Resist the Technopanic: Embracing the Connected Car Despite the Hype of Cyber Attack
In an earlier blog I discussed how the advent of vehicle connectivity has created new possibilities for intrusion into consumer privacy rights, and the role of automakers in protecting that privacy. But that was just the tip of the iceberg. A separate and distinct issue arising from the advent of the “connected car” is an accompanying rise in fears that hackers will access the multiple wireless points of entry into a vehicle’s computer system, infect it with malware, take control of the car, and potentially “pose serious safety hazards should they be exploited nefariously.” Because so-called “connected cars” may be vulnerable to such cyber attack, the media and political responses have often been kneejerk reactions of panic and hysteria. But many analysts, experts, and journalists urge the public to slow down, breathe, and allow the landscape to take shape before allowing such “technopanic” to set in.
Modern advances in automobiles have drastically increased not only the presence of technology in connected cars, but also the remote connections between the connected car and the Internet (and Internet of Things, which is the term used for the totality of connected smart devices). Indeed, a recent Accenture report indicates that technology—not horsepower—is now the most important selling point (at 39%) of car buyers worldwide. Technology to make cars more connected is an estimated $11.3 billion business. Some of this technology can or must be connected to via a wired connection. For example, a user can connect to either (1) the car’s electronic control units (“ECUs”) that control the car’s computers and form an internal wired network; or (2) the car’s Onboard Diagnostic (OBD-II) connection, which is a plug that any mechanic or user can plug into to get diagnostic or other data from the vehicle. But more advanced electronic systems present in newer cars also can fully connect to the Internet and then be accessed wirelessly via Wi-Fi, RFID, or Bluetooth. Newer ECUs and event data recorder (“EDRs”)—the ‘black box’ in every car—can collect data and transmit it wirelessly. Entertainment systems, navigation systems and GPS, hands-free cell-phone operations, and satellite radio also provide wireless access points. Some new cars offer Wi-Fi hotspots, while others—such as OnStar (General Motors), SafetyConnect (Toyota), and Sync (Ford) offer remote telematics systems that transmit data wirelessly. And now the rise of Vehicle to Vehicle (“V2V”) transmission presents the further potential of spreading viruses and malware from one vehicle to another, just like a virus on a laptop.
The rise of this technology of the connected car and its associated fear of cyber attack have given rise to a type of hysteria—often generated by media and by politicians—that scholars have called “technopanic,” which is an “intense public, political, and academic response to the emergence or use of media or technologies . . . .” Scholars generally see technopanic as a variant of “moral panic,” which occurs “when a segment of society believes that the behavior or moral choices of others within that society poses a significant risk to the society as a whole.” By extension, a technopanic is therefore “a moral panic that centers around societal fears about a specific contemporary technology (or technological activity) instead of merely the content flowing over that technology or medium.”
In February 2015, two ‘technopanic’ reports—one public and one political—essentially virtually implied that the Rise of the Terminator is nigh and we are all, generally speaking, doomed to suffer at the hands of cyber attacks. First, on February 8, 2015, 60 Minutes aired a feature titled “Nobody’s Safe on the Internet,” which focused on the potential hacking of connected cars and other devices within the Internet of Things. Dan Kaufman—a former game developer who now works for the Department of Defense to invent technology to prevent internet hacking—related his fears regarding the security of devices on the Internet of Things: “There is no real security going on. Connected homes could be hacked and taken over.” This in turn leads to fears that hackers could potentially get into a connected refrigerator, garage door opener, or more importantly a connected car, which contains between 30 and 50 computers and is basically “a computer on wheels.” Kaufman demonstrated how a hacker could take over a car and activate the windshield wipers and horn, and control the braking to force the car to run over some orange cones. Lesley Stahl’s reply: “I cannot—oh my God. I can’t operate the brakes at all. Oh, my word. That is frightening.” The implications of the demonstration included the potential that hackers could cause widespread mayhem at will.
The next day, February 9, 2015, the office of Senator Edward J. Markey (D-Mass) released a report titled “Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk” (the “Markey Report”) identifying perceived risks and proposing new safety standards for connected cars. The Markey Report is based on questions to 16 major automakers about (1) how driver information is collected and protected; and (2) the vulnerabilities of connected cars to hackers. Markey himself summarized the report: “Drivers have come to rely on these new technologies, but unfortunately the automakers haven’t done their part to protect us from cyber-attacks or privacy invasions. Even as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected.” The essence of the Markey Report is that as connected cars evolved into wheeled computers connected to the Internet of Things, they become vulnerable to the exact same threats and attacks as laptops and smartphones, albeit ones that weigh over a thousand pounds and hurtle along at high speeds.
Reactions to the 60 Minutes special and the Markey Report were mixed. On the one hand, some journalists applauded them, with one saying that although the Markey Report was “frightening” it was also a general “call to action” for the auto industry. On the other hand, other experts and analysts urge us to resist the technopanic and “take a deep breath,” calling the Markey Report “similarly panicky and sometimes humorous.” Another analyst says of the 60 Minutes special that the “threat of car hacking has largely been overblown by the media—there’s been only one case of a malicious car hack, and that was an inside job by a disgruntled former car dealer employee.” Even though there is “little doubt that vehicles can be as vulnerable as any other connected device,” hackers simply don’t have the financial incentive to hack a connected car, as opposed to hacking bank and credit card accounts. So although it’s not “the apocalypse that you hear about,” it certainly is “a surefire way to get the attention of the public and policymakers.”
Many analysts and experts argue against technopanic, insisting that it would be “lunacy” to think that “innovators in this space are completely oblivious to these threats, simply don’t care enough to address them, and don’t have any plans in motion.” Despite Dan Kaufman’s technopanic insistence that “there is no real security going on” by manufacturers, automakers “know that (1) nobody wants to own or use devices that are fundamentally insecure or dangerous; and (2) if they sell such devices to the public, they are in for a world of hurt once the trial lawyers see the first headlines about it.” Discussions abound as to whether “auto manufacturers could be the first defendants to be held strictly liable for such criminal attacks, under a theory that “defects” in the car allowed the hacker to gain access.” Many believe this would be inappropriate, because it would essentially make automakers insurers, which is the absolute liability that strict liability was designed to avoid. Other discussions focus on the role of the consumer, including whether the consumer “will become a target for fault apportionment if it is found that the consumer failed to update security software or used easily hacked passwords or downloaded malware from unsecure sites.” And again, this is just the tip of another iceberg.
Ultimately, the majority of analysts, journalists, and bloggers believe that while the 60 Minutes special and the Markey Report certainly raise valid points about the vulnerabilities of connected cars and draw “welcomed attention to the issue for all stakeholders,” the technopanic scare tactics are “overblown,” and any reactionary legislation “has to be balanced with a sensible approach to the problem of car security . . . not one driven by hysteria.” Automakers and working towards creating not only connected cars, but connected cars that are safe for consumers. In turn, consumers are beginning to get over the “technopanic” caused by this new rise in technology. It is only a matter of time until it comes together.
For more information or if you would like to talk about the issues of emerging technology in connected cars, please contact me at firstname.lastname@example.org, or else post a comment below and let’s start a conversation.
 Liam Felsen, As The “Connected Car” Speeds Up Development Of Data-Collecting Technology - Are Automakers Committed To The Protection Of Privacy?, January 2015, available at http://www.fbtauto.com/publications-item-25.html.
 Cheryl Dancey Balough and Richard C. Balough, Cyberterrorism on Wheels: Are Today’s Cars Vulnerable to Attack,” American Bar Association Business Law Today, Nov. 2013, available at http://www.americanbar.org/publications/blt/2013/11/02_balough.html.
Accenture News Release, Strong Interest in New In-Car Technologies by Consumers in Emerging Economies Could Influence Demand, Accelerate Rollout of Next-Generation Connected Vehicle Technologies, Accenture Research Indicates, December 2, 2013, available at http://newsroom.accenture.com/news/strong-interest-in-new-in-car-technologies-by-consumers-in-emerging-economies-could-influence-demand-accelerate-rollout-of-next-generation-connected-vehicle-technologies-accenture-research-indicates.htm.
 Keith Naughton, Putting the Mobile into Automobile, Jan. 8, 2015, available at http://www.businessweek.com/articles/2015-01-08/ces-auto-show-web-connected-cars-are-stars-of-2015.
 Adam Thierer, Parents, Kids, & Policymakers in the Digital Age: Safeguarding Against “Techno-Panics,” INSIDE ALEC (Am. Legislative Exch.Council, D.C.), July 2009, at 16, 16–17 [hereinafter Safeguarding Against Technopanics], available at http://www.pff.org/issues-pubs/articles/090715-against-technopanics-adam-thierer-Inside-ALEC.pdf.
 Christopher J. Ferguson, The School Shooting/Violent Video Game Link: Causal Relationship or Moral Panic?, 5 J. INVESTIGATIVE PSYCHOL. &OFFENDER PROFILING 25, 30 (2008).
 Adam Thierer, Ongoing Series: Moral Panics/Techno-Panics, The Technology Liberation Front, available at http://techliberation.com/ongoing-series/ongoing-series-moral-panics-techno-panics/.
 Lesley Stahl, DARPA: Nobody’s Safe on the Internet, CBS News, February 8, 2015, available at http://www.cbsnews.com/news/darpa-dan-kaufman-internet-security-60-minutes/.
 Id. The “Internet of Things” is generally defined as the internet made up of connected devices.
 Office of Senator Ed Markey (D-Mass), Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk, Feb. 9, 2015, available at http://www.markey.senate.gov/imo/media/doc/2015-02-06_MarkeyReport-Tracking_Hacking_CarSecurity%202.pdf.
 Judith Bitterli, New Concerns for Connected Car Hacks, Feb. 16, 2015, available at https://now.avg.com/new-concerns-for-connected-car-hacks/.
 Adam Thierer, Don’t Hit the (Techno-)Panic Button on Connected Car Hacking & IoT Security, Feb. 10, 2015, available at http://techliberation.com/category/the-precautionary-principle/.
 Doug Newcomb, Congress, ’60 Minutes’ Exaggerate Threat of Car Hacking, Feb. 9, 2015, available at http://www.forbes.com/sites/dougnewcomb/2015/02/09/60-minutes-joins-car-hacking-hype/.
 Id. (“This was made evident by a recent announcement regarding a security flaw in BMW’s ConnectedDrive telematics system. ADAC, the German equivalent of AAA, found it was possible to send messages to the embedded SIM card that provides a cellular connection for ConnectedDrive to lock and unlock a car’s doors. The potential problem affected about 2 million BWM vehicles, but the automaker quickly responded by pushing out an over-the-air security patch for the compromised system.”).
 Thierer, Don’t Hit the (Techno-)Panic Button, supra at note 15.
 Todd B. Benoff, Automakers Should Not Be Held Strictly Liable for V@V Hacks, Law360, October 29, 2014, available at http://www.law360.com/articles/591695/automakers-should-not-be-held-strictly-liable-for-v2v-hacks.
 H. Michael O’Brien, The Internet of Things: The Inevitable Collision with Product Liability, Feb. 2, 2015, available at http://www.productliabilityadvocate.com/2015/02/the-internet-of-things-the-inevitable-collision-with-product-liability/.
 Newcomb, supra note 16.