It's looking very likely that a bill in Congress that will make mandatory the use of "black boxes"— more formally, Event Data Recorders (EDR) — will become law soon. These are little computers clad in rugged casings that record data from your car's various sensors and computers to use for accident investigation and, very likely, other uses.


There's lots of privacy concerns around this new bill, and lots of questions as to exactly what that little boxy black snitch is snooping on. Plus, what about the voluntary black boxes some insurance carriers are offering? Let's see what we can clear up.

1. It's pretty likely your car already has an EDR.

GM was the pioneer here, starting to install them in the late '90s, and by 2005 a number of marques (GM, Ford, Isuzu, Mazda, Mitsubishi, Subaru and Suzuki) were putting them on everything. According to the NHTSA, about 91.6% of cars currently have them. Here's a list. Notable exceptions are Audi and Mercedes-Benz, but this new law will change that.


If you're like many of us Jalops, myself included, you may be driving a car that predates OBD-anything, so, unless you have a very technologically adventurous stalker, you likely don't have one. The law does not appear to require retrofitting the devices to, say, your King Midget.

2. It's not a tracking device.

These black boxes are not GPS devices, and do not track where you're going. So your drug-prostitute-deep fried food secret habits are still safe, as long as you don't get in a wreck with your hookers and crack and mouthful of fried cheese.

3. Okay, what do these things record?

Great question, disembodied voice. And a surprisingly tricky answer to find. Most articles just mentioned the bill requires 15 separate data points to be recorded, without listing what they are. While more data can be recorded based on manufacturers' own desires, these are the 15 data points that would be required by the new law— well, this list has 17, so maybe there's a couple others:

Change in forward crash speed

Maximum change in forward crash speed

Time from beginning of crash at which the maximum change in forward crash speed occurs

Speed vehicle was traveling

Percentage of engine throttle, percentage full (how far the accelerator pedal was pressed)

Whether or not brake was applied

Ignition cycle (number of power cycles applied to the EDR) at the time of the crash

Ignition cycle (number of power cycles applied to the EDR) when the EDR data were downloaded

Whether or not driver was using safety belt

Whether or not frontal airbag warning lamp was on

Driver frontal airbag deployment: time to deploy for a single stage airbag, or time to first stage deployment for a multistage airbag

Right front passenger frontal airbag deployment: time to deploy for a single stage airbag, or time to first stage deployment for a multistage airbag

Number of crash events

Time between first two crash events, if applicable

Whether or not EDR completed recording

As you can tell, most of this data is designed to aid in accident investigations, to help determine who was at fault, if any laws were broken, and to determine driver input compared to car performance to aid in investigations like the Toyota unintended acceleration incidents.


4. Who owns this data?

This is actually the best part about this new law, because it clearly states that you, the car's owner, owns the data. I don't think any of us are thrilled about having these things in our cars, but if it's going to happen anyway, a law like this is needed to protect car owners. I'm a firm believer that any and all data your car generates should be the easily-accessible property of the owner. As the IIHS says on their site about this:

EDRs and the data they store belong to vehicle owners. Police, insurers, researchers, automakers and others may gain access to the data with owner consent. Without consent, access may be obtained through a court order. For example, in a Florida criminal case involving a vehicular manslaughter charge, the police obtained a warrant to access the EDR data. For crashes that don't involve litigation, especially when police or insurers are interested in assessing fault, insurers may be able to access the EDRs in their policyholders' vehicles based on provisions in the insurance contract requiring policyholders to cooperate with the insurer. However, some states prohibit insurance contracts from requiring policyholders to consent to access.


I'd be more concerned about what private insurance companies would do with this data than I am what the police would do with it, so if you're in a state that allows your insurance company to require you to let them access the data, make sure you carefully read your contract.

The fact that the data is your property will also prevent it from being used by advertisers and/or dealerships (whew) and law enforcement agencies will normally need a warrant to get the data. This point about requiring a warrant has already been tested in court, with the appeals court reversing an original manslaughter conviction of a California driver, stating of the police's access to the driver's Yukon's EDR data:

"We conclude that a motorist's subjective and reasonable expectation of privacy with regard to her or his own vehicle encompasses the digital data held in the vehicle's SDM."


That means the cops can't bully your car into testifying against you, its loving owner.


5. How is the data retrieved from the EDR?

The data is retrieved via either a connection to your ODB port in your car, or, if you had a really dramatic wreck that left your car strewn over a quarter mile of highway, the EDR itself may be removed from the mess and the data retrieved directly.


In order to help enforce the idea that the data is the owner's property, there have been proposals (and this patent) for lockable OBD port access panels.

6. So if it's my data, can it be used against me in court?

Oh hell yes. You own it, but warrants can be gotten, data can be downloaded, and, potentially, you could be screwed. Or vindicated. It's just data.


More alarming is the potential for unauthorized access, or even inadvertent access to the data. It's happened before, such as in the case of Nissan Leafs sending GPS and speed data in unencrypted text to websites for voluntary crowdsourcing and tracking of fuel economy data.

7. What should I be most concerned about?

This new law itself isn't too bad, in that if we accept that these recorders were already appearing on cars, it's good to have some legal protection of the data. What's more alarming are third-party tracking systems from companies like Progressive, which promise lower rates, but at the cost of making the consumer far more vulnerable. Plus, these private systems are not necessarily subject to the same laws that protect owners for the federally-mandated black boxes.


I sure as hell wouldn't want my insurance company tracking everything I do— their primary goal is to make money, and I don't trust my data would be used for any goals other than that.

8. So how should I feel about all this, in general?

Wary, but not paranoid. This new bill will give a reasonable level of protection, but never forget that while this will likely help greatly for traffic safety and accident investigation, there is a huge privacy hole being opened, and if we're not constantly vigilant and careful, abuses will happen.


As it stands now, with cable-based retrieval, you can have a reasonable degree of assurance that your data is safe. Some companies, like BMW, are experimenting with wireless transmission of this sort of data, to schedule maintenance and alert dealerships of service needs. If this becomes more common, safeguarding data integrity will become a much more difficult issue.

9. Are there any fun upsides?

Maybe, if these things are hackable. I'm picturing some interesting art possibilities using your car's data to produce interesting visualizations. Plus, wouldn't you like to hack this so your car can Tweet it's throttle position every minute? No? Me neither. But I bet there'll be some fun hacks to be found in these things.


(Sources: IIHS, Google Patent Search, Computerworld, Forbes)