Data protection in connected vehicles

Under the heading "Internet of Things" (IoT), a number of application levels are described in the automotive industry that are intended to enable efficiency, particularly in manufacturing as well as in traffic. If one also takes into account developments in the area of Industry 4.0, it mostly revolves around efficient applications and analyses of correlated information. However, where the journey with networked vans and passenger cars is heading is shown, for example, by accident reports about vehicles equipped with distance sensors. Because drivers apparently relied only on their autopilots, they were even injured in slow-moving traffic. - How can drivers protect themselves from incorrect information?

The international standard ISO/IEC 27001 (see box) provides key data on information technology deficiencies and even improper type testing. ISO 27001 is structured in the same way as ISO 9001, but does not include business processes, but rather measures to ensure information security.

Legal hurdles
Technologically, the sharing and analysis of data should help make life smoother and more convenient for a company as well as for customers. This concept is not groundbreakingly new. However, in times of digital transformation, the security sphere of resource-defined or personalized moving objects is a highly complicated matter. Even executive forces show gaps in interpretation as to which areas belong to data security and which to IT security. The Swiss Data Protection Act (DSG) Art. 11 VE DSG guarantees the security of personal data. However, the Federal Council only issues minimum requirements.

Art. 18 para. 1 ("Data protection by technology ... ") is already more precise in the wording, when it says: "The controller and the processor are obliged to take appropriate measures which, from the time of planning the data processing, reduce the risk of violations of personality or fundamental rights and prevent such violations".

Despite this protection against misuse, many legal details in the information sector remain vague. For example, in the so-called prototype protection under ISO 27001:2005, emblems, signage and other information indicating specific facilities of a company are already subject to rigorous data and information protection.

However, such sources of information and analogue orientation points are preferred by road users and the police - although car video interfaces are increasingly being used for checks and evaluations, not least for legal evidence.

Security standards such as ISO/IEC 27001 help to detect and avoid information technology loopholes in networked PWs.

Intelligent vehicles - playground for cyber spies?
Interacting objects are increasingly shaping our business and work objectives. The real revolution in connected, intelligent vehicles lies in the fact that the granularity of data is multiplying. Current studies underline that highly scaled installations of 5G infrastructures will become reality by 2020.

In 2020, every global citizen will own an average of 1.5 devices (including M2M modules) - whereby the "connected cars", the networked vehicles possibly equipped with adapted social media and infotainment programs, are not yet included in the calculation.

Greater storage capabilities and increased processing speeds are providing information - gradually in real time - that can either be mapped into a main memory or read in without database access. This benefits a number of internal and external stakeholders in the automotive industry.

It is becoming increasingly evident in which complex areas information technology challenges and opportunities lie: Basically, the system units communicating with each other must be able to speak the "same language". This requires uniform communication systems (central codes) that can be used and interpreted correctly by all participants. In some cases, however, sensitive gaps exist in many "smart" car devices.

Whether it's the remote opening of vehicle doors, Bluetooth interfaces, integrated cellular modems, manipulated firmware updates - sensors, audio CDs and other drive elements of a vehicle: networked cars offer loopholes for cyber spies. Insiders became aware of this in 2015 when the ADAC insurance company demonstrated a hack of the BMW online system ConnectedDrive.

A bug in the software, which has since been corrected by BMW, would have enabled thieves with sufficient technical skill to unlock and open the doors of 2.2 million BMW vehicles worldwide via mobile communications. Symantec, a US software company, also points to di-verse points of attack in connection with smart vehicles.

Basically, a distinction is made between remote attacks and physical attacks (direct attacks) on the car. According to Symantec, it is not a remote attack if someone sends malicious code or modifies the CAN bus (Controller Area Network) for networking the ECU (Electronic Control Unit) integrated in the vehicle.

Experts speak of a remote attack when the anti-theft protection, the navigation system or the tire pressure display are manipulated in car systems controlled by the ECUs.

Pioneering technologies
Safety and diagnostic functions are of-ferently the most important criterion for around 75 percent of car buyers, ahead of other electronic tools in vehicles, underlines the "Connected Car Industry 2016 Report".

Leading car OEMs could have sold an average of 1.4 million connected cars per month by the end of 2016, the recently published report continues. However, where there are beneficial installations such as the internet in the car, controversial legal lines could be drawn in the near future.

For the automotive industry, fundamental trends are already emerging for the "Internet of Things" in networked vehicles:

• Companies such as Google, Baidu - and in Switzerland the SBB and Swiss Post - are making efforts to develop their own vehicles that can drive autonomously.
• The Internet of Things is becoming increasingly mobile and public. However, this will require the coordination of countless data.
• OEMs such as Audi, Daimler, BMW and Tesla are developing assistance systems. They already offer corresponding equipment variants today.
• The Internet of Things also requires widespread wireless data and interfaces.

Other exponents of the supplier industry such as Bosch or Continental are working intensively on corresponding sensory features. As innovation drivers of the IoT, they are working with various developers from the IT sector to bring new technologies to the road. Projects at Bosch on the subject of RFID already show a high degree of implementation for the public.

Radio Frequency IDentification (abbreviated: RFID ) is an automatic identification process that will have various applications. It is a contactless communication technology that transmits information for the identification of persons, animals, goods and merchandise.

Communication within a company (warehouse/logistics concepts) is clearly the most advanced scenario in the industry. Furthermore, it is about the integration of suppliers and business partners into the processes - the most prominent activity here is certainly the RAN project (RFID Automotive Network), which was funded by the BMWi and whose results are being further developed in the working group at the Verband der Automobilindustrie e. V., VDA.

Current conflicts
The public perception is still one of analogous accident prevention and "common insurance campaigns" that drivers should keep their hands on the wheel. With regard to intelligent navigation, communication, distance and camera assistants and potential sources of distraction, Swiss traffic law still remains vague.

With so-called dashcams, which are used by truck drivers, for example, to show and assess speeds and distances, drivers run the risk of self-incrimination in the event of a traffic violation. Not only insurance companies, but also police traffic patrols in particular advocate the use of dashcams or similar devices. On the other hand, the Federal Data Protection and Information Commissioner (FDPIC) sees violations of privacy in the case of camera recordings of people.

According to a FDPIC guideline, the police alone may only record if they observe a concrete violation of traffic regulations or at least have a reasonable suspicion.

If you now voluntarily install so-called residual distance recorders (abbreviation: RAG) or accident data storage devices (abbreviation: UDS) in vehicles, you agree per se to hand over relevant information (civil evidence) to investigating authorities during and after a traffic accident in order to determine human or technical failure.

The conflicts of interest that are circulating in digitalised road traffic and in the use of highly automated vehicles are proof that a valid legal reform - in the case of companies, a corresponding certification - must be introduced. Finally, the quality and manipulability of the recording devices must always be critically questioned, for example with regard to their formats, their standardisation - also with regard to any inadequate security points.