Public Values, Private Infrastructure and the Internet of Things: The Case of Automobiles

Privacy and Security

Article Snapshot


Kenneth A. Bamberger and Deirdre Mulligan


Journal of Law and Economic Regulation, Vol. 9, No. 1, pp. 7-44, 2016


Many devices intended to connect to the Internet of Things (IoT) have security flaws. Over-the-Air (OTA) update systems are important to fix these flaws. This paper sets out four principles that should be respected in designing OTA systems.

Policy Relevance

Respect for values such as competition and privacy should be built in to OTA systems.

Main Points

  • The IoT has emerged with little attention to the risks of equipping devices with connectivity and computerized controls; hackers able to compromise credit card systems and vehicles will easily be able to hack into toasters.
  • Industry groups are considering self-regulation for IoT devices; the proposal includes a requirement that product software be updated remotely, or that consumers by notified of problems; with automobiles, administrative agencies already possess regulatory authority over the transportation sector.
  • By 2020, analysts expect as many as 250 million “connected cars”—automobiles connected to external networks—on the road.
    • Today, such cars have about 100 million lines of software code.
    • Software controls automobile security and safety systems, including locks, airbags, seatbelts, and anti-lock brakes.
    • Mechanisms must be available to patch flaws in these systems quickly.
  • Individuals delay making software patches and are slow to bring cars to dealerships for recalls; only forced OTA updates will successfully address security and safety concerns effectively.
  • The automobile industry lags behind in developing OTA update capabilities.
    • OTA systems can open new channels for hacker attacks.
    • Updates may require more bandwidth and power than many IoT devices provide.
  • The profit motive will spur firms to offer new features through OTA updates, but the mechanisms will not support privacy, security, or safety, and may limit competition; software features might restrict the ability of independent car repair shops to work with automobiles.
  • The government must promote cybersecurity for the IoT.
    • Cybersecurity should be recognized as a public good.
    • In the automobile sector, private and public stakeholders should clarify cybersecurity goals within a participatory framework.
    • Cybersecurity and values such as competition should be designed in to IoT systems, not added on as an afterthought.
  • The National Highway Traffic Safety Administration (NHTSA) addresses technological concerns with automobile connectivity but has failed to consider values such as privacy and competition.


Get The Article

Find the full article online

Search for Full Article