Skip to main content

Decoding What's in Your Car's Black Box

Who Owns the Data and Who Can Tap It?

If you've bought a new car in the past half-dozen years, there's a good chance it has a "black box" that activates if you brake suddenly, swerve off the road or hit something hard enough to make the airbags deploy.

The black box is formally known as an event data recorder (EDR), and today it's in 96 percent of new cars sold in the United States, according to industry estimates.

Surprised? You very well may be. Auto industry insiders say most drivers don't know event data recorders exist or how pervasive they are in newer vehicles.


See Edmunds pricing data

Has Your Car's Value Changed?

Used car values are constantly changing. Edmunds lets you track your vehicle's value over time so you can decide when to sell or trade in.

Price history graph example

All of that is changing for a variety of reasons. The National Highway Traffic Safety Administration (NHTSA) is on the verge of making black boxes mandatory in all new cars, light trucks and SUVs, although it appears the federal agency will miss a previously announced September 1, 2014 deadline for switching on the new rule.

States are passing their own laws stipulating what automakers must disclose about the devices, who sees the information they generate and under what circumstances. Delaware passed legislation in May, which brought the number of states to 15.

Meanwhile, in an age of hacked credit cards, National Security Agency phone taps and connected cars with multiple computerized systems, consumers and privacy advocates are becoming more concerned about the information vehicles create, including black box data, and who has access to it.

Finally, black boxes could play a significant role in lawsuits pending against GM over cars with defective ignition switches that contributed to fatal crashes.

With so much happening and so much at stake, drivers should be aware of what black boxes can do, what they can't do and the privacy issues they raise.

"The average driver knows very little about what their car is collecting and the battle that's being fought over their location and their data," says Nate Cardozo, a staff attorney on the digital liberties team at the Electronic Frontier Foundation. "It's important for us as Americans to start thinking about taking back the control of that data."

How Black Boxes Work
Event data recorders aren't actually black boxes but tiny microcomputer chip sets. In most vehicles, they're part of the airbag control module, and originally were included to ensure airbags deployed when they were supposed to.

Over the years, as electronics got cheaper, smaller and smarter, event data recorders became capable of doing more than simply monitoring airbags. Automakers realized the devices could be used to provide information about the seriousness of an accident, and if a car was being operated properly when a crash occurred. Based on a separate NHTSA regulation passed in 2012, if a vehicle today does have an event data recorder, it must track 15 specific data points, including speed, steering, braking, acceleration, seatbelt use, and, in the event of a crash, force of impact and whether airbags deployed.

Depending on the automaker and car model, an event data recorder may capture many more functions, though car companies aren't required to disclose exactly what those are. The language many use to explain black boxes in owner's manuals also is purposely general to cover technology updates and to save space.

Put everything the devices do in an owner's guide and "instead of one paragraph, you'd have potentially another 20 or 30 pages. That really wouldn't be realistic," says Richard Ruth, a black box equipment trainer, expert witness and consultant who worked at Ford Motor Co. for 33 years, including a stint evaluating event data recorders and other safety equipment. "It's not going to change whether or not you're going to buy the car."

Most event data recorders are programmed to record data in a continuous loop, writing over information again and again until a vehicle is in a front-end collision or other crash. When an accident occurs, the device automatically saves up to 5 seconds of data from immediately before, during and after an incident.

Today, practically every major automaker selling cars in the United States builds event data recorders into new vehicles. The exceptions are Volkswagen (which auto industry watchers say is preparing for the NHTSA regulation to kick in), Ferrari and Maserati. Traffic accident analysis consultant Harris Technical Services maintains a list of car makes and models from 1994-2014 with event data recorders.

The NHTSA rule, which the agency has been working on for years, was supposed to take effect September 1, 2014. However, auto industry insiders say the agency is still reviewing more than 1,000 comments it received about the proposed regulation, making that implementation date unrealistic. A NHTSA spokeswoman declined to comment on the delay.

Getting Black Box Data
Black box data is difficult and expensive to get to, and interpreting it takes special training. Extracting the data after an accident involves using a data-retrieval tool kit that consists of hardware, software and a cable that plugs into a car's onboard diagnostics port. That's the same port mechanics use to identify engine problems and insurance companies tap as the basis for use-based insurance policies. Crash data retrieval tool kits aren't cheap, running $2,000-$10,000 and up, not including training costs.

It follows that since drivers own their cars or trucks, they own data the vehicles generate, including black box data. But because it's so difficult and costly to extract, it's virtually impossible for average car owners to do it on their own — assuming that they even want to.

Who else can access the information is a point of contention. Automakers would like the right to access the information for numerous reasons including safety, to make sure systems work the way they should and to check for defects. Other parties that want a black box's car crash data can include police and other law enforcement agencies that are investigating an accident, insurance companies looking into a claim, lawyers representing parties in car-crash lawsuits and accident reconstruction consultants working for any of the above.

In states with no black box laws on the books, "state troopers could get the data without a subpoena if there was a fatality," says Tom Kowalick, a self-taught black box expert who chairs an event data recorder standards working group that's part of the Institute of Electrical and Electronics Engineers. Kowalick also wrote some of the black box information on the NHTSA Web site. "If they want to grab it, there's nobody saying they can't."

To rectify that situation, 15 states have passed EDR regulation over the past decade. Under the theory that car owners have privacy rights, many of the state laws require automakers to notify new-car buyers that vehicles contain black boxes, such as in the owner's manual. State laws also spell out the conditions under which police or other parties can obtain EDR information without an owner's consent, such as with a court order; for dispatching emergency personnel; diagnosing, servicing or repairing the vehicle; or probable cause in an accident. The National Council of State Legislatures maintains an updated list of state EDR laws.

Black boxes have become a battleground in states such as California, where earlier this year, insurance companies and automakers lined up on opposite sides of a black box data protection bill that would have required automakers to let car owners block or opt out of recording vehicle information. The bill didn't make it out of the state Senate Transportation Committee after heavyweights including the Alliance of Automobile Manufacturers opposed it.

Earlier in 2014, two U.S. senators introduced a bipartisan bill that would provide some of the same protections on a national level. The Driver Privacy Act explicitly states that a black box's data can't be retrieved by anyone other than vehicle owners without their consent and protects any personally identifiable information. By April 2014, the bill had collected 23 co-sponsors and been approved by the Senate Commerce Committee. As of July 2014, however, no further action had been taken.

Black Boxes, Privacy and Security
Meanwhile, electronic privacy advocates worry about a related car-data security issue: that a car's diagnostic port, through which black box data streams, isn't secure enough to withstand hacking, and therefore poses a danger. Security experts and "white-hat" hackers already are testing how to break into the ports to show how vulnerable they are. They are publicly sharing the results, as in a video called "How to Hack a Car."

Kowalick, a longtime black box data privacy advocate, started a company to sell a diagnostic port lock that he invented. The $30 AutoCyb lock, which he markets on his company Web site, is inserted into the diagnostics port to turn off access and prevent unwelcome parties from getting to the data or interfering with car systems. "Every car in America can be hacked," he says. "The diagnostic link connector is unsecure. All you have to do is set up access to the vehicle and have the right tool."

However, Ruth, the EDR consultant and former Ford executive, maintains a physical lock couldn't stop a black box expert or mechanic from bypassing the diagnostics port and obtaining the data another way. He also dismisses the notion that hackers would be interested in information.

"What would the incentive be?" he asks. "I think it's an over-reaction. For all practical purposes, the owner controls physical access. There's no Internet port on the car that's live, especially when the car's turned off. No one can hack into something without Internet access." Even if someone could break in, specifically in an effort to get data from an event data recorder, the devices have access codes that need authorized commands to work, he says.

In addition, car companies use threat modeling and simulated attacks to test security and to help design controls that protect data, says Wade Newton, communications director for the Alliance of Automobile Manufacturers, an auto industry trade group that represents 12 large car companies. "From bumper to bumper, automakers use proven security techniques to help prevent unauthorized access to software," he says.

Suing Over Black Box Data
Security concerns aside, black boxes are quickly becoming a factor in lawsuits filed by families of people killed in accidents in GM vehicles, allegedly due to faulty ignition switches that are part of a national recall.

One of those suits was brought by a lawyer for the family of Ben Hair, a 20-year-old Eagle Scout from Virginia who died in a 2009 crash in a GM vehicle with an ignition switch that's part of the recall. The suit alleges the 2007 Pontiac G5 that Hair was driving had a black box that could have produced evidence showing he wasn't to blame for the accident.

AAM spokesman Newton also would not comment on the lawsuit. However, as a rule, when automakers sell vehicles with event data recorders, they disclose the information in an owner's manual, he says. "But where it appears in the owner's manual may vary from one automaker to another."

GM and lawyers representing other plaintiffs in lawsuits related to defective parts also are looking to get black box data to help prove their cases, according to news reports.

It's too early to tell whether black boxes will become the backbone of every car-crash lawsuit, or if they'll end up posing significant privacy and security risks. But one thing is certain: Federal mandates or not, black boxes are here to stay, and the more informed drivers are about them, the better off they'll be.