Request for Comments "Connected Cars - Workshop, Project No. P175403"
RE: Connected Cars Workshop and P175403. Thank you for taking public comments on this important issue. I would like to suggest that consideration be given to addressing the long-term patching of security holes in electronic car systems. How will a new sixteen year old driver whose first car is a 11 years old be protected against security exploits that could endanger her safety if the manufacturers support for the technology in this vehicle has long ended? Today, we are telling Samsung Galaxy S4 owners that no new security patches will be issued for your phone. Get a new one. It's not so easy to replace a car every three years. We're seeing Android and Apple phone software integrated into new vehicles--so that exploited Galaxy S4 phone might infect that car if it's a trusted device in this emerging world of interconnected devices. I'm also concerned about the third-party software libraries and development controls used in these new vehicles which are being written by non-U.S. programmers and encapsulated so that the code is a black box (think libraries like JQuery). I propose that products be evaluated against a set of security best-practice standards and that automotive manufacturers would assess their vehicles against the standard to say it's EnergyStar 1.0 compliant--but in this situation you could call it SecurityStar 1.0 compliant. Over time, the new 1.5, 2.0 and other standards would be released. Buyers of older vehicles would have a sense of what level of technology security applies to that vehicle, and perhaps there needs to be a way for consumers to disable the car's remote access technologies to prevent someone from remotely exploting the car if the manufacturers aren't going to patch it forever. I know someone who has a Samsung refridgerator and Samsung Support refuses to tell them how to disable the wireless broadcast to prevent the neighbor kids from downloading the Samsung app and putting the device on defrost. Samsung told them not to worry about it. Consumers shouldn't have to become security experts--so such a Standard--along with FTC public service message campaigns to build awareness, will help people simplify security choices. Once these devices get older, new exploits will make them vulnerable and consumers should not have to dispose of devices into landfills when the manufacturer decides to quit supporting it. Always-connected IOT devices will be exposed even if the consumer is unaware. If you havent already, I recommend you engage the a security organization such as ISC2. There are talented people like Mano Paul at GM who works in this space, advises industry on full development lifecycle electronic security and can contribute greatly to this discussion. With regard to data, I believe consumers should be allowed to opt-out of what data their car collects and stores. Consumers own this data, and they should not be presented with an "expensive" choice such as a manufacturer who says that if you opt-out of data collection and sharing, then most of your technology features will be unable to function. I recently loaded an audio book CD into a loaner car and the when I removed the CD I found that the car had automatically copied the CD contents to the car's hard-drive without my knowledge. This sort of content vacuuming by companies is too aggressive. Consumers should not be playing "defense" when it comes to opting-out of data collecting. For example, we should not have to constantly restate our privacy preferences, such as occurs on Facebook, every time the company has "improved" the user interface and corporate viewpoint on how data is categorized/classified. Opt-out means Opt-Out.