FCC Asked to Be V2V Cybersecurity, Privacy Traffic Cop

Public Knowledge has asked the FCC not to let vehicle-to-vehicle (V2V) communications systems launch until it finds a way to protect them from hackers, and they have the support of a couple of powerful senators.

On June 1, the FCC issued a public notice seeking comment on sharing in the 5.9 GHz band, including setting a January 2017 deadline for completing testing of sharing in the band.

Cable operators have been pushing for more 5 GHz spectrum to fuel their WiFi hotspots, the industry's primary mobile broadband play.

Public Knowledge is not targeting the proposal to share DSRC (Dedicated Short Range Communications) and WiFi spectrum in its petition, and the senators—Ed Markey (D-Mass.) and Richard Blumenthal (D-Conn.)—aren't getting into that debate either, according to a source speaking on background.

But what they are worried about is the associated commercial applications of DSRC that could threaten the safety, privacy, and cybersecurity of vehicles, and more importantly their occupants.

Related: Senators Press Wheeler on 5.9 GHz Testing

Public Knowledge has petitioned the FCC to open a rulemaking to impose "adequate cybersecurity and privacy protections before allowing automakers to activate any DSRC systems" and has sought an emergency stay of any DSRC operations in the 5.9 GHz band.

Public Knowledge says that the cybersecurity and privacy issues behind its effort are independent of the issue of sharing the band with WiFi and is necessary "whether or not the Commission allows operation of unlicensed devices in all or part of the DSRC band on a non-interfering basis."

In 1999, the Commission authorized an allocation of 75 MHz for “Dedicated Short Range Communication” (DSRC).

"Envisioned as part of a broader 'Intelligent Transportation Service' network that paralleled the emerging public Internet, the auto industry and the Department of Transportation urged the FCC to adopt DSRC rules that enabled both noncommercial life and safety applications, and commercial applications such as mobile payments to gas stations, remote management of rental cars, and other undetermined commercial services," Public Knowledge told the FCC.

"Unfortunately, the Commission did not at that time consider the implications of DSRC either for privacy or cybersecurity. The ability of DSRC units to monitor and report detailed personal information about location and driving habits of individuals raise enormous concerns for personal privacy. When coupled with storage of financial information and purchasing information through future mobile payment applications, or the use of DSRC streaming capability for delivering advertising or entertainment, the substantial risk DSRC creates to personal privacy grows exponentially."

Sens. Markey and Blumenthal agree—they cited the petition in their letter and said they were pleased by it—but want the FCC to consider going even farther.

In a letter to FCC chairman Tom Wheeler this week, they said the FCC should consider reserving that DSRC spectrum for V2V safety systems "and not commercial applications that may make vehicles more vulnerable to safety, cyber, and privacy threats."

They identified some of those non-public safety commercial applications as paying for tolls or parking or drive-through restaurant meals or gas.

Among their concerns is those could be entry points for hackers to spread malware to one car, then to other vehicles and systems or allow them to commandeer cars and cause them to crash.

But they are also concerned about targeted marketing, saying businesses could collect and analyze, without the driver’s knowledge or consent, information—where a vehicle goes and how long it stays there (a sort of real highway version of tracking web surfers on the info highway)—and target ads to them via dashboard consoles, in-car entertainment systems, or digital billboards.

Among the "robust" privacy and cybersecurity protections they want the FCC to implement are mandate that anyone licensed to use DSRC, including commercial entities, submit privacy and cybersecurity plans to the FCC, require them to periodically update such plans, and require breach notifications.

Markey and Blumenthal want an answer from the FCC by Aug. 25.

John Eggerton

Contributing editor John Eggerton has been an editor and/or writer on media regulation, legislation and policy for over four decades, including covering the FCC, FTC, Congress, the major media trade associations, and the federal courts. In addition to Multichannel News and Broadcasting + Cable, his work has appeared in Radio World, TV Technology, TV Fax, This Week in Consumer Electronics, Variety and the Encyclopedia Britannica.