A Congressional measure that supposedly increases the security of "connected" cars could actually make drivers less safe, a Federal Trade Commission official cautioned today.
In testimony before the House Energy and Commerce Committee, FTC Associate Director Maneesha Mithal said the committee's draft bill “could substantially weaken the security and privacy protections that consumers have today.”
The committee's bill would provide a fine of up to $100,000 for anyone who hacks into a connected car. The problem, Mithal said, is that the measure could discourage researchers who hack into cars to find vulnerabilities and then inform the car companies of those vulnerabilities.
Mithal also said in prepared testimony that the proposed "safe harbor" for auto manufacturers who submit privacy policies to the Department of Transportation was possibly too broad, allowing manufacturers a safe harbor from FTC enforcement actions even for privacy policies that significantly limit consumer protections, and even if they do not follow the terms of the privacy policies they submit.
In addition, the safe harbor would prevent the FTC from taking action related to privacy issues beyond a manufacturer’s cars, including its use of consumer data collected from its websites, Mithal said. Finally, the safe harbor would allow manufacturers to make changes to privacy policies that would apply retroactively to consumer data that was collected previously.
Mithal's testimony also expressed concern with provisions of the draft legislation regarding the creation of a council to develop cybersecurity best practices for the industry.
Specifically, the council, which would operate by a simple majority, would include enough industry representatives so that they could act without support from government or consumer advocates on the council.