NHTSA: Auto safety bill could weaken privacy

David Shepardson
Detroit News Washington Bureau

Washington — The Federal Trade Commission and the National Highway Traffic Safety Administration said Tuesday a House GOP draft auto safety bill could substantially weaken the privacy and security of U.S. drivers, criticizing several proposals.

Last week, Republicans on the House Energy and Commerce Committee unveiled draft auto safety legislation that would make it unlawful to hack into a motor vehicle and would impose up to a $100,000 fine. It also would give automakers immunity from oversight from the FTC on privacy and security issues if they agreed to certain principles.

Maneesha Mithal, associate director of the division of privacy and identity protections, says in written testimony released ahead of a House Energy and Commerce Committee subcommittee hearing Wednesday that the bill has serious problems. Automakers would “receive substantial liability protections in exchange for potentially weak best practices instituted by a council that they control. The proposed legislation, as drafted, could substantially weaken the security and privacy protections that consumers have today,” she said in her nine-page testimony released Tuesday.

The head of the National Highway Traffic Safety Administration, Mark Rosekind, said in separate written testimony that the proposals on privacy and cybersecurity may have “the opposite of their intended effect” and could “seriously undermine” the agency’s ability to ensure safety. “Ultimately, the public expects NHTSA, not industry, to set safety standards,” Rosekind’s testimony says.

He also criticized a proposal that would bar NHTSA from making an auto recall public until a manufacturer has a complete list of VIN numbers ready. He said that could prevent NHTSA from making public critical safety information for an extended period.

Earlier this year, Wired magazine uncovered security flaws in Jeep Cherokees that allowed a researcher to remotely control vehicle functions. That finding led to the recall of 1.4 million Fiat Chrysler vehicles. The FTC said the bill would prohibit “responsible researchers” from finding flaws. “By prohibiting such access even for research purposes, this provision would likely disincentivize such research to the detriment of consumers’ privacy, security and safety,” Mithal wrote.

Under the draft bill, automakers would be required to submit privacy policies for driver data to NHTSA and could be fined up to $1 million if they violated those policies — or $5,000 a day if they failed to submit the policies. If automakers submitted those policies, they would not be subject to oversight by the FTC.

Mithal said the bill would allow automakers to collect information about consumers through their websites with no oversight by the FTC — even if they misrepresented privacy protections. Automakers could change privacy policies by simply notifying the National Highway Traffic Safety Administration.

The bill would make it unlawful to hack into a motor vehicle to gain access to the vehicle’s controls and impose up to a $100,000 civil penalty. NHTSA would be compelled to create an automotive cyber advisory council that would include all automakers that sell at least 20,000 cars a year, the Defense Department, the National Institute of Standards and Technology, NHTSA and others. At least half of the group members would need to be automakers.

The group would develop best practices for the industry that would be approved by a majority. The council would meet at least annually to update the recommendations. Automakers could then submit plans to comply with the best practices and would avoid oversight from the FTC if they took part.

The FTC said the group “will not encourage best practices robust enough to protect consumers.” Mithal said the group would mean that automakers “alone could decide what best practices would be adopted.” The draft does not mandate areas to set minimum standards, but merely suggests possible areas. The FTC also notes there is no requirement that the policies be updated as risks change.

Automakers would get immunity even if they made false claims about security provisions such as use of firewalls, encryption or other specific security features of their websites if the area was covered by the best practices policies.

Democrats have introduced sweeping auto safety reform legislation in both the House and Senate that would dramatically boost recall fines, give NHTSA broad new authority and substantial new funding to get unsafe vehicles off the road, and impose new criminal penalties on auto executives who allow unsafe vehicles on the roads. A compromise highway bill considered by the Senate earlier this year would have tripled recall fines to $105 million from the current $35 million maximum.