For generations, farmers would plant, manage, and harvest crops based on assessments of the seasons, weather, and soil, their machinery, tools, and workforce. Upon harvest, farmers would deliver their yield to various markets and plan for the next season. How this wisdom was applied would make or break a farm.
No one questioned who “owned” that collective wisdom. The tractor manufacturers, tool makers, ledger binders, almanac publishers, and farmers’ markets would not have thought to have the rights to access that information. There were many circumstances in which the farmer would’ve shared his wisdom — but it was his choice to make.
Today, in this brave, new ecosphere that churns out 1.7 megabytes of new information per second — in which farmers’ tools, whereabouts, and market intelligence are tracked and connected — numerous entities are claiming control of the data farmers generate. The farming industry is not alone.
The data collected and transmitted from vehicles, which already dwarfs fighter jets in lines of code, will increase a thousand-fold on the path to autonomy. From engine diagnostics and entertainment preferences to geo-location mashed with everything, vehicle-produced data is being used to manage sales and service routes, tailor insurance premiums, understand parts performance, and offer emergency services, among other things.
In the process, this data is also being monetized. And that revenue will one day dwarf returns from new vehicle sales. But who “owns” this data, and who has a right to it?
To date, control of, and access to, vehicle data has been addressed in U.S. law only with respect to vehicle event data recorders (EDRs or “black boxes”). In 2015, Congress clarified that EDR data is owned and controlled by the owner of the motor vehicle. An autonomous vehicle bill introduced earlier this month does not address data control.
However, growing concerns over vehicle safety and the security of personally identifiable information (PII) throw a monkey wrench into the data control and access equation. In 2016, the U.S. Department of Transportation’s National Highway Traffic Safety Administration (NHTSA) issued non-binding guidance to protect vehicles from cyberattacks. Understanding the robust market of aftermarket devices that connect to cars via Bluetooth, USB, or the OBD-II (on-board diagnosis) port, the guidance calls for the automotive industry to “consider the incremental risks that could be presented by these devices and provide reasonable protections.”
These cybersecurity vulnerabilities are real, evidenced through OBD-II devices that have been demonstrated to lack basic security protocols. How do we mitigate these vulnerabilities while allowing fair access?
Last year, the European Automobile Manufacturers Association (ACEA) published a position paper on this issue. Citing cybersecurity concerns, the paper asserts that vehicle manufacturers reserve the right to limit access to data via the OBD interface, except for diagnosis, repair, and maintenance of the vehicle when it is stationary.
The paper proposes a new system that provides for data access from a web server maintained by the auto manufacturer or a neutral server maintained by a third party. These access points would be governed by an agreement between those seeking access to the data and the vehicle manufacturer.
The paper goes further in introducing a financial stipulation: “Service providers who use vehicle data for commercial purposes shall compensate vehicle manufacturers for all costs incurred … and, where appropriate, for the market value of the data.”
A working group convened by the European Union raised red flags here. In qualitative assessments of ways to access vehicle data, the group found that, of all the issues studied, the automaker-server solution posed the highest risk to “fair and undistorted competition.”
While these discussions remain theoretical in large part, BMW has been proactive in moving forward with a switch to a server-based system (maintained by BMW) that denies access to OBD ports for non-diagnostic purposes.
While BMW’s new platform is configured so that “The customer alone decides whether or not a company receives their data,” the press statement makes clear that “Third-party access to the vehicle, which greatly increases the risk of hacking, is avoided.”
Neither BMW nor any automaker is advocating denial of vehicle data to any third party — the movement is to deny access to data through the OBD port. However, the implications of an outright ban on OBD port access are numerous, as a myriad of services and business processes depend on this access to function.
Automakers are now service providers, competing directly with traditional services offered by rental, leasing, fleet management companies, and even insurance. In this light, eliminating direct access in favor of a system controlled by automakers must be scrutinized carefully, particularly as standards on OBD port safety and compatibility continue to evolve.
There are no bulletproof solutions, yet. In farming, the Agricultural Data Coalition was created to help farmers better manage their data. The group advocates creation of “a neutral, independent, farm-centric data repository where farmers can securely store and control the information” that farmers collect from their devices.
Could this be a path for the auto industry and others? Whatever the solution, it will take a coalition of stakeholders — fleet owners, aftermarket services, industry associations, and automakers — to work toward solutions that strike the right balance between security, privacy, functionality, and fair access.