Serves the Commercial Small Fleet Market of 10 – 50 Vehicles

Auto Focus

Who Controls Your Vehicles’ Data?

In the name of security, an automaker’s alliance is advocating denial of third-party access to the OBD-II port. Is this going too far?

September 27, 2017, by - Also by this author

For generations, farmers would plant, manage, and harvest crops based on assessments of the seasons, weather, and soil, their machinery, tools, and workforce. Upon harvest, farmers would deliver their yield to various markets and plan for the next season. How this wisdom was applied would make or break a farm.

No one questioned who “owned” that collective wisdom. The tractor manufacturers, tool makers, ledger binders, almanac publishers, and farmers’ markets would not have thought to have the rights to access that information. There were many circumstances in which the farmer would’ve shared his wisdom — but it was his choice to make.

Today, in this brave, new ecosphere that churns out 1.7 megabytes of new information per second — in which farmers’ tools, whereabouts, and market intelligence are tracked and connected — numerous entities are claiming control of the data farmers generate. The farming industry is not alone.

The data collected and transmitted from vehicles, which already dwarfs fighter jets in lines of code, will increase a thousand-fold on the path to autonomy. From engine diagnostics and entertainment preferences to geo-location mashed with everything, vehicle-produced data is being used to manage sales and service routes, tailor insurance premiums, understand parts performance, and offer emergency services, among other things.

In the process, this data is also being monetized. And that revenue will one day dwarf returns from new vehicle sales. But who “owns” this data, and who has a right to it?

To date, control of, and access to, vehicle data has been addressed in U.S. law only with respect to vehicle event data recorders (EDRs or “black boxes”). In 2015, Congress clarified that EDR data is owned and controlled by the owner of the motor vehicle. An autonomous vehicle bill introduced earlier this month does not address data control.

However, growing concerns over vehicle safety and the security of personally identifiable information (PII) throw a monkey wrench into the data control and access equation. In 2016, the U.S. Department of Transportation’s National Highway Traffic Safety Administration (NHTSA) issued non-binding guidance to protect vehicles from cyberattacks. Understanding the robust market of aftermarket devices that connect to cars via Bluetooth, USB, or the OBD-II (on-board diagnosis) port, the guidance calls for the automotive industry to “consider the incremental risks that could be presented by these devices and provide reasonable protections.”

These cybersecurity vulnerabilities are real, evidenced through OBD-II devices that have been demonstrated to lack basic security protocols. How do we mitigate these vulnerabilities while allowing fair access?

Last year, the European Automobile Manufacturers Association (ACEA) published a position paper on this issue. Citing cybersecurity concerns, the paper asserts that vehicle manufacturers reserve the right to limit access to data via the OBD interface, except for diagnosis, repair, and maintenance of the vehicle when it is stationary.

The paper proposes a new system that provides for data access from a web server maintained by the auto manufacturer or a neutral server maintained by a third party. These access points would be governed by an agreement between those seeking access to the data and the vehicle manufacturer.

The paper goes further in introducing a financial stipulation: “Service providers who use vehicle data for commercial purposes shall compensate vehicle manufacturers for all costs incurred … and, where appropriate, for the market value of the data.”

A working group convened by the European Union raised red flags here. In qualitative assessments of ways to access vehicle data, the group found that, of all the issues studied, the automaker-server solution posed the highest risk to “fair and undistorted competition.”

While these discussions remain theoretical in large part, BMW has been proactive in moving forward with a switch to a server-based system (maintained by BMW) that denies access to OBD ports for non-diagnostic purposes.

While BMW’s new platform is configured so that “The customer alone decides whether or not a company receives their data,” the press statement makes clear that “Third-party access to the vehicle, which greatly increases the risk of hacking, is avoided.”

Neither BMW nor any automaker is advocating denial of vehicle data to any third party — the movement is to deny access to data through the OBD port. However, the implications of an outright ban on OBD port access are numerous, as a myriad of services and business processes depend on this access to function.

Automakers are now service providers, competing directly with traditional services offered by rental, leasing, fleet management companies, and even insurance. In this light, eliminating direct access in favor of a system controlled by automakers must be scrutinized carefully, particularly as standards on OBD port safety and compatibility continue to evolve.

There are no bulletproof solutions, yet. In farming, the Agricultural Data Coalition was created to help farmers better manage their data. The group advocates creation of “a neutral, independent, farm-centric data repository where farmers can securely store and control the information” that farmers collect from their devices.

Could this be a path for the auto industry and others? Whatever the solution, it will take a coalition of stakeholders — fleet owners, aftermarket services, industry associations, and automakers — to work toward solutions that strike the right balance between security, privacy, functionality, and fair access.

Comment On This Story

Email: (Email will not be displayed.)  
Comment: (Maximum 10000 characters)  
Leave this field empty:
* Please note that comments may be moderated.

Fleet Incentives

Determine the actual cost of owning and running a vehicle in your fleet. Compare vehicles by class and model.


Fuel Management

Bernie Kanavagh from WEX will answer your questions and challenges

View All


Fleet Tracking And Telematics

Todd Ewing from Verizon Connect will answer your questions and challenges

View All


Fleet Management And Leasing

Jack Firriolo from Merchants will answer your questions and challenges

View All


Sponsored by

A vehicle commonly built on a car platform but with features of a sport-utility vehicle.

Read more

Author Bio

Chris Brown

sponsored by

Executive Editor

Chris is the executive editor of Business Fleet Magazine and Auto Rental News. He covers all aspects of the fleet world.

» More

More From The World's Largest Fleet Publisher