The Risk Factor

According to today's Boston Globe (registration may be required), the Massachusetts Appeals Court upheld the accuracy of information received from automobile event data recorders (EDR) for use in court cases. Event data recorders, sometimes called car "black boxes," are devices installed in a motor vehicle to record technical vehicle and occupant information for a brief period of time (seconds, not minutes) before, during and after a crash, according to the National Highway Transportation Safety Association website.

An EDR may record (1) pre-crash vehicle dynamics and system status (e.g., wheel speed, engine rpm), (2) driver inputs (e.g., braking, acceleration), (3) vehicle crash signature, (4) restraint usage/deployment status, and (5) post-crash data such as the activation of an automatic collision notification (ACN) system. According to an article in Time magazine, some 64% of cars made today have EDRs, and about 33% of all cars on the road today have them installed.

In the Massachusetts case, a woman was sentenced to two years in prison after her GMC Yukon skidded on ice and hit a tree, killing her passenger in 2003. The woman claimed that she was traveling only 20 to 30 miles per hour when she lost control, but the car's recorder showed that she was traveling 58 m.p.h. in a 40 m.p.h. zone. Her lawyer appealed her case arguing that the EDR's information was not reliable or accurate.

Consumer and privacy advocates have been opposite sides of the debate. According to the Time article, Public Citizen's Joan Claybrook "wants tougher rules compelling automakers to install EDRs in every car because objective crash data will lead to the design of safer cars and highways. Privacy activists want the government to prevent police and insurance companies from checking drivers' black boxes without permission. 'We have a surveillance monster growing in our midst," says Barry Steinhardt of the American Civil Liberties Union. 'These black boxes are going to get more sophisticated and take on new capabilities.' "

Like most technologies, once out of the bottle, they can't be put back in. And when its a question of public safety or privacy, privacy usually loses. The same will likely be true in the case of electronic medical records.

Over the weekend, the New Yorks Times ran an article on a potential IT security problem posed by errors in microprocessor chips such as the Intel Pentium error of a few years back or the recent Microsoft Excel spreadsheet bug.

Adi Shamir, a professor at the Weizmann Institute of Science in Israel and one of the three designers of the RSA public key algorithm, circulated a research note about how an attacker could exploit an undetected subtle math error and make breaking public key cryptography possible.

The Times article notes that Mr. Shamir believes that "if an intelligence organization discovered a math error in a widely used chip, then security software on a PC with that chip could be 'trivially broken with a single chosen message.' Executing the attack would require only knowledge of the math flaw and the ability to send a 'poisoned' encrypted message to a protected computer. It would then be possible to compute the value of the secret key used by the targeted system. With this approach, 'millions of PC’s can be attacked simultaneously, without having to manipulate the operating environment of each one of them individually.' "

It isn't believed that this technique is being used - yet. It still seems easier to poison PC components themselves like hard drives at the factory, which recently happened to Seagate Maxtor drives made in Thailand and which were pre-loaded with password stealing Trojan horses.