1 of 19

Connected Vehicle Cloud Architecture

Design for personal data protection and interoperability

DD Month 2024

| 1

13 September 2022 |

2 of 19

Agenda

Open discussion on what is needed to enable automotive as a cohesive, cross industry ecosystem, empowering end users and enabling services

W3C Automotive Privacy Principles Group - another collaboration between W3C and COVESA
State of the Industry
Liabilities and issues with current approach
Importance of Privacy and User Data Rights
Relevant laws and regulations
Importance of accurate and beyond the car personal data
Design goals
Benefits to separation of roles
Possible Information Architectures

3 of 19

Assignments

Philippe/Ted - archicture proposals

Liz - importance of safety, regulations

Kara/all - balancing privacy with enabling business

Ansgar/Liz/Ted/all - industry trends / observations

Ted/Philippe - role separation, silo flaws

All - work on invitees - more involved for weekly meetings and ones (decision makers) for workshop

| 3

4 of 19

State of the Industry

Silo approach - per OEM

No consistent data model
Mismatched protocols
No widespread interoperability only one off partnerships
Lack of portability for vehicle owner and services
Lack of transparency to vehicle owner
In North America usually consent buried in initial purchase agreement, in Europe often consent required per drive
Inability or unwillingness to make individual exceptions

Consent for data collection either missing, blanket default with notice only or OEM specific, turning silo into a tower
Often poor user experience and limited services*

5 of 19

How to achieve great UX, Security & Privacy?

User-Centric Design

Understand the needs of the individual users, balancing security measures with ease of use. Implement user-friendly interfaces for privacy settings, allowing users to easily control what data is shared and with whom
Transparent communication of privacy and security features to build trust without overwhelming the user with technical details

Seamless Authentication

Use biometric methods (e.g. fingerprint, facial recognition). This is standard with smartphones, well known and thus easy to use
Single Sign-on Integration in the vehicle. Here FIDO and existing SSO standards can be used

Provide good HMI

Design intuitive interfaces using the HCD approach. Voice control could be part of this, especially while driving. Modern LLMs could be a good option, but today it is not clear how to make them safe -> more research is required.

Balance UX and Security

A good balance between user experience and security is not only possible but necessary. By integrating security seamlessly into the UX it’s possible to protect user data without compromising convenience and enjoyment of using the vehicle.

User-Centric Design Approach

Empathy for Users: Understand the needs and preferences of users, balancing security measures with ease of use. Implement user-friendly interfaces for privacy settings, allowing users to easily control what data is shared and with whom.
Transparent Communication: Clearly communicate privacy and security features, so users are aware of how their data is protected. This builds trust without overwhelming the user with technical details.

2. Adaptive Security Levels

Context-Aware Security: Implement security mechanisms that adapt based on the context (e.g., driving vs. parked). For instance, require stronger authentication when accessing sensitive information but minimize interruptions during driving.
Customizable Security Settings: Allow users to choose their desired level of security, with default settings that protect them without requiring complex configurations.

3. Minimize Data Collection

Data Minimization: Collect only the data necessary for the service to function effectively. By reducing the amount of data collected, you minimize potential risks while simplifying the user experience.
Edge Computing: Process data locally in the vehicle rather than sending it to the cloud, reducing the amount of data transmitted and stored externally, thereby enhancing privacy.

4. Seamless Authentication

Biometric Authentication: Use biometric methods (e.g., fingerprint, facial recognition) for seamless yet secure authentication. These methods provide high security while being quick and easy for the user.
Single Sign-On (SSO) Integration: Integrate with existing SSO services so users can log in once and access multiple systems without repeatedly entering credentials, improving both security and convenience.

5. Regular Security Updates

Automatic Updates: Ensure the vehicle's system can receive and install security updates automatically with minimal disruption to the user. This keeps the system secure without requiring user intervention.
OTA (Over-the-Air) Updates: Use OTA updates to keep the vehicle’s software current, protecting against new vulnerabilities without the need for users to take action.

6. Privacy by Design

End-to-End Encryption: Implement strong encryption for data both at rest and in transit. This ensures that even if data is intercepted, it remains inaccessible to unauthorized parties.
Anonymization and Pseudonymization: Whenever possible, anonymize or pseudonymize data to protect user identity while still allowing data analysis for improving services.

7. User Feedback Loop

User Feedback Mechanisms: Continuously gather user feedback on privacy and security features. Use this feedback to iteratively improve the balance between security and user experience.
Educational Interfaces: Educate users about the importance of privacy and security within the UI. Empower users to make informed decisions about their data without feeling overwhelmed.

8. Redundancy and Reliability

Fail-Safe Mechanisms: Implement fail-safe mechanisms that maintain the security and privacy of user data even in the case of a system failure. Ensure that these mechanisms do not degrade the user experience.
Data Recovery and Backup: Ensure data is securely backed up and can be recovered in case of a system failure, without compromising user privacy or experience.

9. Human-Machine Interaction (HMI)

Intuitive Interfaces: Design intuitive interfaces that make it easy for users to understand and manage their data security. Use visual cues and simple language to guide users through privacy settings.
Voice-Controlled Security Features: Enable voice-activated commands for security features, allowing users to manage their data without taking their eyes off the road or going through complex menus.

10. Regulatory Compliance

Compliance with GDPR and Other Regulations: Ensure that the vehicle’s data handling practices comply with relevant privacy regulations (e.g., GDPR). Compliance builds trust and demonstrates a commitment to user privacy.
Audit and Transparency: Regularly audit data security practices and be transparent about how user data is handled and protected.

Conclusion

Balancing UX and Security: Emphasize that achieving a balance between user experience and security is not only possible but necessary. By integrating security seamlessly into the user experience, it’s possible to protect user data without compromising the convenience and enjoyment of using the vehicle.

6 of 19

Infotainment Industry Trends

OEM owned CarOS (e.g. MBOS) vs. CarPlay & Android Automotive OS

Some OEMs gave up developing own system (e.g. Ferrari https://www.reddit.com/r/technology/comments/1dj2fvy/ferrari_is_removing_builtin_navigation_in_favor/?rdt=50330)
Android Automotive is widely used platform
Apple announced next generation CarPlay architecture with fully integrated interface for all screens -> vehicle state will mostly stay in the car (https://developer.apple.com/videos/play/wwdc2024/10111/)

Apps use more vehicle information to provide services

Within the car (e.g. in vehicle Android Apps in MBUX or Automaker Apps in CarPlay NG)
Remote Apps for controlling car functions like remote parking, burglary notification etc.)

Car-sharing vs. car-owning

Features and service for car-sharing grow with demand
Requires individual profiles for cross-car use (https://www2.deloitte.com/content/dam/Deloitte/de/Documents/risk/Deloitte-Trusted-Software-POV-On-demand-car-features.pdf)

-> Standardized Interfaces to real-time data in the car are required. OEMs, Google and Apple provide their own proprietary solutions

-> Multiple interfaces increase the effort for service-providers

-> User lock-in as they can not easily change smartphone or car brand without losing data or functionality

-> Currently no common approach to privacy & data protection and user control over data flow existing

| 6

7 of 19

Connected Services Typology

| 7

Connected Service Registry (COVESA as authority?)

PLB -> Add schema

8 of 19

Why Silo Approach Doesn’t Work

Prevents tailored and customized in-vehicle experience as the scope of connected services goes beyond what a single OEM can deliver.

Without interoperability and proper data model for connected services that covers the full typology associated inclusive of a customer profile the industry won’t be able to compete with car-agnostic and universal car companion offering nor to properly integrate/leverage them.

9 of 19

Building an Interoperable Ecosystem

Any information architecture design needs to start with requirements, including from regulators/legislatures

Europe leading personal privacy and data access (next slide) but far from alone
Drivers Privacy Protection Act (DPPA)
Act on the Protection of Personal Information (APPI, Japan)
Australian Privacy Principles
Personal Information Protection and Electronic Documents Act (PIPEDA)
California Consumer Privacy Act (CCPA) & California Privacy Rights Act (CPRA)
Privacy and Electronic Communications Regulations
To name a few, 66% of all countries have privacy law…

Designing for the most restrictive provides more future proofing and less costly revision especially if adopted industry wide - collective lift.

Enabling cross-border connected services so the vehicle can adjust its configuration to applicable laws, possibly consent renewal or new consent, based on its location

Dynamically adjust Data Residency based on vehicle location

10 of 19

Building an Interoperable Ecosystem

European Union has been making broad legislative requirements on the collection, use and individual access to data

EU Data Act

IoT device (definition extends to connected vehicles) that collect data must make it available to owners

EU General Data Protection Regulation (GDPR)

follows citizens regardless of what country they are in and who is collecting data

EU Digital Identity - Self Sovereign Identity (SSI)

Lower cost, increased security, empowers individuals, creates interoperability instead of silos

Taken together, to sell a connected vehicle in the EU there needs to be clear consent for any data connected, bound to SSI authenticated individual and data must be provided to any third party of their choosing.

11 of 19

Can the EU Digital Identity Wallet be part of the solution?

The EU will introduce the European Digital Identity Wallet (EUDI-Wallet)

Personal digital wallet for all EU citizens, free, open-source and secure
All public and private organisations als well als large online platforms must accept a EUDI-Wallet if requested (e.g. for login / authentication)
Until beginning 2027 all EU states are required to provide a EUDI-Wallet solution to their citizens

Can your smartphone be used as the privacy agent for vehicle services, too?

Source: https://gitlab.opencode.de/bmi/eudi-wallet/eidas-2.0-architekturkonzept/-/blob/main/architecture-proposal.pdf?ref_type=heads

12 of 19

Importance of Privacy and User Data Rights

Lower financial liability (fines and lawsuits) by properly handling sensitive personal information

Done well an interoperable information architecture can enable a broad ecosystem of diverse data driven services

13 of 19

Importance of accurate and beyond the car personal data

Reduce risk and enable reward

Vehicles are an extension of individuals lives and need to think outside the box
Providing compelling, data driven services that provide convenience, improve lives, increase safety will ensure user consent
Vehicle is used within the context of a life, and thus parts of events and situations it is not aware of

14 of 19

Design goals

General Goals

Good Usability & User Experience
Ease of use
Safety / Security
Interoperability

Opt out per trip

use cases, domestic violence, undercover law enforcement operations

Roles - driver, owner, passenger, AV passenger

15 of 19

Benefits to separation of roles

Separating authentication/authorization from providing and processing data provides interoperability and reduces provider/process financial risk
Auth*n provider should be independent of OEMs
Examples / Use Cases

Drivers do not operate a single vehicle nor vehicles solely from one manufacturer
Reluctance to enter personal information per OEM (driver’s license, insurance, services, contacts, preferences)

16 of 19

Possible Information Architectures

17 of 19

RACI / Data Model / Data Flow

Roles & Responsibilities of each party

Baseline/high level data model from identity, authentication, profile, consent, privacy level, to service/subscription to link to VISS/VSS (entities)

High level Data Flow of all key functions

| 17

18 of 19

Next steps

Much of this is outside the scope of the COVESA Commercial and Fleet Vehicle Expert Group, additional groups must be formed with strong coordination starting with a Consent and Privacy Birds of a Feather (BoF) activity.

Automotive Telematics Ecosystem Needs

Consent management
Common data model (COVESA VSS)
Industry vertical requirements (Commercial and Fleet EG)
Consistent protocols and authentication means (FIDO involvement)
Streamlined information flows - provisioning services for vehicles at delivery or subscription
…

Convene group to sketch out specifics on information architecture, flows, prioritized areas of focus, identifying existing external efforts to leverage

| 18