Automotive Black Box Standard Gets Privacy Update
Developing IEEE standards doesn’t happen with a clap of the hands, a puff of smoke, and instant perfection. And the results, which can be years in the making, aren’t set in stone. Each IEEE standard is reviewed at least every five years and can be amended at any time. Case in point: the new IEEE 1616a-2010 standard, an amendment to IEEE 1616 Standard for Motor Vehicle Event Data Recorders (MVEDRs), of 2005, was the first universal standard for so-called black boxes for cars and light trucks. It was reaffirmed and amended this year and is effective until 2015. After that, like all IEEE standards, it must be reviewed and either reaffirmed, revised, stabilized (after which it’s only reviewed once per decade), or withdrawn.
Like the black box recorders in trains and airplanes, those for cars record and preserve information about the vehicle’s control settings and behavior in the seconds leading up to and following a crash. That information can then be used to help understand what caused the crash, but often only if the car owner releases the data.
IEEE Std. 1616-2005 defined 86 data elements, including acceleration in several directions, speed, engine RPM and throttle setting, and steering angle, as well as seat positions, safety-belt status, and air-bag deployment. Subsequently, reacting to this standard, the U.S. National Highway Traffic Safety Administration (NHTSA) issued its rule 49 CFR Part 563: Event Data Recorder to take effect in 2012. It does not make MVEDRs mandatory, but, taking a page from IEEE Std. 1616-2005 it does require that if installed by vehicle manufacturers the recorders store and report at least 15 essential data elements, and that the car companies make tools for retrieving EDR data commercially available. The NHTSA rule refers to IEEE 1616 without giving it the force of law; IEEE and others are petitioning NHTSA to change this when the rule is finalized, and a bill is now before Congress to do so.
Standards development can be a long process because of the array of technical issues to consider, plus the spectrum of stakeholders. But developing IEEE Std. 1616-2005, for example, took only two years thanks to an intensive effort by a working group of 139 volunteers from industry and government.
ALL ARE INVITED
The IEEE Standards Association maintains an open development process. Membership in IEEE is unnecessary for participation in the working group’s development activities, but it is required for the final balloting. Several participants joined IEEE at that stage for Std. 1616a-2010. The working group considered the needs of car owners, automakers, mechanics, crash data researchers, telematics system operators, connector makers, the insurance industry, law enforcement and other government agencies, and others.
“Even before the standard was final, the National Transportation Safety Board (NTSB) issued a recommendation to IEEE, encouraging continuation of IEEE’s work on MVEDR standards,” says IEEE Member Tom Kowalick, cochair of the project. That led to the formation of a new working group, 1616a. This group began tackling car owners’ privacy and consumer-protection and data-security concerns, issues largely irrelevant to the black boxes in trains and planes. The original standard had barely mentioned the privacy issue, because initially it was uncertain how the information in automobile black boxes would be accessed.
“It was only well into the creation of IEEE Std. 1616-2005 that the diagnostic link connector (DLC) was designated as the download connector for in-vehicle networks,” Kowalick says.
That connector, present on all cars sold in the United States since the 1996 model year, had been used only for on-board diagnostics, but it will now be used to access the MVEDR data. Once that was acknowledged, the group could develop specifications for a lockout system to block the connector against unauthorized access, adopted in March 2009 as IEEE 1616a,Standard for Motor Vehicle Event Data Recorder Connector Lockout Apparatus (MVEDR/CLA). Only vehicle owners would have the key, or codes, to the lockout, giving them sole control over their data. That should prevent data tampering and protect data from misuse, according to Kowalick.
Auto technicians also use the DLC for resetting a car’s operating parameters, as well as diagnosing its ills. It provides access not just to the recorder but also to the vehicle’s entire in-vehicle network, which can include as many as 70 electronic control units. Unfortunately, that has made the DLC a prime target for tampering.
“With today’s electronic tools, going through the DLC is the most common way to tamper with car systems and read recorded data,” Kowalick says. That can jeopardize the car owner’s privacy because many of the control units and the signal bus for the vehicle’s controller area network can retain data for longer periods than the mere seconds captured by MVEDR. What’s retained varies from one automaker to another, but it could include GPS-marked destinations or other information that an owner might want to keep private.
Also, thieves could change a car’s recorded vehicle identification number (VIN) stored on the area network. That would immediately prevent telematics services such as General Motors’ OnStar from locating a stolen car or turning off its engine before it could be taken to a chop shop or have its VIN plaques and etchings changed. In rare cases, data tampering could make the car’s owner look more or less culpable in an accident. By preventing unauthorized access, the lockout can help establish a chain of custody for evidence.
There’s still the possibility of data tampering by owners, for odometer fraud or other purposes.”The next logical step is determining how we can tell if data has been tampered with,” says Dennis Bodson, who chairs the standards committee of the IEEE Vehicular Technology Society, which sponsored the work on MVEDR standards. Bodson, an IEEE Life Fellow, says that will be the subject of a separate standard.
MORE WORK AHEAD
As cars acquire more drive-by-wire electronic sensors and systems, there will be more data to capture and control, calling for additional standards. And if the Motor Vehicle Safety Act of 2010 passes, making MVEDRs mandatory by 2015, “there will be up to 200 million light vehicles with unprotected EDRs,” Kowalick says. “Several companies are already offering ways for the unscrupulous to tamper with digital odometer readings or even erase crash data. A recent IEEE conference highlighted automotive vehicle network hacking.”
Meanwhile the IEEE Std. 1616 working group remains very active, continuing to communicate and increase in numbers.
“We want to define and standardize every data element in a motor vehicle,” Kowalick says.”We welcome everyone with technical expertise who wants to participate, and we value their contribution.”