Survey of Automotive Privacy Regulations and Privacy-Related Attacks 2019-01-0479
Privacy has been a rising concern. The European Union has established a privacy standard called General Data Protection Regulation (GDPR) in May 2018. Furthermore, the Facebook-Cambridge Analytica data incident made headlines in March 2018. Data collection from vehicles by OEM platforms is increasingly popular and may offer OEMs new business models but it comes with the risk of privacy leakages. Vehicular sensor data shared with third-parties can lead to misuse of the requested data for other purposes than stated/intended. There exists a relevant regulation document introduced by the Alliance of Automobile Manufacturers (“Auto Alliance”), which classifies the vehicular sensors used for data collection as covered and non-sensitive parameters.
This paper reviews existing privacy standards as well as ongoing efforts in the automotive domain, and surveys the landscape of automotive privacy-related attacks which can be classified into three categories: driver fingerprinting, location inferencing and driving-behavior analysis. These three categories are derived from the aforementioned guidelines of covered information. Based on this survey, we define a Privacy Score (PS), quantifying the risk associated with each vehicular sensor. Sensors contributing to multiple privacy attacks will be assigned a higher PS. Furthermore, combinations of sensors used in privacy attacks must be considered and assessed in the PS metric as some attacks cannot be mounted using a single independent sensor alone.
