FPF Comments on NHTSA’s V2V Rulemaking

Yesterday, the Future of Privacy Forum submitted written comments to the Department of Transportation and National Highway Traffic Safety Administration in response to their Notice of Proposed Rulemaking on Vehicle to Vehicle Communications.

FPF commends NHTSA for its work to introduce a Vehicle to Vehicle (V2V) Communications system that takes privacy seriously in both the design and implementation of the system. We agree that great gains in road safety can result from broad-scale application of crash avoidance technologies like V2V. Overall, FPF supports NHTSA’s approach to consumer privacy and the seriousness with which NHTSA has engaged this topic, working with partners to design a system that includes multiple technical, physical, and organizational controls to help limit potential privacy impacts on consumers. In our comments, FPF describes measures that could help clarify or bolster these privacy safeguards.

FPF is encouraged by NHTSA’s “privacy by design” approach to building this system, by taking privacy into account throughout the entire engineering process from the earliest design stages to the operation of the system. We also commend NHTSA for working with partners in order to implement layers of technical, policy and physical controls to mitigate potential privacy impacts of the V2V system; we agree that the proposed rule’s ongoing privacy risk analysis is a crucial component of the V2V system.

FPF recommends that NHTSA:

1. improve the contemplated privacy notice in terms of content, usability, and delivery mechanisms, and undertake the proposed consumer education efforts;
2. retain the proposed rule’s approach to defining Personally Identifiable Information—an approach that is consistent with the Federal Trade Commission and other Federal entities’ definitions;
3. work with other regulators and partners to identify any protective technical or legal control that could limit third party collection, aggregation, or sale of V2V data, including considering encryption or higher Pseudonym Certificate rotation rates;
4. consider what sorts of consumer privacy controls are appropriate (e.g. opt-out), when such choices are appropriate, and how such choices can be presented in the context of the operators’ relationships with vehicles and service providers;
5. ensure oversight and accountability mechanisms for the security entity within the proposed rule’s credential management system;
6. continue to study and mitigate the residual privacy risks created by the proposed rule.

This NPRM is an important step toward safer roads, and our analysis indicates that the proposed Rule includes thoughtful, careful privacy protections in a complex system. We urge the Administration to consider our recommendations and outstanding questions to improve the final regulation. We thank NHTSA for recognizing the importance of privacy in the context of V2V technologies, and look forward to remaining engaged as the rulemaking advances.

Read the full comments here.