5-Anon: Data Privacy for Connected Vehicles
Problem Statement
Automobile manufacturers are re-inventing themselves to become increasingly similar to software-driven companies. Connected vehicles, as these new generations of vehicles are called, collect data about the car by design, capturing information about the driver, the ride, and its surroundings. According to AAA, an average connected vehicle generates up to 5100 TB of data within a year of operating.
This information about the car and its owner is received by the vehicle manufacturer. While data points about vehicle diagnostics, the powertrain and emissions may not be alarming on an individual level, these data points, when combined with other information about the vehicle, reveal critically sensitive and personal data about the vehicle owner.
To compound this issue, car manufacturers often share this information with third parties such as data brokers, which puts drivers at risk of identity disclosure. As the data is shared with other entities, car owners are at an extremely high risk of their collected data being breached in the event of a security incident. What's more, vehicle manufacturers do not easily allow customers flexibility and control over data collection measures!
To sum up, connected vehicles collect data by design about the vehicle, driver, driving dynamics, and its surroundings, and this data collection is not clearly mentioned to the users upon vehicle purchase. To make matters worse, vehicle manufacturers do not easily allow customers the flexibility and control over data collection measures. So, what options do drivers have to protect their privacy? What can vehicle manufacturers do to raise confidence in vehicle owners about the data custody that they have?
5-Anon Solution
To solve this privacy challenge, we have created 5-Anon, an end-to-end data anonymization SDK that helps to restore honest control of collected data between the car owner and the car manufacturer. The car owner is given the option to privatize their collected data via privacy settings directly within the on-board computers in their vehicles. The car manufacturer will provide appropriate anonymization algorithms to the user's vehicles in compliance with the user defined privacy settings, ensuring anonymized data is collected by the car manufacturer.
5-Anon consists of the following three libraries:
- Privacy Analyzer
  - Calculates privacy metrics: the probability of disclosure
  - Executes on the server/storage end
- Parameterization Processor
  - Creates the rules for data anonymization
  - Executes on the server/storage end
- Anonymization Processor
  - Applies the rules to the data, making it anonymous
  - Executes at the edge
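To make the split between the three libraries concrete, here is an added illustration (not the 5-Anon SDK's own code or data format) of the same three roles on a constructed set of telemetry records. The Privacy Analyzer role measures the probability of disclosure as 1 divided by the size of the smallest group of records that share the same quasi-identifier values (k-anonymity); the Parameterization Processor role walks a hypothetical generalization ladder until every group has at least k records and emits the resulting rule set; the Anonymization Processor role applies those rules to a single record, as the in-vehicle edge process would before upload. Field names (`vin`, `zip`, `age`, `lat`, `lon`, `speed_kph`, `dtc`), the rule keys and the ladder are all assumptions made for this example.

```python
"""Illustrative k-anonymity pipeline modelled on the three 5-Anon roles.
Hypothetical example code: not the 5-Anon SDK's API or record format."""
from collections import Counter

# Constructed sample telemetry records (hypothetical field names).
# 'vin' is a direct identifier; 'zip' and 'age' are quasi-identifiers that a
# third party could join against outside data sets; the rest is R&D payload.
RECORDS = [
    {"vin": "VIN-0001", "zip": "94110", "age": 34, "lat": 37.7512, "lon": -122.4187, "speed_kph": 62.3, "dtc": "P0420"},
    {"vin": "VIN-0002", "zip": "94110", "age": 35, "lat": 37.7490, "lon": -122.4170, "speed_kph": 48.0, "dtc": None},
    {"vin": "VIN-0003", "zip": "94112", "age": 36, "lat": 37.7201, "lon": -122.4422, "speed_kph": 71.9, "dtc": "P0300"},
    {"vin": "VIN-0004", "zip": "94112", "age": 41, "lat": 37.7233, "lon": -122.4401, "speed_kph": 55.2, "dtc": None},
    {"vin": "VIN-0005", "zip": "94107", "age": 52, "lat": 37.7668, "lon": -122.3959, "speed_kph": 33.4, "dtc": None},
    {"vin": "VIN-0006", "zip": "94107", "age": 58, "lat": 37.7702, "lon": -122.3931, "speed_kph": 40.1, "dtc": "P0171"},
    {"vin": "VIN-0007", "zip": "94103", "age": 29, "lat": 37.7735, "lon": -122.4110, "speed_kph": 28.7, "dtc": None},
    {"vin": "VIN-0008", "zip": "94103", "age": 22, "lat": 37.7749, "lon": -122.4094, "speed_kph": 66.0, "dtc": None},
]

DIRECT_IDENTIFIERS = ["vin"]
QUASI_IDENTIFIERS = ["zip", "age"]

# Generalization ladder tried by the Parameterization Processor role, ordered
# from least to most information loss (hypothetical ordering for this example).
RULE_LADDER = [
    {"zip_prefix": 5, "age_width": 1},
    {"zip_prefix": 5, "age_width": 5},
    {"zip_prefix": 4, "age_width": 5},
    {"zip_prefix": 4, "age_width": 10},
    {"zip_prefix": 3, "age_width": 10},
    {"zip_prefix": 3, "age_width": 20},
    {"zip_prefix": 2, "age_width": 20},
    {"zip_prefix": 0, "age_width": 100},
]


def generalize_zip(zip_code, prefix):
    """Keep the first `prefix` digits of a ZIP code and mask the rest."""
    return zip_code[:prefix] + "*" * (len(zip_code) - prefix)


def generalize_age(age, width):
    """Replace an exact age with a bucket label of the given width, e.g. 34 -> '20-39'."""
    if width == 1:
        return str(age)
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def generalize(record, rules):
    """Return a copy of the record with its quasi-identifiers generalized per the rules."""
    out = dict(record)
    out["zip"] = generalize_zip(record["zip"], rules["zip_prefix"])
    out["age"] = generalize_age(record["age"], rules["age_width"])
    return out


def equivalence_classes(records):
    """Group records by their current quasi-identifier values; class size drives disclosure risk."""
    return Counter(tuple(r[q] for q in QUASI_IDENTIFIERS) for r in records)


# --- Privacy Analyzer role (server/storage end) ---
def disclosure_probability(records):
    """Worst-case probability that a record is re-identified through its quasi-identifiers:
    1 / (size of the smallest equivalence class). 1.0 means at least one record is unique."""
    return 1.0 / min(equivalence_classes(records).values())


# --- Parameterization Processor role (server/storage end) ---
def build_rules(records, k):
    """Pick the least lossy rule set on the ladder under which every equivalence class
    holds at least k records, and attach the fixed rules the edge must also apply."""
    for step in RULE_LADDER:
        generalized = [generalize(r, step) for r in records]
        if min(equivalence_classes(generalized).values()) >= k:
            return {**step, "drop": list(DIRECT_IDENTIFIERS), "geo_decimals": 2}
    raise ValueError(f"no rule set on the ladder reaches k={k}")


# --- Anonymization Processor role (edge, in-vehicle) ---
def anonymize(record, rules):
    """Apply the rule set to one record before it leaves the vehicle."""
    out = generalize(record, rules)
    for key in rules["drop"]:          # remove direct identifiers outright
        out.pop(key, None)
    # Coarsen the GPS fix so the upload no longer pinpoints an address
    # (2 decimal places is roughly 1 km of resolution).
    out["lat"] = round(out["lat"], rules["geo_decimals"])
    out["lon"] = round(out["lon"], rules["geo_decimals"])
    return out


if __name__ == "__main__":
    print("raw disclosure probability:", disclosure_probability(RECORDS))
    rules = build_rules(RECORDS, k=2)
    print("rules chosen:", rules)
    anonymized = [anonymize(r, rules) for r in RECORDS]
    print("anonymized disclosure probability:", disclosure_probability(anonymized))
    print("first anonymized record:", anonymized[0])
```

On the constructed records every row is unique on (zip, age), so the raw disclosure probability is 1.0; the ladder settles on a three-digit ZIP prefix and 20-year age buckets for k=2, after which the smallest class holds three vehicles and the probability falls to 1/3 while speed and diagnostic trouble codes, the R&D payload, survive untouched. Note that the rule search runs where the whole data set is visible (the server end), while the per-record application needs nothing but the rule set, which is why it can run at the edge.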
With this approach, car owners and car manufacturers have an honest partnership regarding the data collected: the data ingested by the car manufacturer remains usable for research and development purposes while protecting users against privacy threats. This allows car manufacturers to integrate effective data privacy processes, which will improve compliance with future car privacy standards.
Why care about the solution?
- Car owner: their data is privatized so that third-party entities can NOT use it against them
- Car manufacturer: the data gathered remains meaningful and can still be used for R&D purposes
- Public: trust between vehicle owners and data managers is recognized as one of the largest barriers to true autonomous vehicle interoperability
Application Security
To mitigate some of the risks identified during threat modeling, we implemented encryption to secure the privacy settings stored on the car and the database on the server end. To secure communication between the car and the car manufacturer's cloud, a TLS certificate was installed on the car manufacturer's web server and certificate pinning was implemented in the edge processes. When car manufacturers add authentication capabilities to the car infrastructure, we can enable those to enhance security around the data privacy settings and the raw data.
Final Deliverable
- Source Code
- Demo
- Threat Models
- White paper
- 5-Anon Documentation
FAQs
Q: Does this technology tamper with the components that need to communicate in my car?
A: No. The 5-Anon solution was intentionally designed to address sensitive data at its point of origin; it does not intercept or obfuscate data that is sent and received between the vehicle's critical components.
Q: Will using 5-Anon’s services violate any laws regarding obstructing information?
A: No. The 5-Anon solution is compatible with legal situations, such as the execution of subpoenas, in which data may still be requested.
Q: If I drive an economy car with fewer features than other vehicles, will 5-Anon still benefit me?
A: Yes. All vehicles capture a minimal set of data from the critical components in your car that are necessary for the vehicle to function. 5-Anon works by addressing the most critical pieces of information, so whether you're driving an economy sedan or a luxury SUV, 5-Anon is applied in the same way to preserve your privacy.
Acknowledgements
- Dr. Sekhar Sarukkai and Ryan Liu, Capstone Instructors
- Eric Lybeck, Toyota
- Katelyn McCauley, Google
- Tom Prevot, Joby Aviation