Endpoints-on-Wheels: Protecting Company and Employee Data in Cars

Intro 0:01  

Welcome to the She Said Privacy/He Said Security Podcast, like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st Century.

 

Jodi Daniels  0:21  

Hi Jodi Daniels, here, I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional providing practical privacy advice to overwhelmed companies.

 

Justin Daniels  0:36  

Hi, I’m Justin Daniels, I am a shareholder and corporate M&A and tech transaction lawyer at the law firm, Baker Donelson, advising companies in the deployment and scaling of technology. Since data is critical to every transaction, I help clients make informed business decisions while managing data privacy and cybersecurity risk. And when needed, I lead the legal cyber data breach response brigade.

 

Jodi Daniels  0:59  

And this episode is brought to you by Red Clover Advisors. We help companies. Hey, you’re not supposed to keep beeping. That’s being rude. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology e commerce, professional services and digital media. In short, we use data privacy to transform the way companies do business together. We’re creating a future where there’s greater trust between companies and consumers to learn more and to check out our best-selling book, Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com, well, we are very giddy. This is going to be a super fun episode. I think you are giddy. I might be very giddy, and we don’t typically record at five o’clock, which might help make our giddiness even sillier, but we have a really awesome show and guest for every single driver out there on the planet. So we have Merry Marwig, who is the VP of global communications and advocacy at Privacy4Cars. She is a pro-consumer, pro-business privacy advocate, who is optimistic about what data privacy rights mean for everyday people. I’m an everyday person and for the companies they do business with, at Privacy4Cars, she helps protect driver and passengers personal data while creating business opportunities for automotive companies. And I am so delighted and excited that you are here with us today.

 

Merry Marwig  2:36  

Thank you so much for having me, guys. I’m excited to be here.

 

Jodi Daniels  2:40  

You are not allowed to laugh. Why? Because that’s mocking me, Mr. Frog, you can explain why you’re a frog.

 

Justin Daniels  2:48  

Why am Oh, because, yes, because in the pre show, we were talking about, oh, you’re ambidextrous. And when I hear that, I was like, Oh, I could be amphibious as well, because it’s very similar, but the words mean something very different.

 

Jodi Daniels  3:03  

We have to have some fun, okay, but let’s move on. Are you sure? Yes. Choppy, chop.

 

Justin Daniels  3:10  

Well, welcome Merry and so, can you tell us a little bit about your career journey, please?

 

Merry Marwig  3:18  

Sure. So my privacy career started in 2017 when I was at a conference in Toronto for the hospitality technology industry. And when I got there, pretty much every session was about this thing called GDPR. And I turned to my neighbor and say, Excuse me, what is the GDPR? And they explained that it was this brand new data protection regulation coming out of the EU that gave everyday regular people more control over the data about them, including asking companies to delete data about you. And when I heard that, I just melted in relief, because prior to that, I was dealing with stalking, and I was very concerned about the commercially available data about me, particularly my location data, and felt like I had no control over it. So even though I am not an EU resident. I don’t live in the EU what the GDPR gave me was hope, and so at that point, I decided to make a very hard pivot into privacy, and started at the bottom. Spent a number of years building my career. And flash forward to now. I work at Privacy4Cars, and we are bringing data privacy and data security solutions to the automotive industry.

 

Jodi Daniels  4:45  

What an incredibly fascinating journey. And I will say there probably are not us, people who are like GDPR, whoo story.

 

Justin Daniels  4:57  

What do you mean? GDPR is how you started your business.

 

Jodi Daniels  4:59  

No. Well, but from a personal standpoint. So I love that it was, it was, and even living here in the US, it didn’t necessarily affect her, unless she had a global company who decided to be really kind, and there were a few of those, but the idea that there’s hope and pivot and being able to foresee something and make a hard career decision to be a part of that and be really excited. There are not as many people who will do that.

 

Merry Marwig  5:28  

I was actually counting down the day that the GDPR went into force, and I printed out myself a t-shirt that said GDPR compliant as like a joke about me. I still have it. I don’t wear it, but yeah, I was personally very invested. And honestly, it makes my job really fun to be personally invested in the outcomes. Though I’m a happy camper in privacy.

 

Jodi Daniels  5:51  

I think that’s really important in any role. People I think are their happiest and perform their best when they actually believe in whatever it is that they’re doing, regardless of the industry. Okay, so not everyone is as well first as you in the challenges in the automotive space regarding personal data. So we gotta start with some basics. And what is it that you know, companies and people need to care about for privacy and security in their cars, and what kind of data are we talking about?

 

Merry Marwig  6:25  

Absolutely, and I want to focus our discussion today on corporate used cars, because I feel that is a segment we overlook. We do talk about personal cars quite a bit, but I haven’t really heard a lot of people talking about the data privacy and security risks of corporate cars. So what I want folks to know is that cars today, modern cars, are like computers on wheels that collect much of the same information that your phone would collect or a laptop and a lot more. So in the corporate setting, when an employee connects their device, like their phone or they use the navigation system, they are creating persistent data trails. And unlike phones and laptops, cars are typically not encrypted, so the data inside of them is plain text and accessible to anybody with access to that car. So you may have seen this if you’ve ever rented a car, and you get in and you see, you know, Brianna’s iPhone, John’s iPhone, and you can open someone’s Spotify account or read text messages. So this is an unfortunate reality that in the automotive system, most cars resold today contain prior driver’s personal data, and for corporate users, that also means it contains company data. And when that’s not properly and professionally deleted, it can put your company, the sensitive data your company generates and your employee personal data at risk.

 

Justin Daniels  8:01  

Hey, Merry, just real quick, when you talk about a corporate car, what do you mean by that? I interpreted that to mean, like a rental car, but maybe you mean something different.

 

Merry Marwig  8:10  

Yeah, I’m talking about three different types of cars. So the first would be, like you said, a rental car. You just go, maybe you’re flying into a city, and you need to get from point eight to your customer location. So that would be a rental car. We’re also talking about fleet cars, so cars that the company uses for their everyday business, and maybe, like for example, an executive would be assigned a vehicle for a very long time so but they use it for work. And then the third type of car that’s in scope is what I call a BYOD car. So it’s a personal car that someone is using for business purposes.

 

Jodi Daniels  8:47  

Oh, interesting. Now, I know you’ve done a significant amount of research, and there’s some shocking case studies, and it would be really helpful if you can share, you know, again, the vast situation that we’re talking about, what kinds of data and then is this like a teeny weeny problem, a medium problem, or a significant, widespread problem?

 

Justin Daniels  9:11  

Merry, she just wants to be shocked. Yeah, we want shock and awe here.

 

Merry Marwig  9:15  

Well, if you want shock and awe, I’m gonna point you in the direction of this resource. Actually, there’s video. There’s a new white paper, we can’t see it, that we just published, called Protecting company. I can’t read this backwards, protecting company and employee data in cars. Okay, I have to read it this way now, CSO mitigation strategies for fleets, rentals and personnel owned vehicles. So this is where those shocking case studies are, if anyone wants to understand what we’re talking about. And really the point, oh, and I’ll say, if you want to get this white paper, it’s, it’s at privacy, the number four cars, Comm, slash CI, so, C, i, s, o, so privacy, four cars.com/c, so this is really about protect. Collecting your company data by one, deleting personal and company data off that car when the car changes hands, and then secondly, providing your employees with data use disclosures of what type of data, including personal data, that the car that you’re driving can collect. So we do have a number of case studies in this document, if you turn to page 12, one of my favorite stories was this bank vice president whose car got totaled, and unfortunately, his company, his insurance provider, and anyone else who had contract responsibility for that car did not have a data deletion policy. So when that car was scrapped, his infotainment system still contained a ton of company and personal data, and so we purchased an infotainment system off of an online marketplace, and that’s how we got access to this person’s infotainment system. And inside of that, there were all of the contact details to the bank’s CEO, the Chief Financial Officer, their general counsel and their VP of HR, there was banking pin numbers in plain text. In the text messages, there were multiple user credentials stored totally unencrypted, and this person’s home address to his personal residence. So I mean, as you can see, that is not the type of information any person or their company would want willy-nilly floating out there in the universe, which is why I am strongly recommending companies include a vehicle data deletion policy whenever something happens to a car, whether it’s a total loss situation, you’re renting a car, or you’re de fleeting a car. So you wanted to be shocked. Jodi, so that was pretty shocking. This one’s even worse. So on page 13 of that document, there is a case study of a US, I’m sorry, a UK military contractors deflated company car that we got access to, and this military contractor had security clearances. We were able to see a ton of locations for military research facilities stored in the navigation there were a number of visits to reportedly decommissioned facilities, detailed personal communications, identities of him, his family, even the address of his second home and where they went to their sports games and everything. So we were able to recreate someone’s identity just by what was left on a car that came off of deflating in addition? Yeah, I know I’m gonna I just like, it just doesn’t end. I’ll leave you with two more quick ones. Some I feel like some industries in particular have a heightened risk, and one of those is pharmaceutical companies. We also got access to a deflated pharma reps car which had their cancer trial patients addresses stored in the text messages, plain text, not good for patient security, not good for the company. And just, I just, it’s hard to believe, but it’s true. And then this last one I want to mention is we also had access to a former actor’s car, and it still had the garage codes to their house. So if you got this car and you opened up the nav and found out where the address was, you could go and pop that garage open again. It’s a security risk. It’s a privacy risk. So the message I want to hit home. Here is companies, security leaders, privacy leaders, you have to put a data deletion policy in place to make sure this data doesn’t leak out or get into the wrong hands.

 

Jodi Daniels  13:53  

I really think this is an area that companies are not even thinking about at all.

 

Justin Daniels  13:59  

Were you shocked? And awed?

 

Jodi Daniels  14:01  

I was shocked. Were you?

 

Justin Daniels  14:04  

I think it’s interesting that they go and they can buy the infotainment system.

 

Jodi Daniels  14:12  

And are able to do that because, well, that was probably the one thing left from being totaled. And they’re, you know, they’re trying to be able to salvage as many different pieces of the part. So when a car is total, not every part of it is total. It’s just the cost to put it back together isn’t worth it. So then they’ll go and scrap all these pieces that infotainment to the yard is like just a software piece of equipment, right?

 

Justin Daniels  14:33  

But if I’m doing corporate espionage, instead of having to hack into something that’s really secure, I just know, hey, they have a policy for when their car’s coming due. Hey, I’ll just wait until the car gets deflated or whatever, and then that’s like a completely unsecured attack surface for corporate espionage worth.

 

Jodi Daniels  14:55  

Yeah, I guess if you know how to get in and figure out when the fleet timeline is. Yes.

 

Merry Marwig  15:01  

Well, this happens all the time, too, and a lot of auctions do process deflated vehicles. So, you know, you can figure out where a company’s headquarters are, and, you know, purchase cars off the auction that way. But what I really think is a huge problem is this issue hasn’t really been under the purview of security for a while, and fleet managers just haven’t considered it. So at a fleet conference a couple weeks ago and talking to fleet managers about this, and most everyone was like, Wow, I’ve never thought about that. Like, yeah. So what I really love to see is security leaders and privacy leaders get in the same room with fleet managers, procurement and risk teams and figure this out, and make sure that vehicles are an end point in your risk frameworks moving forward, and that companies put policies in place to prevent these types of risks to their companies and their employees.

 

Justin Daniels  16:01  

You know what I’m thinking, Merry  is maybe one time I could go to a rental car place with you, and we can pose as a couple who are going to rent a car, and then let me watch you grill the unsuspecting salesperson when you’re like, Well, what do you do with my data? Are you deleting my data? Because if you’ve ever asked someone like that, because Jodi and I had that with our famous smart bed story rush. It’s like a deer in headlights.

 

Merry Marwig  16:26  

Well, you’re really hitting on something else that is another takeaway. There’s two takeaways I want listening to our show to take away. And the first one is, again, that data deletion policy, and I think that lies with your automotive providers, so the rental car companies, your fleet management companies, they’re the ones managing the vehicle, so they need to have that offboarding process in place. So require it contractually. The second thing you kind of touched on is data disclosures. I think a lot of people are not aware of these risks because they’re not even aware of the type of data collection that’s happening in cars. And so what I’d really like to see is companies require their like, say, rental car companies that they contract with, to provide a disclosure when someone rents the car and saying, Hey, here’s the capabilities of this car, and it’s Vin specific, so you know exactly that car can do this, and this is what happens with that data, and where it gets shared, how it gets retained, and all of that. When you read those disclosures, it’s usually between, like, six to 12 different documents, and it can take, you know, six to 12 hours to read. So it’s practically not realistic if you’re just trying to rent a car, because you’re, you know, getting in and out. So what I’d like to see is summaries. We at Privacy4Cars. Have a product that summarizes the data practices of cars. It’s called a vehicle privacy report. We have a consumer version that you can look at vehicleprivacyreport.com if you want to just check out your own car. Go ahead and do that. But we also have a product for the automotive industry to do that at scale, so I would like to see that. So imagine your rental car experience again. You go there, you check in. Your agent says, Hey, this is the car you’re thinking about renting. Here’s a quick overview of the data collection practices. Are you good with this? Yes or no. Cool, here’s the keys. Let’s go right, and then when you come back, you drop off that car. You know, most of us are running late. Gotta just drop off the car, get to the airport, whatever. You know, your rental car company says it is our policy to delete your data, to delete everyone’s data after this car comes back. And when you do that, we’re going to give you a certificate of deletion, so you know when it was cleaned by whom, and that you can take that certificate of deletion and give that back to your security team at the office, showing that you have not left corporate data on your rental car.

 

Jodi Daniels  18:52  

Yeah, that would be quite lovely, because then there’s people like me who rent cars and don’t and know what would happen, and so then I don’t sync it up, and my poor daughter is the navigation device person. I didn’t want to sync anything.

 

Merry Marwig  19:04  

Well, that’s also part of the problem. We have all this awesome, you know, these cool features, right? And don’t you want people to be able to use them? So it’s kind of like, okay, give people the tools, but then also give them the reassurance that, you know, bad things are not going to happen with their data. So maybe Jodi, if you knew that your rental car company had a deletion policy after you returned it, maybe you feel more comfortable hooking up to the car, right?

 

Jodi Daniels  19:28  

I probably would, yeah, see, I would not. Oh, why? Because he’s still away.

 

Justin Daniels  19:36  

Because they can have the policy. But then there’s the issue of them following it. And I guess the other thing, Merry, I’d love to get your take on that I always struggle with is, how many suppliers are there that put components in a car? So your infotainment system could be by Bose, your speakers could be by infinity. You have Apple CarPlay. And so when I hook up to that. It’s like, where is all of that data going? Because what you haven’t talked about yet, which fascinates me, is they now have sensors that know how much pressure I apply to the brake, how fast I’m going, and they may just shift that information to my insurance carrier and I find out, well, wait a second, why did my rates go up? Because I haven’t been in any accidents like, oh, well, we were tracking your driving habits, and you’re too hot on the car where Jodi’s gonna smile at that for reasons we won’t discuss. And I just, I don’t know, that’s kind of why I struggle with it. Merry , even if they had a deletion policy, it’s just, there’s so many suppliers in that car I really don’t have confidence in where they’re sharing. So I just, you know, Jodi is my co pilot and reads me off where we have to go. I don’t know. Maybe I’m being too conservative. I just, I don’t know. I struggle with it in the car context, for some reason.

 

Merry Marwig  20:53  

Yeah, I think you bring up a really good point that it’s not, firstly, it’s the disclosures, like it’s not happening actually in the industry, so you don’t know what’s happening with the data, unless you, like, I said, Read those very dense legal documents full of just it’s just hard to get through 12 hours worth of reading to understand what your rental car is doing. And I really don’t know anybody who would actually do that. So it’s an issue of being actually informed.

 

Jodi Daniels  21:24  

Read for 12 hours, of all the things, mostly.

 

Merry Marwig  21:27  

How can you consent to this if you’re not truly informed? That’s a question that haunts me often. But one thing I really want to mention too is we started this talk about how inspired I was to get into privacy because of GDPR, right? Like, I literally changed my life because of this regulation for the better. But I am actually quite horrified by the privacy practices in the automotive space in the European Union, because, despite them having the legal requirements to delete data from cars, in practice, it is happening very seldomly over there. So I would argue that some people in the United States, in states that have more rights in practice, have better privacy than folks in the EU so again, it has to not only be just like, what does the law say, but how is it actually getting implemented? And that’s why I want to sell anybody listening to this, this podcast, please use your market pressure. I hear from folks all the time like, oh, you know, it’s such a great idea to delete data from cars. But firstly, there hasn’t been any enforcement. There’s no regulatory pressure. Nobody’s come knocking on our door. So why would I invest in this if it’s not really a problem. And secondly, none of our customers have asked for it, and it just blows my mind, but I get it. And so what I would like listeners to this show who have the power to do so is advocate with your procurement teams, your fleet managers, your privacy teams, your security teams, band together and demand of your automotive providers to provide the data deletion and the data disclosures, because I do think a market pressure would help change the tides here.

 

Jodi Daniels  23:10  

One of those pressure components is often regulation. And so I am curious, because I think a lot of people are not familiar what type of law may or may not cover this kind of data. So can you share a little bit more on that?

 

Merry Marwig  23:26  

Yeah, absolutely. Well, so like I mentioned GDPR, it’s very clear companies have no legal, legal processing of having the data on cars. There’s other than just like a fleeting initial moment of when they receive a car, there’s no legal process for that, so they are going to have to delete the data. It’s not been very well put into practice there, despite the fact that there are commercially available solutions to do exactly this and provide the certificates of deletion to prove that you have the technical organizational methods in place. In fact, if you need help with that, Privacy4Cars does this, so please reach out to me. So that’s one that really shocked me. If anyone wants to dig deeper on that, we do have another white paper specifically on GDPR, so you can go to Privacy4Cars.com/GDPR, to see all of the legal analysis about exactly that. But in addition to that, there’s been data deletion standards for a very long time. I’m going to say this and Justin, I know you’re going to know NIST 888 data sanitization that came out in 2006 and then was updated in 2014 so you know that is about making sure your hard drives are wiped, your phones are wiped. Why would that not apply to cars? There is no exception for cars. So I would like companies to start seeing to doing that. And in some states, they. Do provide liability to companies that follow NIST guidelines, so keep that in mind, folks. And then in California with the CCPA, we know that they require employee data collection notices. So how are companies disclosing the data practices of the cars that they assign to or get rent out to their employees, and so that’s why I’m suggesting you get, like, a VIN specific sumMerry , along with all of the underlying full notices, so that your employees can be properly informed.

 

Jodi Daniels  25:34  

I want to go back up a second for where you were emphasizing putting pressure, and companies really emphasizing this is important. I see this work when companies require certain privacy obligations and security obligations, and in the B2B context, company A who’s looking for Company B services, if they don’t have what they need, they don’t get it. And it does work. So hopefully more and more companies or people listening will rally and appreciate, oh, my goodness, this is a really significant liability, a security risk, a privacy risk, and we’ll begin to put some of that pressure in it. Again, it does work.

 

Merry Marwig  26:15  

I want to underscore I fully agree. I’ve actually had people tell me exactly that in the industry. And so in this white paper, the one at Privacy4Cars, comm slash, CISO on page, I think it’s 44 I have some sample languages of what you should be asking of your vendors, how you can work with your procurement team to make sure that becomes a reality. What to say? So I really feel like this is a lift that’s easy to do on the company side. Just start contractually requiring it. And really, the work should be done by your automotive providers anyway. They’re the ones with the expertise in the automotive space. They can provide those notices in the data deletion services for you. That’s what I’d like to see. Yes, sir.

 

Justin Daniels  27:03  

So now I’m going to throw a monkey wrench into what we’re discussing, because Merry  here in Atlanta, they’re starting to roll out, you know, autonomous like shuttles, and I’ve seen it in other cities. And when you look at these autonomous cars or shuttles and all this other stuff. The amount of sensors and things that they now have, it like quadruples. The amount of data they collect is even more. We’re already behind the eight ball. So I was just curious, you know, when you see these kinds of trends coming down the pike, you know, what do you think from a privacy perspective for the individual, when now they’re going to drive cars that are, you know, outfitted with every sensor known to man, what do you do?

 

Merry Marwig  27:51  

That’s a very good question. I think a big part of how we move forward is about proper disclosure. I would argue that a lot of people don’t know about all of the data sharing that’s happening with like vehicle to vehicle, vehicle to infrastructure, this types of data cities are collecting. So just starting with disclosure would be a great start. In addition to that, bringing this back to a corporate context, I do feel like in addition to the technological changes that we’re seeing that you’ve talked about, we’re starting to see regulatory scrutiny intensifying as well. We’ve already seen some enforcements against automotive companies in the last year and even this year. So I do think that corporations, you know, get this under wrap, get this in your risk registers, get a plan in place, talk to your colleagues in privacy, security, procurement, other risk roles, and start to put something in place to protect your company and inform your employees of what’s happening.

 

Justin Daniels  29:03  

Because I guess Jodi and Merry looking at economic incentives and pressures that you kind of the both of you discussed, if I’m one of the auto manufacturers, isn’t all this data collection and what I do with it, this is potentially a huge profit center. Oh, for sure, for sure. And so when I’m talking about putting pressure on there, you know, like, I remember the last time I went to buy a car, little different than your rental scenario, but still, you know, it was a new car, and I’m thinking, well, who really owns the data? The dealer sold me a car. You have the manufacturer, but yet, Apple CarPlay is in there, yet the system is owned by Bose. It’s like, I don’t know where my data is going. I guess Privacy4Cars also can help me as a consumer understand that if I buy car XYZ, this is the data that’s being collected, and this is where it may be going.

 

Merry Marwig  29:58  

Yes, so we do. Do offer goodwill services to consumers. Privacy4Cars is a B2B company serving automotive providers with, again, the privacy and security solutions, but we do offer consumers some lighter weight versions of our B2B products. So for example, if you’re curious about the car you own or a car you’re considering buying, and want to know a simple understanding of the data collection and use and where that is, that data is sold and shared. To go to vehicleprivacyreport.com, type in your VIN number and see what data your car collects and where it goes. You also might want to use your market pressure, in a personal capacity, to only do business with privacy respecting dealerships. So if you’re interested in that, if you go on vehicleprivacyreport.com. There’s also a link at the home page of that that’s says considering trading in or buying a new car work with a privacy care dealership, and you there’s a list of all the dealerships across the globe that offers either one or two things, one, the data disclosures that we talked about, and then two, they have the data deletion services in place. So these are customers of our automotive solutions that consumers can do business with.

 

Justin Daniels  31:21  

I’m going to ask a follow up to both of you. What is it about cars and privacy and data make I don’t know this every time we talk about it, this is always such an interesting and enjoyable topic. What is it about cars and data and privacy that I don’t know?

 

Jodi Daniels  31:37  

Just for my view, a car is very personal. So someone feel like this is, this is where I am, and the data inside that car feels like it should be mine, and I should know what is actually happening. And you know, it’s, it’s one of those. It’s your mini castle. It’s like your mini, little portable, mobile vessel that people are they’re eating in, they’re taking calls in, they’re transporting their family in. It’s what takes you from point A to point B, and maybe you don’t want people knowing where you’re going. It’s the example that I always used to use when I would talk to try and get people to understand privacy, I would say, imagine you had someone you were walking down the street, and you had someone with a notebook behind you making a notation of every single thing that you did. You stopped at Starbucks and what you ordered. Then you went over here to the yoga studio. You went to Publix. Here’s what you ordered for lunch, and every single part of your day, if someone was behind you making a note of all of that. Literally, after 30 seconds, you probably would have turned around and said, Why are you following me? In the digital world, all of those are clicks that are being captured, and that is why people are sometimes frustrated with with the amount of data that is being collected online. So now, if I’m in my car, I didn’t tell anyone that it was okay that you essentially follow me, and that’s what the data is. The data is serving as a trail, following me, or listening to me, and knowing you know all of my if my phone is connected to it, my your phone is, I mean, that’s like an attachment to the people these days. So now you just have, it’s almost like you have the person, if you have all the details from the phone that is Jodi’s view. And I could keep going, but I’m not going to, no, I want Merry to go.

 

Justin Daniels  33:29  

We’re here for Merry there.

 

Jodi Daniels  33:31  

Both of us, okay.

 

Merry Marwig  33:34  

Fully support that as well. Jodi and I’ll say I was interested in working at privacy group cars, because cars touch so many people like I drive regularly. I know a lot of people that drive. I know a lot of people who are passengers in cars. I mean, it’s a big part of our lives. I think the issue is that, unlike phones and laptops that you trade in every couple of years and always get the latest and greatest model, we’ve got all different ages of cars on the road. So, you know, you might have a car from 13 years ago, which is, I think, the average age of a car on the road now that may not have all the bells and whistles of the cars today. And so within just a, you know, decade or so, we’ve got had a massive transformation of what a car actually is I still think of a car as like, Oh, how I get from home to work or home to the store, whatever we think about it as a personal mode of transportation, but really it’s now a device, and that’s what I was trying to get with the security and privacy professionals. It’s really an end point. Now we need to start thinking about them as hard drives, little computers or big phones driving around. I mean, would you ever like imagine you actually had a real hard drive that was unencrypted, you put like, tiny little Lego wheels on and just had them, like hundreds of them driving around. This would be like wild, you know, but that’s effectively what’s happening now with the corporate cars. But. Getting back to a personal level for me, I particularly get concerned when we have like that online threat you were talking about, like if someone was following you and at your every click, because cars also have one of the most powerful types of data, which is your location data. Where are you? And when you combine the online threats and the geolocation data that can become a physical harm as well. It’s the unfortunate reality too, that cars are used as a literal vehicle for harassing people, stalking people. We have a number of survivors of domestic violence who reach out to us on a regular basis seeking help from whoever is causing them harm via their vehicle, whether that’s remote tracking, or, you know, turning on the heat really, really high while you’re in the car, or putting the temperature really, really low, or flashing the lights or the horn in the middle of the night, or using it to spy on you with The cameras, and all sorts of wild things. But I would argue this all really comes down to lack of informed knowledge and informed consent. So these data practices, i That’s why we’ve seen some of these cases with privacy enforcers or attorneys general using deceptive trade practices saying people really were not aware of what’s going on. So starting to solve this problem is making people aware of the capabilities of their specific car. And like I said, there’s all different types of cars on the road today that which makes it more difficult than just, oh, you wait for your next version of your phone, and we’re going to solve this problem so it matters like that’s why we are suggesting a VIN specific disclosure. So your car, this car specifically, what are the capabilities? And then you can make the smart choices around that. Do you want to buy that car? Do you want to rent that car? Do you want to accept this fleet vehicle? Or do you want to change your actions or demand different things from your automotive providers? So let’s start there. Let’s also make sure that it’s a normalized practice to delete personal and corporate data off cars when those cars change hands.

 

Jodi Daniels  37:09  

Merry, when you are not talking about privacy, security and cars, what do you like to do for fun?

 

Merry Marwig  37:16  

Okay, well, I’m gonna caveat that I actually really love my job, so I’m kind of privacy all the time. It’s been really fun. So I do enjoy my day today, but outside of work, I am kind of a big plant and gardening nerd. I actually made a new friend recently, and we went on a walk, and she was like, you seem to know a lot about trees, Merry. And I thought, Oh, God, did I bring my plant nerd out way too soon. But thankfully, she invited me out for another walk in nature, so I don’t think I scared her off. So yeah, gardening and plants, awesome.

 

Jodi Daniels  37:53  

Maybe you can give me some gardening tips. If people would like to connect with you. Where is the best place to go.

 

Merry Marwig  38:00  

Um, they can find me on LinkedIn. I’m Merry Marwig, I’m the only one out there, so search me and you’ll find me. Um, you can also connect with some of our work. Again, those white papers that I mentioned earlier are privacy4cars.com/ciso. And the other one I mentioned is our GDPR white paper, which is privacy4cars.com/gdpr.

 

Jodi Daniels  38:27  

Amazing. Well, Merry , thank you so much for all that you’re doing for every driver out there and passenger, and also the wealth of information that you brought for us today.

 

Merry Marwig  38:39  

Thank you so much for having me. You two. I really had a lot of fun today. Thank you.

 

Outro 38:48  

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.