Plugging-in Your EV? More Like Plugging-in Your Data.

By: Caroline Dolan

As global warming and ecological degradation progress, sustainable technology and infrastructure are being implemented to remediate the damage and prevent further aggravation. However, electric vehicles (EVs), which are an effective way to curb carbon emissions and boost green efforts, pose a unique set of privacy risks every time we plug in.

The data transaction: Plugging-in

EVs are dependent on EV chargers, and for the majority who do not have the capacity to charge at home, public chargers are a necessity. Public EV chargers are essentially Internet of Things (IoT) devices that facilitate the exchange of data for kilowatts. Information involving pricing, session date, time, duration, and power patterns is collected and sent to the operator’s network. Furthermore, most chargers are affiliated with a mobile app or use a radio-frequency identification (RFID) card, implicating your phone as another data source that shares payment information, names, emails, IP addresses, and internet history. In order for an app to make the consumer experience more convenient and recommend the nearest charger, location identification is necessary. However, Certified Information Privacy Professionals have reported how this data can be used to pinpoint your location and predict your typical driving route.

Sharing and collecting this information can make life a lot more convenient and does not seem to pose any imminent risks of harm. However, every public charger is connected to a grid, and whether it is a closed or open network, there is always a risk of ransomware attacks, ID fraud, and grid damage. The Cybersecurity and Infrastructure Security Agency defines ransomware as “a form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption.” As described by privacy professionals, closed networks relate to a certain set of manufacturers who have discretion and unrestricted authority to use the data and create profiles; open networks tether multiple manufacturers, which decreases each manufacturer’s control but gives more stakeholders access, increasing your data’s vulnerability. In other words, while there is not an imminent risk of harm, there is a perpetual risk.

An EV economy

As the Wall Street Journal reported, “Modern vehicles are effectively connected computers on wheels. They’re able to collect a wealth of information via built in apps, sensors, and cameras, which can monitor people both inside and near the vehicle.”

Whether the data originates from the user’s personal device connected to the EV or solely through the charging equipment, the data is ripe for hackers, car manufacturers, insurance companies, and emergency service providers. While such data can help urban planners determine the optimal areas for development and economic profit, it can also inform insurance companies on how to set rates based on driving risk and behavior. More importantly, the Wall Street Journal has recognized that if data brokers obtain and sell the data, even with personal information redacted, movements and habits are individualistic and may provide insight into one’s identity.

Well-intentioned green policy may be getting ahead of itself

President Biden’s goal of boosting U.S. EV production is being achieved through his Made-in-America EV charging network initiative, which is supported by the Department of Transportation’s National Electric Vehicle Infrastructure (NEVI) program. NEVI is distributing $5 billion into various EV programs to create a coast-to-coast network of EV chargers and electrify the highway system. However, these good intentions may be putting the cart before the horse, since the privacy risks of EVs have yet to be adequately and uniformly regulated.

Notably, the Federal Highway Administration (FHWA) has imposed a set of requirements on NEVI fund recipients stated in its “final rule.” The final rule consists of network connectivity requirements that ensure secure payment processing and minimize the amount of personal information that companies may retain. While these efforts seek to safeguard data and promote transparency, the final rule essentially requires merely “appropriate” data protection and gives states the discretion to determine the means. 

California is one state that is addressing the privacy concerns raised by the EV boom. California’s newly approved Electric Vehicle Infrastructure Deployment Plan cites the state’s Senate Bill 327, which requires a manufacturer of a “connected device” to equip the device with reasonable security features based on the nature and function of the device. From a legal perspective, the reference to SB-327 indicates that EV chargers may constitute a “connected device” and therefore warrant reasonable and appropriate security features and protection.

However, state regulations are not an adequate shield from the broad destruction of a cyberattack. Therefore, some EV charger companies like ChargePoint have adopted internal regulations and earned certifications from the International Organization for Standardization (ISO) based on their comprehensive information security and cyber-risk management. ChargePoint is a predominant U.S. company that supplies EV charging stations across North America as well as Europe and is therefore subject to Europe’s General Data Protection Regulation (GDPR). The GDPR controls the collection, use, and storage of personal data as well as the conduct of non-EU companies that possess the data of EU residents and citizens. While it seems unlikely that the U.S. will implement a federal law akin to the GDPR, California and ChargePoint may prompt other states and companies to implement regulations that supplement FHWA’s final rule.

Will supporting EVs come at the cost of our privacy?

While it is difficult to encourage people to undertake the risks posed by EVs, even for the sake of curbing carbon emissions, the Earth is a finite resource and without it our privacy is moot. Therefore, people should not be discouraged from purchasing an EV or plugging into a public charger. Rather, the government and individuals should be compelled to hold corporations accountable for how data is stored and used so that we may plug in without fear. As the effects of global warming become more apparent, embracing corporate accountability and privacy protection is critical in order to keep up with the EV boom and conserve the Earth.
