There's currently a bill pending in Congress, known to those inside the Beltway as MAP-21, which would "reauthorize Federal-aid highway and highway safety construction programs." But the part of the bill that has gotten the attention of privacy and tech activists is Section 31406, which says, "beginning with model year 2015... new passenger motor vehicles sold in the United States [will] be equipped with an event data recorder that meets the requirements under that part."

Last month, the bill passed in the Senate as S. 1813, where its House equivalent, H.R. 14 is likely to come up for a vote in the coming months. While some conservative news websites have pre-emptively gotten their knickers in a twist about this provision, others have been quick to point out that nearly all new cars sold in the United States since 1996 already have an event data recorder (EDR). In fact, the National Highway Traffic Safety Administration reports current usage rates at 91.6 percent.

The EDR "must keep a record of 15 discrete variables in the seconds before a crash," says IEEE Spectrum. "Among them are the car’s speed, how far the accelerator was pressed, the engine revolutions per minute, whether the driver hit the brakes, whether the driver was wearing a safety belt, and how long it took for the airbags to deploy."

Since 2011, car manufacturers have been required to disclose the presence and physical location of an EDR in a car's owner's manual. Seven years earlier, California became the first state to mandate such disclosure.

Data protection

Beyond requiring the auto industry holdouts (we're looking at you, Mercedes-Benz and Audi) to include EDRs, the new law also provides an interesting provision specifically pertaining to privacy and how the data in the devices would be used. Some privacy and legal experts say that while the new bill provides a step in the right direction, the legislation doesn't go far enough in ensuring bulletproof consumer protection.

As the bill has currently been written in both the House and Senate versions: "Any data in an event data recorder required under part 563 of title 49, Code of Federal Regulations, regardless of when the passenger motor vehicle in which it is installed was manufactured, is the property of the owner, or in the case of a leased vehicle, the lessee of the passenger motor vehicle in which the data recorder is installed."

The bill then goes on to list a few exceptions where that would not be the case, including under court order, if the car owner or lessee consents to the data's release, under investigation or inspection as allowed under federal law, or to help in an emergency situation.

"The fourth exemption is especially troublesome because it seems to say that any EDR data that might be useful for determining the need for emergency response to any vehicle crash would be generally available," wrote Dorothy Glancy, a law professor at Santa Clara University, in an e-mail to Ars.

She added that because language in the bill refers to "in response to a motor vehicle crash," as opposed to something more specific, such as "the crash of the vehicle in which EDR data was accessed," there could be future legal disputes where an insurance company representative could be included in the parties that could access the relevant data.

There has been a worry by some car owners and privacy activists that this data would automatically be shared with insurance companies and law enforcement.

"The new language seems to require a court order for the government to obtain the data in a criminal investigation, or for another driver to get in a dispute over a crash," wrote Justin Brookman, director for consumer privacy at the Center for Democracy and Technology, in an e-mail to Ars on Friday. "That's a nice nod, but [I'm] not sure that's that high a bar to reach however in either case."

USA Today reported in 2011 that there were laws in 13 states specifically outlining how data on an EDR can be accessed, but that some local law enforcement, including the Tennessee Highway Patrol, retain equipment to read EDRs after an accident.

A physical lockout?

Other legal experts though, say, the legislation is a step in the right direction, by including provisions for individual data protection from the get-go.

"A law that makes it clear that the data belongs to the owner and cannot be accessed without permission is a good thing," Christopher Wolf, co-chair of the Future of Privacy Forum, and a partner at Hogan Lovells LLP, told Ars on Thursday. He called the legislation, as it has been written, a "net plus."

But beyond the specifics of the law, there may be a simpler way to restrict how the EDR data can be accessed.

For years, a team of IEEE engineers have been pushing for an EDR standard, which in addition to standardizing what data was collected, would include a "connector lockout," or a way to physically secure access to the EDR data. A two-person team published a draft standard in 2004, which was later revised in 2010.

"Congress could easily mandate that if a vehicle has an EDR it must also have a consumer protection lockout," wrote Tom Kowalick, a North Carolina community college professor, and one of the two people who authored the IEEE standard, in an e-mail sent to Ars on Thursday.

"By securing the download port, the owner or operator is establishing his or her basic right to lock access to the data in the same manner that one would lock the glove box to protect personal data, or lock the trunk to protect others from entering the trunk. It's just common sense. That's why glove boxes and trunks have keys. Why would anyone leave something valuable unprotected?"