Framework for Security and Privacy in Automotive Telematics

Sastry Duri, Marco Gruteser, Xuan Liu, Paul Moskowitz, Ronald Perez, Moninder Singh, Jung-Mu Tang
IBM Thomas J. Watson Research Center
19 Skyline Drive
Hawthorne, New York 10532

ABSTRACT

Automotive telematics may be defined as the information-intensive applications that are being enabled for vehicles by a combination of telecommunications and computing technology. Telematics by its nature requires the capture of sensor data, storage and exchange of data to obtain remote services. In order for automotive telematics to grow to its full potential, telematics data must be protected. Data protection must include privacy and security for end-users, service providers and application providers. In this paper, we propose a new framework for data protection that is built on the foundation of privacy and security technologies. The privacy technology enables users and service providers to define flexible data and policy models. The security technology provides traditional capabilities such as encryption, authentication and non-repudiation. In addition, it provides secure environments for protected execution, which is essential to limiting data access to specific purposes.

Categories and Subject Descriptors

D.4.6 [Operating Systems]: Security and Protection – Access controls, Information flow controls

General Terms

Security.

Keywords

Automotive Telematics, Privacy, Privacy Policies, Security

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. WMC’02, September 28, 2002, Atlanta, Georgia. Copyright 2002 ACM 1-58113-000-0/00/0000…$5.00.

1. INTRODUCTION

Automotive telematics may be defined as the information-intensive applications that are being enabled for vehicles by a combination of telecommunications and computing technology. The automobile is, in effect, a computing platform to which mobile commerce services may be delivered. The services being delivered today on a regular basis and projected for the near future include navigation information, emergency roadside assistance, location-based services, delivery of digital information such as e-mail, entertainment, diagnostics and prognostics, and pay-for-use rental and insurance. These applications are enabled by the collection and use of data which may include information on the location of a vehicle as a function of time, emergency situations including accidents and personal health emergencies, diagnostic data on the many systems within the vehicle, services and entertainment that are selected by the vehicle occupants, the demographics of the driver and passengers, and the behavior of the vehicle driver.

We can compare the growing automotive e-commerce telematics industry with that of the Web. The growth of e-commerce on the World Wide Web has been limited by the reluctance of consumers to release personal information. In “Building Consumer Trust in Online Environments” [1] the authors find that “Fully 94 percent of Web users have declined to provide personal information to Web sites at one time or another when asked and 40 percent who have provided demographic data have gone to the trouble of fabricating it”. If potential automotive telematics users share the concerns of Web users, then a large segment of the potential telematics market, perhaps as much as fifty percent, may be lost.

There is a significant potential for the misuse of collected data. End users or consumers may substitute false data or hack into in-vehicle applications. Telematics service providers and application providers may sell consumers’ data to third parties without the permission of the consumers. Although there are no current US regulations in place to “safeguard” the information collected, certain existing European regulations, and pending US and European statutes, may soon impose strict controls on the collection, use, and storage of information about individuals. In general, telematics applications will be successful if providers know that the data that they receive is accurate and if end users know that their privacy is assured. Thus, data must be protected. Users must be assured that their privacy is respected and that security is in place to protect data from being divulged to unauthorized entities. Data protection consists of providing both privacy and security protection. Our goal is to achieve that protection while enabling the sharing of data.

Privacy protection today at a fundamental level requires a user to trust service providers to handle personal data according to stated terms. There is a certain degree of goodwill that is at stake to prevent a service provider from using the data in an inappropriate manner. However, there are no safeguards in place to prevent inappropriate use of data, and no protection from insider abuse.

Likewise, there are no protections to assure a vehicle user that applications that are running in the car are secure. Kingpin and Mudge [2][3] analyze the susceptibility of portable devices, primarily PDAs, to attack by malicious code. They make the point that you cannot have a secure application without a secure foundation. As with PDAs, it is key to the future of automotive telematics that end users, telematics and application service providers be assured of the security of their systems from end to end. Security is a broad term encompassing many concepts and elements including confidentiality/secrecy (including privacy), integrity, and availability [15]. Security and privacy threats to systems similar to those used and being proposed for automotive telematics infrastructures have been studied for quite some time (e.g., see [16,23]). Here, our security focus will be on assuring the privacy and integrity of telematics information – user data, vehicle data, time and location information, and even executable software – that is generated or stored in, or transmitted to/from, the in-vehicle client platform during its lifecycle.

In the following sections of this paper we provide a description of an automotive telematics application and a scenario, the challenges posed by automotive telematics data, and an overview of the privacy technology used in the proposed framework. We then detail the proposed data protection framework, and conclude the paper with a summary of our work.

2. AUTOMOTIVE TELEMATICS APPLICATION

[Figure 1: Automotive Telematics System Overview]

Figure 1 shows an overview of a typical automotive telematics application. Cars shown in the picture are equipped with a wireless communication device, a variety of sensors, and a car computer that has a display, sufficient memory, storage, and processing to run complex embedded applications and middleware. The car computer interfaces to the car bus and other car sensors, for example a Global Positioning System (GPS) sensor, and collects car engine performance data, safety information, and car location.

Car users subscribe to a telematics service provider (TSP) to get a variety of services from application service providers (ASP), which include Pay-for-Use Insurance, Information, and Car Care and Emergency Assistance as shown in Figure 1. In order to get services from an ASP, a car user needs to send some or all of the information collected by the car computer to the ASP. In the setup shown above each car transmits data as necessary to the telematics service provider, which then provides data to different ASPs as needed. In this case, the telematics service provider acts as a service aggregator and a data broker. In addition to the data transmitted by cars, the TSP stores user preferences and user subscriptions to services.

As shown in Figure 1, different ASPs need different user data and use it for different purposes. The Pay-for-Use Insurance ASP needs user identification data, GPS data and miles driven to compute premiums and perform risk analysis. The Information ASP needs user location and user preferences to send back information on local attractions. Data identifying the user need not be sent to this service provider. The Car Care and Emergency Assistance ASP needs car engine performance and safety information on a regular basis, and car location in case of emergency.

2.1 Pay for Use Insurance Scenario

The following scenario, taken from the point of view of a user, illustrates how a customer may choose among a set of privacy policies and how data may be aggregated by a telematics service provider and used to calculate the customer’s bill.

2.1.1 Enrollment

Jane is a working professional who uses her automobile only to commute a short twenty miles to work and for local shopping. She uses a rental car for company business trips. Thus, she is interested in the new pay-for-use (PFU) program that is offered by her insurance company, Giant Inc. The description of the program that she received in the mail indicates that she can enroll by calling an 800 number or by using the company’s web

2.1.2 Driving-Data Aggregation

That evening when Jane starts her car, she is pleased to see a message appear on the navigation screen: “PFU system now running - press #1 for charges incurred this month”. Jane presses #1, only to see the message “Cumulative Charges for January 2003 - $0.00”. Of course, she has yet to drive any distance. She tries #1 again after returning home. This time the screen reads “Cumulative Charges for January 2003 - $1.00”. Jane does a quick calculation; at 5 cents per mile, her yearly insurance bill for the 15,000 miles that she normally drives will be only $750. This represents a savings of more than $250 per year over her previous insurance rates.

As Jane drives, her data is accumulated at the CarAid center in a trusted computing system that is not directly controlled by Giant. CarAid is a telematics service provider that delivers a variety of services to Jane’s vehicles: emergency assistance, navigation, concierge services. Monthly reports on total mileage for urban and suburban areas where Jane has driven are sent by CarAid to the Giant billing computer. Specific location information is divulged to
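The per-purpose data release described in Section 2 and the TSP-side aggregation of Section 2.1.2, as an added example that is not code from the paper: the release policy table, the field names and the trip records are constructed assumptions modelled on the ASP data needs the text lists, and the billing rate is the scenario's 5 cents per mile.

```python
from collections import defaultdict

# Constructed sample trip records from the car computer (not from the paper):
# one record per trip, after the TSP has mapped each GPS fix to a zone.
TRIPS = [
    {"user_id": "jane", "lat": 41.10, "lon": -73.80, "zone": "suburban",
     "miles": 10.0, "engine_ok": True, "emergency": False, "prefs": "dining"},
    {"user_id": "jane", "lat": 41.03, "lon": -73.76, "zone": "suburban",
     "miles": 10.0, "engine_ok": True, "emergency": False, "prefs": "dining"},
    {"user_id": "jane", "lat": 40.75, "lon": -73.99, "zone": "urban",
     "miles": 4.0, "engine_ok": False, "emergency": True, "prefs": "dining"},
]

# Assumed release policy per application service provider (ASP), following
# the data needs listed in Section 2: the field set each purpose may receive.
ASP_POLICY = {
    "insurance":   {"user_id", "zone", "miles"},   # identity + mileage, no raw fixes
    "information": {"lat", "lon", "prefs"},        # location + preferences, no identity
    "car_care":    {"engine_ok", "emergency"},     # engine/safety data on a regular basis
}

def release(record, asp):
    """Project a record onto the fields the ASP's policy allows.
    Car location reaches the car-care ASP only when the record is an emergency."""
    allowed = set(ASP_POLICY[asp])
    if asp == "car_care" and record["emergency"]:
        allowed |= {"lat", "lon"}
    return {k: v for k, v in record.items() if k in allowed}

def mileage_report(trips):
    """Aggregate at the TSP: total miles per zone, as CarAid reports to Giant.
    No coordinates survive the aggregation."""
    totals = defaultdict(float)
    for t in trips:
        totals[t["zone"]] += t["miles"]
    return dict(totals)

def cumulative_charge(report, cents_per_mile=5):
    """Insurer-side billing on the aggregated report (5 cents per mile in the scenario)."""
    return round(sum(report.values()) * cents_per_mile / 100, 2)

if __name__ == "__main__":
    print(release(TRIPS[0], "insurance"))            # identity and mileage only
    print(release(TRIPS[2], "car_care"))             # emergency trip: location included
    print(cumulative_charge(mileage_report(TRIPS[:2])))  # 20 miles -> 1.0
```

The insurer sees zone totals, never the fixes behind them, which is the property the scenario's "trusted computing system not directly controlled by Giant" is meant to enforce.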
