Imagine if your car could send messages about its speed and movements to other cars on the road around it. That’s the dream of the National Highway Traffic Safety Administration (NHTSA), which thinks of Vehicle-to-Vehicle (V2V) communication technology as the leading solution for reducing accident rates in the United States. But there’s a huge problem: it’s extremely difficult to have cars “talk” to each other in a way that protects the privacy and security of the people inside them, and NHTSA’s proposal doesn’t come close to successfully addressing those issues. EFF filed public comments with both FTC explaining why it needs to go back to the drawing board—and spend some serious time there—before moving forward with any V2V proposal.

NHTSA’s Plan

NHTSA’s V2V plan involves installing special devices in cars that will broadcast and receive Basic Safety Messages (BSMs) via short-range wireless public key infrastructure (PKI)—didn’t achieve either objective.

The Problems

One of the fundamental problems with NHTSA’s plan is that assigning each vehicle a mere 20 identities over the course of an entire week will do the opposite of protecting privacy; it will give anyone who wishes to track cars a straightforward way to do so. NHTSA proposes that a car’s certificate change every five minutes, rotating through the complete batch of 20 certificates once every 100 minutes. The car would get a new batch of 20 certificates the next week. As we explained in our highly unique,” it would be easy—in the case of a vehicle used in its ordinary way—to recognize and track a vehicle from week to week, even as the vehicle’s list of 20 assigned certificates changed.

NHTSA seems to presume that no one will make long-term, systematic efforts to track vehicles. But this presumption is incredibly naïve. We have learned the hard way that both the government and private companies will go to great lengths to track vehicles—just look at the proliferation of Automated License Plate Readers (ALPR). V2V will make these tracking efforts easier, by making it significantly cheaper to get more reliable information about a vehicle’s whereabouts, more of the time, in more situations, in a clandestine manner, without requiring a line-of-sight to a vehicle’s license plate.

There are other fundamental problems with NHTSA’s plan. First, NHTSA proposes the creation of a new public key infrastructure (PKI) to solve a problem that PKIs simply cannot—and were never intended—to solve, demonstrating a serious misunderstanding of the technology. The sole purpose of a distributed PKI system is to determine who or what produced a validly signed message. A PKI system, for example, cannot establish that the content of the message is “safe” and truthful and therefore the reliable basis for decisions. But NHTSA’s plan suggests that use of a PKI would enable vehicles to assess whether messages it receives are “safe” in this way. This will create widespread—and potentially quite dangerous—confusion about the level of confidence that should be placed in the contents of a validly signed message. NHTSA’s failure to understand the inherent limits of PKIs is deeply troubling.

Second, NHTSA’s envisioned PKI is much larger and more complicated than anything in existence, yet it fails to account for known—and considerable—technical challenges presented by smaller systems. For instance, in the SHA-1. NHTSA proposes a more complicated PKI, which would issue orders of magnitude more certificates, without even attempting to address the fundamental functional challenges that we already know exist.

Third, NHTSA’s plan for dealing with “bad actors” is to revoke their certificate and push out certificate revocation lists (CRLs) to all vehicles participating in the system. But this just won’t work. Not only will after-the-fact revocation be too late to prevent the first—and potentially catastrophic—attack, but sending out CLRs to every single vehicle participating in the system would take a tremendous amount of data. CRL distribution in the WebPKI has received widespread criticism for being extremely traffic-intensive and inefficient, and the CRLs NHTSA envisions would be orders of magnitude larger than the largest CRLs used in the WebPKI—we’re talking gigabytes of data being distributed to each car in the United States on a regular basis.

What’s more, the plan opens cars up to an entirely new surface of attack while failing to address serious security concerns, putting people at risk of potentially grave harm.

And the plan makes absolutely no sense from a cost-benefit perspective. Because V2V only works when laid out in detail by Brad Templeton, Chairman Emeritus of EFF’s Board and a developer of and commentator on self-driving cars, “[V2V’s] cost is high, and those resources could be much better spent.” For this reason alone, NHTSA needs to move on from its outdated and backwards looking proposal.

We’ve made sure both NHTSA and the FTC heard our concerns loud and clear. Since submitting comments to the FTC, we’ve been invited to participate in a Jeremy Gillula will be there to explain why the FTC should put the brakes on NHTSA’s misguided and potentially disastrous plan.

EFF is not alone in our concern over NHTSA’s V2V plan. Many organizations have filed comments expressing their own concerns with the troubling proposal. We hope NHTSA heeds these warnings—for the good of all of us.