A Look at the Legal Environment for Driverless Vehicles (2016)

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

61 court ruled that the Fourth Amendment’s search and seizure restriction “protects people, not places.”474 Katz and decisions following it suggest that the privacy expectations of people using driverless vehicles would be protected under the Fourth Amendment. Although older court decisions sometimes described privacy expectations of people in motor vehicles as ranging from very low to virtually absent,475 people in vehicles do have constitutionally protected reasonable expectations of privacy. In Delaware v. Prouse476 the U.S. Supreme Court observed, An individual operating or traveling in an automobile does not lose all reasonable expectation of privacy simply because the automobile and its use are subject to govern- ment regulation. Automobile travel is a basic, pervasive, and often necessary mode of transportation to and from one’s home, workplace, and leisure activities. Many people spend more hours each day traveling in cars than walking on the streets. Undoubtedly, many find a greater sense of security and privacy in traveling in an automobile than they do in exposing themselves by pedestrian or other modes of travel. Were the individual subject to unfettered governmental intrusion every time he entered an automo- bile, the security guaranteed by the Fourth Amendment would be seriously circumscribed. As [this Court has] recog- nized, people are not shorn of all Fourth Amendment pro- tection when they step from their homes onto the public sidewalks. Nor are they shorn of those interests when they step from the sidewalks into their automobiles.477 In Fourth Amendment cases, this reasonable expectation of privacy in vehicles is subject to a num- ber of exceptions to the usual search warrant require- ments, as discussed above in Section V.B. In evaluat- ing the reasonableness of privacy expectations, vehicles on roads are frequently contrasted with homes, where privacy expectations are very high,478 as if vehicles and homes were at opposite ends of a wide spectrum of reasonable expectations of privacy. However, that does not mean that individuals’ infrastructure (V2I). With dozens of cars communi- cating with each other, when an accident does occur in this space, it may be impossible to resolve fault, or even cause. It may be appropriate, then, to move to an entirely different system for compensating injuries. Something along the lines of the National Vaccine Injury Compensation Program may be appropriate. VII. PRIVACY AND SECURITY LAWS Privacy and security laws will affect the design and operation of driverless vehicles both on the road and as part of the cyber infrastructure. These laws include measures protecting personal information, regulating surveillance, preventing interference with personal choices, as well as requiring physical, network, and information security requirements. Ultimately, a wide variety of privacy and security laws are certain to apply to driverless vehicles. At present, privacy laws are numerous and varied. Security laws are less developed. Increased com- plexity with regard to both applicable privacy laws and security requirements is nearly certain by the time driverless vehicles are in widespread use. A. Expectations of Privacy in Driverless Vehicles Driverless vehicle users will expect that both pri- vacy and security will be protected when they use driverless vehicles. In an era in which vehicles are often associated with surveillance, car hacking, tar- geted advertising, privacy breaches, and Big Data, legal protection for privacy expectations in driver- less vehicles will depend in part on the extent to which courts and legislatures recognize such pri- vacy expectations as reasonable. “Reasonable expectation of privacy” expresses a norm used to determine whether privacy protections should apply in a wide variety of legal contexts from criminal procedure469 to tort law,470 as well as in stat- utes471 and administrative regulations.472 The modern legal concept of reasonable expectations of privacy is usually based on the 1967 United States Supreme Court decision, Katz v. United States,473 in which the 474 Id. at 351–52. The Supreme Court rejected basing Fourth Amendment warrant requirements solely on loca- tion and interference with property rights. Although the defendant’s conversations took place in a public location, the Court insisted “what he seeks to preserve as private, even in an area accessible to the public, may be constitutionally pro- tected.” Id. The “reasonable expectations of privacy” analysis was suggested by Justice Harlan in his concurring opinion. 475 See United States v. Knotts, 460 U.S. 276, 103 S. Ct. 1081, 75 L. Ed. 2d 55 (1983). The Supreme Court in United States v. Jones, __ U.S. ___, 132 S. Ct. 945, 181 L. Ed. 2d 911 (2012), distinguished Knotts as limited to “beeper” technol- ogy. Jones, 132 S. Ct. at 951−52. 476 Delaware v. Prouse, 440 U.S. 648, 99 S. Ct. 1391, 59 L. Ed. 2d 660 (1979). 477 Id. at 662–63. 478 Kyllo v. United States, 533 U.S. 27, 121 S. Ct. 2038, 150 L. Ed. 2d 94 (2001) (involving the use of a thermal imaging device from a public vantage point to monitor the radiation of heat revealing a marijuana growth inside a person’s home). 469 See text accompanying notes 355–378, supra. 470 See e.g., Sanders v. Am. Broad. Co., 20 Cal. 4th 907, 978 P. 2d 67, 85 Cal. Rptr. 2d 909 (1999) (discussing pri- vacy expectations of a car crash victim). 471 For example, the federal Foreign Intelligence Sur- veillance Act, 50 U.S.C. § 1801 (2012) and California’s version at § 1708.8 of the California Civil Code, CAl. Civ. Code § 1708.8 (West 2009). 472 Department of Homeland Security Regulations that Support Anti-Terrorism by Fostering Effective Tech- nologies, 6 C.F.R. §§ 25.1–25.9 (2012). 473 389 U.S. 347, 88 S. Ct. 507, 19 L. Ed. 2d 576 (1967). Katz excluded from evidence in a criminal prosecution defendant’s conversations recorded by law enforcement from outside a public phone booth located on a public street.

62 place. One of the central issues posed in Jones was whether the defendant had reasonable privacy expectations protected by the Fourth Amendment as he drove his wife’s car around the Washington, D.C., area for a month with a hidden government-installed GPS tracking device capturing every move the vehi- cle made. The decision in United States v. Jones sug- gests that, unless a warrant is first secured, remote tracking of a driverless vehicle would interfere with reasonable expectations of privacy protected under the Constitution.489 Intrusions into a driverless vehicle’s internal systems to collect evidence of crim- inal activity would also appear to deserve similar Constitutional censure.490 Recent court decisions interpreting the Fourth Amendment have paid increasing attention to enhanced expectations of privacy in the contexts of roadways,491 of vehicles,492 and of technologically enhanced searches.493 Since driverless vehicles will involve all of these contextual factors, privacy expecta- tions in driverless vehicles are probably reasonable. B. Privacy Laws Although privacy laws may change somewhat by the time driverless vehicles become available, laws protecting personal information and communica- tions, as well as controlling surveillance, will protect the privacy of people using driverless vehicles. 1. Personal Information Privacy Laws A growing number of personal information laws will apply to driverless vehicles.494 In particular, driverless passenger cars that transport individual people will inevitably generate considerable per- sonal information. Examples of personal informa- tion associated with driverless passenger vehicles will include information about vehicle ownership, registration, and vehicle insurance information. Driverless passenger cars will generate real-time location information about people using driverless cars, as well as records of past travel patterns. expectations of privacy in driverless vehicles are unreasonable or unworthy of legal protection.479 After Prouse, in Indianapolis v. Edmond,480 the United States Supreme Court decided that, absent a judicial warrant, stopping every vehicle on a roadway for general law enforcement purposes constitutes an unreasonable seizure for the purposes of the Fourth Amendment.481 According to the Court, part of the purpose of the Fourth Amendment is to protect politi- cal liberty. The Court said that the Fourth Amend- ment “draw[s] the line at roadblocks designed pri- marily to serve the general interest in crime control,” because such indiscriminate searches represent a dangerous step toward authoritarian government.482 Later, in Arizona v. Gant,483 Justice Stevens warned against “undervalu[ing] the privacy inter- ests at stake. Although we have recognized that a motorist’s privacy interest in his vehicle is less sub- stantial than in his home,” the privacy interest of motorists “is nevertheless important and deserving of constitutional protection.”484 The Court expressly rejected “[a] rule that gives police the power to search a vehicle whenever an individual is caught committing a traffic offense, when there is no basis for believing evidence of the offense might be found in the vehicle.”485 A rule allowing such a search would be unacceptable because it “creates a serious and recurring threat to the privacy of countless indi- viduals.”486 People who use driverless vehicles should enjoy similar privacy protections against unreason- able searches of their vehicles.487 Since then, in United States v. Jones,488 the United States Supreme Court protected privacy interests in data about a vehicle-user’s movement from place to 479 Dorothy J. Glancy, Privacy on the Open Road, 30 ohio n. U. l. rev. 295, 295–99 (2004). 480 Indianapolis v. Edmond, 531 U.S. 32, 121 S. Ct. 447, 148 L. Ed. 2d 333 (2000). 481 Id. at 48. 482 Id. at 42. 483 Arizona v. Gant, 556 U.S. 332, 344, 120 S. Ct. 1710, 173 L. Ed. 2d 485 (2009). The case involved a vehicle search incident to an arrest. 484 Id. at 344. 485 Id. 486 Id. 487 Since under Katz, “people not places” are protected under the Fourth Amendment, a driverless vehicle not as- sociated with people would not be accorded similar pri- vacy protection. 488 United States v. Jones, __ U.S. __, 132 S. Ct. 945, 181 L. Ed. 2d 911 (2012). The Court’s decision in Jones held that a Fourth Amendment “search” occurred when law enforcement agents attached a tracking device to a vehicle and then used the device remotely and continu- ously to follow a suspect’s vehicle on public roadways. Id., 132 S. Ct. at 949. 489 In a later decision involving a warrantless search of a smart phone, Chief Justice Roberts, writing for a unani- mous court, emphasized that expectations of privacy are enhanced by the scale and pervasiveness of personal information revealed. Riley v. California, __ U.S. __, 134 S. Ct. 2473, 189 L. Ed. 2d 430 (2014). 490 See Jones, 132 S. Ct. at 958 (Alito, J., concurring). The concurring opinions in Jones are particularly emphatic about this point. 491 E.g., Gant, 556 U.S. 332. 492 E.g., Jones,132 S. Ct. 945. 493 E.g., Kyllo, 533 U.S. 27. 494 See Glancy, Privacy in Autonomous Vehicles, supra note 210, at 1173–78 (providing an extended analysis of these laws).

63 vehicles.499 In the absence of operational regula- tions that permit the general public to operate driverless vehicles beyond the testing phase, it is difficult to predict either specific DMV driverless vehicle recordkeeping requirements or the privacy protections for personal information associated with driverless vehicles. b. Fair Information Practices (FIPs) and Personal Information Protection from Privacy Breaches.— Additional state privacy statutes require fair infor- mation practices500 as part of existing consumer pro- tection laws that will apply to protect the privacy of people who own and use driverless vehicles. Forty- seven states have already enacted privacy breach statutes.501 These statutes, which are variably called “data breach,” “security breach,” or “privacy breach” laws, typically protect “personal information,” usu- ally defined as a person’s name combined with the person’s SSN, driver’s license or state ID number, account numbers, or other personal information.502 Privacy protection extends to improper disclosures of this personal information through unauthorized access, such as hacking, and other types of data losses, including negligence.503 Under a number of these privacy breach statutes, encrypted personal information is exempt from breach notification requirements.504 If personal information is improp- erly disclosed by any covered public- or private- sector entity, each individual whose personal infor- mation was disclosed must be notified of the data loss. Such privacy breach notifications have sub- stantial negative consequences—both in terms of monetary and notification costs505 and in terms of Other types of driverless vehicles, such as trucks and buses, may generate somewhat less private data about specific human persons and more data about corporations or other entities that own or use these driverless vehicles. a. Drivers Privacy Protection Act.—One of the fed- eral privacy statutes that will govern personal infor- mation associated with driverless vehicles is the federal Drivers Privacy Protection Act (known as the DPPA).495 This federal statute protects an individu- al’s personal information contained in motor vehicle registration and licensing records held by state motor vehicle departments (DMVs).496 Disclosure of DMV personal information without the written con- sent of the subject of the information is prohibited unless an exception applies. This federal law regu- lating the privacy of DMV vehicle records will apply to owners of driverless vehicles licensed and regis- tered by state departments of motor vehicles. In 2013 the United States Supreme Court reaf- firmed the importance of privacy protection pro- vided by the DPPA in a case involving plaintiffs’ lawyers who improperly obtained North Carolina DMV registration records containing vehicle pur- chasers’ names and addresses. The lawyers illegally used that information to send direct mail advertise- ments to potential plaintiffs in a class action against vehicle dealers.497 A number of states have enacted laws similar to the DPPA to protect personal information held by their departments of motor vehicles even more extensively than DPPA.498 It is possible that these laws could be extended also to protect information of people who use driverless vehicles, if records of such driverless vehicle use (for example in driver- less vehicle ride services) are required to be main- tained by state departments of motor vehicles. Drivers required to be present in test versions of driverless vehicles, as well as persons involved in collisions with these test vehicles, are among the subjects of DMV records related to driverless 495 18 U.S.C. §§ 2721–2725 (2012). 496 The United States Supreme Court upheld the DPPA against a Tenth Amendment challenge in Reno v. Condon, 528 U.S. 141, 120 S. Ct. 666, 145 L. Ed. 2d 587 (2000). The DPPA is an interesting example of federal preemption of state DMV laws that did not offer such privacy protection. 497 Maracich v. Spears, __ U.S. __, 133 S. Ct. 2191 (2013). 498 See The Drivers Privacy Protection Act (DPPA) and the Privacy of Your State Motor Vehicle Record, eleCTroniC PrivACy info. CenTer (2015), https://epic.org/privacy/drivers/ (“States were required to comply with the minimum require- ments of the DPPA by September 1997. Many states are more restrictive than the federal rules.”). 499 See, e.g., CAl. Code regs., tit. 13, §§ 227.00–227.52 (2015) (“Autonomous Vehicles.”) Section 227.44 of the Code of Regulations provides for accident reporting requirements. 500 See Robert Gellman, Fair Information Practices: A Basic History (Feb. 11, 2015), http://www.bobgellman.com/ rg-docs/rg-FIPShistory.pdf. 501 Security Breach Notification Laws, nAT’l Conf. of sT. legislATUres (June 11, 2015), http://www.ncsl.org/ research/telecommunications-and-information-technol- ogy/security-breach-notification-laws.aspx (providing a state-by-state summary, as of June 2015, of enacted and introduced breach legislation). In addition, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted legislation requiring notification to indi- viduals of security breaches of information involving personally identifiable information. Id. 502 Id. 503 Id. 504 Id. See, e.g., flA. sTAT. § 501.171 (2014); CAl. Civ. Code § 1789.81.5 (West 2014). 505 Ponemon insT., 2014 CosT of dATA breACh sTUdy: UniTed sTATes (2014), http://essextec.com/sites/default/ files/2014%20Cost%20of%20Data%20Breach%20Study. PDF. According to the Ponemon Institute study, in 2013, the average cost for each lost or stolen record contain- ing sensitive and confidential information was $201 per record. Id. at 5. The total average cost paid by organiza- tions was $5.9 million. Id. at 2.

64 222 of the Telecommunications Act of 1996 provides privacy protection for what the Act calls “consumer proprietary network information” (CPNI).508 The Act defines CPNI as “information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecom- munications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship,” as well as informa- tion contained in conventional telephone bills.509 The FCC has been aggressive in enforcing CPNI privacy protections,510 as they apply to mobile wireless Inter- net access providers. In March 2015, the FCC adopted its “Open Inter- net Order”511 that classifies mobile as well as fixed broadband Internet access service as a telecommu- nications service regulated under Title II of the Communications Act. Under Title II, CPNI privacy protections apply. How this new Open Internet Order affects wireless communications to and from vehicles is somewhat uncertain, because the FCC apparently intends not to apply the new Open Inter- net Order to communications services that are not “Basic Internet Access Services.” The FCC Order refers to “limited-purpose devices such as automo- bile telematics” as an example of the type of non- basic Internet services that the FCC has decided to continue to monitor, rather than regulate as Title II telecommunications services. There is substantial controversy over consumer privacy aspects of the FCC Open Internet Order as it applies to Internet services. For example, the Fed- eral Trade Commission (FTC) contends that the FTC has primary jurisdiction over Internet privacy matters. Although FCC vehicle communications pri- vacy issues appear to be temporarily in abeyance, it is very likely that there will be enhanced privacy regulation of vehicle communications over the Inter- net as driverless vehicles become generally avail- able to consumers. c. Federal Trade Commission Act—The Federal Trade Commission protects consumer privacy and security under its Section 5 authority over “unfair or deceptive acts or practices in or affecting harm to business reputation.506 Over time, these laws have tended to become increasingly strict. They will apply to driverless vehicle manufacturers, sell- ers, ride service companies, and indeed, all entities that collect personal information associated with driverless vehicles. It is not certain whether in the future Congress will enact a national privacy breach statute, or whether state legislatures will specifically adapt their privacy breach laws to information associated with driverless vehicles. If national legislation is enacted to federally regulate driverless vehicles, national privacy protections for personal informa- tion related to driverless vehicles would probably be included in that legislation. 2. Communications Privacy Laws A number of federal communications statutes will protect the privacy of communications to and from driverless vehicles. The specific communica- tions technologies used in a driverless vehicle will determine how communications privacy laws will apply to that particular driverless vehicle. a. Electronic Communications Privacy Act.—The Electronic Communications Privacy Act (ECPA)507 will prohibit unauthorized interception of most elec- tronic communications to and from driverless vehi- cles. There has been considerable congressional inter- est in replacing the 3-decades-old ECPA with a communications privacy statute more in sync with 21st-century communications technologies. Although such legislation has not been passed by both houses of Congress, some form of revised electronic communica- tions privacy legislation is likely to be enacted eventu- ally, perhaps by the time driverless vehicles become generally available. To the extent that particular wireless characteristics of driverless vehicle commu- nications appear to require separate legal protection or regulation, it may become necessary to enact a sep- arate regulatory system to protect the privacy of com- munications associated with these vehicles. b. Telecommunications Act of 1996—Consumer Proprietary Network Information (CPNI)—Section 506 See, e.g., Press Release, Semafone, 86% of Custom- ers Would Shun Brands Following a Data Breach (Mar. 27, 2014), https://www.semafone.com/86-customers-shun- brands-following-data-breach/. In a survey of 2000 respon- dents, 87 percent of customers responded they would avoid brands following a data breach of credit or debit card person- al data. Id. Where data breaches involved home addresses or telephone numbers, 83 percent of customers replied that they would not likely do business with the privacy-breaching organization again. Id. 507 Electronic Communications Privacy Act, Pub. L. No. 99-508, 100 Stat. 1848 (1986) (codified as amended at various provisions of Title 18 of the United States Code (2012)). 508 47 U.S.C. § 222 (2012). 509 47 U.S.C. § 222(h)(1)(A) (2012). 510 For example, in 2014 Verizon agreed to a Consent Decree amounting to $7,400,000 to settle FCC com- plaints about misuse of customers’ private informa- tion. In the Matter of Verizon, FCC Order File No.: EB- TCD-13-00007027 (Sept. 2, 2014). 511 fed. Comm. Com., “Protecting and Promoting the Open Internet” GN Docket No. 14-28, Report and Order on Remand, Declaratory Ruling, and Order, March 12, 2015.

65 personal information security and physical security from stalkers, many of these issues also involve security, Section VII.C, infra. a. Private-Sector Tracking.—There are at pres- ent relatively few laws that apply to private sector tracking and surveillance based on driverless vehicles. However, there have been heated policy discussions about tracking the locations and trav- els of individuals through ride service companies, such as Uber. Uber has been a particular focus of surveillance privacy concerns.517 Uber’s controver- sial 2015 “Privacy Statement”518 is both shorter than earlier versions and far more transparent about the wide scope of detailed user information collected and shared by Uber. A driverless vehicle version of this type of on-demand ride service would present similar opportunities for surveil- lance of users. b. Law Enforcement and National Security Sur- veillance.—Some laws that protect communica- tions privacy also authorize government intercep- tion and electronic surveillance, provided a warrant, or at least an administrative order, is secured. For example, in addition to protections against interception of wireless communications, the Electronic Communications Privacy Act (ECPA) provides for enhanced law enforcement access to communications and records related to driverless vehicles.519 For example, driverless vehicles that have access to public telephone networks or the Internet will be subject to the Communications Assistance for Law Enforcement Act (CALEA).520 CALEA requires commerce.”512 The Commission has been active in both studying and bringing enforcement actions against Internet companies that promise privacy and security of personal information, but fail to pro- vide it.513 In January 2015, the Commission issued a staff report in which both connected and driverless vehicles are discussed as examples of the Internet of Things that require privacy protection.514 In March 2015, the Commission established an Office of Technology Research and Investigation (OTRI) to research technology issues regarding “privacy, data security, connected cars, smart homes, algorithmic transparency, emerging pay- ment methods, big data, and the Internet of Things” (emphasis added).515 The Office will con- duct research regarding such devices as connected cars with Mobile Wireless communications that are connected to the Internet. The FTC’s Chief Technologist, Ashkan Soltani, describes a broad array of “investigative research on technology issues involving all facets of the FTC’s consumer protection mission, including privacy, data secu- rity, connected cars” (emphasis added).516 In short, the FTC expects to play a major role in consumer privacy aspects of driverless vehicles. 3. Surveillance Privacy Potential use of a driverless vehicle, or personal data derived from a driverless vehicle, for surveil- lance of a person (or persons) associated with the vehicle will depend on the electronic systems and technologies contained in the vehicle. Concerns about surveillance focus on tracking an individual’s movements and location either by private-sector entities or by government law enforcement and national security agencies. In matters related to 512 15 U.S.C. § 45 (2012). 513 fed. TrAde Comm’n, ProTeCTing ConsUmer PrivACy in An erA of rAPid ChAnge: reCommendATions for bUsinesses And PoliCymAkers (2012) https://www.ftc.gov/sites/default/ files/documents/reports/federal-trade-commission-report- protecting-consumer-privacy-era-rapid-change-recomm endations/120326privacyreport.pdf. The United States Court of Appeals for the Third Circuit ruled in favor of such an FTC enforcement action in FTC. v. Wyndham Worldwide Corp., No. 14-3414, 2015 U.S. Dist. LEXIS 14839 (3d Cir. Aug. 24, 2015). 514 fed. TrAde Comm’n, The inTerneT of Things: PrivACy And seCUriTy in A ConneCTed World (2015), https://www. ftc.gov/system/files/documents/reports/federal-trade- commission-staff-report-november-2013-workshop- entitled-internet-things-privacy/150127iotrpt.pdf. 515 Ashkan Soltani, Booting up a new research office at the FTC, TeCh@fTC blog (Mar. 23, 2015), https://www. ftc.gov/news-events/blogs/techftc/2015/03/booting-new- research-office-ftc. 516 Id. 517 Controversy over a program, which Uber once called “God’s View” of its users, is instructive. Peter Sims, a tech- nology writer, discovered that his location was secretly being tracked by Uber and asked in a blog post “can we trust Uber?” Peter Sims, Can We Trust Uber?, MEDIUM (Sept. 26, 2014), https://medium.com/@petersimsie/can-we- trust-uber-c0e793deda36.). Eventually, Senator Al Franken sent an inquiry to Uber, which reacted by having a “pri- vacy audit” conducted by a major Washington, D.C., law firm and stating that “God View” of Uber patrons was no longer used. See Douglas Macmillan, Will Uber’s Pri- vacy Updates Satisfy Congress?, WAll. sT. J. (Feb. 2, 2015, 2:09 PM), http://blogs.wsj.com/digits/2015/02/02/will-ubers- privacy-updates-satisfy-congress. 518 Uber Privacy Statement, Uber (effective July 15, 2015), https://www.uber.com/legal/privacy-proposed/users/en. 519 With regard to unencrypted DSRC basic safety mes- sages to be transmitted in the clear, the ECPA does not apply at all. 18 U.S.C. § 2510(16) (2012) (providing that such broadcast unencrypted communications—e.g., the DSRC Basic Safety Message—are “readily accessible to the gen- eral public” and therefore not protected under the ECPA). 520 See 47 U.S.C. §§ 1001–1010 (2012).

66 material to a criminal investigation.527 Court deci- sions have taken varied approaches to permitting law enforcement access to mobile device informa- tion held by telecommunications carriers under the Stored Communications Act.528 National security access to driverless vehicle data is governed by the Foreign Intelligence Sur- veillance Act (FISA)529 and portions of the USA PATRIOT Act. Although the controversial Section 215 of the PATRIOT Act (used as a basis for collect- ing telephone metadata) has expired, national security surveillance will continue under existing law and executive orders. These surveillance activi- ties would likely find driverless vehicles productive sources of information about a person of interest’s past locations as well as real-time whereabouts.530 A Wall Street Journal opinion piece about driver- less vehicles concluded with an apt warning: “The privacy revolt that civil libertarians imagine they are seeing over the silly issue of telephone meta- data [Section 215] will be nothing when the Ameri- can people discover how much of their freedom, autonomy and privacy will be sacrificed to enable the wonders of self-driving cars.”531 c. Location Privacy Legislation.—By the time driverless vehicles become available to consumers, it is likely that privacy legislation designed to protect information about an individual’s location will be enacted. Already, federal legislation532 restricts the Department of Transportation from using fiscal year 2015 funds “to mandate global positioning sys- tem (GPS) tracking in private passenger motor vehi- cles without providing full and appropriate consid- eration of privacy concerns” under the Administrative telecommunications carriers to assist law enforcement in gaining access to telecommunications networks.521 In 2005, the FCC, which has jurisdiction to prescribe “such rules as are necessary to implement” CALEA requirements,522 extended CALEA’s reach to Voice over Internet Protocol (VoIP) and facilities-based broad- band.523 As a result, driverless vehicles using Wireless Mobility applications will have law enforcement access built into their communications systems. In contrast, driverless vehicles that communicate only over DSRC V2V closed safety networks appear likely to avoid having to comply with CALEA access by law enforcement. As currently designed, V2V communications take place over ad hoc, private, closed networks that do not interconnect with public telephone systems or the Internet.524 However, if DSRC V2V were expanded to V2I (e.g., with Internet communications to traffic management centers), these communications would probably be intercon- nected with public Internet or telephone systems. Such communications connected with telephone or Internet networks would be subject to CALEA law enforcement access requirements.525 The Stored Communications Act526 will facili- tate law enforcement access to driverless vehicle communications. Such access to stored data related to communications often only requires a subpoena or a “2703(d) order” based on a reason- able belief that the records are relevant and 527 See id, specifically 18 U.S.C. § 2703(d). 528 See Zachary Ross, Bridging the Cellular Divide: A Search for Consensus Regarding Law Enforcement Access to Historical Cell Data, 35 CArdozo l. rev. 1185 (2014) (discussing the disagreement among courts with regard to 18 U.S.C. § 2703(d) orders). 529 A Foreign Intelligence Surveillance Act (FISA) order under 50 U.S.C. § 1801 (2012) could authorize interception of connected vehicle communications involving foreign powers or agents of foreign powers. 530 See Stephen Vladeck, Forget the Patriot Act – Here Are the Privacy Violations You Should Be Worried About, foreign PoliCy (June 1, 2015), http://foreignpolicy.com/ 2015/06/01/section-215-patriot-act-expires-surveillance- continues-fisa-court-metadata/ (“America hasn’t even begun to have a meaningful debate about curtailing the government’s right to spy on citizens.”). (Must register to view article.) 531 Holman W. Jenkins, Jr., When Robo-Cars Crash, It’s Your Fault, WAll sT. J. (June 9, 2015), http://www.wsj.com/ articles/when-robo-cars-crash-its-your-fault-1433891675. 532 Fiscal Year 2015 Consolidated and Further Continu- ing Appropriation, Pub. L. No. 113-235, Div. K, § 417, 128 Stat. 2130 (2015). 521 47 U.S.C. § 1002(a)(1) (2012). CALEA requires every “telecommunications carrier” to ensure that equipment, facilities, or services that provide a customer or subscriber with the ability to originate, terminate, or direct communications are capable of—expeditiously isolating and enabling the government, pursuant to a court order or other lawful authorization, to intercept, to the exclusion of any other communications, all wire and electronic communica- tions carried by the carrier within a service area. Id. 522 Id. at 14. 523 See Communications Assistance for Law Enforce- ment Act and Broadband Access and Services, 20 FCC Rcd. 14989, 14993 (2005). 524 NHTSA reAdiness rePorT, supra note 216, at xviii. 525 Communications Assistance for Law Enforcement Act and Broadband Access and Services, 20 FCC Rcd. 14989, 14993 (2005). The 2005 FCC order extending CALEA to VoIP and facilities-based broadband notes three factors that cause a network to be subject to CALEA compliance: 1) electronic communication switching or transmission; 2) replacement for local telephone service; and 3) the public interest in CALEA’s application. The sec- ond factor, known as Substantial Replacement Provision (SRP), has in the past been most important. However, the third factor, public interest in CALEA’s application, might be a basis for applying CALEA. 526 18 U.S.C. §§ 2701–2712 (2012).

67 endangering the vehicle, its contents, and those around it. Driverless vehicle communications (dis- closing, for example, the vehicle’s location or intended destination) can be intercepted. Bogus information can be sent to misdirect a driverless vehicle. Both sensors and actuators can be disabled or taken over by remote commands. The notorious hacking of a Jeep Cherokee by security researchers, who remotely took control of vehicle systems, such as steering, illustrates the reality of such threats.534 The unpre- dictability of future avenues of attacks against driv- erless vehicle systems makes guarding against such threats difficult to anticipate and to block. Although legal policy questions about how best to assure the security of driverless vehicles have been asked, there is, as yet, no legislation or regula- tion requiring specific types or levels of security for driverless vehicles. The absence of such security assurance appears to be among the reasons why the California DMV delayed adoption of opera- tional regulations to permit driverless vehicles to be operated by the public in California. Of the many unknowns about laws that will apply to driverless vehicles, security laws are among the most obscure. Technical aspects of secu- rity for driverless vehicle systems are not at pres- ent well understood, despite the fact that they are vitally important. According to a Utah State Uni- versity researcher, Ryan Gerdes, “[s]ecurity in this [driverless car] realm really just hasn’t been touched…. Vehicle communication can be jammed, sensors can be jammed, and attackers could try to do just about anything to cause the system to be unsafe.”535 Technical policy questions about how best to provide security for autonomous cars are only just beginning to be asked. Answers, which can be turned into legal rules and standards, will need to be in place before driverless vehicles can safely travel on public roads. Interrelationships between security and privacy with regard to personal information are reflected in existing regulatory activities by the Federal Trade Commission (FTC) discussed above. The Commis- sion has brought a series of groundbreaking enforce- ment actions against lax information security as Procedure Act. This statutory provision prohibits use of federal funds for certain aspects of driverless vehicle development that involve location tracking using GPS signals. Since most experimental driver- less vehicles depend on GPS systems, the provision appears to apply to existing driverless automated and connected vehicle funding. Further location privacy protection legislation is likely at both the federal and state levels. For example, the “Geolocation Privacy and Surveil- lance Act” (GPS Act), S. 237 (2015) and H.R. 491 (2015), was reintroduced in the 114th Congress by Senator Ron Wyden and Representative Jason Chaffetz. The GPS Act would prohibit businesses from disclosing geographical tracking data. It also provides guidelines for when and how geolocation information can be accessed and used. The pro- posed legislation requires government agencies to have probable cause warrants to obtain geoloca- tion information. In addition, Representative Zoe Lofgren has reintroduced the “Online Communica- tions and Geolocation Protection Act,” H.R. 983, that contains provisions similar to the GPS Act, as well as safeguards for online communications. Because driverless cars will be tempting sources of location information, location privacy legislation specific to driverless vehicles is possible. In any event, additional legislation is likely to be enacted to protect location information about individuals or to restrict collection or disclosure of geolocation infor- mation from mobile devices, including vehicles, without the user’s consent. C. Security Laws Related to privacy laws discussed above, security laws set standards for data, network hardware, and other security. Cybersecurity is the term often used in regard to securing digital technologies, such as those in driverless vehicles, against external threats. Driverless vehicles will become part of the nation’s critical transportation infrastructure. Currently under development, standards for cybersecurity in this context will need to be in place and reflected in legal requirements. Driverless vehicles will depend on automated con- trol systems that are particularly vulnerable to sophisticated malware, such as Stuxnet, which was used against Iranian network control software in 2010.533 Such security threats aimed at automated control systems can jam these control systems, 533 The Stuxnet virus became infamous in 2010 because of its unprecedented ability to use network controllers to destroy physical infrastructure. See Kim Zetter, An Unprec- edented Look at Stuxnet, The World’s First Digital Weapon, Wired (Nov. 3, 2014), http://www.wired.com/2014/11/count- down-to-zero-day-stuxnet/. 534 Greenberg, supra note 194. 535 Press Release, Utah State Univ. Coll. of Eng’g, Secu- rity Questions Abound as Autonomous Vehicles Emerge (Aug. 19, 2014), http://www.engineering.usu.edu/htm/ news/articleID=25775 (discussing how “the multi-disci- plinary research group will address driverless vehicle system security from bumper to bumper”); see also Alexis C. Madrigal, When Cars Are as Hackable as Cell Phones, ATlAnTiC (Sept. 8, 2014), http://www.theatlantic.com/ technology/archive/2014/09/when-cars-are-as-hackable- as-cell-phones/379734/.

68 Technical research is under way regarding these and other driverless vehicle security issues.540 How- ever, security standards are not yet in place.541 In 2014, the Alliance of Automobile Manufactur- ers and the Association of Global Automakers estab- lished a program to collect and share information about existing or potential cyber-related threats and vulnerabilities in motor vehicle electronics or net- works. They established a formal Information Shar- ing and Analysis Center (called an Auto-ISAC). In January 2015, Alliance spokesperson Wade Newton reported, “The industry is in the early stages of establishing a voluntary automobile industry sector information sharing and analysis center—or other comparable program—for collecting and sharing information about existing or potential cyber-related threats.”542 Whether this effort will produce signifi- cant security breakthroughs remains to be seen. In the meantime, the National Institute of Stan- dards and Technology (NIST) has considered secu- rity issues of this type for some time. For example, guidance useful for security management for driver- less vehicles is available in the 2013 comprehensive update to NIST’s Security and Privacy Controls for Federal Information Systems and Organizations.543 A 2015 proposed update to NIST’s Guide to Indus- trial Control Systems (ICS) Security544 provides tai- lored guidance regarding specialized security needs in such industries as vehicle manufacturing. Appen- dix G to the Guide interrelates updated Industrial Control System security guidance with the 2013 Security and Privacy Controls.545 Although this NIST guidance focuses on federal information sys- tems management, it suggests some of the types of security standards that will need to be in place for driverless vehicles. Copyrighted software provides important opera- tion and control systems for advanced vehicles, including driverless vehicles. Security for this soft- ware programming is itself protected in part by “unfair trade practices.” A number of successful enforcement actions have been brought against companies that collected personal information over the Internet but failed to secure it.536 Because driv- erless cars will be consumer products, they will be subject to FTC scrutiny with regard to the security of personally identifiable information as part of pri- vacy protection. If NHTSA eventually adopts requirements that all new passenger cars and light trucks have embedded DSRC devices, security requirements for the resulting V2V ad hoc communications networks will be essen- tial. A “Readiness Report” accompanying NHTSA’s 2014 Advance Notice of Proposed Rulemaking, regard- ing requiring DSRC equipment as a Federal Motor Vehicle Safety Standard, sketched a security manage- ment system. The described Public Key Encryption (PKI) security certificate management system537 may not be sufficiently robust. Vehicle security experts dis- agree about whether NHTSA’s proposed security management system is sufficient. Moreover, the sys- tem outlined by NHTSA in its Readiness Report is not proposed for vehicles beyond passenger cars and light trucks. Other vehicles, including heavy trucks and buses, are likely to use DSRC. They also will require strong security requirements for the safe operation of such vehicles, as well as their data exchanges with passenger cars and light trucks. In addition to communications security, the potential for external control over and manipulation of driverless cars presents distinct security chal- lenges. Experimenters have gained extensive remote access to automated vehicle functions in conven- tional vehicles.538 Several strategies have been used to seize control over autonomous cars remotely, including 1) providing bogus input information that misdirects the autonomous car to take a particular action or actions; or 2) taking over autonomous car operations through malware or remote control.539 536 See LabMD, Inc. v. FTC, 776 F.3d 1275 (11th Cir. 2015); FTC. v. Wyndham Worldwide Corp., No. 14-3414, 2015 U.S. Dist. LEXIS 14839 (3d Cir. Aug. 24, 2015). Accord- ing to the National Law Journal, the FTC had settled 53 of these security-breach privacy cases through January 2015. Jenna Greene, FTC Stakes Claim As Data Security Cop, nAT’l L.J. (Jan. 23, 2015), http://www.nationallawjournal. com/id=1202715977568/FTC-Stakes-Claim-As-Data- Security-Cop. 537 NHTSA reAdiness rePorT, supra note 217. 538 John Markoff, Researchers Show How a Car’s Elec- tronics Can Be Taken Over Remotely, N.Y. Times (Mar. 9, 2011), http://www.nytimes.com/2011/03/10/business/ 10hack.html. miller & vAlAsek, supra note 203. 539 sen. ed mArkey, TrACking & hACking: seCUriTy & PrivACy gAPs PUT AmeriCAn drivers AT risk 3 (2015), http:// www.markey.senate.gov/imo/media/doc/2015-02-06_ MarkeyReport-Tracking_Hacking_CarSecurity%202.pdf. 540 Id. 541 Id. at 2. 542 Andy Greenberg, Senate Report Slams Automak- ers for Leaving Cars Vulnerable to Hackers, Wired (Feb. 9, 2015), http://www.wired.com/2015/02/heres-full-senate- report-shaming-automakers-security/. 543 nAT’l insT. of sTAndArds And TeCh., U.s. deP’T of CommerCe, seCUriTy And PrivACy ConTrols for federAl informATion sysTems And orgAnizATions (2013), http:// nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST. SP.800-53r4.pdf. 544 nAT’l insT. of sTAndArds And TeCh., U.s. deP’T of CommerCe, Guide to Industrial Control System (ICS) Security (2015), http://csrc.nist.gov/publications/Pubs- Drafts.html#SP-800-82-Rev.2. 545 Id. at app. G.