Hellen Beveridge CIPM CIPP/E FIDM Hellen Beveridge CIPM CIPP/E FIDM Privacy Lead, Data Oversight Ltd
Highway Patrol

Highway Patrol

This article was first published in the Spring 2019 issue of Data Protection Magazine

This year, after a period of car ownership dictated by the need to get multiple children, two large dogs and many, many bicycles into a single vehicle, we finally got rid of the monster, polluting diesel. Off to the scrap heap courtesy of one careless owner.

New cars come with lots of frills these days. Even before you have the key in your hand it is possible to check the progress of your purchase through whichever digital tool the manufacturer shares with you. Though how valuable this user experience is when your vehicle goes from ‘awaiting build slot’ to ‘on the ship’ in less than 30 minutes is debatable.

Given that my primary aim for owning any car that isn’t an Aston Martin DB9 is to get from A to B in good time and relative comfort, I didn’t pay a great deal of attention to how long it was taking the other half to ‘set up’ the vehicle once it arrived all shiny on our driveway. It involved the constant borrowing of my phone, key matching and a couple of evenings sat in the garage with the manual (should have been a red flag). That is until I was charging it at a service station 40 miles from home and he cancelled the session from the comfort of our living room. I should just say that he was just being nosy and pressed the wrong button on the App, and knew it wasn’t going to end well when he found he couldn’t turn it back on again remotely.

Electric cars mean no traipsing to the petrol station to fill up, but it does mean interacting with an emerging (and decidedly patchy) charging infrastructure. Who knew there were so many different providers, each coming with their own app and requests to access every file on your phone. Standing in the pouring rain, with the fast charge cable in your hand and a simple desire to plug in and head for a coffee, paying attention to complex consent questions isn’t a priority. In his book ‘Privacy’s Blueprint’, Woodrow Hartzog quotes Marx and calls this a form of “mandatory volunteerism” or “disingenuous communications that seek to create the impression that one is volunteering when that really isn’t the case”. 

When under pressure to get to the service we want, we agree to privacy invasive practices because we simply don’t have the time (or the patience) to work out whether there is an alternative.

For fleet managers there is an added headache. Vehicles now collect a plethora of personal data, including call data, contact lists, home addresses and location information. Anesh Chauhan, founder of Vehicle Data Clear (VDC), told Fleet News in November 2018 that “Vehicles are commonly transferred, sold or disposed of without proper consideration given to the data they may hold.” All of a sudden, linking your mobile phone to that holiday rental doesn’t seem quite such a good idea, particularly if you don’t know how to make sure it is all deleted when you take it back to the airport. Come to think of it – who is charged with deleting that information – and is there a ‘we take no responsibility’ clause that will have been slipped into the terms and conditions that no one has the time to read. Industry sources that represent fleet owners say that they should raise clearing data at the time of collection – going so far as to say it would be a leap to expect that fleets should take responsibility for erasing all the data. But if not them, who?

Tech leaders with their eye on the innovation prize say that users know what is being collected and how it is used, adding that most people don’t care anyway. But that absolutely isn’t true. Tim May, in his manifesto of the cypherpunk worldview, Cyphernomicon, talks about the ‘clueless 95%’. Taking this out of the revolutionary context espoused by this community, the phrase is an apt way of describing how the majority of individuals sleepwalk into giving up personal data in every aspect of their daily lives. 

Organisations that offer technology, whether this is for social or essential services, cannot sidestep their duties when it comes to data protection obligations.

Clearly, the earlier story of the car charging controlled from afar illustrates that the app in question was created with little emphasis on privacy engineering ethics. Subsequent investigation has shown that the only criteria needed to take ownership of the car and the App was to state that you were the keeper of the vehicle and the VIN number (visible through the windscreen). If someone beats you to it then you have to go through a long process with the manufacturer to get their consent to change things, which will include them emailing the previous primary user. It’s then up to you to reset your vehicle’s infotainment centre to factory settings to start all over again. Remember, this is an app which can: locate your vehicle at all times; control the heating settings; start and stop charging; see call history; etc. etc. For the majority of people this is brilliant, enjoyable technology…

Imagine however, how vulnerable this makes a victim of domestic violence, coercive control or stalking. Somehow, these scenarios seem to have bypassed the car designers in their pursuit of motoring excellence. With data collection now forming a large and integral part of every vehicle, it is time the manufacturers took a more serious approach to the risks they are creating.