Public Values, Private Infrastructure and the Internet of Things: The Case of Automobiles

9 Journal of Law and Economic Regulation 7, (Vol. 9. No. 1). 2016. 5. pp. 7~44.

UC Berkeley Public Law Research Paper No. 2914268

38 Pages Posted: 10 Feb 2017

See all articles by Deirdre K. Mulligan

Deirdre K. Mulligan

University of California, Berkeley - School of Information

Kenneth A. Bamberger

University of California, Berkeley - School of Law

Date Written: October 1, 2016


In July 2015, two researchers gained control of a Jeep Cherokee by hacking wirelessly into its dash-board connectivity system. The resulting recall of over 1.4 million Fiat Chrysler vehicles marked the first-ever security-related automobile recall. In its wake, other researchers demonstrated the capacity for remote takeovers of automobiles. By September, it became public that GM had initiated a quiet over-the-air (OTA) update program to fix security vulnerabilities in millions of their vehicles.

These incidents reveal the critical security issues of modern automobiles, so-called “connected cars,” and other Internet of Things (IoT) devices, and underscore the importance of regulatory structures that incentivize greater attention to security during production, and the management of security vulnerabilities discovered after connected devices are in circulation. In particular, it highlights the importance of incentivizing the development of OTA update systems to support safety and security critical updates to patch vulnerabilities. OTA update systems are essential to IoT security and the health and safety of humans who rely upon it.

Today’s connected cars can have more than a 100 million lines of software code, and this code base is growing. This code plays a significant role in compliance with regulatory obligations, and a crucial role in automotive safety and security systems. Embedded sensors and algorithms trigger and modulate airbag deployment, seatbelt engagement, anti-skid systems, and anti-lock breaks, identify the size, weight, and position of people to inform airbag and seatbelt behavior, and inform parking assistance systems, anti-skid and anti-lock break systems, among others. Software’s role in automotive safety is growing making the assumptions and calibrations of the code governing critical safety systems, as well as its security, increasingly important to saving lives. Addressing the vulnerabilities in automotive code — such as the ones exploited by the Jeep hackers — and specifically the capacity for remote exploits, are an essential element of the future of automotive safety and security.

The design of OTA update systems implicates crucial issues of governance, and the balance of a variety of values — both public and private. Developing systems intended to ensure automotive safety and security involves both choosing among competing visions of security, and determining how to protect other values in the process. The articulation of cybersecurity goals, and the way they are balanced against other values, must occur in a public participatory process beforehand that includes relevant public and private stakeholders.

This paper sets forth principles that should in-form the agenda of regulatory agencies such as the National Highway Transportation (NHTSA) that play an essential role in ensuring that the IoT, and specifically the OTA update functionality it requires, responds to relevant cybersecurity and safety risks while attending to other public values. It explains the importance of OTA security and safety update functionality in the automotive industry, and barriers to its development. It explores challenges posed by the interaction between OTA update functionality, consumer protections — including repair rights and privacy — and competition. It proposes a set of principles to guide the regulatory approach to OTA updates, and automobile cybersecurity, in light of these challenges. The principles promote the development of cybersecurity expertise and shared cybersecurity objectives across relevant stakeholders, and ensure that respect for other values, such as competition and privacy is built into the design of OTA up-date technology. In conclusion, we suggest reforms to existing efforts to improve automotive cybersecurity.

Keywords: cybersecurity, privacy, administrative law, regulation, privacy by design, Internet of Things, IoT, Connected cars, NHTSA, governance, soiftware updates, transportation safety, health and safety

JEL Classification: K23, K32, L83, L91, L92

Suggested Citation

Mulligan, Deirdre K. and Bamberger, Kenneth A., Public Values, Private Infrastructure and the Internet of Things: The Case of Automobiles (October 1, 2016). 9 Journal of Law and Economic Regulation 7, (Vol. 9. No. 1). 2016. 5. pp. 7~44., UC Berkeley Public Law Research Paper No. 2914268, Available at SSRN:

Deirdre K. Mulligan

University of California, Berkeley - School of Information ( email )

102 South Hall
Berkeley, CA 94720-4600
United States

Kenneth A. Bamberger (Contact Author)

University of California, Berkeley - School of Law ( email )

Boalt Hall NA446
Berkeley, CA 94720-7200
United States
(510) 643-6218 (Phone)


Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Abstract Views
PlumX Metrics