In the car from A to B, the authorities are watching along with you
Any Internet of Things device can be tracked, traced, hacked and intercepted by police or judicial authorities as part of the fight against crime. Connected cars in particular are increasingly of interest to investigative agencies. Does criminal investigation not spill over into surveillance?
This article in six points:
Internet-connected cars offer investigative agencies new ways to keep an eye on criminals, but in essence on every motorist as well. Several European collaborations and research projects exist in the field of vehicle-based crime fighting, usually also involving the Dutch police.
eCall automatically dials 112 in case of an accident. Almost universally, it is argued that under normal circumstances, the mandatory emergency assistance system in cars would not transmit data and could not be tracked. However, eCall works no differently to a phone: the built-in SIM card constantly connects to transmission towers, allowing the location of vehicles to be probed at all times.
In the Netherlands, a national register for technical vehicle data is currently being considered because investigative agencies find requesting such data from car manufacturers time-consuming and cumbersome. If they have certain crucial data of all connected cars with a Dutch license plate in their own hands, they will be able to act much faster.
Forensics is increasingly focusing on cars. The ability of investigative agencies to read encrypted vehicle data broadens the possibilities of solving criminal cases, but a shift in purpose cannot be ruled out.
There is also considerable interest among investigative agencies in the cyber-technical possibility of remotely stopping cars. Hacking a vehicle and taking over its controls is technically entirely possible, as numerous (benign) hacks have shown. However, digitally breaking into a fleeing vehicle at short notice during a wild chase, with the aim of safely pulling it over, is a different matter and not yet a reality.
The sophisticated cameras that connected cars are equipped with film nonstop around the vehicle. Normally, those images are not stored, but self-driving taxis in the United States do store them. Police there make grateful use of what amounts to camera surveillance on wheels. To solve criminal cases, they are increasingly requesting the images.
Whereas espionage was central to our previous article, we focus in this piece on the related topic of surveillance. Espionage usually targets specific individuals or objects abroad. Surveillance is rather about keeping an eye on (groups within) the (own) population. With the help of six developments, we illustrate that cars connected to the internet offer all kinds of opportunities to do so. These are developments in which investigating and prosecuting criminal offences is the starting point, but in which the use of resources for completely different purposes than originally intended is always lurking. In many of the initiatives and projects discussed, the Dutch police play a role.
1. Emergency call system eCall
1 April 2018 marks a turning point in the history of the automobile in Europe. From that date, all new vehicles were required to be connected because of the introduction of eCall, the system that automatically calls 112 in case of an accident. Without the internet, no eCall.
If the airbags deploy as a result of an impact, a 'minimum set of data' (MSD) arrives at the 112 centre via the voice link. That set consists of the vehicle identification number, car make, fuel type, number of occupants, location and direction of travel. The message does not contain any personal data or other information. eCall works over the GSM network and also establishes a voice connection between the occupants and the 112 centre using microphones and speakers in the car. This allows victims to explain their situation to the dispatcher. Using an in-car button, occupants can also activate eCall themselves if necessary.
eCall saves lives, but puts motorists' privacy up for grabs. It took about 10 years to introduce the system, and that long journey had everything to do with privacy. For the first few years, the European Commission planned to introduce eCall on a voluntary basis: it would be up to motorists to activate the system or not. Due to a lack of progress, a full obligation was eventually chosen.
Much has been made of the fact that in addition to the mandatory 112-calling variant of the system, car manufacturers can also allow their customers to opt for assistance and/or added service from private parties (private eCall) via the same hardware, with or without payment. It has more than once led to strange situations where, on behalf of different parties, different tow trucks turned up for the same crashed car. Commercial Private eCall is disabled by default.
Official documents, and almost every other source, claim that, as long as there is no accident, eCall in the standard 112 configuration does not transmit data, is not traceable and cannot be permanently tracked. The system is 'dormant', as the European Association for Emergency Services (EENA) calls it. Slumber mode, in other words. It goes without saying that eCall does not communicate unnecessarily with the emergency number: that would not add anything and no emergency centre is waiting for it. However, this does not alter the fact that the built-in SIM card constantly seeks and makes contact with GSM masts, leaving the IMEI number of the eCall system at those masts. IMEI is a kind of serial number of a mobile device. In this respect, eCall behaves exactly like a mobile phone.
This means that a car's location can always be probed via mobile network transmission towers (if only because many a car manufacturer has eCall integrated with other vehicle telematics functions). Mobile network operators are required to retain a lot of data so perhaps such a poll can be conducted after the fact. However, no publicity is given to this in official documents. So this is misleading, to say the least.
The European Data Protection Supervisor (EDPS) has also weighed in on this issue. In its recommendations from 2013 regarding privacy in eCall, this authority expresses concerns in several areas, but repeatedly expresses satisfaction with the alleged fact that motorists could not be tracked. Incomprehensibly, the crucial role of telecom operators falls outside the scope of the eCall legislation, and (as a result?) also outside the EDPS recommendations. The so-called Mobile Network Operators do, of course, appear in more technical papers which deal with the operation and testing of eCall (a process that also involved two people from the Dutch police), but even these do not otherwise deal with the transmission of IMEI data.
In probably the most thorough, and at the same time disconcerting, privacy analysis of eCall (published in 2016 in the legal monthly Traffic law), privacy lawyer Tijmen Wisman denounces the role of the European Commission which, in the person of Neelie Kroes, first admitted wholeheartedly in response to questions from the European Parliament that cars are constantly connected to mobile phone masts, only to flatly deny this later after a U-turn (search the article for the names 'Hania', 'Sargentini' and 'Kroes'). The fact that eCall scans for mobile networks should have been enshrined in legislation, argues Wisman, who is also critical of all sorts of other privacy issues, which we will leave out here (read the analysis!). From his argument, though, here are a few concluding quotes that pull no punches:
With eCall ''every car will be equipped with surveillance equipment that allows locating, eavesdropping and disabling cars from a distance. [...] eCall, in its current form, goes a long way to lowering the threshold for the state to record car travel movements, as well as to record calls. [...] eCall should not be viewed in isolation but seen as another step towards a surveillance system that is slowly permeating all aspects of the private sphere. The most effective protection of the right to privacy is to give citizens free choice over the installation of this kind of technology in the private sphere.''
What if you expressly do not want to use eCall for privacy reasons? Like a Brit who was looking for a new car some years ago, and wrote to manufacturers asking if eCall could be removed. He shared the answers on this forum. Remarkably, BMW and Porsche stated that eCall could be "disabled". In other cases, the answer was: no, it cannot. Normally, manufacturers will not sell cars in which a component required by the type approval is missing or not working properly.
It has been laid down that motorists must not be able to deactivate eCall (only technical staff can do this as part of maintenance or repair). You need solid technical skills if you want to remove the system from the car yourself, insofar as it is at all clear where in the vehicle eCall is hidden, apart from the corresponding button in the interior that you can push yourself.
Finding the right antenna and deactivating it isn't exactly advisable either, if you don't want to accidentally disrupt all kinds of other forms of communication and navigation in the car. Because of all the communication technology on board, a modern car can have up to twenty antennas. These will also less and less be crammed together in the shark fin on the roof, and will instead be spread across the car in different (invisible) ways.
eCall urgently in need of update
To avert a major problem with eCall, the European Commission is, incidentally, currently working on a legislative path to bring the system technically up to date, as eCall specifications are based on outdated 2G/3G technology, which is being phased out by telecom providers. How eCall should be updated or swapped in cars, and who will have to bear the cost of doing so, is still unclear.
2. National register of technical vehicle data
Once an EU country uses eCall for other purposes that fall under that country's sovereignty, the protection of EU law can no longer be invoked, Wisman writes. This function creep, feared by privacy advocates, appears to be taking shape in the Netherlands in the form of a national register of technical vehicle data.
After all, as police (with or without the approval of a magistrate judge), you can have access to eCall-IMEI data held by telecom companies, but if you don't have an overview of the corresponding SIM cards, vehicle identification numbers (VIN numbers), license plates, and so on, identification of suspects, among other things, remains difficult and you still can't do much. Certainly not at a moment's notice. That kind of data is also usually not in the name of the driver or owner of the car, but of the fleet manager, importer or car manufacturer. Especially in the latter case, that almost always amounts to laborious international legal assistance requests for the police. And manufacturers are seemingly less likely to hand over data than investigators would like.
A vehicle register would speed up and simplify data acquisition. The desire for this was first expressed in the 2021 annual report of RIEC-LIEC, the organisations fighting criminal undermining in the Netherlands:
''[...] the need for a (national) register for (technical) vehicle data such as e-SIM and/or IMEI data. Such a registry would, among other things, eliminate the need to requisition this information from car manufacturers in lengthy and complex procedures and make this information available more quickly for immediate assistance, investigation and prosecution. The petitioners are awaiting the response of the relevant ministries.''
The RIEC-LIEC annual report for 2022 then states:
''[...] Moreover, the response to an administrative signal on the need for a (national) register for (technical) vehicle data such as e-SIM and/or IMEI data, which had been submitted to the Minister of Justice and Security, the Minister of Economic Affairs and the Minister of Infrastructure and Water Management by the end of December 2021, was received at the end of June.''
Nothing else can be found online about this. Enquiries with the Ministry of Justice and Security reveal that it is exploring the possibilities for a possible register and the (privacy) aspects involved, together with the Ministry of Infrastructure and Water Management, RIEC-LIEC, the police and the RDW. In any case, according to J&V, the legal possibility of deploying this search tool is limited to serious crime.
For now, the register is only a conceptual desire, but the chances of its introduction are real. Whether there will be an internet consultation on this in due course and whether the Lower House will consider it is not yet clear.
Also in Europe, for the purpose of accident analysis, vehicle inspections and law enforcement, there are proponents of EU-regulated access to vehicle data. Among others, the European traffic policy network Roadpol, the European Traffic Accident Investigation and Analysis Union (EVU) and the German industrial inspection body DEKRA advocate this.
3. ETSI - Lawful Interception
Linking VIN numbers to IMEI numbers and vice versa is currently a hot issue. The European Telecommunications and Standardisation Institute (ETSI) is also involved. ETSI makes technical standards. If products fully comply with such standards, they function among themselves and are interchangeable. ETSI does not deal with the legal frameworks for allowing or requiring products to be used. For that, the (political) legislative process exists at EU and/or national level.
Many car manufacturers are members of ETSI. Dutch members include mainly companies, some universities and again TNO and the police. The institute has numerous working groups. One of those working groups - the Technical Committee Lawful Interception - focuses partly on developing 'interfaces' for lawful interception and reading of vehicle data by law enforcement agencies - in most cases the police. The most recent report thereon (August 2023) gives concrete examples of how this works and the aspects involved.
One of the vice-chairmen of the relevant committee is Mark Lastdrager, whose company Eve Compliancy Solutions provides tapping systems and services for telecom companies and ISPs, and possibly also for the police and judiciary, but that is not clear. Just last month, Lastdrager spoke at an event of the Dutch Management Organisation of Internet Providers (NBIP) on developments in Lawful Interception (LI) and Lawful Disclosure (LD). Whereas LI involves tapping live communications (whatever form they take), LD involves requisitioning retained information. In the Netherlands, public communication service providers are obliged to cooperate in this under Article 13 of the Telecommunications Act.
Someone else who has sat on ETSI's Lawful Interception committee for a very long time is Koen Jaspers of the Platform Interception Decryption & Signal Analysis, part of the Ministry of Justice and Security. The participating organisations of that working group further include, for example, the US company SS8, a major provider of lawful intelligence solutions, and NTAC, part of the British intelligence agency GCHQ. Also of note: the Irish iTrust Ethics, which says it will ensure that law enforcement agencies are also mindful of the public interest and the rights of individuals.
4. Cyclopes - Automotive Digital Forensics
A European partnership to combat cybercrime was established in 2021: Cyclopes. From the Netherlands, the police, TNO and the Dutch Institute for Technology, Safety & Security (DITSS) have joined this network. One of the spearheads is automotive digital forensics: the extraction, securing and analysis of vehicle data by law enforcement agencies to deal with traffic accidents and for the investigation and prosecution of crimes. It is a branch of forensics that has grown strongly in recent years and about which police forces, among others, are in talks with car manufacturers. Every so often, Cyclopes holds workshops on the subject; the next one is in the coming month.
Data streams from connected cars are encrypted; as an outsider you can't just access them without administrative access and the right equipment. For Cyclopes participants, the first task was to identify which diagnostic tools exist for the software, data flows and 'event data recorders' (the black box, so to speak) of cars. For the enthusiast, below are some such tools:
- Auto-Intern: VCDS
- Berla: Berla iVe System
- BMW: ISTA
- Bosch: Bosch CDR
- Covesa: DLT Viewer
- Diagnostic Technology Richter: Autel Maxisys MS906
- GCHQ: CyberChef ('The Cyber Swiss Army Knife')
- Mercedes Benz: XENTRY
- Scorpio-LK LTD: Tango key reader
- Volkswagen: ODIS
Should the forensic capabilities in this area at any point be deployed much more widely than for countering (cyber) crimes alone, new (and dubious) surveillance scenarios could easily emerge. Think, for instance, of roadside alcohol or car checks, which would then also involve tapping data from the vehicle, on the basis of which the police could stumble upon violations (recorded speeds that are too high) or suspicious things (certain routes travelled or locations visited).
We have seen often enough in recent decades, at home and abroad, that (much of) what is technically possible in terms of surveillance ends up being transposed into law (sometimes retroactively). If the police are allowed to check whether your car is in roadworthy condition, whether you have no alcohol in your blood while behind the wheel, whether your driving licence and ID are in order, whether you are not transporting anything that is not allowed, and whether you do not happen to be suspected of something or have a debt outstanding with the tax authorities, it is not a very far-fetched thought that reading (certain) vehicle data could one day be added to that list of powers. Precisely also because so very much can be derived from vehicle data. 'If you blow for a moment, we will read the data from your car with this device in the meantime...'
5. Front Line Policing, Vehicle Stopping
Within the European Network of Law Enforcement Technology Services (ENLETS, in which the Dutch police have participated since its establishment in 2008), European police forces, at the initiative of the Netherlands, exchanged experiences between September 2013 and September 2015 regarding the cyber-technical possibility of remotely stopping cars. To this end, work was done under the heading 'Front Line Policing, Vehicle Stopping' on a 'technological solution' for all cars destined for the European market.
Such a universal solution has not materialised (as yet). Hacking a car and taking over the controls is all technically possible, as numerous (benign) hacks show. That, however, normally takes time and preparation. Digitally breaking into a fleeing vehicle in no time with the aim of disabling it, as part of, say, a wild chase that comes out of nowhere, is something else. Especially if that also has to be done in a safe manner, taking into account other traffic, as would obviously be a requirement. Just try bringing a getaway car that is racing along the left lane of the A2 at 200 kilometres per hour to a stop on the hard shoulder five lanes away. As ENLETS shows, the desire to be able to do this exists, but for now this is fiction rather than reality. Vehicle-to-vehicle communication technology (V2V) between different car brands is also not yet advanced enough, let alone introduced.
Computer Crime Act
For several years at least, the power of police and the judiciary to hack (groups of) Internet-of-Things devices has been regulated in the Computer Crime Act. (The General Intelligence and Security Service (AIVD) and the Military Intelligence and Security Service (MIVD) are also authorised to penetrate IoT devices.) There is no restrictive list of devices in respect of which the police may use the hacking power. So connected cars, their infotainment systems and associated servers can also be a target. But this applies especially where the police expect to find data there that is relevant to the detection of serious crimes, not to taking over the controls of moving cars, which will require additional legislation. Privacy First, incidentally, raised concerns about the Computer Crime Act in connection with connected cars in 2016.
6. Cameras in cars
Whereas using a PC or phone involves a potential invasion of your own privacy in particular, connected cars additionally constitute a potential invasion of the privacy of others because they film the environment. Theoretically, with access to one per cent of connected cars, you could already map virtually the whole world in real time. Cameras in cars are ideally suited for spying, as our previous article showed, as well as for surveillance.
Why are cars equipped on all sides with advanced cameras which provide 360-degree views and can see from dozens up to hundreds of metres away? Because all kinds of driving assistance systems such as lane-keeping assistance and parking assistance depend on it. To ensure that motorists do not sit behind the wheel drunk or fall asleep during a drive, the driver of the car will be filmed from the middle of next year, on the basis of new European legislation. This is already the case in many new models.
Video surveillance on wheels
In principle, camera images are not stored or forwarded, although they can be (more on this in a subsequent article). The question is whether this will remain the case in the long run, especially with cars becoming increasingly autonomous. A look at the United States shows where it could end up. In San Francisco, Los Angeles and Phoenix, a large number of (bug-plagued and traffic-clogging) self-driving taxis from Waymo (Google) and Cruise crisscross the city nonstop. Filming all the while, because without camera footage providing information about the surroundings, those autonomous vehicles won't move a metre forward. The taxis' passengers are also filmed from the beginning to the end of a ride.
The taxis are in fact surveillance cameras on wheels, because both the images from inside and outside the vehicle can serve as evidence in criminal cases. They are increasingly commandeered by the police to solve crimes. If you film and save the footage (which the taxis do, at least for some time), you are one police request or court order away from (having to) give up that footage. In the Netherlands it is no different with, for example, smart doorbells. Privacy organisations in America are concerned about the state of affairs. It is another step towards a surveillance state. What if law enforcement agencies soon demand to be able to watch live footage? Or they surreptitiously acquire a digital route to the car cameras by virtue of their hacking powers?
Automatic number plate recognition
If the car does not film its surroundings, the surroundings, for that matter, film the car. The Netherlands, for instance, has Automatic Number Plate Recognition (ANPR): above motorways, high-resolution cameras continuously record the license plates and thus the locations and travel movements of millions of cars. Under the ANPR legislation those data are stored for four weeks in a central police database for purposes including investigation and prosecution, regardless of whether one is suspected of anything. Since, in Privacy First's view, this is totally unnecessary, disproportionate and also ineffective, the foundation has been litigating against ANPR for years. Meanwhile, there have been proceedings on the merits.
The developments we discussed in this article place the title of an earlier piece in this article series - 'European Data Regulation to give motorists final say over their own data' - in yet another light. Motorists will finally be in a stronger position in relation to car manufacturers and other commercial parties in a few years' time. Better much too late than never. But when you consider the possibilities governments will have - with or without the intervention of a magistrate and on the basis of 'lawful interception' - to get their hands on vehicle data and break into cars digitally, any motorist who cares about privacy will lose heart.
Next time, in relation to cameras in cars, we will take a closer look at privacy, after which we will shift the focus to connected cars and smart mobility.