Policy-makers and insurance companies will be faced with new, never-before-seen challenges as driverless vehicles become widespread. Removing the human from the driver seat requires new considerations for changes to current transportation-related policy and laws.
DATA PRIVACY AND CYBERSECURITY
Although self-driving vehicles have the potential to drastically reduce accidents, travel time, and the environmental impacts of road travel, concerns remain that could delay widespread adoption. Of particular concern are data privacy and security risks.
Understanding the Threats
The numerous points of entry into a connected and (fully) automated vehicle’s (CAV’s) computer system provide thieves and cyber terrorists multiple opportunities to take control of vehicles. For example, in 2010, more than 100 drivers in Austin, Texas, found their cars disabled or the horns honking out of control after an intruder hacked into an auto dealer’s computer system (Poulsen, 2010). Additionally, in 2015, two cybersecurity researchers hacked into a vehicle’s internal network and paralyzed it on a highway (Greenberg, 2016). While hackers like these can control non-AVs through entry points like internal network systems, entertainment systems, hands-free cell-phone operations, and satellite radio, self-driving vehicles are even more vulnerable to attacks because they have all of those entry points plus many more (Paisner, 2017). Cybersecurity is probably an overlooked area of research in the development of CAVs, even though many threats and vulnerabilities exist, and more are likely to emerge as the technology progresses to higher levels of automated mobility.
CAVs use what researchers call a cyber-physical system, with components in the “real” and virtual worlds. The safety stakes are as high as these systems are hard to protect. CAVs will be vulnerable to the same threats that regularly disrupt computer networks, such as thieves of personal and financial data, spoofers who present incorrect information to a vehicle, and denial-of-service attacks that move from shutting down computers to shutting down cars. In addition, new threats unique to automated vehicles themselves emerge—hackers who would take control over or shut down a vehicle, criminals who could ransom a vehicle or its passengers, and thieves who direct a self-driving car to relocate itself to the local chop-shop, for example. Finally, there are security threats to the wide-ranging networks that will connect with AVs—the financial networks that process tolls and parking payments, the roadway sensors, cameras and traffic signals, the electricity grid, and even our personal home networks (MCity, 2018).
The automotive industry has addressed the issue of cybersecurity of AVs by creating a series of Automotive Cybersecurity Best Practices (2nd Auto-ISAC Cybersecurity Summit, 2018). The Automotive Information Sharing and Analysis Center issued the Automotive Best Practices, which guide how individual companies can implement the previously released “Enhance Automotive Cybersecurity” principle. The Automotive Best Practices cover organizational and technical aspects of vehicle cybersecurity, including governance, risk management, security by design, threat detection, incident response training, and collaboration with appropriate third parties. The Automotive Best Practices prompt participating members to enhance the security of self-driving vehicles by managing cybersecurity at the product level.
The federal government has also issued non-binding guidance to the motor vehicle industry for improving cybersecurity issues of AVs. The NHTSA first issued guidelines in October 2016. In an effort to reduce the probability of a successful cybersecurity attack, those cybersecurity best practices promote a layered approach to vehicle cybersecurity. For example, the NHTSA suggests that the automotive industry create a culture of leadership where it can handle increasing cybersecurity challenges, mechanisms for information sharing, a documented process for responding to incidents, and more. The NHTSA has also warned that if the industry does not follow the guidelines, cybersecurity vulnerabilities will likely occur, and that such vulnerabilities may be considered safety defects compelling a recall. In September 2017, the NHTSA updated its guidelines from version 1.0 (NHTSA, 2016) to 2.0 (NHTSA, 2017). This updated version puts more emphasis on the importance of responding to incidents than the first version. The following table is a summary of NHTSA guidelines (Paisner, 2017).
| Element | Guidance |
|---|---|
| System Safety | Follow a robust design and validation process based on industry standards. |
| Operational Design Domain | Define and document the Operational Design Domain (ODD) for each self-driving vehicle available for use on public roadways. The ODD should include, at a minimum, roadway types, geographic area, speed range, environmental conditions, and other domain constraints. |
| Object and Event Detection and Response | Have a documented process for assessment, testing, and validating of the self-driving vehicle’s capabilities. |
| Fallback (Minimal Risk Condition) | Have a documented process for transitioning to a minimal risk condition when a problem is encountered or the self-driving vehicle cannot operate safely. Fallback strategies should take into account that human drivers may be inattentive, under the influence of alcohol or other substances, drowsy, or otherwise impaired. |
| Validation Methods | Develop validation methods to appropriately mitigate the safety risks associated with their self-driving vehicle approach. |
| Human Machine Interface | Consider and document a process for the assessment, testing, and validation of the vehicle’s HMI design. |
| Vehicle Cybersecurity | Follow a robust product development process that includes a systematic and ongoing safety risk assessment for each self-driving vehicle, the overall vehicle design into which it is being integrated, and when applicable, the broader transportation system. Document how your entity incorporates vehicle cybersecurity considerations into self-driving vehicles, including all actions, changes, design choices, analyses, and associated testing. |
| Crashworthiness | Consider incorporating information from the advanced sensing technologies needed for self-driving vehicle operation into new occupant protection systems that provide enhanced protection to occupants of all ages and sizes. |
| Post-Crash Self-Driving Vehicle Behavior | Consider methods of returning self-driving vehicles to a safe state immediately after being involved in a crash, such as shutting off the fuel pump, removing motive power, moving the vehicle to a safe position off the roadway, disengaging electrical power, and other actions that would assist the self-driving vehicles. |
| Data Recording | Establish a documented process for testing, validating, and collecting necessary data related to the occurrence of malfunctions, degradations, or failures in a way that can be used to establish the cause of any crash. |
| Consumer Education and Training | Develop, document, and maintain employee, dealer, distributor, and consumer education and training programs to address the anticipated differences in use and operation of self-driving vehicles from those of the conventional vehicles. |
| Federal, State, and Local Laws | Document how your entity intends to account for all applicable Federal, State, and local laws in the design of their vehicles and self-driving vehicles. |
Source: Paisner, 2017
Long-term Data Privacy and Cybersecurity
Much work is still to be done on both data privacy and cybersecurity in the realm of AVs. As most developers of automated vehicle technology are working in pursuit of best-case scenarios, with a focus on optimizing vehicle performance, they may tend to overlook the specific and new issues that relate to automated vehicles. It’s crucial to create a thorough risk assessment approach and build long-term security solutions. So far, an initial step has been made by researchers who developed an assessment approach that can identify potential security breaches and the hackers behind them (MCity, 2018).
Extensive research into CAV technology and its impacts on various aspects of planning, engineering, and economics has been conducted. However, there are some gaps in this comprehensive study which cannot be fully studied until we reach a certain market penetration and usage of AVs on roads.
There is only limited federal regulation of C/AV transportation. As noted by attorney-at-law Lisa Loftus-Otway in a forthcoming book on smart transportation, “there are questions about the most useful role of states and local governments in overseeing this new technology,” (Loftus-Otway et al, 2018, pg. 14).
Land use impacts
Transportation and land use are highly interconnected. Large-scale projects can have immense effects on valuations and land use patterns. However, it is difficult to directly quantify the impact of transportation projects on land use.
AVs make travel more convenient for drivers, decrease the value of travel time (VOTT), and reduce congestion. As a result, planners may face the challenge of undesired sprawl in development.
Urban Form and the Public Realm
There are not many studies related to the changing urban form due to multiple modes of transport (in terms of signage, street parking, etc.). With AVs and SAVs, there will likely be an increase in empty re-positioning trips. These will also be done to reduce parking costs and share a single car among household members. Therefore, there might not be a need for large parking garages around the city. This space can be redesigned through effective land use policy.
Defining law enforcement practices for cases of liability, licensing, and privacy is a major concern for the integration of (fully) automated vehicles (AVs) on the road.
The Importance of New Liability Laws
Since AVs vary in levels of integrated automation, human drivers and automation components may share control of the vehicle. Therefore, this issue requires careful legislative considerations. Through assessing Texans’ opinions on C/AVs, Bansal and Kockelman found that legal liabilities are the second biggest concern in adopting self-driving vehicles (Bansal and Kockelman, 2017, pg. 11). They note, “in light of the limited federal regulation of C/AV transportation, there are questions about the most useful role of states and local governments in overseeing this new technology” (Kockelman and Boyles, 2018, pg. 14).
NHTSA created a new term, highly automated vehicle (HAV), and reset its stratification to mirror the global industry reference for the six levels of automated driving. The model state policy articulated in 2013 states that motor vehicle liability and insurance rules are responsibilities of the State. NHTSA stated that these general areas of responsibility should be unchanged for HAVs. Kockelman and Boyles summarize the elements of a model state framework, which recommends that “states should consider how to allocate liability among HAV owners, operators, passengers, manufacturers, and others when a crash occurs,” (Kockelman and Boyles, 2018, pg. 206). However, “if responsibility is legislated to be mainly on the manufacturers and the federal government, manufacturers may avoid the insecurity of a state-by-state-legal liability patchwork,” (pg. 212).
Current Liability Laws
Under the current tort law, operators of vehicles must behave “reasonably” while driving. When they fail to do so, they can be held liable for the damages they cause. This is not always the case of course; in crashes that are the result of design defects of a vehicle, the plaintiff can sue and recover against the manufacturer of the defectively designed vehicle as well as the operator if the latter was also negligent. In the new world of AVs, however, product liability claims against manufacturers will become the rule rather than the exception. If a C/AV is a potential cause of a crash and the C/AV was operating in automated mode, the manufacturer will be joined as a defendant in the litigation and the primary claims brought against the manufacturer will be complex product liability causes of action. For platooned vehicles, the CAV industry could face a risk of tort liability for large scale, multiple car accidents that is beyond the existing risk of auto product liability claims (Kockelman et al. 2016 pg. 47).
In order to determine fault or liability in a HAV collision, one needs access to the HAV’s proprietary machine learning, data, and algorithms. As noted in the legal chapter of the forthcoming book by Kockelman and Boyles on smart transport, “Legislators and agencies need to evaluate carefully whether mandating access to proprietary data is fair and/or necessary. If this problem is solved now among the stakeholders, it can save everyone time and money later on. If responsibility is legislated to be mainly on the manufacturers and the federal government, manufacturers may avoid the insecurity of a state-by-state-legal liability patchwork,” (Kockelman and Boyles, 2018, pg. 212).
Current Liability Standards
“Several states impose special insurance requirements on C/AVs before they can be tested or deployed on public roads. Both California and Nevada, for example, impose a $1–5 million insurance requirements before allowing testing of AVs on public roads. Michigan, by contrast, does not impose additional insurance requirements on AVs for testing or deployment purposes. Florida, Nevada, and the District of Columbia have liability protection for post-sale conversion of vehicles to AVs. Liability protection is given to OEMs whose vehicles are converted to C/AVs. California, has no explicit mention of such liability protection” (Kockelman and Boyles, 2018, pg. 227).
Criticisms of AV Ethics and Decision-Making
Goodall (2014) examines various criticisms of machine ethics and automated vehicles. It highlights concerns regarding the decision-making of AVs in cases of ethically complex decisions, particularly prior to a crash.
They include the following:
- Regardless of fault, an automated vehicle should behave ethically to protect not only its own occupants, but also those at fault.
- Crashes requiring complex ethical decisions are extremely unlikely.
- In level 2 and 3 vehicles, a human will always be available to take control, and therefore the human driver will be responsible for ethical decision making.
- Humans rarely make ethical decisions when driving or in crashes, and automated vehicles should not be held to the same standard.
- Overall benefits outweigh any risks from an unethical vehicle.
The design of AVs would face the classical dilemma, first proposed by philosopher Philippa Foot, called the Trolley Problem: You see a runaway trolley moving toward five tied-up (or otherwise incapacitated) people lying on the tracks. You are standing next to a lever that controls a switch. If you pull the lever, the trolley will be redirected onto a side track and the five people on the main track will be saved. However, there is a single person lying on the side track. Should you do nothing and allow the trolley to kill the five people on the main track, or pull the lever, diverting the trolley onto the side track where it will kill one person? (Foot, 1967)
We would hope AV operating programs would choose the lesser evil, but it would be an unreasonable act of faith to think that programming issues will sort themselves out without a deliberate discussion about ethics, such as which choices are better or worse than others. Is it better to save an adult or child? What about saving two or three adults versus one child? We don’t like thinking about these uncomfortable and difficult choices, but programmers will need to instruct an automated car exactly on how to act for the entire range of foreseeable scenarios, as well as lay down guiding principles for unforeseen scenarios. So programmers will need to confront this decision, even if we human drivers never have to in the real world. And it matters to the issue of responsibility and ethics whether an act was premeditated (as in the case of programming a robot car), or reflexively without any deliberation (as may be the case with human drivers in sudden crashes). Ethics by numbers alone seems naïve and incomplete; rights, duties, conflicting values, and other factors need to come into play (Lin, 2013).
See the policy page for more information.
AUTOMATED VEHICLE TECHNOLOGY
(Fully) automated vehicles (AVs) are a disruptive, society-changing technology, not just for planning and placemaking, but for employment; social engagement; mobility; and a range of physical, social, and economic factors. Transportation agencies, local and regional, network operators, private vendors, and stakeholders must all prepare to accommodate and benefit from these technologies that will fundamentally change the urban fabric and interaction patterns. Too much regulation could hinder AV adoption and development, while too little may fail to adequately regulate AV manufacturers and could lead to danger on the roads.
Survey results for Texans, shown below, enumerate their attitudes toward self-driving vehicles. Such surveys can help shape the policies for the region.
Source: (Bansal and Kockelman, 2017)
Public policy imperatives for AVs
Source: (KPMG, 2016)
The USDOT does not currently have a comprehensive plan outlining the overall goals or a plan to monitor progress. The DOT recently formed a group to lead policy development in the future but has not announced a detailed time frame or scope of work. The NHTSA’s Federal Automated Vehicles Policy (FAVP), issued on September 20, 2016, represents a significant step in the development of a federal regulatory framework to guide the development of automated vehicle technologies (Malley and Reindl, 2016). The FAVP is a comprehensive document, over 100 pages in length, addressing many facets of the regulation of automated vehicles (NHTSA, 2016). The policy consists of four parts:
Part 1: Vehicle Performance Guidance for Automated Vehicles. It has the greatest practical significance because it sets forth a “Safety Assessment” that manufacturers are expected to perform prior to the testing or deployment of automated vehicles on public roads.
Part 2: Model State Policy for Automated Vehicles. In general, the federal government (through the NHTSA) regulates the safety of the vehicles themselves, while state governments regulate the use of those vehicles—e.g., registration of vehicles, licensing of drivers and operation of the vehicles.
Part 3: NHTSA’s Current Regulatory Tools. It summarizes existing NHTSA regulatory authorities and describes how those authorities can be applied to address the introduction of automated vehicle systems.
Part 4: Potential New NHTSA Regulatory Tools. NHTSA identifies a range of potential new regulatory tools that could be adopted, recognizing that its existing tools may not be well-suited to the rapid pace of innovation in automated vehicle technologies.
NHTSA encourages collaboration and communication between State, Federal and local governments and the private sector as AV technology develops (Transpogroup, 2017). For topics like equity, VMT, technology, land use, safety, GHG, and goods, movement and services, “NHTSA has the authority to identify safety defects, allowing the Agency to recall vehicles or equipment that pose an unreasonable risk to safety even when there is no applicable Federal Motor Vehicle Safety Standard (FMVSS),” (NHTSA, 2016 p. 7). Furthermore, “in 2016, NHTSA adopted the SAE J3016 definitions as their standard. These were issued as policy and not regulations. States retain their responsibilities for vehicle licensing, registration, traffic laws and enforcement and motor vehicle insurance and liability. NHTSA continued preemption for interpretations, exemptions, notice, and rule-making and enforcement authority. Manufacturer responsibility to determine their system according to SAE J3016 standard,” (Kockelman and Loftus-Otway, 2017).
Policy Principles for AVs
Policies regarding AVs must inform the following topics:
- Mobility, connectivity, access
- Social and Environmental equity
- Energy, Sustainability, and Research and Development
- Safety and Security
- Data and decision making
- Economics and Fiscal Planning (APA, 2018)
A vehicle driven by a computer on public roads opens the possibility of many insurance and liability issues. California law (CIS 2013) requires 30 seconds of sensor data storage prior to a collision to help establish fault, assuming that the AV has been programmed and tested properly (Kockelman et al. 2016). Liability, security, and privacy concerns represent substantial barriers to widespread AV technology implementation. These issues should be addressed through regulations to give manufacturers and investors more certainty in development, as “without clear legal language saying otherwise, the person using the AV is still considered the driver and would have the same legal obligations as any other driver in the state,” (CSG, 2016 p. 5). Liability standards should strike the balance between assigning responsibilities to manufacturers without putting undue pressure on their product (Fagnant and Kockelman, 2015 p. 16).
Travel demand simulation results suggest that traveler behaviors will change significantly once AVs are available. Over 60% of CAV owners would prefer empty repositioning to on-site parking, in order to avoid parking costs. However, empty repositioning adds empty-VMT (vehicle-miles traveled) to the network and makes transit use less attractive (Liu et al., 2017). Consequently, the TxDOT, cities, and counties should consider constraints on all empty-vehicle travel, unless it is by an operator-managed fleet that is held to a maximum share of VMT driven empty (e.g., 10 percent, with fines for additional empty driving), and time- and location-dependent (congestion-based) road pricing should be adopted (using the GPS and DSRC that connected vehicles require). SAVs will bring rather dramatic changes in vehicle ownership and travel patterns. They can add large numbers of empty, but relatively short, repositioning trips to reach the next travelers (Kockelman et al. 2016 p. 2).
Credit-Based Congestion Pricing
Credit-based congestion pricing (CBCP) is a novel strategy that can be proposed as a policy. It is a revenue-neutral policy in which road tolls are based on the negative externalities associated with driving under congested conditions, and the tolls generated are returned to all licensed drivers in a uniform fashion, as a sort of driving “allowance.” Essentially, the “average” driver pays nothing, while frequent long-distance peak-period drivers subsidize others, in effect paying them to stay off congested roads (Kockelman and Kalmanje, 2005 p. 1).
This is a major concern with the storage of data. Below are various recommendations for cybersecurity.
| Principle | Recommendation |
|---|---|
| Transparency | Provide consumers with accessible, clear, meaningful data privacy and security notices/agreements which should incorporate the baseline protections outlined in the White House Consumer Privacy Bill of Rights and explain how Entities collect, use, share, secure, audit, and destroy data generated by, or retrieved from, their vehicles. |
| Choice | Offer vehicle owners choices regarding the collection, use, sharing, retention, and deconstruction of data, including geolocation, biometric, and driver behavior data that could be reasonably linkable to them personally. |
| Minimization, De-Identification and Retention | Collect and retain only for as long as necessary the minimum amount of personal data required to achieve legitimate business purposes, and take steps to de-identify sensitive data where practical, in accordance with applicable data privacy notices/agreements and principles. |
| Data Security | Implement measures to protect data that are commensurate with the harm that would result from loss or unauthorized disclosure of the data. |
| Integrity and Access | Implement measures to maintain the accuracy of personal data and permit vehicle operators and owners to review and correct such information when it is collected in a way that directly or reasonably links the data to a specific vehicle or person. |
| Accountability | Take reasonable steps, through such activities as evaluation and auditing of privacy and data protections in its approach and practices, to ensure that the entities that collect or receive consumers’ data comply with applicable data privacy and security agreements/notices. |
As the NHTSA notes, “manufacturers and other entities should have a documented process for testing, validation, and collection of event, incident, and crash data, for the purposes of recording the occurrence of malfunctions, degradation, or failures in a way that can be used to establish the cause of any such issues,” (NHTSA, 2016 p. 17).
Texas’ leadership in CAV testing allows it to play a leading role in influencing the development of the technology. Recommendations, including short-term, mid-term and long-term practices for shaping legislative policy on CAVs, position Texas as a national leader in using the market to encourage even smarter technological innovation (Kockelman et al. 2016).
Source: (Kockelman et al. 2016 p. 66)
As noted in the legal section of a 2016 study sponsored by the TxDOT, “the speed and nature of the transition to a largely AV system are far from guaranteed; they will depend heavily on purchase costs, as well as licensing and liability requirements. Nevada has already processed AV testing licenses (on public roads) for Google, Continental, and Audi, subject to certain geographic and/or environmental limitations (e.g., the autonomous operation only on the state’s interstates, for daytime driving free of snow and ice). On February 26, 2018, the Office of Administrative Law of California approved the driverless testing regulations. Both licensing requirements from California and Nevada include a minimum of 10,000 autonomously driven miles and documentation of vehicle operations in a number of complex situations” (Kockelman et al. 2016).
Nevada’s legislation contains 23 lines of definitions and broad guidance to its DMV, while California’s is more detailed, with specific direction to its DMV (to establish safety and testing specifications and requirements). Without a consistent (or at least congruent) licensing framework and safety standardization for acceptance, AV manufacturers may face regulatory uncertainty and unnecessary overlap (Fagnant and Kockelman, 2015 p. 12).
Source: (Bloomberg Aspen, 20xx p. 47)
Initial Issues, Challenges, Questions
- Legal articles have primarily focused on privacy, liability, cybersecurity & constitutional protections. State open records request that these issues, on which there is no case law yet, are all raised as concerns for AVs.
- NHTSA & FTC have noted they are reviewing hacking and privacy of consumer data in HAVs. Federal statutes also provide penalties under the Computer Fraud and Abuse Act, Digital Millennium Copyright Act, Wiretap Act, & Patriot Act.
- In the privacy realm, three areas have been identified as needing changes to law:
  - Autonomy privacy (i.e. an individual’s privacy under the 4th Amendment to the U.S. Constitution, e.g. illegal search & seizure);
  - Personal information privacy, and
(Kockelman and Loftus-Otway, 2017 slide 47)
Specific Recommendations for TxDOT Headquarters and Divisions
Sources: Kockelman and Loftus-Otway, 2016
Near-term (through 2021)
- Road markings to facilitate lane departure warning, traffic jam assist and platooning.
- Signage development for CAVs that detects and interprets road signs.
- Construction/detours for re-routing CAVs when needed.
- Lane management: Including the introduction of CAV-only lanes on freeways & city streets.
- Nighttime rules of the road for CAVs.
- SAV integration for facilitating optimal operation.
- Developing & enforcing regulations of empty driving
- Roadway design amendments to incorporate CAV design requirements.
- Tolling & demand management for alternative revenue generation & congestion control.
Long-term (2031 and beyond)
- Construction & maintenance design pertaining to construction automation, incident response, etc.
- Rural signage & rural road design to transition CAVs from urban environments
- Smart intersections allowing for a greater level of optimization than is possible with existing traffic signals.
- Charge users for miles traveled in state. Incentivize less congested routes. This will encourage users to choose routes based on value of personal time. Empty driving should be prohibited or strongly limited. (Kockelman and Loftus-Otway, 2017)
- Regulations for vehicle inspections to audit malfunctioning devices. Regulations to monitor the technological advances.
- State should work with MPOs & consultants to adopt agent-based models of travel demand and traffic. (Kockelman and Loftus-Otway, 2017)
- “Policies for smarter system management, including incentives for ride-sharing and non-motorized travel, route guidance and credit-based congestion pricing.” (Kockelman and Loftus-Otway, 2017)
- “Each State should have a CAV policy to encourage general adoption. Pilot programs are preferable.” (Kockelman and Loftus-Otway, 2017)
- Modernize traffic data. “Develop and implement robust data-sharing requirements for new vehicle technology to improve the quantity and quality of data collected, and to reduce the millions of dollars spent annually on technologically primitive data collection, both from regular traffic operation and from traffic crashes”. (NACTO, 2016 p. 2)
- “APA supports efforts to eliminate or sharply reduce municipal and off-street parking requirements with the growing incorporation of AVs into the national transportation system and permit the reuse of parking structures as active land uses”. (APA, 2018 p.2)
- “To produce more consistency in the protection of privacy, the legislature could limit the private information on citizens that must be disclosed through the Open Records Act”. (Kockelman and Loftus-Otway, 2016)