By Maya Kushner, Esq.

Most of you know that planes have black boxes that record in-flight data such as aircraft speed and trajectory. But did you know that your car probably has a black box too? According to the National Highway Traffic Safety Administration (NHTSA), 96% of model year 2013 and newer cars already have a black box, or an Event Data Recorder (EDR) as it is known, and NHTSA is proposing a rule to make EDRs a requirement.

In theory, current EDRs (black boxes) do not record data continuously, but rather collect data in the seconds before, during, and after a crash. NHTSA would mandate that 15 specific variables are tracked, including vehicle speed, engine RPM, whether airbags deployed, whether brakes were applied, and whether seatbelts were buckled. However, what EDRs actually record varies from manufacturer to manufacturer and can include around 30 different variables. Many car manufacturers are not very forthcoming about their practices when it comes to the powers they bestow upon their EDRs, so it is difficult to ascertain what exactly your EDR measures and when.

Black Box Safety System

Each car has a safety system, which makes decisions such as whether to tighten seatbelts, deploy airbags, or engage the anti-lock brakes; the EDR was originally designed as a diagnostic tool for manufacturers to measure how well this safety system was working. However, EDRs are now increasingly being used by law enforcement for accident reconstruction and forensic purposes, as well as by DUI attorneys in civil and criminal cases that result from a car crash. For example, in Maryland, the Office of the State’s Attorney for Montgomery County routinely uses EDR data when deciding whether to charge an individual with crimes like Manslaughter by Vehicle, as well as during prosecution of those crimes.

While the black box or EDR can be useful in reconstructing what transpired in an accident, there are a number of privacy concerns. There is currently no way to turn off or opt out of EDR tracking. The rule proposed by NHTSA would mandate the minimum timeframe and minimum variables to be recorded, but would not regulate the maximum extent to which a record may be made. In other words, neither the proposed rule nor any other law currently in place would prevent a manufacturer from setting EDRs to record data around the clock, and include data such as GPS coordinates, audio, and video of the passenger compartment.


There is also the question of who gets to see the data. Fifteen states, of which Maryland is not one, passed laws restricting access to EDR data to those who have the car owner’s permission or a court order. However, there is no national standard regulating access to EDR data, so in most cases the only prohibitive factor is cost. Currently, the only way to download the data is by plugging a Crash Data Retrieval system into the diagnostic port in the dashboard, and these systems can cost between $2,000 and $20,000.

There are a handful of companies that currently manufacture a lock that can be plugged into the diagnostic port to prevent unauthorized access. If these become prevalent, we may see a number of Fifth Amendment type cases that decide whether an individual can or cannot be compelled to hand over the lock key to law enforcement, so police can access the diagnostic port.


On the other hand, these diagnostic port locks may become obsolete just as fast as they came into existence. As Emdenlaw has discussed in another article, police do not need to have the passcode to your smartphone to access its data. Similarly, as cars become more and more computerized, it is feasible to think that both police officers and hackers will be able to access EDR data remotely. Many other functions of modern cars have already been hacked in just such a manner. For example, in a recent “proof of concept” wireless carjacking in St. Louis, two “white hats” hacked into a car driven 10 miles away by their colleague, a senior writer for Wired magazine, and proceeded to make his car turn windshield wipers on and off, turn on air conditioning, and blast the radio at full volume, before disabling the engine entirely.