Imagine if your car could send messages about its speed and movements to other cars on the road around it. That’s the dream of the National Highway Traffic Safety Administration (NHTSA), which thinks of Vehicle-to-Vehicle (V2V) communication technology as the leading solution for reducing accident rates in the United States. But there’s a huge problem: it’s extremely difficult to have cars “talk” to each other in a way that protects the privacy and security of the people inside them, and NHTSA’s proposal doesn’t come close to successfully addressing those issues. EFF filed public comments with both NHTSA and the FTC explaining why it needs to go back to the drawing board—and spend some serious time there—before moving forward with any V2V proposal.NHTSA’s PlanNHTSA’s V2V plan involves installing special devices in cars that will broadcast and receive Basic Safety Messages (BSMs) via short-range wireless communication channels. These messages will include information about a vehicle’s speed, brake status, etc. But one big problem is that by broadcasting unencrypted data about themselves at all times, cars with these devices will be incredibly easy to track. All you would need is a device that could intercept these messages. NHTSA is aware of this huge privacy problem and tried to develop a plan to make it harder to link V2V transmissions with particular vehicles, while still including enough information for the receiver to be able to trust a message’s content. But NHTSA’s plan—which involves giving each car 20 rotating cryptographic certificates per week to be distributed and managed by a complicated public key infrastructure (PKI)—didn’t achieve either objective.The ProblemsOne of the fundamental problems with NHTSA’s plan is that assigning each vehicle a mere 20 identities over the course of an entire week will do the opposite of protecting privacy; it will give anyone who wishes to track cars a straightforward way to do so. NHTSA proposes that a car’s certificate change every five minutes, rotating through the complete batch of 20 certificates once every 100 minutes. The car would get a new batch of 20 certificates the next week. As we explained in our comments, while a human being might find it confusing or burdensome to remember 20 different identities for the same vehicle, a computer could easily analyze data collected via a sensor network to identify a vehicle over the course of one day. It would then be able to identify and track the vehicle for the rest of the week via its known certificates. The sensor network would have to complete this same process every week, for every new batch of certificates, but given how simple the process would be, this wouldn’t present a true barrier to a person or organization seeking to track vehicles. And because human mobility patterns are “highly unique,” it would be easy—in the case of a vehicle used in its ordinary way—to recognize and track a vehicle from week to week, even as the vehicle’s list of 20 assigned certificates changed.
Danger Ahead: The Government’s Plan for Vehicle-to-Vehicle Communication Threatens Privacy, Security, and Common Sense