Your property. Your data. Your keys.
Why is the vehicle the one category of personal property where the manufacturer holds the encryption keys by default?
Modern connected vehicles produce 25 GB of operational data per hour. GPS location every 5 seconds. Speed, acceleration, braking patterns. Route history. Driver behavior scoring. All transmitted in cleartext to the manufacturer's cloud.
90% of new cars track your driving every 3 seconds.
Ford, GM, Toyota hold a continuous record of your operation. That record is:
Only Tesla notifies vehicle owners when their data is demanded.
The Secret Service operates GM vehicles. Congressional motorcades use connected SUVs. Military officers drive connected trucks. Six months of GPS data in GM's cloud is a foreign intelligence asset.
The government already banned Chinese components from vehicle data streams (BIS rule, March 2025). They left American OEMs holding the same data in cleartext.
Same threat. Different flag. Same architectural fix.
Research since 2004 confirms: driving behavior patterns (acceleration, braking, steering) uniquely identify individuals with 85-95% accuracy. With phone-as-key digital systems, identity is confirmed.
Vehicle telemetry isn't just "where the car went." It's WHO was driving, identified by their unique motor patterns.
This is biometric data collected without consent.
Connected vehicles are the first mass-deployed robots. They move through space, carry sensors, communicate wirelessly, and accumulate behavioral data about their operators.
The data sovereignty precedent we set for vehicles will govern every robot that follows: autonomous vehicles, delivery drones, household robots, surgical systems, agricultural machines, industrial automation.
We have one chance to set this precedent correctly. Vehicles are the test case. The policy window is open now.
"It is not that I want the data to not be collected. I just want the data in my personal closet under my disclosure control — not that my cloud services can expose me without even my knowledge."
Vehicle data is encrypted before it leaves the vehicle. The cellular uplink carries ciphertext, not cleartext. The OEM cloud holds opaque blobs it cannot read.
The encryption hierarchy is rooted in owner authority. The vehicle mints a key bound to the owner. Ownership transfer rotates keys — like rekeying a house at sale.
Emergency data (crash notification) remains open. Regulatory data (emissions, ELD) flows via attested channels. Commercial data (warranty diagnostics) requires owner grant. Operational data (GPS, speed, behavior) is owner-controlled only.
Engine diagnostics, frame health, emissions — the OEM gets what it needs for warranty, recall, and service. No GPS. No speed. No routes. No behavior. The line is clean.
| You lock your house. | The builder doesn't keep a key. |
| You have a private safe. | The manufacturer doesn't have the combination. |
| You encrypt your email. | Google can't read it if you choose. |
| You encrypt your phone. | Apple can't decrypt without consent. |
| You encrypt your vehicle data. | Ford can't sell what it can't read. |
OEMs claim continuous telemetry is required for regulatory compliance. It is not.
The EPA requires the vehicle to monitor itself and store fault codes. The owner presents the vehicle for periodic inspection. No federal regulation requires real-time cellular telemetry from the vehicle to the OEM.
The continuous data stream is a business decision — commercially valuable for data sales, insurance scoring, and fleet services. It is not a public safety necessity.
What the EPA actually requires: On-board monitoring + MIL lamp + DTC storage + owner-initiated inspection
What the EPA does NOT require: Continuous GPS, speed, behavioral data, or any wireless telemetry to the OEM
H.R. 6734 (Rep. Burlison, R-MO) / S.3494 (Sen. Lee, R-UT)
Prohibits OEM data access/sale without written consent. Bars foreign adversary transfers. Requires free owner access. FTC enforcement.
The gap: Consent-based, not encryption-based. Consent can be manufactured in a ToS. Encryption cannot be circumvented.
S.2040 (introduced June 2025)
Gives Commerce/BIS broader power to block high-risk vehicle technology transactions.
The gap: Foreign adversary focused. Doesn't address domestic OEM data exposure.
| 2012 | Chapter 93J — Right to Repair | "I can fix my car." | Exempted all telematics (Section 2(f)) |
| 2020 | Question 1 — Right to Access | "I can see my data." | No encryption, no disclosure control |
| Next | Right to Encrypt | "I own the keys to my data." | The completion |
Northern District of Georgia. 16 million class members. Federal Wiretap Act claims survived GM's motion to dismiss (April 2026). Fact discovery into late 2026.
Status: Active. Core claims proceeding.
First Circuit. OEMs appealing MA Question 1. If MA prevails, it becomes the template for other states.
Status: On appeal. Right to Encrypt is the logical next step.
Toyota shared driving data with Progressive Insurance via Connected Analytics Services. Compelled to arbitration December 2025.
Status: Shows why legislation is necessary — courts can't fix ToS arbitration traps.
9-0 (May 2026). Brokers owe "ordinary care" in carrier selection. Creates market demand for cryptographic proof of vetting.
Status: Decided. The commercial wedge for encrypted vehicle records.
| Bernstein v. DOJ (9th Cir. 1999) | Encryption is First Amendment protected speech |
| Carpenter v. United States (2018) | Third-party doctrine doesn't extend to comprehensive digital behavioral data |
| Riley v. California (2014) | Digital data is qualitatively different; warrant required for device search |
| Loper Bright v. Raimondo (2024) | Agency overreach more contestable; OEM data mandates face stricter scrutiny |
The doctrinal direction is clear: digital behavioral data from personal property has heightened constitutional protection. The right to encrypt that data is First Amendment protected. The vehicle is the last major property category where the architecture contradicts these principles.
The Right to Encrypt is not a request for the industry to stop collecting data. It is a demand for a clean architectural boundary:
Collect what you need. Encrypt it to my keys. The data is mine.
Your ELD vendor holds a record that can be subpoenaed against you. Sovereign architecture returns evidentiary control.
The Auto Data Privacy Act needs an encryption requirement. Consent can be manufactured. Encryption cannot be circumvented.
Encrypted-blob custody is cheaper than cleartext data lakes. Lower breach liability. Lower compliance cost. Procurement preference from sophisticated buyers.
Owner-granted, purpose-limited UBI data beats class-action-exposed OEM data sharing.
Expert testimony and technical architecture for connected vehicle litigation. The alternative existed. The OEMs chose surveillance.
If you drive a connected vehicle, your data is being collected and sold without your meaningful control. That changes with owner-held keys.
Get updates on legislation, court cases, and the movement.
No spam. Unsubscribe anytime. Your email is yours — we practice what we preach.