Survey of Automotive Privacy Regulations and Privacy-Related Attacks 2019-01-0479

Privacy has been a rising concern. Triggered by the Facebook-Cambridge Analytica scandal, the European Union has established a privacy standard called General Data Protection Regulation (GDPR) in May 2018. Unfortunately, privacy in vehicles is still a niche research area with little effort/progress made so far. Data collection from vehicles by OEM platforms is increasingly popular and may offer OEMs new business models at the risk of potential privacy leakages. Vehicular sensor data shared with third-parties can lead to misuse of the requested data for other purposes than intended. The only relevant existing regulation document so far is non-voluntary guidelines introduced by the Alliance of Automobile Manufacturers (“Auto Alliance”) which classify the vehicular sensors used for data collection into covered and non-sensitive parameters. This paper provides an overview of existing privacy standards as well as ongoing efforts in the automotive domain and surveys the landscape of automotive privacy-related attacks which can be classified into three categories: driver fingerprinting, location inference and driving behavior analysis. These three categories are derived from the aforementioned guidelines of covered information. Based on this survey, we define a Privacy Score (PS), quantifying the risk associated with each vehicular sensor. Sensors contributing to multiple attacks will be assigned a higher PS. Furthermore, combinations of sensors used in privacy attacks must be considered and assessed in the PS metric since some attacks cannot be made using a single independent sensor. Based on the PS, recommendations for protecting certain sensor data against misuse at third-party entities are made and discussed.