historically, vehicle manufacturers had sporadic interactions with their customers, primarily through their dealerships.

As connected cars become more ubiquitous, manufacturers will have to deal directly with consumers 24/7 around the world. The continuous connectivity and data that flows automatically from each vehicle has major implications on the privacy strategy of the company.

This is particularly true in the case where manufacturers are responsible for compliance, regulations, and legal requests to obtain vehicle data. These companies will have to learn how to process large volumes of data and manage the concerns of customers with respect to how that data will be used, stored, shared, and secured.

New players will emerge who want access to customer data in return for new services and products (e.g. insurance, advertisers, marketers, engineering, etc.). This will change the OEM ecosystem forever. Car manufacturers have a long history of working with third-parties and outsourcing components and services to partners, while others are kept in-house.

As the connected car ecosystem evolves, these companies will scramble to find the right partners and third-parties to provide new services and components. In the event of a data violation or autonomous accident, it is ultimately the manufacturer that will bear the brunt of the damage and liability. Proper vendor risk management will become more important because the risk profile is changing.

Manufacturers must integrate privacy into their culture and processes with a holistic data privacy strategy - this is key to protecting customer data. Manufacturers must be proactive with ever-evolving global privacy regulations to ensure their products are compliant with international expectations.

Vehicle manufacturers must use privacy-by-design principles for a pragmatic approach. Privacy and security must become a core part of the brand. Appointments and policies that acknowledge the importance of protecting the privacy of their customers begin in the Boardroom.

Keeping customer data safe will mean bringing both legal, compliance, and cybersecurity teams into a bold new position within the company. This will present new challenges of culture and integration. Legal teams are generally disconnected from the development of products and services. Situations occur where engineers have been hard at work for months before the legal team becomes aware that a project is not viable from a legal perspective.

Similarly, when security and privacy are not considered early in the development lifecycle cybersecurity and compliance teams can also become a roadblock when they discover vulnerabilities and compliance issues. This creates friction among teams and undermines relationships. The different teams will need to be completely re-shaped and integrated within connected-car teams.

Finally, brands must make this complicated ecosystem an easy-to-understand experience for the customer to be successful. What good would all of this be without consumers adopting the technology?

Here’s Some Food for Thought:

  • What do you think of the recommendations provided by FiA and CNIL?
  • How do you think the law and manufacturers can work together?
  • Should autonomous technology data and/or video recordings be accessible to law enforcement without a warrant? Under what conditions? Can the owner decline to share the data just as they may decline to allow to have their property searched?
  • How do you prevent the abuse risk for this data? How do you protect that data?
  • Should a vehicle be impounded until such a warrant can be obtained? How long is a reasonable time frame to hold someone’s vehicle?
  • Should there be some mechanism, via the hardware or the car's firmware perhaps that would allow law enforcement to get some basic data helpful to the crash or incident?  Which pieces of data should be made available by the manufacturer? From what time period?
  • Does collected data trump eyewitness’ statements and information provided by people?
  • If autonomous vehicles are safer, shouldn’t owners have a drastically reduced insurance bill? How should an insurance premium be affected in the rare case of an autonomous accident?

Let us know what you think via Tweet to @CylanceInc or wherever you find this article posted on social media - thanks! 

Aaron Bryson

About Aaron Bryson

Red Team Director at Cylance

Aaron Bryson has worked in the information cybersecurity field in startup companies, Fortune companies, and the DOD. He has led red and blue teams, risk and fraud teams, development and engineering teams. His positions have ranged from penetration tester to CISO. Aaron has a passion for software security because software runs the world.