Legendary golfer Tiger Woods was driving a Genesis GV80 when he suffered a horrific rollover crash that resulted in his hospitalization and surgery on his leg. The Genesis features the same technology many vehicles have today, which allows drivers to sync their phones to the cars to make phone calls, send texts and listen to music.

Should Woods have done that with the Genesis he was loaned, Andrea Amico said a lot of personal information about the golfer could have been gleaned from an examination of the car's systems. It could be anything from a list of the famous people listed in Woods' contacts to perhaps details about a deal with Nike that had not been made public yet.

It's a high-profile example of the many privacy questions surrounding connected vehicles. Amico has made it a goal to raise awareness about the potential issues when storing data in an automobile. One of the ways he aims to accomplish this goal is through a company he founded in 2019.

Privacy4Cars is a technology company that produces an application to help drivers wipe personal data from a vehicle. The company produces offerings for both consumers and wholesalers, service providers and dealerships. Amico said Privacy4Cars has a 99.7% completion rate when used to remove data from a vehicle. He compared it to the traditional method of having a professional manually wipe the information themselves, which he said only results in a compliance rate of 30%.

Amico said the back-end component of the app helps car dealers, wholesalers and service providers demonstrate their commitment to removing data from connected vehicles. 

"We have an entire compliance engine and reporting engine so that you can see the car, what steps were followed, by whom, when was it done and which systems were reset," Amico said. "We bring it all up in a certification and a warranty and then we publish it in a number of places to provide shared visibility over what happened. This is the way in which companies can have not just a policy, but confidence the policy has been applied and they have the receipts to prove they are doing the right thing."

The application is only one part of what Privacy4Cars does in the automotive space. Amico said the organization is also committed to raising awareness around data in connected cars. Privacy4Cars has done this by reaching out to the media, expanding its efforts to include Canada and Europe. Amico said his organization has worked with nonprofits and even reached out to members of U.S. Congress to inform lawmakers of issues that may require their attention.

Amico said Privacy4Cars needs to perform all these activities because knowledge in this area is sorely lacking, and it isn't just the drivers who need an education.

"I’m not just talking about individuals," Amico said. "I’m also talking about industry people. We spend a lot of time doing education on what happens when you sync your phone. What people don’t realize is when you do that, you create a mini clone of your phone stored locally in your car. The data you find ranges from, for older vehicles that have just Bluetooth, your contacts, your call logs, a copy of text messages plus a lot of metadata that allows you to be reidentified as a user. Newer cars have a lot more stuff. We’ve seen calendar entries, browsing history, the apps they use on their phone and the photos they are taking." 

So what can be done to protect the information stored in these connected vehicles?

Back in 2015, the Driver Privacy Act of 2015 was passed as part of the $300 billion Highway Deal. The bill prohibits anyone but the owner from accessing data in a vehicle except under specific circumstances. Amico points out the bill only covers the information collected from a car's electronic data recorder.

A car's EDR is only one small avenue for how a car can collect data on its driver, and Amico believes the bill could be expanded upon once it is eventually revisited.

"Congress took action in 2015, but they just focused on one of the 60 to 150 computers in the car," Amico said. "I’m not sure why the other 99% got left out, but the Highway Bill is due for re-up and so that could be a very good initiative to do to expand the same rights and protections to all the other devices in the car, not just the EDR."

Revisions of the bill may also have to tackle who owns the data within the car. The Driver Privacy Act states the data is "the property of the owner or lessee of the vehicle in which the recorder is installed, regardless of when the vehicle was manufactured."

This creates a problem in cases similar to the one Woods faced. Amico said since the car was loaned to Woods, any data uploaded to the vehicle would be the property of Genesis. This discrepancy is one Amico called a "sticky situation" and must be addressed in future iterations of the bill. 

Congress may play a part in protecting drivers' privacy, but for Amico, they are only one piece of the puzzle. For data concerns to be assuaged, Amico feels it ultimately needs to take a village.

"Our view is that the traditional view of saying ‘this is a problem that manufacturers and their tier-one suppliers have’ is not accurate," Amico said. "This is like saying that the privacy of computers is a problem for Dell and Intel. It takes an entire ecosystem and right now we have this very siloed view of who is responsible for finding a solution. Everyone is responsible. Consumers should be informed and should be able to do things on their own, but also the industry, at different layers, should set multiple safety nets to ensure the protection of their personal information." 

Photo by Arteum.ro on Unsplash