This article summarises several issues that affect us specifically (Tesla facial recognition; several lawsuits are pending in US courts and in Germany) and generally in terms of this thread and data ethics.
"JUSTIN LING - SECURITY - JUL 1, 2022 7:00 AM
Is Your New Car a Threat to National Security?
Putting sensor-packed Chinese cars on Western roads could be a privacy issue. Just ask Tesla.
STARTING THIS WEEK, Teslas won’t be welcome in the Chinese resort town of Beidaihe. The electric cars are strictly banned on the streets of the coastal city for the next two months, as senior Communist leadership descends on the city for a secret conclave.
It’s not the first time, either. The city of Chengdu barred Teslas in advance of a June visit from President Xi Jinping, Reuters reported, while some military sites have similarly forbidden Elon Musk’s flagship product. While no official reason was released, the bans seem to be out of concern that the vehicles’ impressive array of sensors and cameras may offer a line of sight into meetings of Beijing’s senior leadership.
It’s a curious move. China is, increasingly, one of the most connected countries in the world—Chinese industry has even tried to brand Chengdu as the “5G Joy City,” where locals are encouraged to stream their daily lives.
Tesla may be one of the most popular electric vehicle brands in China, with upwards of a half-million vehicles on the roads, but it is not itself Chinese. The firm has acquiesced to Beijing’s data localization demands, setting up a dedicated data center in China, but it cannot shake the characterization that it is a foreign company—and, therefore, a national security threat.
It’s not a concern unique to Xi’s government. As Chinese automakers gear up for a big push into the West, anxieties are already mounting as to how those vehicles could phone their robust trove of data home.
The future of transport is certain to be electric and autonomous vehicles. They could also be the future of espionage.
NATIONAL ANXIETY ABOUT the surveillance powers of new modes of transportation is hardly novel.
In 1913, the French army seized the German-made Z-4 airship after it flew off course in thick fog and landed on French soil. Paris ordered that “any photographs of French fortified places taken en route would also be seized,” The New York Times reported at the time.
Through the Cold War, both sides of the Iron Curtain addressed the question of expanding aerial surveillance capabilities by signing the Open Skies Treaty—opting to provide clear rules on how and when both NATO and Warsaw Pact countries would spy on each other from the skies, even regulating the flight path for these surveillance missions, instead of attempting to stop them outright.
Consumer vehicles are just a recent addition to the national security equation. But thanks to the globalized economy and modern product development, they are perhaps the trickiest challenge yet.
As it stands, Teslas are arguably the most connected and widespread of a new generation of vehicles. Not only do they hoover up a massive amount of data on the driver—from call logs to on-board browser history to average speed and route history—but their outward-facing sensors and cameras can relay a considerable amount of information about the surrounding world.
David Colombo, a 19-year-old German programmer, proved earlier this year that accessing incredibly sensitive data on Tesla users wasn’t just possible—it was fairly easy. Using a third-party application with access to Tesla’s API, Colombo got into the systems of more than two dozen Teslas around the world, controlling their locks, windows, and sound systems and downloading a huge bundle of information.
“I was able to see a large amount of data. Including where the Tesla has been, where it charged, current location, where it usually parks, when it was driving, the speed of the trips, the navigation requests, history of software updates, even a history of weather around the Tesla and just so much more,” Colombo wrote in a Medium post published in January that detailed his exploits.
While the specific vulnerabilities Colombo took advantage of have been patched, his hack demonstrates a huge flaw at the core of these smart vehicles: Sharing data is not a bug; it’s a feature.
The amount of data Tesla collects and uses is just the tip of the iceberg. We have yet to see fully autonomous vehicles or the much-vaunted “smart cities,” which could see 5G-enabled roads and traffic lights.
In the near future, cars will not only collect information about their driver and passengers, but the vehicles, pedestrians, and city around them. Some of that data will be necessary for the car to function properly—to reduce collisions, better plan routes, and improve the vehicles themselves.
“The United States and Europe have been asleep at the wheel,” says Tu Le, managing director of Sino Auto Insights. The US, Canada, and Europe may continue to be the world leaders in producing traditional vehicles, but that lead won’t hold for long. Whether it’s cobalt mining, lithium battery innovation, 5G-enabled technology, or large data analytics, Le says China has been several steps ahead of its Western competitors.
“All those seemingly unrelated things are converging into this smart EV,” Le says.
Of course, not all of Beijing’s success came honestly. Chinese nationals have been accused of pilfering intellectual property from American companies to bolster China’s growing industry. Le says that sort of espionage certainly helps, but it’s not the main reason for Beijing’s exploding growth in the automotive sector.
The West, meanwhile, has been sluggish in adopting local data and privacy protections.
As it stands, Le says, Chinese electric vehicles are roughly three years away from hitting American streets in a major way. “They’re already in our backyard, and we haven’t done anything yet,” he argues.
It’s not just about regulating Chinese vehicles once they arrive, either. As Colombo’s hack showed, domestic vehicle manufacturers need to step up their security game as well. Many manufacturers push software and firmware updates for various aspects of their vehicles over the air.
“Think about the danger when an update is sent to hundreds of thousands of cars wirelessly,” wrote Alexander Poizner, CEO of UK-based cybersecurity firm Parabellyx, in a 2021 blog post. He posed a hypothetical: “What if China used malware to disrupt traffic in Taiwan as a prelude to a military attack?”
Insufficient regulation has led to a total lack of consistency, as Poizner noted: “There is no single standard around cybersecurity for either autonomous vehicles or the infrastructure to support these across the automotive industry.” But cybersecurity standards aren’t the only area where the US is coming up short.
“Policymakers are struggling at the highest level,” says Marjory Blumenthal, senior fellow and the director of the Technology and International Affairs Program at the Carnegie Endowment for International Peace, a global think tank based in Washington, DC.
Nevertheless, Washington’s instincts may be quite similar to Beijing’s. In the past, the United States and its allies have opted to simply ban Chinese products from sensitive areas—from the country’s unsuccessful TikTok ban to its considerably more effective effort to exclude Huawei technology from 5G infrastructure. America’s allies have followed suit in blocking Huawei from the backbone of their next-generation mobile systems, including Australia, Canada, and the United Kingdom.
In 2018, the Trump administration moved to slap tariffs on the Chinese automotive sector, arguing that the foreign competition threatened to undermine America’s domestic industry, thus harming a research-and-development pipeline into the US military. “It is imperative that related R&D remain within the United States, be conducted by American-owned firms, and that the United States Government take measures to secure the long-term viability of domestic R&D in the automotive sector,” reads a 2019 Commerce Department report. (The tariffs were later abandoned.)
Such a protectionist move would likely kneecap major Western automakers, which are currently vying for new market share in China. Beijing has made it clear that any protectionism in the West would be met with retaliatory measures.
There are certainly concerns that curtailing how vehicle data can be collected, analyzed, and transferred could limit research and development of automotive companies looking to keep up with their Chinese competitors, Blumenthal says. Canada and the European Union do have more expansive and consistent privacy laws that offer a clearer road map for companies headquartered there, unlike the United States. “The data questions are less well explored in this country, given that we don’t have a monolithic privacy regime,” Blumenthal adds.
As companies hustle to build out these new systems, Blumenthal says, they will be collecting a huge volume of information. “That then raises the question of how much is stored? Where is it stored? For how long is it stored?” she says. Governments need to regulate these areas, she adds, and worry less about China’s panopticon model.
There may be grand claims about what China hopes to do with its unparalleled heap of data, but Blumenthal says she’s not convinced that China’s system will be better simply because it captures more data. “I’m not ready to buy that.”
As the technology matures, she says, companies may figure out how to reduce the noise in that data, collecting only what is necessary to improve safety, make routes more efficient, and inform innovation.
Creativity in determining how those algorithms work may ultimately mean more than the data feeding into it, she says.
Le says there’s a desperate need for clarity—rules about what data can be freely exploited, what data needs to be anonymized, and what needs to be held within a country’s borders. “We’re over-relying on the tech industry to say, ‘Oh, we’ll keep it safe for you,’” he says.
“We might look back in 10 years and see it’s the frog-boiling scenario,” Blumenthal says of the auto industry’s increasingly sophisticated data collection. Or, she adds, “we’ll have a scenario where people are adapting to all the behavioral monitoring in the world.”
But there’s a note of optimism. While legislative fixes to address vehicle data collection have wallowed in Congress, Blumenthal points to the National Highway Traffic Safety Administration’s efforts to modernize its policies to keep up with the times. “As they do that, it might be reasonable to assume that they could add privacy there,” she says.
China may be a walled garden for this technology, but the West has a history of determining the rules of the road collectively. “There is a framework of international standard-setting—and in the last two to three years you’ve seen an increase in standard-setting,” Blumenthal says.
How the world handles the data at the heart of these smart vehicles will ultimately determine the urgency of security concerns. Clear, consistent rules across the major economies could allay espionage fears and decrease the likelihood that competitors will set out to hack each others’ vehicles. Strong encryption, privacy protections, and other data regulations could help prevent the weaponization of drivers’ personal vehicles.
With the right constraints in place, the data collected by these vehicles could limit espionage and national security threats while significantly reducing crash fatalities and speeding up research and development.
Cooperation with Beijing could accelerate that process. Bitter competition could slow it all down."
https://www.wired.com/story/china-cars-surveillance-national-security/