Elon Musk has said Tesla will co-operate with regulators around the world on data security to ensure that information collected by the company’s vehicles is stored and processed safely. The growing number of connected vehicles on the roads means cars are increasingly being targeted by hackers, but a lack of strong legislation means many automakers have yet to prioritise the issue.
Speaking via video link at the World New Energy Vehicle Congress on the southern Chinese island of Hainan, Musk said Tesla stood ready to work closely with regulators in China and beyond. “With the rapid growth of autonomous driving technologies, data security of vehicles is drawing more public concerns than ever before,” he said.
While Musk’s comments were probably driven at least in part by some scrutiny Tesla has faced in China, they speak to a bigger challenge facing car companies in the era of connected vehicles.
What data does Tesla collect?
Earlier this year Tesla announced it would be storing all car data generated in China at local data centres. Reuters reported this followed fears about data privacy, with staff at Chinese government agencies told not to park their Tesla’s in office car parks due to the cameras on the vehicles.
Though Tesla does collect data on driver activity, Roger C Lanctot, director of automotive connected mobility at Strategy Analytics, says it holds relatively little personally identifiable information (PII) when compared to other carmakers. “A lot of competing automakers are obsessed with collecting contextual data so they can deliver contextually relevant information to drivers,” he says. “Musk and Tesla aren’t really into that. What they do want to capture is a whole payload of data around features like autopilot or battery performance so that they can analyse it, particularly in the event of something catastrophic like a crash happening.”
While this data can be valuable to hackers, it does not put drivers personal information at risk, Lanctot says. “It’s the sort of information that can be easily collected and stored securely within a geography,” he says. “There have been enough examples of Tesla drivers going beyond cellular coverage and not being able to unlock or start their vehicles to tell me that they’re not collecting a great deal of personal information about drivers.”
Cybersecurity for connected cars: regulation required
With 470 million connected vehicles expected to be on the roads by 2025, it is no surprise they are proving popular targets for cybercriminals. Cloud servers, where data is stored and processed, were the second most popular vector of attack for cybercriminals targeting vehicles in 2019, according to a report from auto cybersecurity company Upstream Security.
This risk means automotive cybersecurity is big business, and the market is expected to be worth $4bn by 2025. Despite this, regulation in this area remains scarce, and Lanctot says car companies remain under few obligations when it comes to how they collect, store and use customer data. "It's a real legitimate problem and I'm not sure the regulators are up to the task [of dealing with it]," he says. "It's something of a Wild West right now when it comes to PII - it's ill-defined and there's an assumption that not a lot of it is being collected, and that there are sufficient opt-in procedures in place, which I would question."
Carmakers in Europe, Japan and Korea are bound by rules set by the World Forum for Harmonization of Vehicle Regulations (WP.29), a UN working party designed to put vehicle standards in place around the world. Its rules on cybersecurity mandate that all carmakers must monitor connected vehicles 24/7 from a vehicle security operations centre, so that action can be taken in the event of a breach.
The US has not signed up to this rule, though many of its car companies comply with it anyway for reputational reasons, while China also remains outside its remit. However, last week China's industry ministry published a notice asking carmakers to increase cyber and data security oversight over connected vehicles, suggesting Beijing recognises the severity of the issue.
Lanctot says until more regulation is put in place, he doesn't expect carmakers to prioritise data protection and security. "If you're an automaker you're going to prioritise things which generate revenue," he says. "This is not revenue generating, it's more of an obligation, which is why it will probably require regulatory intervention. I don't anticipate a solution coming soon, but there is a recognition [at policy-making level] that a problem exists."