Mandatory Car 'Black Boxes' Proposed: Privacy Questions

Who Is Hacking U.S. Banks? 8 Facts

Is the country ready for black box data recorders inside consumers' automobiles?

The National Highway Traffic Safety Administration (NHTSA) last week issued a notice of proposed rulemaking in the Federal Register, proposing that as of Sept. 1, 2014, all cars should be fitted with event data recorders (EDRs).

"The agency is issuing this proposal because we believe that, without a regulation, EDRs will remain absent from the estimated 8% of the current light vehicle fleet that lacks an EDR," according to the Federal Register listing. "We believe that requiring all light vehicles required to have frontal air bags to be equipped with EDRs would help improve vehicle safety for consumers, while imposing relatively limited costs on the automobile industry."

Consumers have until Feb. 11, 2013, to comment on the proposal. Already, however, the consumer rights group Electronic Privacy Information Center (EPIC) warned that EDRs "record detailed information about drivers, which can be made available to insurance companies, the police, and others," and recommended that "commentators urge the agency to 'strengthen privacy safeguards'" for data captured by any such devices.

[ Ready for driverless cars? Read Google Autonomous Cars Get Green Light In California. ]

But the NHTSA, in its proposal, suggested that any related data privacy safeguards would have to come via laws enacted by Congress -- none currently exist -- or state legislatures. "While these issues are of continued importance in the public discussion on the use of EDR technology, as an agency, we do not have the statutory authority to address many of these privacy issues because they are generally matters of State and Federal law that we do not administer," said the NHTSA proposal.

To date, about a dozen states have passed laws governing how EDR data can be used. Most state laws require automotive manufacturers to disclose to new buyers when a vehicle contains an EDR, and also limit how collected data may be used or shared. Colorado law, for example, "prohibits the release of event data unless the data is released to a motor vehicle safety and medical research entity or data processor in order to advance motor vehicle safety, security, or traffic management," unless the release of that information is ordered by a court, or else the vehicle's owner simply consents to it being used.

This isn't the NHTSA's first foray into EDR standards. Notably, the agency created an EDR regulation in 2006, and it went into effect on Sept. 1, 2012. But although that regulation specifies how recorders should capture and store information -- as well as "crash survivability" requirements -- it doesn't mandate the installation of EDRs.

Why bother capturing vehicle data? According to the NHTSA, having access to EDR data could improve vehicle safety both now and in the future, not least by allowing the agency to examine the effectiveness of the latest safety features. "It is important to have EDR data relating to the crash experiences of vehicles with these advanced safety systems so that the agency can, at the earliest possible time, gather enough information about emerging advanced technologies to conduct reliable analyses and make policy judgments," said the proposal.

"Additionally, the agency's experience in handling unintended acceleration and pedal entrapment allegations has demonstrated that EDR data from a particular vehicle model can have significant value to both the agency and the vehicle's manufacturer to identify and address safety concerns associated with possible defects in the design or performance of the vehicle," it said.

Recent breaches have tarnished digital certificates, the Web security technology. The new, all-digital Digital Certificates issue of Dark Reading gives five reasons to keep it going. (Free registration required.)