The Cybersecurity Implications Of Driverless Cars (Video Content)

self

Driverless cars have gone from science fiction to fact. While in many respects driverless cars are in their infancy, they are already seen on roadways. For instance, Google's driverless car was reported to have driven over a million miles as of June 2015 1; Tesla's autopilot software increasingly enables Tesla drivers to rely more heavily on their car's operating system to perform driving manoeuvres; 2 and most recently, Uber started offering customers in downtown Pittsburgh the ability to summon driverless cars.3

Early known details about how driverless cars function suggest they will rely heavily on the collection of information in order to understand the surrounding environment and to safely navigate from point A to point B. Driverless cars collect information in various ways, sometimes using their own devices, and sometimes by obtaining information shared with them by other vehicles, connected devices or infrastructure. These vehicles are also expected to collect tremendous amounts of information for safety and even passenger entertainment reasons (as will be discussed further below).

From a cybersecurity perspective, driverless cars present a number of unique considerations, challenges and risks. While many of the issues at play are not necessarily unique to driverless cars, these connected vehicles collect massive amounts of information by design and travel into areas that may often increase the risk of inadvertent disclosure. Moreover, these vehicles may be used to cross borders and enter jurisdictions that require the protection of information in materially different ways.

As the technology continues to develop, manufacturers are encouraged to build sound privacy and cybersecurity practices into the foundation of the design. The former Information and Privacy Commissioner of Ontario, Dr. Ann Cavoukian, describes privacy by design as follows:

The Privacy by Design approach is characterized by proactive rather than reactive measures. It anticipates and prevents privacy invasive events before they happen. [Privacy by Design] does not wait for privacy risks to materialize, nor does it offer remedies for resolving privacy infractions once they have occurred − it aims to prevent them from occurring. In short, Privacy by Design comes before-the-fact, not after. 4

This paper examines the privacy and cybersecurity issues concerning driverless cars in the context of the Canadian legal framework applicable to private sector organizations. Manufacturers and developers are urged to seriously consider Dr. Cavoukian's privacy by design philosophy at this early stage of the driverless car.

What are driverless cars and how do they collect information?

A driverless car (also referred to as "autonomous vehicle", or "AV") is generally defined as a motor vehicle with a system that performs dynamic driving tasks with limited human assistance. 5 AVs are generally understood using the following spectrum: Level 0 (no automation), Level 1 (driver assistance), Level 2 (partial automation), Level 3 (partial automation), Level 4 (high automation) and Level 5 (full automation). 6 The Ontario Ministry of Transportation further describes an AV as a driverless or self-driving car that is capable of detecting the surrounding environment using artificial intelligence, sensors and GPS coordinates.

Driverless cars continuously collect information about the environment around them using a variety of sources — including radar, a laser surveying technology called Lidar and three-dimensional maps. To do so, a car's computer utilizes wireless networks to transmit data about the car's surroundings in real time. That data would then go back to the car's computer and possibly also to an external central hub controlled by the manufacturer. With respect to storage of the collected data, one of the options being pursued by various automakers is cloud storage. 7

Driverless cars must also be able to interact and exchange data with one another in real time. Technology is being developed that would enable driverless cars to communicate with one another and the surrounding infrastructure through sensors that broadcast information. 8 Communication between driverless cars is often referred to as vehicle to vehicle ("V2V") communication. V2V-enabled cars reportedly broadcast a 320-byte message to nearby vehicles up to 10 times per second with basic information including position, acceleration and brake status. 9

The key data source for driverless cars...