
Killing car privacy by federal mandate - necessity
https://freedom-to-tinker.com/2017/06/21/killing-car-privacy-by-federal-mandate/
======
kylec
Not only are there privacy implications in terms of what the vehicles will be
transmitting locally, vehicles also need to have a network connection as well
to receive new certificates and certificate revocations:

> Under the proposal, each message will be digitally signed. Each car
> will be provisioned with 20 certificates (and corresponding secret keys)
> per week, and will cycle through these certificates during the week,
> using each one for five minutes at a time. Certificates will be revocable;
> revocation is meant to guard against incorrect (malicious or erroneous)
> information in the broadcast messages, though there is no concrete proposal
> for how to detect such incorrect information.

This regulation will force all cars to be connected cars, and being connected
comes with its own security and privacy implications.

------
Spooky23
Car privacy has been dead for a decade or more between cashless toll systems,
cellular carriers and LPR. It's not coming back.

Sticking your head in the sand and pushing back against a system that is
necessary to protect the safety of the driving public as automated vehicles
become a thing is shortsighted.

Image recognition technology is such that you likely have a dozen or more
government and private entities noticing you. You can buy data from cell
carriers to know the average income of travelers on a road at a given time for
a 45-minute drive in urban and suburban areas.

Hell, I built a parking gate system for somebody with a Raspberry Pi and an
outdoor security camera sourced from eBay -- and I'm a dope with no unique
skill in these areas.

~~~
biafra
This is different. It is full surveillance everywhere, for every car and
every time. Not just some roads with cameras, whose pictures (at least in
Germany) are supposed not to be saved except for trucks.

~~~
Spooky23
It's there now.

In the US, I'm sure the FBI and DEA have real-time feeds of phone movements for
thousands or millions of phones. They had pervasive LPR surveillance a decade
ago.

~~~
ams6110
Perhaps. But you can put your phone on airplane mode or turn it off or just
leave it at home if you don't want it to be tracked.

~~~
mschuster91
You really believe a phone is truly switched off? Unless the main processor
kills the baseband power by GPIO, it is not - and baseband processors are a
fairly easy exploit target, much more so for a state-level threat.

~~~
edejong
I can leave it at home or buy a phone that has hardware validation processes
to ascertain its correctness when turned off (or the transmitter system is
disabled). I could put the phone in a Faraday cage or selectively raise the
noise level of certain broadcast ranges within a limited range. I could kill
the radio-IC and use a wifi mesh network. All of these measures are not
prevented by federal law.

Federally mandating trackers in a car is a completely different story. It will
be illegal to remove these trackers, so a basic liberty will be taken away.

------
zkms
Given how shoddy
([http://illmatics.com/Remote%20Car%20Hacking.pdf](http://illmatics.com/Remote%20Car%20Hacking.pdf))
automobile software is, the idea of safety-critical components parsing radio
broadcasts from other vehicles and acting upon that is very worrisome. I do
not trust vehicle software manufacturers to get this anywhere near right.

------
revelation
_None of them, however, permits tracking quite as cheaply, undetectably, and
pervasively_

This is a theme. Large swathes of privacy have been eroded simply because
technology allowed the Government to use principally legal methods on a much
greater and automated scale. And with the past and current government, there is
no particular push to reverse this.

The only help here has been the Supreme Court decision on warrantless GPS
trackers.

------
etimberg
This reminds me of the complete lack of security in ADS-B transmissions from
aircraft.

See an interesting DefCon talk from a few years ago:
[https://www.youtube.com/watch?v=CXv1j3GbgLk](https://www.youtube.com/watch?v=CXv1j3GbgLk)

~~~
kregasaurusrex
Not to mention the widespread availability of SDR chips in the RTL family
which can hear this data transmitted if you're reasonably close to an airport.

~~~
ubernostrum
So far as I'm aware, ADS-B wasn't designed to be private. In fact, something
of the opposite -- ADS-B was meant (in part) to provide notice of your
presence to other aircraft in the vicinity.

~~~
comboy
I think he means lack of any authentication. Messages could be signed by the
aircraft, but they aren't.

You can buy a HackRF below $200 and transmit them yourself. If you feel like
breaking the law that is.

~~~
dom0
In Germany you can get up to ten years for doing that.

~~~
comboy
I definitely do not advocate doing that. It's just that Mallory usually doesn't
care about the law, so security should be based on something more.

~~~
qb45
Also relevant: war.

------
mnm1
"What about the safety benefits of proposed technology?"

Yes, what about the safety benefits of proposed technology? As in, what are
they? Until that paragraph I didn't even know this was supposed to be a safety
system, just a surveillance system. How is this supposed to increase safety?

Also, who is going to pay for these boxes and what will be the penalty for not
installing one?

This makes spying by Google and FB look mild by comparison.

~~~
ScottBurson
> How is this supposed to increase safety?

I guess the idea is to make it easier to build fully autonomous vehicles.

I think it's pointless, though. It will take decades to equip the entire US
auto fleet with these transmitters, and by that point, the vision and scene
analysis problems that currently give autonomous vehicles trouble will have
long since been solved anyway.

ETA: the PDF linked from the article [0] supplies a rationale. But it also
says that under the proposal, only new light vehicles would be required to
have the transmitter. I think my argument stands: by the time even 50% of the
cars have this, autonomous driving will be a solved problem.

[0]
[https://www.gpo.gov/fdsys/pkg/FR-2017-01-12/pdf/2016-31059.p...](https://www.gpo.gov/fdsys/pkg/FR-2017-01-12/pdf/2016-31059.pdf)

~~~
ambulancechaser
I think you've got your causation backwards; this is what will allow for
widespread autonomous adoption. This proposal is making sure that all cars are
speaking the same language and are talking to each other. I look at this as
the Federal Government standardizing the width of railroads so that we could
get on with our business. But autonomous cars without intra-car communication
seems hampered. As to the vision and scene analysis, the proposal specifically
mentions that vision is limited by line of sight. This allows for cars to
communicate around corners and through other cars. This seems like a net boon
for all drivers that won't be rendered moot by a few cameras on cars.

~~~
ScottBurson
The median age of cars and light trucks in the US is around 9 years. That
means it will take 9 years for this system to reach 50% penetration, once it
becomes available at all, which is probably 3 years away at least. At the rate
things are progressing, do you really think autonomy won't be a solved
problem, or nearly so, in a dozen years?

I can see the attraction of this system from a strictly engineering point of
view -- it would be nice not to be limited by line of sight. But how many
collisions between vehicles have you ever heard of where the drivers literally
couldn't see each other until too late? I think these are pretty rare. Seems
like occlusion is more of a problem when pedestrians or cyclists are involved,
as they sometimes pop out unwisely from behind parked vehicles; but they're
not going to be wearing transmitters. Also, radar provides some ability to see
occluded vehicles; transmitters are not even the only solution to that
problem.

So, given the threat to privacy this system would represent, I don't see that
the benefits approach the costs.

------
SkyMarshal
My thoughts:

 _> The basic summary of the proposal, known as Dedicated Short Range
Communication (DSRC), is as follows. From the moment a car turns on and every
tenth of a second until it shuts off, it will broadcast a so-called “basic
safety message” (BSM) to within a minimum distance of 300m. The message will
include position (with accuracy of 1.5m), speed, heading, acceleration, yaw
rate, path history for the past 300m, predicted path curvature, steering wheel
angle, car length and width rounded to 20cm precision, and a few other
indicators. Each message will also include a temporary vehicle id (randomly
generated and changed every five minutes), to enable receivers to tell whether
they are hearing from the same car or from different cars._

Ok this could be useful, especially with autonomous vehicles hitting the road.

 _> Under the proposal, each message will be digitally signed. Each car will
be provisioned with 20 certificates (and corresponding secret keys) per week,
and will cycle through these certificates during the week, using each one for
five minutes at a time. Certificates will be revocable; revocation is meant to
guard against incorrect (malicious or erroneous) information in the broadcast
messages, though there is no concrete proposal for how to detect such
incorrect information._

Ugh, why do they need to be provisioned by a third party. Just let each car
generate its own random ephemeral keypairs per some time interval and sign
with those. You already said "Each message will also include a temporary
vehicle id (randomly generated and changed every five minutes)", so what's the
need for third party certificate provisioning.
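
The signing and rotation scheme quoted above (20 certificates per week, each used for five minutes, revocable by the issuer), together with the question of why a third party has to provision them, as an added example that is not from the article, the proposal, or anyone in this thread. It uses Go's standard-library Ed25519 in place of whatever curve the proposal specifies, a hypothetical minimal certificate format (a serial number and a public key, signed by a CA), and constructed message payloads; none of these names or formats come from the proposal. The receiver's `Verify` shows what the CA buys: a message signed with self-generated keys fails the check because nothing ties those keys to a provisioned vehicle, and a certificate the CA has revoked is rejected. `SlotIndex` also makes the rotation visible: in this model, with 20 certificates cycled at five minutes each, the same certificate comes back every 100 minutes, so within a week the certificate serial is itself a reusable pseudonym.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Figures quoted in the thread: 20 certificates per week, each used for five minutes.
const (
	CertsPerWeek = 20
	CertLifetime = 5 * time.Minute
)

// Certificate is a hypothetical minimal pseudonym certificate: the CA binds a
// short-lived vehicle public key to a serial number it can later revoke.
type Certificate struct {
	Serial    uint32
	PublicKey ed25519.PublicKey
	CASig     []byte // CA signature over tbs()
}

// tbs returns the to-be-signed bytes: the serial, then the raw public key.
func (c *Certificate) tbs() []byte {
	return append([]byte(fmt.Sprintf("serial=%d;", c.Serial)), c.PublicKey...)
}

// mustKey wraps key generation; a failing OS random source is fatal in this demo.
func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// CA issues the weekly batches and keeps the revocation list that receivers consult.
type CA struct {
	Pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	Revoked map[uint32]bool
}

// Provision creates one vehicle's weekly batch of CertsPerWeek certificates and
// matching secret keys. Serials are unique only within this demo batch.
func (ca *CA) Provision() (certs []Certificate, keys []ed25519.PrivateKey) {
	for i := 0; i < CertsPerWeek; i++ {
		pub, priv := mustKey()
		c := Certificate{Serial: uint32(i + 1), PublicKey: pub}
		c.CASig = ed25519.Sign(ca.priv, c.tbs())
		certs, keys = append(certs, c), append(keys, priv)
	}
	return certs, keys
}

// SlotIndex picks which of the 20 certificates is in use at time t. Because the
// batch is cycled, the same certificate comes back every 20 * 5 = 100 minutes.
func SlotIndex(t time.Time) int {
	return int(t.Unix()/int64(CertLifetime.Seconds())) % CertsPerWeek
}

// SignedBSM is a basic safety message with pseudonym certificate and signature attached.
type SignedBSM struct {
	Payload []byte // position, speed, heading, ... (constructed, not the real encoding)
	Cert    Certificate
	Sig     []byte
}

// Broadcast signs a payload with the key of the certificate in use at time t.
func Broadcast(certs []Certificate, keys []ed25519.PrivateKey, t time.Time, payload []byte) SignedBSM {
	i := SlotIndex(t)
	return SignedBSM{Payload: payload, Cert: certs[i], Sig: ed25519.Sign(keys[i], payload)}
}

// Verify is the receiving car's check, using the CA public key and revocation list
// it holds: CA signature on the certificate, revocation, then the message signature.
func Verify(caPub ed25519.PublicKey, revoked map[uint32]bool, m SignedBSM) error {
	switch {
	case !ed25519.Verify(caPub, m.Cert.tbs(), m.Cert.CASig):
		return errors.New("certificate was not issued by the trusted CA")
	case revoked[m.Cert.Serial]:
		return errors.New("certificate has been revoked")
	case !ed25519.Verify(m.Cert.PublicKey, m.Payload, m.Sig):
		return errors.New("bad message signature")
	}
	return nil
}

// Scenario exercises a valid broadcast, the same broadcast after the CA revokes its
// certificate, and a sender that generated and self-signed its own keys.
func Scenario() (accepted, revokedRejected, selfSignedRejected bool) {
	caPub, caPriv := mustKey()
	ca := &CA{Pub: caPub, priv: caPriv, Revoked: map[uint32]bool{}}
	certs, keys := ca.Provision()
	t0 := time.Date(2017, 6, 21, 12, 0, 0, 0, time.UTC)
	bsm := Broadcast(certs, keys, t0, []byte("constructed BSM: pos=40.7,-74.0 speed=25 heading=90"))
	accepted = Verify(ca.Pub, ca.Revoked, bsm) == nil
	ca.Revoked[bsm.Cert.Serial] = true // the CA later revokes the pseudonym it judged misbehaving
	revokedRejected = Verify(ca.Pub, ca.Revoked, bsm) != nil
	rpub, rpriv := mustKey() // self-signed sender: nothing ties these keys to a real vehicle
	rc := Certificate{Serial: 999, PublicKey: rpub}
	rc.CASig = ed25519.Sign(rpriv, rc.tbs())
	rogue := SignedBSM{Payload: []byte("x"), Cert: rc, Sig: ed25519.Sign(rpriv, []byte("x"))}
	selfSignedRejected = Verify(ca.Pub, ca.Revoked, rogue) != nil
	return accepted, revokedRejected, selfSignedRejected
}

func main() { fmt.Println(Scenario()) }
```

Running it with `go run` prints `true true true`. Note what the model does not cover, because the proposal as quoted does not either: how a receiver obtains the revocation list (which is the network connection kylec points out every car would need) and how misbehaviour is detected before anything gets revoked.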

~~~
forgottenpass
_Ugh, why do they need to be provisioned by a third party._

So the authorities know where to send the speeding tickets.

~~~
SkyMarshal
Traffic cameras, radar guns, and license plates already work pretty well for
that.

~~~
forgottenpass
They do work, but what if they could be cheaper and more effective?

A radio receiver is a cheap interface to implement and doesn't have the same
line of sight requirements. Such a system would offer a bigger speed trap
monitoring range, easier installation, and much more location flexibility.

Put one in every police vehicle. Get on a few interstate-adjacent radio
towers. Roadside battery-powered installations that can easily be moved on a
regular basis.

I wasn't trying to make a moral claim about the good/badness of speed traps.
Just that a broadcast vehicle position system that allows the state to easily
identify the vehicle will eventually be used for enforcing traffic law.

------
hajile
I'm betting that will cut down on speeders since automated ticketing will be
as easy as a receiver that matches the certificate with the car and
automatically issues a ticket.

~~~
Godel_unicode
Also it will enable passive average speed enforcement. "You were in LA and
Vegas, and exceeded the minimum time to legally travel there".

~~~
ambulancechaser
The ID is a randomly generated 4 byte integer. This is obviously not
identifying for law enforcement. I don't know about the certificates if they
could be identifying but I'm not seeing a way to track down an owner or
operator from this otherwise.

------
CalChris
The proposed message format isn't including car identity, at least that I can
tell.

[https://www.gpo.gov/fdsys/pkg/FR-2017-01-12/pdf/2016-31059.p...](https://www.gpo.gov/fdsys/pkg/FR-2017-01-12/pdf/2016-31059.pdf)

Without identity, how is this a massive invasion of privacy on the order of
Google and Facebook?

~~~
revelation
It is, messages are signed by a certificate rotated every 5 minutes.

So for 5 minutes you know precisely which car it is and then when the
changeover happens you just look for which certificate has disappeared and
which has newly appeared and do some fuzzy matching based on position and
heading. That is not remotely anonymous.

~~~
Godel_unicode
So anyone who can already follow a car can continue to follow a car. You're
aware that cars have a globally unique identifier painted on the outside
already, yes? And that identifier never changes and is trivially tied to the
owner's identity? Let's try to maintain some perspective.

~~~
andmarios
The VIN isn't transmitted wirelessly though. The article mentions that it is
possible to build antennas that can extend the reception range by 2 to 3
orders of magnitude, so 300m (the proposed design range) may be stalked from
as far away as 30km (2 orders of magnitude) or even more.

Strategically place a few of these antennas and you can monitor a huge area.

~~~
Godel_unicode
License plate + state = GUID.

~~~
bendbro
Did you respond to the wrong comment? I don't think the parent commenter is
debating that a license plate identifies a vehicle.

~~~
Godel_unicode
Nope. I said GUID, they said VIN, I was clarifying that I was talking about
the license plate not the VIN.

------
djyaz1200
Big Auto Exec... "Hey we are years behind on self driving tech, what are we
going to do about it? How can we catch up? We're going to end up having to
license software from Tesla/Google?!"

Other Big Auto Exec... "Oh don't worry we'll just use our political influence
to change the rules to dramatically simplify the problem."

~~~
Godel_unicode
Self-driving car engineer: "detecting cars you can't directly see is a huge
problem, what are we going to do about this??"

Other Engineer: "just have the other car tell us. I know you like solving hard
general case problems, but come on. This solution is super obvious."

~~~
djyaz1200
Problem... this broadcast approach isn't particularly helpful unless all cars
have it. So to add this TCAS style solution to all cars might cost what?
$100/car in equipment alone? For all 263 million cars in the US that would be
$26 billion. Seems pricy when Tesla has a system today that solves this
problem without all that infrastructure, or the privacy concerns?

~~~
ambulancechaser
The broadcast system is certainly helpful if less than all cars have it. The
proposal estimates the cost per car at 100-300 dollars.

> Seems pricy when Tesla has a system today that solves this problem without
> all that infrastructure, or the privacy concerns?

Solves it for those cars, and certainly at an expense higher than 100-300
cars. And it will only get better as it gets information from other cars.

------
microcolonel
Woah, how did this even get on the table? It takes mere seconds to think of a
vast array of _genuine societal disasters_ that could come from this. This is
beyond clipper chip levels of stupid.

