Data leakage from cars is more terrifying than smart phones, so who should the data be saved by?

【PCauto】On the morning of January 1, 2025 (local time in the U.S.), a Cybertruck exploded outside the Trump International Hotel in Las Vegas.

Shortly thereafter, Elon Musk exemplified a textbook approach to public relations. Many media outlets implied that the explosion was the result of a malfunction in Cybertruck. In response, Musk immediately expressed his opinion at X, proclaiming it was a terrorist attack, and "All vehicle telemetry was positive at the time of the explosion."

His statement implied that the explosion was not attributable to a malfunction of Cybertruck. A subsequent investigation by FBI verified that the explosion was caused by explosives within the car, such as fireworks. Following FBI's findings, Musk indicated his intention to pursue legal action against those media outlets that misled the public.

However, immediate inquiries arose regarding how Musk remotely accessed the Cybertruck without a search warrant.

Musk refrained from providing a direct response. However, some others gave the answer.

It seems reasonable that, since the advent of smartphones, it has become customary for companies to have access to users' personal information and data.

Data is more likely to be exploited by malicious actors

In this explosion outside the Trump International Hotel, Musk presented a commendable example for data use: an individual utilized Cybertruck to commit a crime, and Tesla helped FBI to resolve the case more swiftly, which was reasonable.

In comparison to Musk's positive involvement, it is noteworthy that many individuals tend to betray user data for benefits. Therefore, while automakers collect considerable amounts of user information, this likewise engenders substantial risks related to data breaches. In fact, the ramifications of automotive data leakage can often eclipse those stemming from smartphone data breaches.

Recently, Volkswagen accidentally disclosed the data of 800,000 vehicles, including geographical locations, owner identities, and travel trajectories. Among the information that was leaked were the movements of two German politicians, one of whom regularly visited a nursing home to see his father, as well as a military camp. Additionally, the real-time locations of 35 patrol cars from the Hamburg police department were compromised.

Prior to Volkswagen's incident, in 2022, the Chinese automaker NIO also experienced a significant data breach, resulting in extortion demands for USD 2.25 million or the equivalent in Bitcoin. This data breach involved 228,000 records of NIO employees, including that of the CEO, alongside 3,990,000 user identity records and 65,000 user addresses. The data was sold by the blackmailers in batches at a price of 0.15 Bitcoin.

However, this situation constitutes more than a mere data breach. Automotive cameras also pose serious privacy concerns. In a related incident in 2024 in China, a HiPhi female car owner experienced a violation of privacy when an inappropriate video recorded by her vehicle's interior camera was widely disseminated. HiPhi officials later denied any potential for unauthorized recording or remote retrieval of the video. Nevertheless, other car owners mentioned that HiPhi vehicles could access recorded videos from other vehicles through its social features.

Leaked data may allow others to predict your actions and intentions

For instance, regarding the data breaches involving Volkswagen's 800,000 vehicles, terrorists could easily deduce the movements of those two German politicians on a Wednesday afternoon, facilitating targeted attacks. They might also calculate the expected arrival times of the 35 Hamburg police patrol cars at a crime scene, thereby enabling them to evade capture.

To put it in a way closer to our lives, automakers can record instances of users exceeding speed limits, evaluate potential danger regarding user behavior, and communicate such information to insurance companies for premium adjustments. They could also supply car wash companies with information on users’ locations and visit frequencies for targeted marketing purposes.

This is not merely alarmist. At least some subscription services have already begun exploiting user data. Some companies, upon acquiring access to user data, initiate strategies to exploit user value and amplify social wealth.

The one holds data holds the power

Consider a hypothetical scenario: TOYOTA sells over 10 million vehicles globally each year, establishing itself as the largest automotive group. In Thailand, TOYOTA commands a market share exceeding 38.3%, adding approximately 247,000 new TOYOTA vehicles on Thai roads annually.

Assuming that every TOYOTA vehicle is equipped with GPS technology and that TOYOTA can continuously monitor their GPS trajectories, the company's understanding of Thai road conditions could surpass that of the Department of Highways (DoH) and the Department of Rural Roads (RTA).

TOYOTA could even discern which roads a Hilux can go that a Yaris cannot, or assess road conditions based on vehicle passage speeds, thus making TOYOTA's proposals for infrastructure improvements more effective than those put forth by the DoH and RTA. Over time, TOYOTA would accumulate considerable influence.

It is critical to emphasize that this is just a hypothetical scenario. A government would be unlikely to permit a foreign automotive company to operate in such a way.

Particularly in China, local governments have prohibited Tesla vehicles from entering government offices and military installations due to concerns that Tesla's extensive camera systems could capture sensitive information and transmit it back to the United States, along with precise GPS coordinates. This represents a significant national security concern, especially given Tesla's status as an American company.

Even if Tesla use the data to develop its autonomous driving system rather than communicate it to the U.S. government, both China and the Chinese people would not expect Tesla's autonomous systems being more knowledgeable about the locations of military facilities, nor would they favor a car manufacturer holds sway over government planning decisions.

When a corporation possesses extensive societal data, its capacity to influence decision-making may exceed that of governmental entities, akin to online retailers having a closer understanding of their customers than those customers' own families. In this way, corporations may wield more power than governmental institutions. This power is not conferred by the citizenry or leaders; rather, it is amassed through the existence of information barriers.

Data access should be entrusted to the government

As modern vehicles increasingly incorporate Vehicle-to-Everything (V2X) communications and applications—vast amounts of data has emerged—ownership of data will inevitably gravitate toward certain organizations. According to the Coase Theorem in economics, data will end up in the hands of whoever can exploit it optimally.

For common people, fragmented data makes no sense. However, consolidating that data within companies or government entities significantly alters its value. Between these two options, it is preferable for the government to retain ownership of the data. It is advantageous for law enforcement to employ data in apprehending criminals more effectively than for corporations to devise strategies for extracting financial gain from consumers.

How to protect data well?

At this point, I express my gratitude for not being employed by the government, as this poses an exceptionally complex challenge. I can only cite examples of how various nations address data security.

Germany has set a benchmark in data protection legislation that serves as a valuable reference. The Federal Data Protection Act (BDSG) mandates that companies handling user data appoint Data Protection Officers, who function as government-appointed supervisors tasked with enforcing the BDSG.

In terms of enforcement, the Chinese government excels in two significant areas. Firstly, it mandates that Apple retain user data within China. Secondly, the Chinese government imposed fines totaling 8.026 billion RMB (approximately RM 4.93 billion) on the ride-hailing platform DiDi for excessive data collection, involving numerous addresses and travel trajectories that posed national security risks.

However, as global terrorist threats escalate, Germany's perspective on data is undergoing a transformation, increasingly aligning with China's approach. Germany is progressively revising the BDSG to enhance governmental collection and utilization of citizens' personal data, thereby bolstering law enforcement capacities. The palpable benefits, as exemplified by Musk's collaboration with FBI in investigating the Cybertruck explosion case, have already become evident.