House Republicans are working on legislation that aims to make cars and trucks more secure from hackers. But federal regulators warned at a hearing Wednesday that the bill could have the exact opposite effect.
“The proposed legislation, as drafted, could substantially weaken the security and privacy protections that consumers have today,” testified Maneesha Mithal, the head of the Federal Trade Commission’s Division of Privacy and Identity Protection.
Internet-connected cars can provide exciting new features for drivers, but they can also be susceptible to cyberattacks. Fiat Chrysler had to recall more than a million vehicles earlier this year after the company discovered a software flaw that could allow hackers to gain remote control over the engine and steering. Privacy advocates have also expressed alarm about the amount of personal information that car companies can collect.
A draft bill released last week by the Republican leaders of the House Energy and Commerce Committee aims to improve vehicle security and give consumers more control over their personal information. The bill would direct the National Highway Traffic Safety Administration to create an advisory council to craft cybersecurity standards for car companies. Anyone who accesses a car’s electronic systems “without authorization” could face a $100,000 fine under the legislation. And the bill would require car companies to create privacy policies and file them with the Transportation Department.
But the regulators warned that the bill would gut existing consumer protections. Under the legislation, companies with privacy policies that meet minimum standards would be immune from FTC privacy lawsuits. “Under this proposal, manufacturers can satisfy the requirements of this section without providing any substantive protections for consumer data,” Mithal argued at the hearing of the Commerce, Manufacturing, and Trade Subcommittee. “For example, a manufacturer’s policy could qualify for a safe harbor even if it states that the manufacturer collects numerous types of personal information, sells the information to third parties, and offers no choices to opt out of such collection or sale.”
She also warned that the section authorizing fines for car hackers could penalize researchers who are just testing a car for security holes. The vulnerability of the Fiat Chrysler cars, for example, was first exposed by cybersecurity researchers. “By prohibiting such access even for research purposes, this provision would likely disincentivize such research, to the detriment of consumers’ privacy, security, and safety,” Mithal said.
Mark Rosekind, the administrator of the NHTSA, argued the bill would allow industry lobbyists to dominate the council in charge of cybersecurity standards. “Ultimately, the public expects NHTSA, not industry, to set safety standards,” he said.
Democrats also blasted the bill, claiming it would only weaken consumer protections. “Instead of pursuing a bipartisan approach, the majority chose to prepare this legislation behind closed doors,” said Rep. Frank Pallone, the Energy and Commerce Committee’s top Democrat.
Republicans defended their legislation, but also acknowledged that it is a work in progress.
“The staff discussion draft that we will review today is a starting point,” said Energy and Commerce Chairman Fred Upton, a Michigan Republican. “It includes proposals intended to foster greater vehicle and roadway safety for motorists now and in the years to come. Some pieces, like having a corporate officer responsible for safety compliance, aren’t new. Other ideas, like how to best ensure cybersecurity, may need to further evolve.”
We want to hear what you think about this article. Submit a letter to the editor or write to letters@theatlantic.com.