How the Tech of Modern Cars is Ripe for Domestic Violence
Sophisticated new car technology makes them easy to weaponize for stalking, harassing, and terrorizing intimate partners.
Hello and welcome to the first edition of my newsletter!
Roughly every other Sunday I’ll be sending this newsletter with information about what I spent the weekend researching, reading, and thinking about as relates to my work designing for safety, which I’m currently writing a book about.
A quick intro for those who don’t know me: I work as a designer at 8th Light, a software consultancy, where I do UX and some front-end. I’ve spent the last two years researching and speaking about technology-facilitated domestic violence during my free time (and some work time, thanks to all the support I have there), building on the foundation of my past as a volunteer rape crisis counselor and domestic violence educator.
I spend a lot of time outside of my 9-5 researching designing for safety and topics around technology-facilitated domestic violence (TFDV). But it’s not just researching what others have found - I look at a lot of source materials and talk to actual survivors and other experts in this space, which is necessary because the information I’m looking for has yet to be all put together in a succinct way that applies strictly to designing against violence. That’s one of the things I’m aiming to solve with my upcoming book. This means that I often find myself sifting through many, many articles, reports, and studies, searching for the nuggets that are relevant. Some things I find are clearly related to TFDV while others have a more nebulous connection that I have to sit and ponder for a while. I take a lot of notes about things that might be threats, or might become threats, and think about how certain abuses could have been prevent with more thoughtful, survivor-centered design.
This weekend I did that work with cars. I spend yesterday allowing myself to open every link, check out every footnote, and go down every rabbit hole, even if it seems to only be tentatively connected to the concept of one person weaponizing tech to harm someone close to them. Modern motor vehicles present a fascinating (in a terrifying way) problem: the more connected they become and the more they rely on mobile apps installed on the user’s phone to function, the more opportunity abusers will have to misuse them for violence.
The term “telematics” is useful here. It refers to sending, receiving, and processing information via telecommunications, as well as integrating GPS technology. “Automobile telematics” is the simplest term I’ve come across to describe the system of a modern digital car console, with its hardware and software (which lets you do things like get directions and make a call), plus an accompanying mobile app and the ability to access information about the car from a web browser. So that’s the term I’m using when I talk about this issue.
When I was first doing research for my talk, Designing Against Domestic Violence, I came across this article from the Washington post (apologies, it may be behind a paywall for you). It’s about a woman in Australia whose ex-boyfriend, a man she’d dated for six months, had stalked and terrorized her after they broke up, and how one of the tools he used for this abuse was the software integrated in her Land Rover. He could constantly track its location, as well as remotely start and stop her car and control the vehicle’s windows.
He had helped her purchase the car when they were together, and secretly taken note of the registration information, which allowed him to set up the app on his own phone without her ever knowing. She had no idea this was happening; while some digging around in the car console’s UI would likely have revealed a second user, this information is typically buried, and the fact that the vehicle’s location is being monitored by someone else is not made explicit. She found out after her phone went missing and she used her laptop to see if it had been used, which is how she saw that his email address was receiving data about her car (the news story is lacking some details about how this actually went down, but suffice to say that discovered what her ex was up to in a pretty round-about way). After he was arrested, his home was searched; they found a list of places she frequented and upcoming trainings she was scheduled to attend, as well as a list of weapons and their costs.
This is a very clear example of how the telematics of a modern car can be weaponized for domestic violence. This article remains the only example I can find of this specific form of abuse; but there’s simply no way, given what we know about domestic violence, that it’s the only time this has happened (and domestic violence is not merely an edge case when 1 in 3 women and 1 in 4 men in the US experience it at some point in their lives). The article reports that domestic violence advocates report that this is an emerging problem.
I knew the chances that the US government has any legislation or guidelines on the books addressing this were next to zero, but since I’m writing a book about this, I had to find out for sure. So I set out to find an answer to the question: are there any laws around automobile telematics that are aimed at keeping people safe?
Going down various rabbit holes led me to a document from the The National Highway Traffic Safety Administration (NHTSA), which is the branch of the US Department of Transportation. The NHTSA is responsible for things like investigating safety defects in motor vehicles, helping states reduce drunk driving, promoting the use of seat belts and child seats, and setting and enforcing fuel economy standards, among other things. The document, written in 2016, is titled Cybersecurity Best Practices for Modern Vehicles, (source), urges car companies to design vehicle systems to take safe and appropriate measures against cyber-attacks, including making a plan on how to quickly respond when an attack is successful. The document says companies should focus on protecting critical vehicle controls and the personal data of consumers.
This is all very nice, except for two big issues: first, there’s not a single mention of how vehicle systems can be weaponized by one driver against another; the focus is entirely on preventing anonymous hackers gaining access to vehicle systems and user data. It represents a good first step, the but the authors, like many people who think and write about security, need to remember that the threat model of domestic and other interpersonal violence is different: abusers typically have access to their victims’ devices and intimate knowledge about them that make it a very different threat from an anonymous hacker.
Secondly, the recommendations are just that: recommendations. There are no legal teeth, and the document straight out says that the industry should “self-audit” and think about vulnerabilities that could impact their operations. I admit that I’m cynical, but to me, that reads as the government telling car companies: you should do these things to keep your users safe; but we’re not going to force you to. We’ll just remind you that you should be motivated to follow these guidelines because not doing so could interrupt your cash flow.
From chemicals in cosmetics to Facebook acting as a news source, allowing industries to self-regulate typically sets the stage for a company to do whatever they want, even when it means people are harmed. We need a law that will enforce the auto industry taking cybersecurity seriously, and it must include designing for instances of domestic abuse.
A friend of mine who I used to work with and has seen my talk recently purchased a Tesla with her husband. She immediately identified multiple issues with the design of the car’s software, which was clearly built with the assumption that only one person would be primarily driving the car. However, they have one car and share it, which is common among many couples in urban areas who are able to rely on public transit to get to work or where one or both parties work from home, or, you know, just can’t afford a second car. Admittedly, these people are less likely to be buying a Tesla, but the point stands that it’s weird a company would make such a big assumption about their user.
Unfortunately for her husband, the Tesla enthusiast, she was made the primary user when they used her iPad, and therefor her Apple Pay, to make the purchase. She now has control over his access to the car; she had to add him as a driver, and at any time, she can remove him as a user. Imagine this feature in the hands of an abuser: he could ensure that his victim stays at home and has no escape route to leave him or method to get away during an attack; he could turn off her access to the car while she was somewhere uncomfortable or even dangerous; he could ensure she was trapped outside during a heatwave or snowstorm.
These sorts of things will happen. I’m very intentional about not saying abuse “might” happen - if it can, it will. We know this because that’s what’s happened over and over and over again. When one in three women and one in four men are subjected to domestic violence in the US, we know it’s only a matter of time until any piece of tech that can be used for abuse is used for abuse. And despite my friend’s best efforts, there seems to be no way to add her husband as a user with full privileges, and her scouring of the Internet has yet to reveal any number she can call or form she can fill out to get help from someone at Tesla. Access to customer service is a key part of giving power back to survivors of domestic violence - it’s a theme I continue to come back to throughout my book.
A few final notes - Like many of the aspects of TFDV I read and write about - financial abuse, Internet of Things abuse, etc - abuse through automobile telematics is worthy of its own focus. The issue needs far more attention than I can pay to it, and would greatly benefit from a dedicated designer (or anyone in tech, really) researching abuse, presenting and writing on findings, interviewing designers in the auto industry, and generally just raising the alarm bells and advocating for safer design. This would be a great area of focus for someone who works in tech and is also interested in modern connected cars. Maybe that person is you? Lastly, if you have a car that has creepy features, or even have a story of someone weaponizing the modern tech in a car against you, let me know about it! Like I said, the reporting in this area is very scarce, so I will take any help I can get on filling in the picture of what it looks like.
If you know someone who’d like this sort of thing in their inbox, forward it their way. You can subscribe here. You can follow me on Twitter here. If you want to support my work, you can become a Patron or hire 8th Light to build your custom software (and pre-order my book when the time comes, but that won’t be for a while yet!)