Vehicle data security management regulations soliciting opinions and collecting driving information should obtain consent

Personal data requires safe driving lanes

  June 11 is the deadline for the State Cyberspace Administration of China to issue the "Several Provisions on the Management of Vehicle Data Security (Draft for Solicitation of Comments)" for public comments.

The document proposes that car data operators should adhere to the following principles when processing personal information and important data, including in-vehicle processing, anonymization, minimum retention period, accuracy range application, and default non-collection, etc.

  Car data operations involve multiple parties, including car companies, software providers, dealers, maintenance organizations, online car-hailing companies, and insurance companies.

If the core components of traditional cars are engines and gearboxes, smart cars rely more on information and chips on this basis.

With the advancement of technology, new questions have arisen one after another: Who exactly belongs to the control of traffic data?

How to protect our private information from being leaked?

  The "Draft for Comments" includes relevant institutions across the entire auto market and forms a good closed loop for auto data protection

  On May 10, a press conference of the Ministry of Public Security revealed that the current number of motor vehicles nationwide reached 380 million, with 465 million drivers. In the first quarter of this year, 9.96 million motor vehicles were newly registered, a record high over the same period.

According to data from the National Development and Reform Commission, by 2025, the penetration rate of smart cars in my country is expected to reach 82%, with the number reaching 28 million; by 2030, the penetration rate is expected to reach 95%, with the number reaching 38 million.

  "The camera has not yet been activated, but it may be used to improve future security features added in the software update." In response to the prompt on the display of a smart car, some car owners were worried, "I don't know when it will be turned on, nor Know where it will use my personal image when it is turned on."

  The automotive industry is transforming to intelligence. In order to support autonomous driving assistance systems, the current smart models released by car companies are generally equipped with sensing devices such as cameras and radars, and most of the smart cockpits are also equipped with driver status monitoring and in-vehicle voice systems.

At present, the models of many car companies have preset cameras in the car to recognize the driver's ability to take over.

These situations have caused many consumers to worry about personal privacy and data.

  "The "Draft for Comments" manages automobile data from three levels, one is national security, the other is public interest, and the third is personal information protection. A complete system of automobile data protection has been formed on these three levels. "Ouyang Rihui, deputy dean of the China Internet Economic Research Institute of Central University of Finance and Economics, believes that as the first management regulation issued in the field of automotive data security, this "Draft for Comments" covers the collection, analysis, storage, transmission, and query of automotive data. More detailed regulations are made for the whole process of, application, deletion, etc., which is of symbolic significance to the industry itself.

  "Automotive data involves multiple departments, including automotive design, manufacturing, and service companies, as well as maintenance organizations, insurance companies, dealers, etc., and the provisions include the entire chain of related institutions in the automotive market, which will form the protection of automotive data. A very good closed loop." Ouyang Rihui said.

  As the data subject, what rights do car owners have with regard to the body data and driving data of their own vehicles?

According to the "Draft for Comments", sensitive personal information includes the location of the vehicle, the audio and video of the driver or passenger, and the data used to determine illegal driving.

Sensitive personal information needs to be directly served to drivers and passengers, allowing vehicle owners to view it; if the driver requests deletion, the data operator should delete it within two weeks.

Unless it is really necessary, personal information and important data should default to not being collected, and the driver’s authorization is only valid for the current driving.

  Why is there a two-week deadline for deleting data?

"It is a very complicated process to find the data of the corresponding user, delete it accordingly, and confirm it after the deletion." Professor Yang Diange of School of Vehicle and Transportation of Tsinghua University believes that considering the development of smart cars, there may be hundreds of thousands of vehicles in the future. The data of tens of millions of vehicles is stored in a large database in the cloud, and this kind of distributed storage management is very complicated.

How long it takes to delete is awaiting further study. Whether it is two weeks or one week is not the most critical. The key is to protect personal data and privacy from infringement through laws and regulations.

  The "Draft for Comments" proposes that the processing of personal information and important data by automobile data operators insists on in-vehicle processing, and when it is necessary to provide it outside the vehicle, it should be anonymized and desensitized as much as possible.

At the same time, the operator must determine the data retention period based on the type of functional service provided; and determine the coverage and resolution of the camera and radar based on the data accuracy requirements required to provide the functional service.

  The control of driving data should belong to the individual in accordance with the law, but the actual ownership is relatively vague, and it is still really controlled by the car company

  On May 25th, Tesla announced that the company has established a data center in China and will continue to add more data centers. The data generated by all vehicles sold in the Chinese market will be stored in China, and the vehicle information query platform will also provide vehicle owners. open.

  In the past period of time, Tesla's driving data problem has caused a lot of controversy.

During the Shanghai Auto Show in April, a rights-defending vehicle owner accused his brakes of malfunctioning and said that the vehicle driving data claimed by Tesla was untrue. Then Tesla released the data one minute before the accident on April 22.

  The core of the dispute is EDR data (automotive incident data).

The system records the vehicle's operation and safety status information for a period of time before and after the collision accident, including vehicle speed, steering wheel steering angle, acceleration and brake pedal status, seat belt usage, vehicle braking system, etc., which is the basis for the analysis and identification of the cause of the accident. .

  In December 2020, the Chinese government issued a mandatory national standard "Automobile Incident Data Recording System", which requires all vehicles sold to be equipped with EDR recording equipment, but the standard will not be officially implemented until January 1, 2022.

  And behind this is related to the ownership of vehicle data.

Existing laws both at home and abroad attribute the control of driving data to individuals, but in fact, it is still the car companies that really control this part of the data. The ownership of the control of driving data is relatively vague, and the domestic regulations on data retrieval were once blank.

Prior to this, no domestic car company opened up data query permissions to users.

When a dispute arises, unless the enterprise voluntarily, the behavior of car owners requesting driving data is difficult to have legal support.

  However, the improvement of relevant laws and regulations has been accelerated.

On April 28, the National Information Security Standardization Technical Committee issued the draft standard "Safety Requirements for Data Collection by Information Security Technology Networked Vehicles" to solicit public opinions.

The draft aims to standardize the data processing-related activities of mass-produced passenger cars with networking capabilities, and puts forward safety requirements for data transmission, storage, and cross-border links.

  Similar to the "Draft for Comments", the draft clearly states that without the individual consent of the person being collected, the car shall not transmit data containing personal information outside the car through the network or physical interface; it is prohibited to transmit the audio, collected in the car cabin to the outside of the car. Video, image and other data and data obtained through their processing.

In addition, the draft also stipulates that the data of roads, buildings, terrain, traffic participants and other data collected from the environment outside the car through cameras, radars and other sensors, as well as data related to the location and trajectory of the vehicle, shall not be out of the country.

  Information security is the fourth major safety issue in the automotive field after active safety, passive safety, and functional safety

  Smart cars do not simply replace the engine with a battery, but integrate advanced technologies such as autonomous driving, smart cockpits, and Internet of Vehicles to completely change the way people travel.

For a period of time, Internet companies have joined in, making the domestic smart car competition increasingly fierce.

  Li Xiaoguang, Dean of Beijing Unmanned Science and Technology Research Institute, said that a driverless car can generate massive amounts of data per second. These data are valuable for car manufacturers, mobile operators, insurance companies, restaurants, hotels, and other service providers. Great value.

  In recent years, the safety of intelligent networked vehicles has attracted attention. This year, more than ten proposals from the National People's Congress and the People's Republic of China involve the safety risks of connected vehicles.

  "Since the beginning of this year, it has been monitored that more than 2.8 million malicious attacks have been launched against related companies and platforms such as vehicle companies, car networking information service providers, etc. The risks of platform vulnerabilities, communication hijacking, and privacy leaks are very prominent." September 2020 On the 5th, Zhao Zhiguo, director of the Cyber ​​Security Administration of the Ministry of Industry and Information Technology, said.

A special survey in 2019 found that 85% of key components have security vulnerabilities, and nearly 60% of enterprises lack automated network security monitoring and response capabilities.

  At present, the development of domestic car networking network security is still in its infancy, and network attacks are developing in the field of car networking.

According to data, there were only 80 publicly reported cybersecurity attacks on intelligent networked vehicles in 2018 and 155 in 2019.

  A smart car is a mobile network node.

As a mobile data collector and transmitter, it can obtain the identity of the car owner, movement trajectory, driving habits, address book bound to the mobile phone's Bluetooth, conversations, etc., where the car owner drives, people, places, things, and things are all at a glance .

After the car is connected to the Internet, the above-mentioned security risks become more prominent.

  "Information security is the fourth major security issue in the automotive sector after active security, passive security, and functional security. The information security of intelligent networked vehicles may not only cause economic losses to enterprises and personal privacy leakage, but may also cause serious consequences for personal safety. , And even cause public security issues that threaten the country.” said Zhu Lifeng, secretary of the party committee and chairman of the China Power Industrial Internet Co., Ltd.

  Regarding the hidden network security risks of smart cars, in order to avoid causing social public safety problems, experts suggest that the research and development of vehicle safety protection technology should be strengthened, and better firewalls should be designed to avoid hacker attacks. At the same time, relevant behaviors need to be strictly enforced at the legislative level. Add punishment.

  Strictly control cross-border data transmission to protect data security

  It has become the legislative consensus of various countries to protect the security of data exiting the country.

The "Draft for Solicitation of Comments" requires that personal information or important data should be stored in China in accordance with the law, and if it is really necessary to provide it overseas, it should pass the data exit security assessment organized by the national cybersecurity and informatization department.

  How to understand the path of exemption left by "really needed"?

Big data is an important foundation for the iteration of smart car functions, and the data support is really needed in the development process.

Some analysts said that about 60% of my country's smart car data is stored overseas, and security issues are imminent.

  In this regard, Yang Diange explained that most of my country's smart car R&D centers are located in China and there is no cross-border data transmission, but a small number of foreign-funded enterprise R&D centers are located abroad, and this problem exists.

Because a few foreign-funded companies have hundreds of thousands of vehicles with data collection capabilities in China, and the collection time is long, the proportion of the amount of data that a single company has overseas is very large.

"No matter how much is transmitted, as long as there is cross-border data transmission, geographic information and spatial surveying and mapping problems, such data needs to be strictly managed."

  Strict management suggests what risks are behind it?

Yang Diange further explained that smart cars will collect road environment data during driving. If information involving military restricted areas or national defense and military units is taken, national security will be affected. Therefore, this type of information needs to be strictly controlled.

  Smart cars are equipped with a series of cameras and sensors to monitor the road environment to realize smart driving, which inevitably involves data collection and storage.

  A car company's official website shows that its product is equipped with 8 cameras, which surround the body and can cover a 360-degree field of view, with a maximum monitoring distance of 250 meters, in addition to 12 ultrasonic radars.

According to the company's privacy statement, the company collects a lot of information generated by vehicles, including safety-related data and camera images, as well as some images or short videos used to improve the safety features of autonomous driving, such as lane lines and street signs.

  It is understood that car companies generally do not upload the images continuously acquired by the camera to the cloud due to concerns about the excessive amount of data.

These images are generally processed locally, and the characteristic points such as the size of the building and the position relative to the vehicle are screened out before being transmitted.

In the cloud, car companies will reconstruct high-precision maps from these feature points for use in autonomous driving functions or in the cloud for AI training.

  Industry insiders pointed out that China strictly controls map collection, and companies need to have qualifications to implement it.

But in fact, all car companies are collecting data more or less.

  At present, the pattern and ecology of the automobile manufacturing industry are quietly changing, from engine and body design to intelligence, connectivity, and new energy.

The new development trend poses new challenges to the protection of automobile data.

More attention should be paid to the supervision of data collection, analysis, transmission and utilization in the process of participating in the design, production and use of automobiles by the Internet platform, which has become a top priority.

  "Under this standard, companies can use innovative technologies and methods to better carry out research activities such as unmanned driving. In this way, the entire industry will have clear boundaries, clear directions, and the effective use of enterprise independent management and independent innovation capabilities. , Effectively promote the rapid development of my country's intelligent networked vehicles, thereby forming a good trend of coordinated development of information security and technological progress." said Cui Dongshu, secretary general of the National Passenger Car Market Information Association.

  It is worth noting that the issue of information and data security is not unique to the automotive industry.

On June 11, the day after the "Data Security Law of the People's Republic of China" was voted and passed, the State Cyberspace Administration of China issued a notice saying that it has recently targeted the people’s complaints about illegal acquisition of apps, over-range collection, and excessive claims that infringe on personal information. Phenomenon, the network information department organized a test and found that 129 apps including Keep, Toutiao, and Tencent News collected and used personal information in violation of laws and regulations.

All relevant companies indicated that they will actively rectify and reform.

  Protecting the security of personal information requires the joint efforts of all parties.

(Our reporter Guan Xiaopu)