Q&A: Sen. Ed Markey On Protecting Data Our Cars Are Sharing

Feb 9, 2015
Originally published on February 9, 2015 5:27 pm

Cars and trucks today are computers, and a new report overseen by Sen. Ed Markey, D-Mass., comes with a warning: As more vehicles have wireless connections, the data stored in them is vulnerable to stealing, hacking and the same invasions faced by any technical system today.

How safe are we in our connected cars?

Markey's office sent inquiries last year to 20 automakers, including Ford, Toyota and General Motors, asking what the companies were doing to secure the technology in their vehicles from cyberattack and how they manage personal data stored in cars. The report finds that while it hasn't happened yet, a hacker could remotely and wirelessly access a vehicle's computers through Bluetooth systems, OnStar systems, malware in a synced Android phone or even a malicious file on a CD in the stereo.

Automakers have insisted they're putting driver safety and security first; in November, two trade groups representing automakers unveiled a set of principles intended to protect security.

"Auto engineers incorporate security solutions into vehicles from the very first stages of design and production — and security testing never stops," Wade Newton, a spokesman for the Alliance of Automobile Manufacturers, said to the Detroit News. His trade group represents Detroit's Big Three automakers, Toyota, Volkswagen and others.

Markey spoke to NPR's Robert Siegel about the threats to motorists today, the threats to come and what should be done to protect us.


Interview Highlights

Your report documents how it is possible to enter the computer systems of a car and do things to the car. Does this happen in the real world yet?

Not yet, but it's proven that it can happen. But we're in a world where no one had ever thought that a hacker could get into all the health care records of the biggest companies in America, that they could hack into the defense systems of the country. We can wait until criminals don't need a crowbar to break into your car, that they'll just need an iPad, but we can begin right now to say to the auto manufacturers: Build in the security that makes that very difficult.

The auto manufacturers and sometimes third parties collect a vast amount of data. What are automakers doing with that data?

This information is gathered about every single driver in the country as they're driving and parking. And it's gathered by the automotive industry. It's stored, but no one really knows the level of security that's built around that information, no one knows whether they give that information to third parties, no one knows what security the third parties build around that information. So I'm opening this question so we can begin the discussion of what are the safeguards that should be put on the books for the drivers in this country in the modern, post-combustion engine era.

OnStar assists us in an emergency. Most of the other functions we're talking about have to do with entertainment or convenience. Should motorists be prepared to sacrifice some amusement or convenience for security?

No, it's a false choice. It's the same choice that automotive manufacturers were trying to give to drivers back in the 1960s and '70s about air bags and seat belts. They were saying it was going to add dramatically to the cost of the vehicle and consumers would not want that. When in truth once they were given that additional protection people now automatically use those safety devices. Well, we need the same kinds of safety devices for the information.

Are the insurance companies involved in this problem?

I think the information would be very interesting to insurance companies. It could help them to understand the individuals' driving habits. But it requires ultimately permission to be given to them by the driver. This should not be a decision that should be made by automakers. Perhaps it's even profitable for the auto industry to share that information with the insurance industry. But I don't think Americans should have their privacy compromised for the private gain of insurance companies or auto companies.

The CEO of Ford has said that Ford would disclose whatever information it collected. Is disclosure sufficient, or should there be a stronger guarantee than that?

I think it should be both. I think if an automotive manufacturer is able to build in Bluetooth and keyless entry and remote start and navigation and Wi-Fi, then they should also be able to build in software packages which protect privacy and safety of drivers. That's what this debate should be all about.

Copyright 2017 NPR. To see more, visit http://www.npr.org/.

ROBERT SIEGEL, HOST:

How safe are you in your car? Not when it comes to air bags or antilock brakes or your safety belts, but how secure are your vehicle's computer systems and wireless technologies like Bluetooth? That's a question Massachusetts Senator Ed Markey has been asking, and it's one that he's put to manufacturers. And he's out with a report today that says if you are driving a newer car, then you are vulnerable. And he joins us from Capitol Hill. Welcome, Senator Markey.

SENATOR ED MARKEY: Thanks for having me.

SIEGEL: Your report documents how it is possible to enter the computer systems of a car and do things to the car. It's possible. Has it actually happened? Does this happen in the real world yet?

MARKEY: Well, not yet, although it's been proven that it can happen. But we're in a world where no one had ever thought a hacker could get into all of the health care records of the biggest companies in America - that they could hack into the defense system of our country. And we can wait until criminals don't need a crowbar to break into your car - that they'll just need an iPad - or we can begin right now to say to the automotive manufacturers, build in the security that makes that very difficult.

SIEGEL: Your concern has another dimension, which is that the auto manufacturers and, in some cases, third parties collect a tremendous amount of data. What are they doing with that data?

MARKEY: This information is gathered about every single driver in the country as they're driving and parking. But no one really knows the level of security that's built around that information. No one knows if they give that information to third parties. No one knows what security third parties build around that information. So I'm opening this question so that we can begin the discussion of what are the safeguards that should be put on the books for drivers in our country in the modern, post-internal-combustion era.

SIEGEL: In your report today, you cite some research from 2011, research that demonstrated - and I'm quoting here - that "one could remotely and wirelessly access the vehicle's CAN" - controller area network, its computers - "through Bluetooth connections, OnStar systems, malware in a synced Android smartphone or a malicious file on a CD in the stereo." OnStar has some dimension of assisting us in an emergency. Most of the other functions we're talking about have to do with entertainment or a little convenience. Should motorists be prepared to sacrifice some amusement or convenience for security?

MARKEY: No. It's a false choice. It's the same choice that automotive manufacturers were trying to give to drivers back in the 1960s and '70s about airbags and seatbelts. They were saying it was going to add dramatically to the cost of the vehicle, and the consumers would not want that, when in truth, once they were given that additional protection, people now automatically use those safety devices. Well, we need the same kinds of safety devices for the information.

SIEGEL: Senator, when I try to imagine who would have any interest in my driving history and how fast I might drive or where I might go and what kind of roads, I can't think of too many, but insurers would be one. Are the insurance companies involved in this problem?

MARKEY: I think the information would be very interesting to insurance companies. It could help them to understand, you know, the individual's driving habits. But it requires, ultimately, permission to be given to them by the driver. This should not be a decision made by automakers.

SIEGEL: The CEO of Ford recently said that Ford would disclose whatever information it collected. Is disclosure sufficient, or should there be a stronger guarantee than that?

MARKEY: I think it should be both. I think if an automotive manufacturer is able to build in Bluetooth and keyless entry and remote start and navigation and Wi-Fi, then they should also be able to build in software packages which protect privacy and safety of drivers. That's what this debate should be all about.

SIEGEL: Senator Markey, thanks for talking with us about your report.

MARKEY: You're welcome. Thanks for having me on.

SIEGEL: Senator Ed Markey, Democrat of Massachusetts. Transcript provided by NPR, Copyright NPR.