The Motor Vehicle Safety Act of 2010


Chairman Rush, Ranking Member Whitfield, and members of thesubcommittee, thank you for inviting me to address this hearing onH.R. ____, the Motor Vehicle Safety Act of 2010.

My name is Jim Harper, and I am director of information policystudies at the Cato Institute. In that role, I study and writeabout the difficult problems of adapting law and policy to thechallenges of the information age. I have maintained a web sitecalled since 2000, cataloguing many dimensions ofthe privacy issue, and I also maintain an online federallegislative resource called It had over 1.6million visitors in 2009.

Cato is a market liberal, or libertarian, think-tank, and I payspecial attention to preserving and restoring our nation'sfounding, constitutional traditions of individual liberty, limitedgovernment, free markets, peace, and the rule of law.

I serve as an advisor to the Department of Homeland Security onits Data Integrity and Privacy Advisory Committee, and my primaryfocus in general is on privacy and civil liberties. I am not atechnologist, but a lawyer familiar with technology issues. As aformer committee counsel in both the House and Senate, I understandlawmaking and regulatory processes related to technology andprivacy.

After sharing two prefatory observations about the constitutionand risk management, I will turn to the privacy issues involvedwith the mandate for event data recorders authorized by section 107of the legislation. My conclusions are that most of the MotorVehicle Safety Act exceed the proper role of the federalgovernment, that collective overspending on collection of accidentdata may undermine the goal of preserving drivers' lives, and thatmandatory EDRs are another move toward constructing surveillanceinfrastructure that threatens the privacy and liberty of theAmerican citizen.

What's a Constitution When Lives Are atStake?
My analysis of federal legislation always begins with theConstitution. Which grant of power in the Constitution allowsCongress to act? And what impediments on federal power may limitCongress' action?

The Motor Vehicle Safety Act shares a constitutional infirmitywith much of the legislation Congress considers today. There is nosource of authority for it in the Constitution. Likely, if yourcommittee advances this legislation, your report will cite thecommerce clause (article I, section 8, clause 3) as the specificpower granted to Congress in the Constitution to enact it as law.That clause gives Congress power "To regulate Commerce with foreignNations, and among the several States, and with the IndianTribes."

The preface to the Cato Institute's pocket constitution - morethan three million copies in print - discusses the meaning of thisprovision. Since the New Deal,1 the Supreme Court hasabandoned the meaning and purpose of the commerce clause, allowingCongress to regulate based merely on activity having effects oninterstate commerce.2

You may regard the constitution's limited, enumerated grants ofpower, as quaint. But they are not. You swore an oath to bear truefaith and allegiance to the constitution at the beginning of thisCongress, as the Constitution requires you to do. This is not justceremony, and the Constitution is not just a symbol. The results ofcontinuing nonchalance about the Constitution's limits are plain tomany observers.

With reason, many people regard the federal government as overlylarge, remote, and imperious. Your good intentions notwithstanding,many view Congress negatively, as a body that cannot hew to anyprinciple. It is not just principle. There are consequences todisregarding the Constitution.

Campaign finance law "reformers" believe that too much money isspent on politics and influence at the federal level. But peopleand organizations will always try to influence the government'sinfluence over them. Money follows power. Huge expenditures onpolitical influence follow directly from the hugeness of federalpower.

As you press the federal government into involvement in everysegment of the economy - including auto safety, automobile design,and auto safety research - you should not be surprised to find thatevery segment of the economy spends money on lobbying andcampaigning to push for its interests. If you want campaign financereform, follow the Constitution and move authority back to thestates and people where it belongs.

The good intentions that animate your auto safety efforts do notovercome constitutional limits on the government.

Is Auto Safety for Rich People?
Everybody shares the goal of maximizing the welfare of Americans,including by making auto travel safe. Better data about theoperation of cars in the moments before collisions would almostcertainly improve knowledge of how to make auto travel safer.Important questions remain about using event data recorders togenerate statistical research that
would improve the design of the nation's cars, however. Riskmanagement and benefit-cost analysis can enlighten efforts tomaximize welfare by improving auto safety. As a member of theDepartment of Homeland Security's Data Privacy and IntegrityAdvisory Committee, I helped design a framework for analyzingprograms that generalizes to the problem of auto safety. In fact,we used the "security" of cars against common threats to illustraterisk management.

In the DHS Privacy Committee's "framework document,"3we defined the risk management problem as determining how, and howwell, a program addresses threats to the public. With benefitinformation in hand, the costs of the program can be compared todetermine whether it cost-effectively lowers risk. (Making autotravel safer for people is easier than securing against terrorism.Both the threats to car occupants and the costs of steps to countersuch threats are easier to measure.)

Responses to health threats like automobile collisions can becategorized four ways:

  • Acceptance - a rational alternative that is often chosen whenthe threat has low probability, low consequence, or both. Low-speed"fender benders" occur often, but are acceptable in terms of humansafety because they have only the rarest impacts on life andhealth.
  • Prevention - alteration of the target or its circumstances todiminish the risk of the bad thing happening. This is the main goalof data collection, to learn how cars might be altered to protectlife in the event of serious collisions.
  • Interdiction - confrontation with, or influence exerted on, anattacker to eliminate or limit its movement toward causing harm.The Privacy Committee report cited "flashing your lights to warnanother car about the fact that you are passing" as a "mildinterdiction." Discovering new interdiction techniques may be agoal of data collection.
  • Mitigation - preparation so that, in the event of the bad thinghappening, its consequences are reduced. It is unlikely, but theinclusion of first aid materials, for example, may be a mitigationof the effects of collisions on human health.

More data might contribute to each type of response to threatsto human health from auto collisions. Continuing with the riskmanagement framework:

The final step in analyzing the program's efficacy is to beaware of new risks created by the prevention, mitigation, orinterdiction of the threats under consideration. Installing heavyiron siding to a car may mitigate the risk to the car fromaccidents. At the same time, the reinforced car may pose new risksto other cars and pedestrians.

I do not worry that NHTSA will propose iron siding that sendscars careening into bike paths and playgrounds. But the costs ofthe data collection program may have risk transfer effects that areimportant to consider. According to the Research and InnovativeTechnology Administration's Bureau of Transportation Statisticsthere were 6,813,369 new retail sales of passenger cars in theUnited States in 2008.4 This is the lowest number of newcar sales since at least 1990, given economic conditions 2009 wasprobably not a good year, and the only year for which BTS reportslower sales is 1960. The number of vehicles on American roads,meanwhile, continues to rise, to a whopping 254,403,082 as of2007.5

A demand curve is a graph illustrating the willingness ofconsumers to buy at a certain price. A downward sloping demandcurve reflects the common circumstance in most markets: people buyless of things that cost more. In the demand curve pictured on thenext page, an increase in price of two units will cause sales todrop by one unit.

This is not the demand curve for automobiles in the UnitedStates, but the U.S. automobile demand curve almost certainlyslopes the same direction. When automobiles are more expensive,people buy fewer automobiles. I do not know how steep the U.S.demand curve for automobiles is, and I do not know the cost ofinstalling electronic data recorders in cars. But it is a nearcertainty that putting EDRs in cars raises their costs and lowerssales.6 It lowers sales more for poor people than forrich people. New car sales affect the availability of used cars, ofcourse, and the cost of trading up from an older used car to anewer used car.

This has negative effects for the automobile industry, ofcourse, and unemployment has negative effects on the health andwell-being of people. But lower auto sales probably also havenegative effects on the safety of drivers and passengers. Whenpeople forgo new car purchases or trade-ups to newer used cars,they remain in older cars that are likely to be involved in morecollisions due to wear and tear and design problems that have beenrectified in newer models. When they are in collisions, occupantsof older cars may suffer more injury and death than they would innewer cars which are better designed to protect them.

Because the poor are in older cars, the bulk of these effects -greater numbers of collisions and greater morbidity and mortalityin collisions - will fall on poor people. I do not have the costdata or the economic training to determine the amount of injury anddeath produced by including EDRs in automobiles, but it is almostcertainly above zero, and it probably falls more heavily on thepoor.

It would be a mistake to conclude that EDRs should not be put inautomobiles. The data they collect can improve auto safety so thatthe dynamic I have described - newer cars being safer - willcontinue.

The idea of trade-offs merely sharpens the auto safety riskmanagement question to: How much data do you need to make carssafer? It seems plain that statistically relevant evidence aboutauto safety could be produced using sampling, by drawing on across-section of collisions from which EDR data is available.Putting EDR functionality in every car is overkill that hascosts.

Perhaps 50% of the cars produced should have EDRs. Maybe it's30%, or 60%. If there is to be a mandate, why not place it on moreexpensive models?7 If EDRs were offered as a publicsafety option, perhaps the wealthier cohort of auto consumers wouldchoose them, avoiding cost impositions that endanger the poor.Analyzing EDR data from 100% of accidents is not required toproduce valid auto safety research. An across-the-board mandateserves some other end, which I speculate about below. The autoindustry's general "voluntary" inclusion of EDRs in automobiles isnot strong evidence to the contrary. The industry may not haveconsidered these trade-offs, or it may be pursuing ends beyond ordistinct from safety.

EDRs and Privacy
Privacy is a complex and vexing issue, and the interaction betweenEDRs and privacy is a challenge to describe or calculate. But theinstallation of EDRs in U.S.-sold vehicles to date has been achallenge to privacy. Making EDRs mandatory in new U.S. vehicleswill erode privacy further, the privacy protections in the MotorVehicle Safety Act notwithstanding.

The word "privacy" is used casually to describe many concerns inthe modern world, including fairness, personal security, seclusion,and autonomy or liberty. Few concepts have been discussed so muchwithout ever being solidly defined. The strongest sense of the word"privacy" is its control sense: having control over personalinformation about oneself. In his seminal 1967 book Privacy andFreedom, Alan Westin characterized privacy as "the claim ofindividuals, groups, or institutions to determine for themselveswhen, how, and to what extent information about them iscommunicated to others."

I use and promote a more precise, legalistic definition ofprivacy: as the subjective condition people experience when theyhave power to control information about themselves and when theyhave exercised that power consistent with their interests andvalues.8 The "control" dimension of privacy alone hasmany nuances, and I will parse them here briefly.

A Personal, Subjective Condition
Importantly, privacy is a subjective condition. It is individualand personal. One person cannot decide for another what his or hersense of privacy is or should be. To illustrate this, one has onlyto make a few comparisons: Some Americans are very reluctant toshare their political beliefs, refusing to divulge any of theirleanings or the votes they have cast. They keep their politicsprivate. Their neighbors may post yard signs, wear brightly coloredpins, and go door-to-door to show affiliation with a politicalparty or candidate. The latter have a sense of privacy that doesnot require withholding information about their politics.

Health information is often deemed intensely private. Manypeople closely guard it, sharing it only with doctors, closerelatives, and loved ones. Others consent to have their conditions,surgeries, and treatments broadcast on national television and theInternet to help others in the same situation. More commonly, theyrelish the attention, flowers, and cards they receive when anillness or injury is publicized. Privacy varies in thousands ofways from individual to individual and from circumstance tocircumstance.

An important conclusion flows from the observation that privacyis subjective: government regulation in the name of privacy isbased only on politicians' and bureaucrats' guesses about what"privacy" should look like. Such rules can only ape theprivacy-protecting decisions that millions of consumers make inbillions of daily actions, inactions, transactions, and refusals.Americans make their highly individual privacy judgments based onculture, upbringing, experience, and the individualized costs andbenefits of interacting and sharing information.

The best way to protect true privacy is to leave decisions abouthow personal information is used to the people affected. Politicalapproaches take privacy decision-making power away from the people.At its heart, privacy is a product of autonomy and personalresponsibility. Only empowered, knowledgeable citizens canformulate and protect true privacy for themselves, just as theyindividually pursue other subjective conditions, like happiness,piety, or success.

The Role of Law
The legal environment determines whether people have the power tocontrol information about themselves. Law has dual, conflictingeffects on privacy: Much law protects the privacy-enhancingdecisions people make. Other laws undermine individuals' power tocontrol information.

Various laws foster privacy by enforcing individuals'privacy-protecting decisions. Contract law, for example, allowsconsumers to enter into enforceable agreements that restrict thesharing of information involved in, or derived from, transactions.Thanks to contract, one person may buy foot powder from another andelicit as part of the deal an enforceable promise never to tellanother soul about the purchase. In addition to explicit terms,privacy-protecting confidentiality has long been an implied term inmany contracts for professional and fiduciary services, like law,medicine, and financial services. Alas, legislation and regulationof recent vintage have undermined thoseprotections.9

Many laws protect privacy in other areas. Real property law andthe law of trespass mean that people have legal backing when theyretreat into their homes, close their doors, and pull theircurtains to prevent others from seeing what goes on within. The lawof battery means that people may put on clothes and have all theassurance law can give that others will not remove their clothingand reveal the appearance of their bodies without permission.

Whereas most laws protect privacy indirectly, a body of U.S.state law protects privacy directly. The privacy torts providebaseline protection for privacy by giving a cause of action toanyone whose privacy is invaded in any of fourways.10

The four privacy causes of action, available in nearly everystate, are:

  • Intrusion upon seclusion or solitude, or into privateaffairs;
  • Public disclosure of embarrassing private facts;
  • Publicity that places a person in a false light in the publiceye; and
  • Appropriation of one's name or likeness.

While those torts do not mesh cleanly with privacy as definedhere, they are established, baseline, privacy-protecting law. Lawis essential for protecting privacy, but much legislation plays asignificant role in undermining privacy. Dozens of regulatory, tax,and entitlement programs deprive citizens of the ability to shieldinformation from others. Mandated EDRs undermine privacy, despitethe protections outlined in the Motor Vehicle Safety Act, as I willdiscuss below.

Consumer Knowledge and Choice
Perhaps the most important, but elusive, part of privacy protectionis consumers' exercise of power over information about themselvesconsistent with their interests and values. This requires consumersand citizens to be aware of the effects their behavior will have onexposure of information about them.

Technology and the world of commerce are rapidly changing, andpersonal information is both ubiquitous and mercurial.Unfortunately, there is no horn that sounds when consumers aresufficiently aware, or when their preferences are being honored.But study of other, more familiar, circumstances reveals howindividuals have traditionally protected privacy.

Consider privacy protection in the physical world. Formillennia, humans have accommodated themselves to the fact thatpersonal information travels through space and air. Withoutunderstanding how photons work, people know that hiding theappearance of their bodies requires them to put on clothes. Withoutunderstanding sound waves, people know that keeping what they sayfrom others requires them to lower their voices. From birth, humanstrain to protect privacy. Over millions of years, humans, animals,and even plants have developed elaborate rules and rituals ofinformation sharing and information hiding based on the media oflight and sound.

Tinkering with these rules and rituals today would be absurd.Imagine, for instance, a privacy law that made it illegal toobserve and talk about a person who appeared naked in publicwithout giving the nudist a privacy notice to that effect and theopportunity to object. People who lacked the responsibility to puton clothes might be able to sue people careless enough to look atthem and to recount what they saw. A rule like that would beridiculous, but legislation of precisely this character has been astaple of privacy proposals in Congress for at least a decade.

The correct approach is for consumers to be educated about whatthey reveal when they interact online and in business so that theyknow to wear the electronic and commercial equivalents ofclothing.

No, Really: EDRs and Privacy
If you needed any proof that privacy is complex, witness the factthat my introduction of the concept has consumed three writtenpages. I now turn to how EDR policy currently threatens privacy bydepriving consumers of control over personal information. There areat least three ways that EDRs undermine privacy: In the currentmarket environment, consumers generally cannot control whether ornot their vehicles have EDRs; they do not control what their EDRsdo; and they have limited ability to control what happens with thedata. The Motor Vehicle Safety Act makes the problem worse withregard to the first two, while providing some protection withregard to the third.

Control of Whether or Not Vehicles HaveEDRs
As I noted earlier, giving consumers choice with regard to EDRscould improve auto safety by allowing price-sensitive consumers -the poor - to decline having them. The margin of cost savings couldmove these consumers into safer vehicles, saving their lives andthe lives of others. This would also protect privacy. If EDRs werea choice, auto manufacturers, marketers, dealers, and resellerswould give consumers at least some information about EDRs and whatthey do. There would be greater public discussion of their safetymerits, privacy consequences, and value per dollar because carbuyers could do something with that information.11

Consumers motivated by privacy could opt out of having EDRsentirely. Consumers motivated by personal and public safety couldopt to have EDRs in their vehicles. Giving consumers control overthe choice whether to have EDRs in their cars would improve theirprivacy by improving their control over their personal informationinfrastructure.

Control of What EDRs Do
I note that some states have proposed to give consumers control ofwhether their EDRs are activated.12 This would shore upconsumers' control of personal information and thus their privacy.Consumers could decide based on their particular circumstanceswhether they want their vehicle collecting data about their use ofit. Given all the technology built into it, it is not a stretch tosay the car is a computer. But consumers do not get to control thiscomputer. Consumers should have more choice and control. At aminimum, government policy should not deprive them of it or channelthe market away from consumer control.

Of course, EDRs today are closely integrated with basic vehicleoperations and safety features like air bags. This is a historicalaccident, not something inherent to EDRs. The data recordingfunction could be logically separated from vehicle maneuvering andoperated by drivers from the console. An extension of this thinkingwould be to give consumers the ability to access and control muchof the software that runs inside their vehicles. Red Hat CEO JimWhitehurst recently made a pitch for automakers to adopt opensource principles in a recent, very interesting BusinessWeek commentary.13

Open source has its place, and I would not recommend open sourcefor the functions integral to stopping, starting, and turning, butthe many other computing and communications features in automobileswould benefit from open source software development. A feature ofthis approach would be that consumers could gain control over thefunctioning of much of the computing their automobiles do.

This control would improve their privacy by allowing them toselect what data is recorded, how long it is kept, where and how itis stored, and so on. Given the opportunity, some drivers mightcreate extensive personal records of their driving, perhapsoffering researchers greater insight into driver behavior than themandatory, onesize-fits-all EDRs envisioned by the Motor VehicleSafety Act.14

One can only guess at why government and corporate policy isconverging on requiring EDRs in cars and denying consumers controlof the EDRs' functioning. My best guess is that their use inlitigation is regarded by industry as an important protection andby litigators as important evidence. EDR data is being used inlitigation today, and its use will increase. Giving consumerscontrol of the data would protect privacy, but it would frustratethe interests of government, industry, and the trial bar. When allthese interests unite in Washington, D.C., it is no surprise thatconsumer privacy loses.

Control of EDR Data
With consumers substantially deprived of control over EDRs'existence and functioning, protections going to the use ofEDR-produced data cannot be entirely satisfying. The rules aboutdata proposed in the Motor Vehicle Safety Act provide some privacyprotection, but far less than the full array of controls consumershould have. Section 107(d)(1) would make any data in an EDR theproperty of the owner or lessee of the vehicle in which it isinstalled. This restates the appropriate and probable legal statusof such data. It is some benefit to privacy to have a restatementbecause the law in this "new" area is unclear.

The privacy subsection (107(d)(2)) bars collection of the databy anyone other than the owner or lessee except in certaincircumstances: when there's a court order, with the data owner'spermission, and when a government agency has certain beneficentpurposes. The first two are appropriate restatements of theappropriate legal rules around data, and I take it that the courtorder provision is not meant either to expand or to contract thecircumstances in which courts can authorize or require theacquisition of EDR data.

The third is interesting, though, because it illustrates how thebill giveth with one hand and taketh away with the other. Itcreates (or affirms) an intellectual property right in EDR data,but prescribes an unrestricted, royalty-free license to that databenefiting government researchers. The license is limited to datathat will not reveal the identity of the driver, owner, or lessee -a privacy protection - but on balance this provision reduces theconsumer's control by carving another exception from consumercontrol of data produced by the EDR.

There is little question that the data in someone's computer istheir property. So it is with the data in people's cars. But theMotor Vehicle Safety Act would reduce people's
property rights in EDR data by a small margin. Overall thedisability on consumers to control the existence of EDRs in theircars and to control the functioning of EDRs in their cars threatensprivacy. And it threatens privacy more than the modest protectionsof EDR data in the bill, which restate, then slightly derogatefrom, the better view of existing law about who "owns" data.

There is no privacy apocalypse that occurs should EDRs bemandatory nationwide in all new cars. This is but a small step inthe continuing erosion of privacy that has been goingon for years -and that will continue. The future trajectory of EDR policy isdeeply concerning. As they have in the past, EDRs will probablycontinue to add new functions and capabilities.

I note with dismay that the bill would allow NHTSA to requireEDRs to capture "certain events such as rapid deceleration,full-throttle acceleration lasting more than 15 seconds, and fullbraking lasting more than 10 seconds, even if there is not a crashor airbag deployment." This is an open-ended grant of authoritythat could allow recording of travel at 90+ miles per hour or 85miles per hour, or maybe 70.

Future changes to policy may further erode the weak privacyprotections in the bill. Perhaps reasonable suspicion will allowlaw enforcement officers to access EDR data and issue speedingtickets based on it. The existing ban on location data may fall, orEDR data might be correlated with location data collected by otherfunctions in the car. The mandatory EDR is surveillanceinfrastructure. There are no two ways about it. At some point inthe future, a day will come when it is "switched on," and driversacross the country may be subject to government monitoring of theircomings and goings.

Government and industry appear largely to agree on having EDRsin all our automobiles, with consumers prevented from controllingthose EDRs. Because the data collected by EDRs will be available togovernment and litigators, the Motor Vehicle Safety Act puts a sortof ankle bracelet on every American driver when he or she getsbehind the wheel. These things are not happening because of an evilplot hatched at NHTSA or because of a cabal between NHTSA and theauto manufacturers. They are happening because so few
people are looking down the road. You should be aware that the goodintentions behind this bill help build "Big Brotherinfrastructure."

To avoid this, to protect privacy, and to limit the injury andloss of life that I think comes from an overbroad mandate for EDRuse, federal policy should prefer EDRs to be optional, or at leastnot make them mandatory. Consumers should have control over thefunctioning of EDRs in their cars. And if they choose them,consumers should have full ownership of the data their EDRsproduce, being free to barter or trade that data to anyone whowants to access it.

1 E.g. Wickard v. Filburn,317 U.S. 111 (1942) (approving the regulation of wheat grown forpersonal use and not for sale under the Commerce Clause).
2 The Court discovered the commerce power's presentouter limits in United States v. Lopez, 514 U.S. 549(1995), which found that gun possession near a school was tooattenuated from effects on commerce to be within the commercepower.
3 Report of the Data Privacy and Integrity AdvisoryCommittee, No. 2006-01 (March 29, 2006)
4 U.S. Department of Transportation, Research andInnovative Technology Administration, Bureau of TransportationStatistics, Table 1-12: U.S. Sales or Deliveries of New Aircraft,Vehicles, Vessels, and Other Conveyances
5 U.S. Department of Transportation, Research andInnovative Technology Administration, Bureau of TransportationStatistics, Table 1-11: Number of U.S. Aircraft, Vehicles, Vessels,and Other Conveyances
6 I focus here on the policy of putting EDRs in all carsas a whole, not the incremental advance of that policy in thisbill. By requiring all makes to build EDRs into their cars, thebill would prevent any one manufacturer from gaining a costadvantage by not doing so.
7 That rule could be adjusted where less expensivemodels do not share all the relevant design characteristics withthe more expensive models.
8 See generally, Jim Harper, "Understanding Privacy-andthe Real Threats to It," Cato Policy Analysis No. 520(Aug. 4, 2004)
9 The Gramm-Leach-Bliley Act and federal regulationsunder the Health Insurance Portability and Accountability Actinstitutionalized sharing of personal information with governmentauthorities and various "approved" institutions. See 15 U.S.C.§§ 6802(e)(5)&(8); various subsections of 45 C.F.R.164.512.
10, "The Privacy Torts: How U.S. StateLaw Quietly Leads the Way in Privacy Protection," (July 2002)
11 It is important not to be fooled bytoday’s public ignorance of EDRs. Consumers areable to make choices about EDRs. In the present market environment,with EDRs standard on most vehicles, consumers exercise rationalignorance: There is no plausible benefit from learning about EDRs,so they invest no time or energy in learning about them or theirconsequences. They are disempowered objects of government andindustry policy.
12 I have not investigated the status of state laws, buta 2006 article cites proposed legislation in Montana, NewHampshire, and New Jersey. Aleecia M. McDonald and Lorrie FaithCranor, How Technology Drives Vehicular Privacy," I/S: AJournal of Law and Policy for the Information Society, Volume2, Issue 3 (2006)
13 Jim Whitehurst, "Why Toyota Should Go Open Source,"Bloomberg Businessweek (Apr. 1, 2010)
14 Researchers might pay for it, opening up a new marketin which some drivers cleverly capitalize on personal informationabout themselves to subsidize their mobility.

Jim Harper

Subcommittee on Commerce, Trade, and Consumer Protection
Committee on Energy and Commerce
United States House of Representatives