Not only are there privacy implications in terms of what the vehicles will be transmitting locally, but vehicles also need a network connection to receive new certificates and certificate revocations:
> Under the proposal, each message will be digitally signed. Each car will be provisioned with 20 certificates (and corresponding secret keys) per week, and will cycle through these certificates during the week, using each one for five minutes at a time. Certificates will be revocable; revocation is meant to guard against incorrect (malicious or erroneous) information in the broadcast messages, though there is no concrete proposal for how to detect such incorrect information.
This regulation will force all cars to be connected cars, and being connected comes with its own security and privacy implications.
Car privacy has been dead for a decade or more between cashless toll systems, cellular carriers and LPR. It's not coming back.
Sticking your head in the sand and pushing back against a system that is necessary to protect the safety of the driving public as automated vehicles become a thing is shortsighted.
Image recognition technology is such that you likely have a dozen or more government and private entities noticing you. You can buy data from cell carriers to know the average income of travelers on a road at a given time for a 45-minute drive in urban and suburban areas.
Hell, I built a parking gate system for somebody with a Raspberry Pi and an outdoor security camera sourced from eBay -- and I'm a dope with no unique skill in these areas.
This is different. It is full surveillance everywhere, for every car and every time. Not just some roads with cameras, whose pictures (at least in Germany) are supposed not to be saved except for trucks.
In the US, I'm sure the FBI and DEA have real-time feeds of phone movements for thousands or millions of phones. They had pervasive LPR surveillance a decade ago.
You really believe a phone is truly switched off? Unless the main processor kills the baseband power by GPIO, it is not - and baseband processors are a fairly easy exploit target, much more so for a state-level threat.
I can leave it at home or buy a phone that has hardware validation processes to ascertain its correctness when turned off (or the transmitter system is disabled). I could put the phone in a Faraday cage or selectively raise the noise level of certain broadcast ranges within a limited range. I could kill the radio IC and use a wifi mesh network. None of these measures are prevented by federal law.
Federally mandating trackers in a car is a completely different story. It will be illegal to remove these trackers, so a basic liberty will be taken away.
> Car privacy has been dead for a decade or more between cashless toll systems, cellular carriers and LPR. It's not coming back.
None of these things are remotely similar to legally mandated broadcasting of your location multiple times per second. They do not constitute a reason to sacrifice privacy for some nebulous safety gains.
I'm not a privacy zealot by any stretch, nor a car engineer, but it's not really clear that this system will actually do much to improve safety anyway.
This won't be widespread for 20 years and the data quality coming out of cars will be very mixed.
It seems pretty ridiculous to invest in this rather than allocating funds to things that are both useful immediately and in the long term, like actually painting lane markings everywhere.
Given how shoddy (http://illmatics.com/Remote%20Car%20Hacking.pdf) automobile software is, the idea of safety-critical components parsing radio broadcasts from other vehicles and acting upon that is very worrisome. I do not trust vehicle software manufacturers to get this anywhere near right.
None of them, however, permits tracking quite as cheaply, undetectably, and pervasively
This is a theme. Large swathes of privacy have been eroded simply because technology allowed the Government to use principally legal methods on a much greater and automated scale. And with the past and current government, there is no particular push to reverse this.
The only help here has been the Supreme Court decision on warrantless GPS trackers.
Not to mention the widespread availability of SDR chips in the RTL family which can hear this data transmitted if you're reasonably close to an airport.
So far as I'm aware, ADS-B wasn't designed to be private. In fact, something of the opposite -- ADS-B was meant (in part) to provide notice of your presence to other aircraft in the vicinity.
"What about the safety benefits of proposed technology?"
Yes, what about the safety benefits of proposed technology? As in, what are they? Until that paragraph I didn't even know this was supposed to be a safety system, just a surveillance system. How is this supposed to increase safety?
Also, who is going to pay for these boxes and what will be the penalty for not installing one?
This makes spying by Google and FB look mild by comparison.
I guess the idea is to make it easier to build fully autonomous vehicles.
I think it's pointless, though. It will take decades to equip the entire US auto fleet with these transmitters, and by that point, the vision and scene analysis problems that currently give autonomous vehicles trouble will have long since been solved anyway.
ETA: the PDF linked from the article [0] supplies a rationale. But it also says that under the proposal, only new light vehicles would be required to have the transmitter. I think my argument stands: by the time even 50% of the cars have this, autonomous driving will be a solved problem.
I think you've got your causation backwards; this is what will allow for widespread autonomous adoption. This proposal is making sure that all cars are speaking the same language and are talking to each other. I look at this as the Federal Government standardizing the width of railroads so that we could get on with our business. But autonomous cars without intra-car communication seem hampered. As to the vision and scene analysis, the proposal specifically mentions that vision is limited by line of sight. This allows for cars to communicate around corners and through other cars. This seems like a net boon for all drivers that won't be rendered moot by a few cameras on cars.
The median age of cars and light trucks in the US is around 9 years. That means it will take 9 years for this system to reach 50% penetration, once it becomes available at all, which is probably 3 years away at least. At the rate things are progressing, do you really think autonomy won't be a solved problem, or nearly so, in a dozen years?
I can see the attraction of this system from a strictly engineering point of view -- it would be nice not to be limited by line of sight. But how many collisions between vehicles have you ever heard of where the drivers literally couldn't see each other until too late? I think these are pretty rare. Seems like occlusion is more of a problem when pedestrians or cyclists are involved, as they sometimes pop out unwisely from behind parked vehicles; but they're not going to be wearing transmitters. Also, radar provides some ability to see occluded vehicles; transmitters are not even the only solution to that problem.
So, given the threat to privacy this system would represent, I don't see that the benefits approach the costs.
The most basic safety feature is that cars can tell each other when they're braking, so your car can start braking the same millisecond, not when you happen to notice things.
Maybe the car should emit some sort of electromagnetic radiation signal that can be detected with a sensor. It could be emitted when braking. It could even be part of the visible spectrum so we could see it as light. Some sort of braking light, or maybe just brake light. Too bad no one thought of this earlier.
Are any of the TCP congestion control algorithms dependent on a router's TCP receiving messages that are trusted by the router to be originating from upstream routers based on an authentication scheme that the router manufacturers trust to deliver anti-DDOS safety features?
It's my understanding that these broadcasts are supposed to aid other vehicles with their predictions in self-driving scenarios. I'm not necessarily against some sort of protocol for self driving cars to communicate with one another for this purpose, but the proposed solution seems to be severely lacking in basic security.
You seem surprised, but this is an indicator that you're not reading a good article. They are covering something and don't even accurately describe the proposal by NHTSA. But thankfully they link to the proposal itself. So here's the summary:
> This document proposes to establish a new Federal Motor Vehicle Safety Standard (FMVSS), No. 150, to mandate vehicle-to-vehicle (V2V) communications for new light vehicles and to standardize the message and format of V2V transmissions. This will create an information environment in which vehicle and device manufacturers can create and implement applications to improve safety, mobility, and the environment. Without a mandate to require and standardize V2V communications, the agency believes that manufacturers will not be able to move forward in an efficient way and that a critical mass of equipped vehicles would take many years to develop, if ever. Implementation of the new standard will enable vehicle manufacturers to develop safety applications that employ V2V communications as an input, two of which are estimated to prevent hundreds of thousands of crashes and prevent over one thousand fatalities annually.
As to your questions,
> what about the safety benefits of [the] proposed technology? ... How's this supposed to increase safety?
From the executive summary, the benefit of this is that it provides more information without requiring line of sight to other vehicles. It can "see" through cars, allowing it to perceive dangerous situations around corners and behind other cars. It provides more information like braking force and path prediction so that more corrective action can be taken. If vehicles are updating each other with steering inputs and brake inputs along with path prediction, it's hard not to envision how this could increase safety. A car can react to emergency braking far, far faster than a human can.
From the linked proposal, there's a whole section VII, Estimated Costs and Benefits. Section D there is Estimated Benefits, with subsections 1. Assumptions and Overview, 2. Injury and Property Damage Benefits, 3. Monetized Benefits, 4. Non-Quantified Benefits. From the monetized annual benefits section,
> Table VII–38 provides the undiscounted annual fatal equivalents, monetized benefits, and property damage and congestion savings of the proposed rule from the year 2021 to 2060. As shown, by Year 5 the proposed rule is estimated to save 129 to 169 fatal equivalents totaling approximately $1.3 to $1.6 billion annually. Approximately 12 percent of the monetized savings, $176 to $237 million, are from the estimated reduction of property damage and congestion. By the year 2060, with V2V fully deployed, the proposed rule is estimated to save approximately 5,631 to 7,613 fatal equivalents annually. Finally, the total associated monetized annual savings would range from $54.7 to $73.9 billion. Of these savings, $7.7 to $10.6 billion is estimated to be property damage and congestion savings.
> Also, who is going to pay for these boxes
Section VII (Estimated Costs and Benefits) B (Quantified Costs) 1. (Component Costs) has your answers! Physical hardware is estimated to add $245.79 for one radio and $347.18 for two radios with an estimated $17.80 installation fee. The added weight is expected to add $0.19 - $6.97 in fuel costs per year. Summarizing "The cost per new vehicle would range from $135 to $301...". As to the who, presumably the consumer.
> What is the penalty for not installing one?
From Section I (Executive Summary) the wording is that "to require all new light vehicles to be capable of Vehicle-to-Vehicle ("V2V") communications, such that they will send and receive Basic Safety Messages to and from other vehicles." This seems to be a regulation aimed at manufacturers, and non-compliance would probably come from marking the fleet of manufactured cars as not road legal.
It sounds like most of the security/privacy objections revolve around the ID. If the purpose is safety, why even bother to broadcast an ID? All you need to know for safety purposes is that a large hunk of metal and glass at distance D is approaching or receding at velocity V and angle theta.
Would eliminating the ID component of the proposal satisfy the critics?
> Would eliminating the ID component of the proposal satisfy the critics?
I'm not a critic and I have no idea.
As to the rest, just about everything we do in interaction has an ID. This comment will have an ID. I as a Hacker News user will have an ID. My cellphone and its SIM card both have IDs. My Google account somewhere has an ID. These are just the requirements of data persistence.
As to this system for cars, in humans we call this object permanence. We track things with our eyes and maintain that a thing we were aware of has moved to a new location. Removing IDs seems to remove this fundamental notion of how we think. "Car x was here but now is here" seems like we have knowledge of the scene; there were 3400 pounds going 72 mph to the left of us earlier, now there are 3200 pounds going 71 mph in front of us. How many cars are in this scene? Did a car move in front of you and brake, or have you encountered another car and lost track of the first one?
And from the proposal,
> Finally, the Temporary ID is a four-byte string array randomly-generated number that allows a receiving device to associate messages sent from the same device together.
So it's a random number generated every five minutes, and "[a]dditional research is being conducted to further investigate the ability or limitation of the five minute time period to mitigate the potential for tracking and protect privacy".
> How many cars are in this scene? Did a car move in front of you and brake, or have you encountered another car and lost track of the first one?
The updates are sent at 10 per second, aren't they? The basic concept of inertia will let you keep track of what cars are around you for collision-avoidance and even ad-hoc communication purposes. A car simply can't warp in or out at timescales faster than that.
You don't need to know that the cars you're tracking are the same ones you were tracking five minutes ago. There's no safety application for an ID feature.
>The basic summary of the proposal, known as Dedicated Short Range Communication (DSRC), is as follows. From the moment a car turns on and every tenth of a second until it shuts off, it will broadcast a so-called “basic safety message” (BSM) to within a minimum distance of 300m. The message will include position (with accuracy of 1.5m), speed, heading, acceleration, yaw rate, path history for the past 300m, predicted path curvature, steering wheel angle, car length and width rounded to 20cm precision, and a few other indicators. Each message will also include a temporary vehicle id (randomly generated and changed every five minutes), to enable receivers to tell whether they are hearing from the same car or from different cars.
Ok this could be useful, especially with autonomous vehicles hitting the road.
>Under the proposal, each message will be digitally signed. Each car will be provisioned with 20 certificates (and corresponding secret keys) per week, and will cycle through these certificates during the week, using each one for five minutes at a time. Certificates will be revocable; revocation is meant to guard against incorrect (malicious or erroneous) information in the broadcast messages, though there is no concrete proposal for how to detect such incorrect information.
Ugh, why do they need to be provisioned by a third party? Just let each car generate its own random ephemeral keypairs per some time interval and sign with those. You already said "Each message will also include a temporary vehicle id (randomly generated and changed every five minutes)", so what's the need for third-party certificate provisioning?
They do work, but what if they could be cheaper and more effective?
A radio receiver is a cheap interface to implement and doesn't have the same line of sight requirements. Such a system would offer a bigger speed trap monitoring range, easier installation, and much more location flexibility.
Put one in every police vehicle. Get on a few interstate-adjacent radio towers. Roadside battery-powered installations that can easily be moved on a regular basis.
I wasn't trying to make a moral claim about the good/badness of speed traps. Just that a broadcast vehicle position system that allows the state to easily identify the vehicle will eventually be used for enforcing traffic law.
I'm betting that will cut down on speeders since automated ticketing will be as easy as a receiver that matches the certificate with the car and automatically issues a ticket.
The ID is a randomly generated 4 byte integer. This is obviously not identifying for law enforcement. I don't know about the certificates if they could be identifying but I'm not seeing a way to track down an owner or operator from this otherwise.
It's a tool that will be used to raise revenue (tax $/mile/minute) and drive people away from personally owned vehicles to a more expensive robot Uber future.
It is, messages are signed by a certificate rotated every 5 minutes.
So for 5 minutes you know precisely which car it is and then when the changeover happens you just look for which certificate has disappeared and which has newly appeared and do some fuzzy matching based on position and heading. That is not remotely anonymous.
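The linking step described above (watch which ID disappears and which appears, then match on position and heading) is the kind of check a privacy reviewer would run to judge whether a five-minute rotation actually mitigates tracking. The toy below is an added example, not code from the article or the proposal: the cars, their straight-line motion, the 5 m tolerance and the dead-reckoning linker are all constructed. It also shows the condition under which the match fails: when two neighbours rotate at the same moment at the same speed and heading, the linker cannot tell them apart and claims nothing.

```python
# Toy linkability check for the five-minute temporary-ID rotation in the V2V proposal.
# Added example; scenarios, motion model and linker are constructed, not from the proposal.
import math
import random
from dataclasses import dataclass

BSM_HZ = 10       # proposal: one Basic Safety Message every tenth of a second
ROTATE_S = 300    # proposal: temporary ID (and certificate) changes every five minutes

@dataclass
class BSM:
    tick: int        # message index; time in seconds = tick / BSM_HZ
    temp_id: int     # four-byte random temporary ID
    x: float         # metres
    y: float
    speed: float     # m/s
    heading: float   # radians

def simulate(cars, seconds, seed=1):
    """Emit (car_name, BSM) for straight-line cars; all rotate IDs at the same 300 s boundary."""
    rng = random.Random(seed)
    ids = {n: rng.getrandbits(32) for n in cars}
    out = []
    for tick in range(seconds * BSM_HZ):
        if tick and tick % (ROTATE_S * BSM_HZ) == 0:
            ids = {n: rng.getrandbits(32) for n in cars}
        t = tick / BSM_HZ
        for n, (x0, y0, v, h) in cars.items():
            out.append((n, BSM(tick, ids[n], x0 + v * t * math.cos(h),
                               y0 + v * t * math.sin(h), v, h)))
    return out

def link_pseudonyms(bsms, max_err_m=5.0):
    """For every ID that stops transmitting, dead-reckon one tick ahead and look for an ID that
    starts there. Link only if exactly one candidate is within max_err_m; two close candidates
    (a 'mix zone') stay unlinked. Returns {old_id: new_id} as inferred by the observer."""
    first, last = {}, {}
    for _, m in bsms:
        first.setdefault(m.temp_id, m)
        last[m.temp_id] = m
    dt, links = 1.0 / BSM_HZ, {}
    for old, m in last.items():
        px, py = m.x + m.speed * dt * math.cos(m.heading), m.y + m.speed * dt * math.sin(m.heading)
        close = [new for new, n in first.items()
                 if n.tick == m.tick + 1 and math.hypot(n.x - px, n.y - py) <= max_err_m]
        if len(close) == 1:
            links[old] = close[0]
    return links

def ground_truth(bsms):
    """True {old_id: new_id} successor map, built from the car names the observer never sees."""
    seq = {}
    for n, m in bsms:
        if not seq.setdefault(n, []) or seq[n][-1] != m.temp_id:
            seq[n].append(m.temp_id)
    return {a: b for ids in seq.values() for a, b in zip(ids, ids[1:])}

# Constructed scenarios: two cars on different roads, and two cars abreast at equal speed.
SEPARATED = {"A": (0.0, 0.0, 30.0, 0.0), "B": (0.0, 500.0, 25.0, math.pi / 2)}
ABREAST = {"A": (0.0, 0.0, 30.0, 0.0), "B": (0.0, 3.5, 30.0, 0.0)}

def evaluate(cars, seconds=2 * ROTATE_S):
    """Return (links the observer infers, links that are actually true) for one scenario."""
    bsms = simulate(cars, seconds)
    return link_pseudonyms(bsms), ground_truth(bsms)
```

In the separated scenario the observer recovers both rotations exactly; in the abreast scenario it recovers none, which is why synchronized changes among indistinguishable neighbours are the usual mitigation suggested for pseudonym schemes like this one.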
So anyone who can already follow a car can continue to follow a car. You're aware that cars have a globally unique identifier painted on the outside already, yes? And that identifier never changes and is trivially tied to the owner's identity? Let's try to maintain some perspective.
The VIN isn't transmitted wirelessly though. The article mentions that it is possible to build antennas that can extend the reception range by 2 to 3 orders of magnitude, so 300m (the proposed design range) may be stalked from as far away as 30km (2 orders of magnitude) or even more.
Place a few of these antennas strategically and you can monitor a huge area.
It seems as anonymous as current highway usage and vision. You can see a car while they are within eye-sight. In this proposal, your car can receive data about the other car while they are within about 300m. Once gone they are gone. I'm not seeing the leap to tracking and the loss of anonymity.
When using a better receiving antenna and demodulators and stuff and extending the range to 3000m, maybe you start to see the problem? It's 300m minimum for cars to see each other, which presumably is intended to work with reasonably cheap receivers. Chances are you can put one somewhat more advanced receiver somewhere in an average city and be able to track all vehicle movements.
Big Auto Exec... "Hey, we are years behind on self-driving tech, what are we going to do about it? How can we catch up? We're going to end up having to license software from Tesla/Google?!"
Other Big Auto Exec... "Oh don't worry we'll just use our political influence to change the rules to dramatically simplify the problem."
Problem... this broadcast approach isn't particularly helpful unless all cars have it. So to add this TCAS-style solution to all cars might cost what? $100/car in equipment alone? For all 263 million cars in the US that would be $26 billion. Seems pricey when Tesla has a system today that solves this problem without all that infrastructure, or the privacy concerns.
Woah, how did this even get on the table? It takes mere seconds to think of a vast array of genuine societal disasters that could come from this. This is beyond clipper chip levels of stupid.