Grabbing the wheel early: moving forward on cybersecurity and privacy protections for driverless cars.

Author:Lee, Chasel

TABLE OF CONTENTS I. INTRODUCTION 27 II. BACKGROUND 29 A. Today's Driverless Car Revolution Has Made Great Advances, but State Governments Have Only Begun to Touch the Issue 30 B. The Rapid Advance of Driverless Car Technology Has Created and Magnified Problems Regarding Cybersecurity and Privacy 31 C. Despite Cybersecurity and Privacy Concerns Surrounding Driverless Cars, There Is Currently a Dearth of Applicable Federal or State Law to Address These Concerns 34 D. Existing Cybersecurity and Privacy Laws Are Ill-Suited to Regulate Driverless Cars 40 III. A NEW COHERENT REGULATORY REGIME IS NEEDED TO GUIDE AND FOSTER THE DRIVERLESS CAR REVOLUTION 43 A. Given the Interstate Nature of Driverless Cars and Communications, Cybersecurity, and Privacy Pertaining to These Vehicles, Foundational Regulation Should Take Place at the Federal Level 43 B. Within a Federal Framework, States Should Be Allowed to Experiment with Some Regulation, and Private Industry Should Be Allowed to Engage in Some Self-Regulation 47 IV. NEW CYBERSECURITY AND PRIVACY REGULATIONS ARE NECESSARY TO PROTECT CONSUMERS AND PROMOTE FUTURE GROWTH 48 A. Cybersecurity Concerns Regarding Driverless Cars Should Be Addressed Through Regulatory Action 49 B. New Privacy Laws, Regulations, and Guidance Are Also Needed to Address Concerns Specific to Driverless Cars 51 V. CONCLUSION 52 I. INTRODUCTION

On October 9, 2010, the New York Times revealed that Google had been secretly testing driverless cars for almost a year. (1) This project, consisting mainly of modified Toyota Priuses, had already logged over 140,000 miles. (2) Resembling the company's Street View cars, seven prototypes had been twisting through San Francisco's steep and curvy Lombard Street, traversing the streets of the company's suburban hometown of Mountain View, and speeding down scenic Highway 1 to Los Angeles over 400 miles away. (3) The cars detected and announced upcoming crosswalks, could be driven cautiously or aggressively at the occupant's discretion, and had several mechanisms for the occupant to take manual control. (4)

While the driverless car concept has been tested since the 1920s with varying levels of success, news of Google's foray into autonomous vehicles electrified the world. (5) With the concept reintroduced into the popular consciousness, public and industry interest in driverless cars has grown immensely and allowed autonomous vehicles to gain mainstream traction. Since the New York Times article was published, Google has added more features, the vehicles have ventured farther, and the prototypes have been tested by various audiences, including the blind. (6) Hoping to grab a head start in this nascent market and garner publicity, traditional car companies such as Toyota and Audi have joined the fray by developing driverless car prototypes and incorporating automated parking functions into existing cars. (7) Tesla has also contributed its own innovations, such as transforming traditional human-controlled vehicles to autonomous cars simply via software updates to the car's onboard computers. (8) The company has already begun testing full-fledged self-driving cars in California and elsewhere since late 2016. (9)

Despite the optimistic outlook on the technological development of driverless cars, difficult legal and policy issues lurk in the background and emerge at every turn. For example, the 2010 New York Times article noted potential liability concerns between vehicle manufacturers and human passengers in cases of car crashes. (10) Other writers have discussed outdated state laws presuming human control of the car. (11) Additional concerns have turned on safety problems, whether arising from current

technological limitations (such as bike lanes or left turns in oncoming traffic), the inability of vehicles to deal with certain weather conditions, and unpredictable driver behavior. (12) Transparency and reporting of malfunctions and other incidents to authorities, especially when crashes occur, have become salient issues. (13) Also, ethics has become a major flashpoint in the driverless car debate, as software programmers must now grapple with situations such as the Trolley Problem, (14) which would now be decided by artificial intelligence and engineer-preset choices rather than human proclivities or simple error. (15)

Driverless cars also raise questions involving cybersecurity and privacy. (16) By their nature, driverless cars must collect and process a substantial amount of data to determine their surroundings, find the best route to a destination, and interact with other vehicles (autonomous or otherwise). (17) Among other conceivable privacy implications, this data collection raises numerous issues regarding the location of the vehicle, actions by passengers within the car, and common destinations. (18) Cybersecurity concerns include how and what data is stored onboard and for how long, how and what data is shared with others, and what defensive mechanisms are used to protect this data from hackers. (19) Does the consumer have control over what data is collected or shared? More importantly, can governments access this data, and if so, how? (20)

This Note explores the legal aspects and ramifications of cybersecurity and privacy issues regarding driverless cars. Section II of this Note proceeds with a brief discussion of the history of driverless cars, focusing especially on the developments made in the past ten years, before exploring the history of cybersecurity and privacy law in the United States and its relation, or lack thereof, to driverless cars. Section II will also examine legislative and regulatory efforts aimed at driverless cars, such as those recently launched by the National Highway Traffic Safety Administration (NHTSA). (21) This Note proposes in Section III that privacy and cybersecurity concerns should be analyzed, addressed, and regulated under a federal framework, while allowing the states and private industry leeway to engage in experimentation and innovation regarding regulation and promulgation of standards. Lastly, Section IV proposes that regulators collaborate with major players in the industry to craft new rules under their existing authority and set uniform consumer protection baselines for the private sector to follow. This legal regime would apply to both government surveillance and actions by private parties, such as manufacturers and third-party agents.


    Despite the breakneck speed of driverless cars' technological advances, legislation and regulation are still plodding along at a glacial pace. Legislators and regulators, seemingly blindsided by the surge of recent public interest in driverless cars, are still slowly figuring out the path forward to foster innovation and incorporate consumer protections. (22) However, the current situation stems from the trajectory of development of driverless cars and the ossified nature of American cybersecurity and privacy laws.

    1. Today's Driverless Car Revolution Has Made Great Advances, but State Governments Have Only Begun to Touch the Issue.

      For the most part, research into driverless cars was an under-the-radar affair in the 20th century. The history of driverless cars begins in the 1920s, when daring entrepreneurs built radio-controlled prototypes, the precursor to today's radio-controlled toy cars. (23) In 1958, General Motors (GM) tested a customized Chevrolet using pick-up coils to sense inductive signals from wires embedded in a test road to propel and turn itself. (24) The 1960s saw the Stanford Cart, a rudimentary buggy with a video camera and a remote control, while the 1970s ended with the first truly autonomous car, a Japanese model equipped with two cameras and analog computers and guided by an elevated rail. (25) The 1980s witnessed German aerospace engineer Ernst Dickmanns and his team build various models with cameras and microprocessors that could navigate in standard European traffic, and the 1990s saw roboticists at Carnegie Mellon University drive NavLab 5, a Pontiac minivan with cameras and an onboard computer, almost 3000 miles from Pittsburgh to Los Angeles in a trip called "No Hands Across America." (26) Prototypes slowly incorporated numerous advances such as installing cameras to use visual-based cues rather than wire loops locating induced signals, using increasingly sophisticated onboard computers, and integrating GPS for navigation. (27)

      The driverless car revolution in the United States had a major breakthrough in March 2004, when the U.S. Department of Defense, through the Defense Advanced Research Projects Agency (DARPA), held a Grand Challenge for fully autonomous cars in the California desert. (28) While no vehicles in that year's challenge succeeded in the mission, (29) it created a budding community interested in the concept of self-driving cars and revealed the staggering amount of work needed to bring the idea to fruition. (30) This coming-together of disparate, formerly scattered groups of inventors, programmers, designers, and innovators saw its first taste of success in 2005, when DARPA held its second Grand Challenge. (31) That year, five vehicles successfully completed the event, with one team winning a $2,000,000 prize. (32)

      The Grand Challenge laid the groundwork for the current rush of developments. Self-driving vehicles began to climb mountains and navigate urban-like environments. (33) They began to cross countries and continents, even (almost) getting ticketed by traffic police. (34) In 2011, Nevada became the first state to pass laws allowing autonomous vehicles to drive on public roads. (35) Other states, including California and Michigan, have since followed Nevada in passing or implementing laws and regulations permitting the same. (36)

    2. The Rapid Advance of Driverless Car Technology Has Created and Magnified Problems Regarding Cybersecurity and Privacy.

      As driverless cars gain prevalence in our cultural...

To continue reading