An Uncertain Framework: Privacy and Data Security Regulation Advances Long After Transportation Technology

It’s time to be honest with ourselves: a lot of us love the convenience of facial recognition software (FRS) especially when it comes to unlocking our cell phones. There is officially no reason to get Cheeto dust on your screen while you Instagram stalk your former high school classmates before that ten-year reunion. But FRS does not begin and end with hands-free cell phone features. FRS is becoming increasingly common in various modes of transportation, including your personally owned vehicle as well as public transit and mobility hubs. 

Understanding where FRS is in modes of transportation and how the data is being used may not be intuitive. When I talk about FRS in transportation I am largely referring to the collection and storage of biometric data (i.e. pictures or videos of your face) to perform some type of task such as fatigue detection, unlocking a door, accessing preset temperature and music settings, security features, or payment on transit. Most of the data a vehicle collects and stores is about the vehicle itself, however there is a growing market for data about you as the driver or user. This data is valuable for selling insurance, developing new technology, and creating more convenient user experiences. This data may also enhance safety features.

However, safety isn’t just about people’s physical safety. People’s privacy and social safety are important as well. Your physical safety in various modes of transportation is much more clearly regulated, while your data privacy is less so. The unregulated collection and storage of biometric data is growing quickly and will likely catch lawmakers on their heels. This problem is further complicated by a few things. First, it is unclear exactly who will have access to the data, and the storage and collections of biometric data by private companies is significantly different from government entities. Second, many studies have concluded that FRS has inherent racial and gender biases. And third, connectivity has simultaneously created a need for data collection as well as a lucrative incentive to collect and distribute data. 

Before considering the greater implications of FRS in transportation, it is helpful to understand exactly how FRS works. Put simply, there are four steps. First, the software uses a camera to detect a face. Second, the software analyzes the face. Third, the software converts the image to data using each person’s unique facial geography. Finally, the last step is to find a match in the database, which means images need to be stored somewhere to generate a match. As you probably already assumed, this is where the overwhelming majority of privacy concerns are relevant. 

Returning to the aforementioned point about who will access the data, storage is crucial and lawmakers are hastily trying to make sense of who needs access to biometric data. The Driver Privacy Act of 2015 protects personal information collected by a car’s event data recorder (EDR) by expressly stating the data collected by the EDR belongs to the owner of the car and access to the data must be warranted or consented. (There are a list of exceptions to this rule, most of which are outside the scope of this blog, but it is important to note that this right is not absolute). This is just one example of an existing source of transportation data privacy laws, however technology has advanced significantly since 2015. The constant progression of technology forces lawmakers to constantly reconsider privacy rights; legislation targeting the data collected by EDRs includes data such as pre-crash dynamics, system statuses, or driver inputs. Pre-crash data are almost assuredly less private than images of the user’s face. 

This heightened sensitivity makes the uncertainty much more concerning. After all, where is the biometric data being stored anyway? The short answer is we don’t exactly know. With little regulation, there is no universal procedure and no easy way to check. From a constitutional law perspective, the fundamental right to privacy analysis only applies to government action, which means strict scrutiny is not applied in instances where private entities are storing the data. 

One immediate consideration to the unanswered collection and storage questions is how the uptick in FRS will impact women and people of color. Joy Buolamwini and Timnit Gebru published a 2018 study demonstrating how FRS is less effective when recognizing Black women’s faces as compared to white men’s faces. The results were not close. After studying three different FRS programs, the researchers concluded that the software incorrectly recognizes white men approximately 0.8% of the time and Black women anywhere from 20% to 34% of the time depending on the program. Obviously this is disturbing because it reflects a lack of diversity in engineering, but the disparity also offers a sobering dose of reality regarding who exactly will be harmed by incorrect matches, insecure storage, and uncertain legal parameters. 

The steady advancement of technology is making laws such as the Driver Privacy Act of 2015 either obsolete or incomprehensive. As previously mentioned in this blog post, biometric data is extremely lucrative and various modes of transportation are collecting it now more than ever. There are very few studies on FRS compared to other types of data, such as geographic location. Using geographic location as an example, marketing material concludes that car location is not only collected in higher volumes than cell phone location data, but that it is also among the most valuable to car manufacturers. We all know cell phones are collecting our location data (every time you use your iPhone to Google the nearest PetSmart the phone asks permission to use your location), but it is easy and convenient to turn those settings off on a phone. With a car, turning off your location may mean you cannot access the GPS. Disabling those features is probably not an option at all on public transit.

Now mentally replace location with biometric data. You can always disable FRS on your cell phone, but certain features will be unusable without biometric data. It is more difficult and less convenient to disarm these features in the context of mobility because the safety, comfort, and entertainment benefits are substantial. Relatedly, connectivity is another reason to simultaneously avoid turning off the smart features of a vehicle while also worrying about privacy. Not only will cars need to communicate with each other as well as surrounding infrastructure as we move farther into the world of automation, but carmakers and infrastructure planners are also considering capitalizing on connected technology to run radio ads while vehicles pass corresponding billboards for example. As I mentioned, this is a lucrative technological concept.

So what can be done? Some experts believe corporate social responsibility can play an overwhelming role in data security. This may be part of the solution considering there is growing pressure on manufacturers to garner public trust. If regulation is the answer, there are a few relevant agencies. NHTSA is tasked with assuring safety in passenger vehicles while the FTC is responsible for bringing action against companies engaging in unfair practices such as data security and privacy concerns. In June of 2017, these two agencies co-hosted a workshop to discuss privacy and security issues related to connected and automated vehicles. Though there is much work to be done, small steps have been taken and the agencies have expressly acknowledged the relevant challenges.

In terms of legislation, the Driver Privacy Act needs to be tuned up to reflect advancements in technology over the last several years. Though Congress has not passed any recent legislation about transportation users’ privacy, the House Energy and Commerce Committee progressed a privacy bill in July of 2022, which is the first time ever that federal consumer privacy bill has advanced past its committee. This bill even includes a few civil rights sections to protect against discriminatory uses of data. However, this bill is still far from good law.

Law is reactionary and changes much more slowly than the technology it seeks to regulate. Despite the lack of legal framework, the transportation sector is collecting more data than ever before and all signs point to exponential growth. A combination of corporate social responsibility, agency regulation, and legislation will be necessary to protect privacy and data security before irreparable harm is caused to consumers who have little recourse.