[ISN] This Car Can Talk. What It Says May Cause Concern.

From: InfoSec News (isn@private)
Date: Tue Dec 30 2003 - 07:29:43 PST

  • Next message: InfoSec News: "[ISN] The future of security"

    http://www.nytimes.com/2003/12/29/technology/29car.html
    
    By JOHN SCHWARTZ
    December 29, 2003
    
    Last year, Curt Dunnam bought a Chevrolet Blazer with one of the most 
    popular new features in high-end cars: the OnStar personal security 
    system. 
    
    The heavily advertised communications and tracking feature is used 
    nationwide by more than two million drivers, who simply push a button 
    to connect, via a built-in cellphone, to a member of the OnStar staff. 
    A Global Positioning System, or G.P.S., helps the employee give verbal 
    directions to the driver or locate the car after an accident. The 
    company can even send a signal to unlock car doors for locked-out 
    owners, or blink the car's lights and honk the horn to help people 
    find their cars in an endless plain of parking spaces. 
    
    A big selling point for the system is its use in thwarting car 
    thieves. Once an owner reports to the police that a car has been 
    stolen, the company, which was started by General Motors, can track it 
    to help intercept the thieves, a service it performs about 400 times 
    each month. 
    
    But for Mr. Dunnam, the more he learned about his car's security 
    features, the less secure he felt. A research support specialist at 
    Cornell University, he is concerned about privacy. He has enough 
    technical knowledge to worry that someone else - say, law enforcement 
    officers, or even hackers - could listen in on his phone calls, or 
    gain control over his automotive systems without his knowledge or 
    consent. Any gadget that can track a carjacker, he reasons, can just 
    as readily be used to track him.
    
    "While I don't believe G.M. intentionally designed this system to 
    facilitate Orwellian activities, they sure have made it easy," he 
    said.
    
    OnStar is one of a growing number of automated eyes and ears that 
    enhance driving safety and convenience but that also increase the 
    potential for surveillance. Privacy advocates say that the rise of the 
    automotive technologies, including electronic toll areas, 
    location-tracking devices, "black box" data recorders like those found 
    on airplanes and even tiny radio ID tags in tires, are changing the 
    nature of Americans' relationship with their cars.
    
    Beth Givens, founder of the Privacy Rights Clearinghouse, said the car 
    had long been a symbol of Kerouac-flavored freedom, and a haven. "You 
    can talk to yourself in your car, you can scream at yourself in your 
    car, you can go there to be alone, you can ponder the heavens, you can 
    think deep thoughts all alone, you can sing," she said. With the 
    growing number of monitoring systems, she said, "Now, the car is Big 
    Brother."
    
    James E. Hall, a transportation lawyer and former chairman of the 
    National Transportation Safety Board, said the monitoring systems 
    presented a subtle blend of benefit and risk. "We are moving toward a 
    kind of automobile that nobody's ever known," he said. "It's mostly 
    good news, but there are negative things that we will have to work 
    through."
    
    Mr. Dunnam said he had become even more concerned because of a federal 
    appeals court case involving a criminal investigation in Nevada, in 
    which federal authorities had demanded that a company attach a wiretap 
    to tracking services like those installed in his car. The suit did not 
    reveal which company was involved. A three-judge panel in San 
    Francisco rejected the request, but not on privacy grounds; the panel 
    said the wiretap would interfere with the operation of the safety 
    services.
    
    OnStar has said that its equipment was not involved in that case. An 
    OnStar spokeswoman, Geri Lama, suggested that Mr. Dunnam's worries 
    were overblown. The signals that the company sends to unlock car doors 
    or track location-based information can be triggered only with a 
    secure exchange of specific identifying data, which ought to deter all 
    but the most determined hackers, she said. 
    
    As for law enforcement, the company said it released location data 
    about customers only under a court order. "We have no choice but to be 
    responsive to court orders," Ms. Lama said. 
    
    Other information systems being added to cars can be used for tracking 
    as well. Electronic toll systems are convenient for commuters, but the 
    information is increasingly being used to track movements. When police 
    were trying to track the car of Jonathan P. Luna, an assistant United 
    States attorney who was killed earlier this month, they pulled the 
    records of his charges on his E-ZPass account, which led them to 
    Pennsylvania, where his body was found. Such records have also been 
    used in civil cases like child custody disputes.
    
    Of all of the new automotive technologies, none presents a more 
    complex set of benefits and risks than the "black box" sensors that 
    have already been placed in millions of cars nationwide. The latest 
    models capture the last few seconds of data - like vehicle speed, 
    seatbelt use and whether the driver applied the brakes - before a 
    collision.
    
    Such detailed reporting of accidents raises privacy concerns, said 
    experts at Consumers Union, which has filed comments with the federal 
    government warning about possible violations of privacy. Sally 
    Greenberg, senior product safety counsel at Consumers Union, said her 
    group recognized the potential safety benefits of the reporting but 
    wanted the government to "proceed with caution." 
    
    People's cars have already started turning their owners in. Scott E. 
    Knight, a California man, was convicted last year for the killing of a 
    Merced, Calif., resident in a March 2001 hit-and-run accident; police 
    tracked him down because the OnStar system in his Chevy Tahoe alerted 
    OnStar when the airbag was set off. 
    
    Transportation experts say that if these sensor systems can provide 
    crucial information for emergency aid workers and for vehicle 
    research, lives will be saved. The federal government is considering 
    rules that would standardize the information that black boxes provide, 
    along with ways to gather the information.
    
    The Institute of Electrical and Electronics Engineers Standards 
    Association is working to develop a worldwide standard for black 
    boxes. Tom Kowalick, who is co-chairman of the effort, calls the 
    program "quite simply a matter of life and death for millions of motor 
    vehicle crash victims."
    
    Mr. Hall, the former federal official, is the other co-chairman of the 
    effort, and he agreed that the technology should be used to detect 
    dangerous car models. The privacy concerns can be minimized, he said, 
    by applying the technology to commercial vehicles and fleets. "There 
    are enough vehicles out there," he said, "to amass evidence, to 
    provide you with the type of information you need without having to 
    even address the subject of the privately owned vehicles right now."
    
    Surveillance technologies are easy to buy and even easier to abuse, 
    privacy experts say. Paul A. Seidler was arrested last year in 
    Kenosha, Wis., after he installed a tracking device in an 
    ex-girlfriend's car. According to the police report, the 
    ex-girlfriend, Connie Adams, complained that "she could not understand 
    how the defendant always knew where she was in her vehicle at all 
    times." 
    
    Police inspected her 1999 Chevrolet Cavalier and found a small black 
    box near the radiator that beamed the car's position to Mr. Seidler's 
    computer. In June, Mr. Seidler was sentenced to nine months in jail 
    for stalking Ms. Adams.
    
    The use of location tracking is growing. Law enforcement agents have 
    used similar devices to chart suspects' travels, and a California 
    company now offers a similar device so that parents can monitor their 
    teenagers' driving. 
    
    Last year a small rental car company in New Haven, Acme Rent-a-Car, 
    angered customers by using global positioning to fine them $150 for 
    speeding. The state's department of consumer protection declared the 
    fines illegal - but not the tracking. The company appealed the 
    consumer agency's action, but in July a state judge rejected the 
    appeal.
    
    Ian Ayres of Yale University, a law professor who has examined the 
    issue, predicted that regardless of what happened with Acme, "within a 
    decade all our car insurance companies will be offering us discounts 
    if we will commit to Acme-like contracts - if we agree not to speed." 
    and the use of tracking technology will grow "even if they don't give 
    us a discount," he said, because "all the parents will want these 
    boxes in their cars to know whether their kids are speeding." 
    
    In fact, one of the largest insurance companies in the United States, 
    Progressive Auto Insurance, has already tested policies in Texas that 
    tied insurance rates to car usage as monitored by global positioning. 
    
    Tires, too, can tell on drivers. This year, Michelin began implanting 
    match-head-sized chips in tires that can be read remotely. The company 
    started using the chips to provide manufacturing information that 
    could help spot failure trends and to comply with a federal law 
    requiring close tracking of tires for recalls. But privacy activists 
    fear that the chips, which can be loaded with a car's vehicle 
    identification number, would allow yet another form of automated 
    vehicle tracking. "You basically have Web browser 'cookies' in your 
    tires," said Richard M. Smith, an independent privacy researcher.
    
    Aviel D. Rubin, the technical director of the Information Security 
    Institute at Johns Hopkins University, said that every new technology 
    with the potential to invade privacy was introduced with pledges that 
    it would be used responsibly. 
    
    But over time, he said, the desire of law enforcement and business to 
    use the data overtook the early promises. "The only way to get real 
    privacy," he said, "is not to collect the information in the first 
    place."
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Tue Dec 30 2003 - 10:22:58 PST