Is driving style the next biometric?

Tell the truth. Who was driving your car when it ran that red light and got flagged by that automated camera? Was it you – or was it your teenage son, who’s not on that car’s insurance policy yet?

Or: you promised to be the only driver on your rental car, but you let your boyfriend drive. Bad!

Since the dawn of driving, it’s often been impossible to prove exactly who was driving when. But modern cars are rolling computer networks, constantly capturing data about how they’re being driven. And that data just might be enough to betray its driver.

According to new research published in Proceedings on Privacy Enhancing Technologies, “at least among small sets, drivers are indeed distinguishable using only in-car sensors…”

Miro Enev, Alex Takakuwa, Karl Koscher, and Tadayoshi Kohno captured data on 15 drivers, plugging into the Controller Area Network (CAN) of a typical 2009 sedan. The researchers tracked those drivers, first, in an isolated parking lot and then along a pre-set 50 mile route throughout the Seattle area.

The results: 100% accuracy when the authors used all available sensors and 90% of available data.

The tested cars report a true cornucopia of data: 16 separate measurements, ranging from vehicle and engine speed to steering wheel angle and fuel consumption rate. However, researchers also achieved strong results using only the brake pedal sensor.

What’s more, they found that a “test driver’s unique fingerprint was consistent across multiple days and roads,” so once a driver is measured, his or her ID data might be usable for quite some time to come.

As the authors point out, thousands of car owners are already voluntarily shipping their CAN data to insurance companies via plug-in dongles, in exchange for rate reductions.

Some are also using emerging applications like Automatic and Zubie that capture and monetize this data in exchange for transforming your car into a “smart car” – capable of remembering your parking space, coaching new drivers, deciphering diagnostic codes, and even gamifying your vehicle (can you beat yesterday’s fuel efficiency)? Moreover, as Wired notes, as more cars become wirelessly web-connected:

…driving data may also be uploaded directly by cars themselves, as Tesla already does.

The study authors aren’t arguing that your insurer, carmaker or app provider is abusing you. But, “present/future systems could upload raw data to servers where it could be compromised or abused.”

Imagine, for example, they capture the data, “for debugging or other purposes but, because of a data breach or subpoena, later exposes that data to a different party who does wish to use the data to compromise the driver’s privacy.”

While these results are limited to 15 individuals, the researchers think they’ll scale. One thing they can’t say yet: will an individual’s signature remain unique if they switch cars?

It’s early days for car data: plenty of questions remain. For instance, who owns your data? According to the researchers:

13 states have adopted the stance that a vehicle’s sensor data is private and the property of the car owner… however within these 13 states there are marked differences on what constitutes acceptable data retrieval without owner consent.

As for the rest of the planet, rules vary widely – where they exist at all.

Beyond “who owns it,” who can get at it? In Wired, head researcher Miro Enev argues that car operating systems are radically insecure:

Instead of making all of a car’s data and sensitive systems available to any device connected to their CAN bus, vehicles should have permission systems, just as… iOS or Android do. A gadget meant to track your fuel efficiency… shouldn’t be able to track every exact push of your brake pedal or turn of the wheel.

Right now, they, umm, CAN. And that may have some very disconcerting implications… a little way down the road.