THE STANDING SENATE COMMITTEE ON TRANSPORT AND COMMUNICATIONS
EVIDENCE
OTTAWA, Tuesday, June 13, 2017
The Standing Senate Committee on Transport and Communications met this day, at 9:30 a.m., to continue its study on the regulatory and technical issues related to the deployment of connected and automated vehicles.
Senator Dennis Dawson (Chair) in the chair.
[Translation]
The Chair: Honourable senators, I call the meeting of the Standing Senate Committee on Transport and Communications. This morning, the committee is continuing its study on the regulatory and technical issues related to the deployment of connected and automated vehicles.
[English]
Today, we have two panels of witnesses. For this first panel, I would like to welcome Patrick Patterson, President of Carillon Information Security Inc.; and Nolan Bauerle, Director of Research at CoinDesk.
As you know, Mr. Bauerle, you are limited to five minutes for your presentation; you have been here often enough in the past, listening to the presentations.
Nolan Bauerle, Director of Research, CoinDesk: I have been doing some work with both the Blockchain Research Institute, Don Tapscott’s outfit in Toronto, as well as CIGI, the Centre for International Governance Innovation, with the University of Waterloo and Wilfrid Laurier University, participating in round tables for governance innovation, as well as talking at conferences around the world to regulators, legislators and business people interested in this technology.
My principal work, since I began in this industry, has been with Manhattan-based CoinDesk, where I am the Director of Research. CoinDesk is the world leader in Bitcoin cryptocurrency, blockchain and distributed ledger, news and research. We host the largest and most important conference in the world related to this technology. Three weeks ago, in Times Square, we had 3,000 conference attendees, along with a full list of the brightest minds in the business, including Toyota Research Institute, who mentioned some of their announcements at our conference, at committee hearings here two weeks ago.
The most important metric of our success has been generated from our editorial team. We are the world leader in attracting eyeballs to well-written and well-scrutinized news. This team is led by Editor-in-Chief Peter Rizzo and a list of contributors too long to mention. The story we are telling is a mix of cryptography, finance, law, accounting, politics, technology and, of course, futurism.
One narrative I am interested in at CoinDesk, and something I use to help guide my research, is related to the story of cryptography. More precisely, the story of individuals wielding for themselves the full power of cryptography. Cryptography is at the heart of the problems you are studying here with the security of connected cars: how to secure communications, data and connections; how to tell secrets, maintain privacy and keep out eavesdroppers and those who would do us harm.
After World War II, the Nazi enigma machine and Alan Turing, governments realized the power of cryptography was so great that its proliferation needed to be controlled, so cryptography was counted as a gun or a munition, its commercial development severely restricted. This meant that cryptography was in the exclusive hands of the military and, for the most part, the NSA.
With the digital age, the munitions designation of cryptography ended. It was untenable, and cryptography needed to be deployed commercially in order for people to use computers.
Some of people who helped change this designation remain vital to the crypto-currency industry today; cryptographers like Adam Back, the CEO of Montreal-based Blockstream, one of the most important companies in our industry.
Cryptographic keys went from being a munition to a commercial tool, but cryptography took a detour there. In the digital world, there exists a fundamental question: Who are you? In the physical realm, this is simple. With the digital world, the answer to this question is less clear. “Who are you?” authentication became a major use case for an entire industry of cryptographic tools.
Instead of wielding private keys ourselves, users exchanged their mother’s maiden name or a dog’s name in exchange for these. A bank and other information providers managed our cryptographic needs for us.
But this arrangement is under siege. So many privacy breaches you hear of — every large-scale hack — can be traced to vulnerabilities created by the mere introduction of a third party into our cryptographic authentication.
We have shared our entire lives all in exchange for authentication. Satoshi Nakamoto, the mythical creator of Bitcoin, warned that banks and service providers must be weary of their customers, as they need to collect more private information than is necessary in order to transact. The result is something akin to a public health epidemic.
How Bitcoin solved authentication was to put cryptographic keys in the hands of users and in the hands of individuals. Possession of a cryptographic key is ownership in Bitcoin. In the case of Bitcoin and other crypto-currencies, possession is ownership. This is the newest development in the story of cryptography: from a munition, to a service provided in exchange for your mother’s maiden name to, finally, cryptographic keys in the hands of individuals.
The implications of this shift represent a revolution. Because keys and security are with users, Bitcoin has also spurred a major innovation in the physical security of cryptographic keys. Early adopters suddenly needed to manage their own keys, and a market for digital wallets that store and generate cryptographic keys grew. This market has led to amazing physical wallets that are excellent at privacy protection and new microchips that have trusted encryption enclaves that allow for keys to stay in a device and never expose themselves to the connections of the Internet.
Secure key management and on-device cryptographic key transactions are an important consideration for connected cars as the industry moves forward. It is this innovation, along with several others, but this one in particular, that has a role to play with connected cars.
Machines and sensors that are connected in cars are not going to be able to submit a mother’s maiden name in order to be authenticated by a third party. The only way forward is to extend Bitcoin’s authentication logic. The same way possession of keys means ownership of Bitcoin, the possession of cryptographic keys means authentication of machines and connected devices in cars themselves. In short, these sensors might end up looking a lot like a Bitcoin wallet.
Blockchain technology and Bitcoin achieve something called privacy by design and, because of this, it is compliant with privacy laws. Keys remain with the users and there is no need to force other parties to share too much data, limiting the surface area of attack for those who would do us harm. Thank you.
Patrick Patterson, President, Carillon Information Security Inc.: Good morning. I would like to thank the committee for the opportunity to speak with you regarding the importance of cyber security in the context of autonomous and connected vehicles. I work for Carillon Information Security Inc., a firm based in the Montreal area that has been involved in the standardization of identity management policies for the aerospace and U.S. government areas for the last 16 years.
We have been intimately involved in the entire history of e-enabled aircraft. We already have autonomous and connected vehicles. They are flying over our heads right now.
We faced many of the same challenges as you are looking at today in the context of autonomous cars and other kinds of vehicles, but I would also challenge that we should broaden it and take a look at things like autonomous naval ships and, again, aircraft, trains and other things, because they are all beginning to do exactly the same thing. They are all beginning to send and receive digital information and get their signalling information completely digitally. We are beginning to do things like transmit software from a manufacturer down to a vehicle. I will not talk about cars, but just generic vehicles, because we are doing it in just about every single sector right now.
As Mr. Bauerle said, identity is the key to cyber security. If we don’t know who we are talking to, we have no idea whether we should trust them and listen to the message they are sending or unpack that piece of software they are sending us.
The other piece is integrity. We need to ensure that that piece of software that left the manufacturer or that message that left the signalling centre actually gets to the correct vehicle and is also decoded and able to be trusted as not having been tampered with in transit.
As I said, some of the applicability areas include software updates. We have been intimately involved in the security of software updates to aircraft. Now we are looking around to the field of autonomous cars, and even semi-autonomous cars: take a look at companies like Tesla, which is already beaming software directly to your car. If you have a Tesla and you walk in in the morning, you have a button that says, “Hi, you received a software update overnight,” a bit like your Windows system, which is kind of scary.
We are doing that today with enabled aircraft. We can take a piece of software that leaves a manufacturer — whoever writes that software goes to the OEM, whoever is producing that aircraft, which then gets transmitted out to the operator and they will then beam it to their aircraft. Once it gets on the aircraft, a technician can come on board, hit a button, watch the light go green — hopefully — and know that that piece of software is exactly the same and is coming from a trusted source as the one that originated and went through all of the various QA steps along the chain of custody.
The other one is communications with trusted sources. When we are talking about trains, ships, airplanes and sometimes about cars, these vehicles will be receiving signals from various points of infrastructure along the way. Some are already happening today in an unauthenticated fashion. In the aerospace industry, this is becoming increasingly important, because we are moving away from voice communications to pure data. A pilot will no longer hear an air traffic controller on the other end of the line; they will get a message that says, “Hi, aircraft ABC. Climb to 10,000 feet at heading 2-1-3.” They have to be able to know that the message absolutely came from an air traffic control centre. Trains and ships will each get the same thing.
For cars, it will be a bit different. It might be a message from the roadside saying, “Hi. Your maximum speed limit in this sector is not 90 as the GPS would tell you; rather, it’s 70 because of road work” or some other event going on. We still need to be able to authenticate the sources of those messages.
Then there is the inter-vehicle communication. The way a lot of this autonomous technology works is that you have a car sitting there going, “Hi. I am here. I am going this fast at this particular heading” and people or vehicles around you know exactly what is going on.
With the ADSB system with aircraft, that is where they are moving to as well. An aircraft, instead of having a radar vector, they have collision avoidance systems and also the ADSB systems where the aircraft is saying, “Hi. I’m at 30,000 feet over this point of ground, going in this direction at this speed.”
All of these things are exactly the same problem, so we need to take a look at it in a completely holistic manner. We can’t take a look at it as Transport Canada makes one sets of rules for airplanes, another for trains, another for ships and another for cars. This will work best if it is a common set of standards or at least a common set of principles.
In the aerospace industry, there is already a bunch of ways of doing this — of standards that have been created. We have worked over the last 16 years to go through and standardize each of these individual sectors. We have worked with ICAO, IATA, FAH, Transport Canada, IASA — all of the worldwide regulators — so that when you have a C Series aircraft made here in Canada by Bombardier, an Airbus aircraft or a Boeing aircraft, all of them use exactly the same mechanisms and methodology.
That allows you to solve the cross-border or cross-national problem. If we take a look at this as a single insular Canadian issue, that’s not going to work. We will have to take a look at this in the context of a broad global context. Manufacturers will not want to make a car that is only for Canada, just like an aerospace manufacturer doesn’t make an airplane that is only for Canada. We want to have something that is truly across borders and is exactly right.
The other thing we really need to encourage Transport Canada to do is not to issue broad directives. They need to issue specific guidance. We’ve seen this over the last 16 years in the aerospace industry, where they issue us broad things like “you should take into account the cybersecurity considerations for doing X,” which is great — thank you for making us think about it — but it doesn’t help solve the problem, and it doesn’t help solve it in a standards way. They need to say, “We need to solve it. You need to take this into accounts and apply X, Y and Z” — very specific standards in order to make it work.
Thank you very much.
The Chair: Thank you, Mr. Patterson. We will begin questions.
Senator Runciman: Thank you, gentlemen. You talked about specific standards versus broad guidelines. You were relating it with respect to the privacy issues and cybersecurity. I would like to get more explanation from Mr. Bauerle about cryptography, because I wasn’t quite clear in the application to the issue we are studying. Maybe you can be a bit more down-to-Earth, if you will, in terms of folks who aren’t in that kind of field to better understand the implications and what recommendations you might be making for us as a committee to provide the government.
I am interested in the hacking vulnerability of automated vehicles. Could you speak about the potential vulnerability to cyberhacks by unauthorized third parties and how we can come to grip was that particular issue?
Mr. Bauerle: The first question was on standards and the second on vulnerabilities.
Senator Runciman: Yes.
Mr. Bauerle: With cars communicating between each other, they use the 5.9 gigahertz range. You heard Toyota research mention quite a bit about that and how this particular piece of spectrum is under siege in America. It’s making sure this piece of radio frequency remains dedicated to cars.
The standards that we have developed for this imply necessarily that a third party will manage cryptographic authentication and that the government itself becomes the administrator of a root key. They are in the middle of that. They gather the data to authenticate these machines, whether there are sensors in the devices or not.
The very idea that bitcoin eliminated banks as third parties — what they really meant was that they eliminated banks as the third party for the cryptography needed to exchange. That same logic applies to cars. One of the ideas I am hoping this committee will pass on is that the government doesn’t always insist on being a certificate authority, because the mere introduction of a third party into authentication creates the vulnerability itself. The very idea that we have asked another entity to authenticate us has created the surface area that is used to hack the cars.
The FBI, for example, came out with its list of white-hat hackers. They work for universities or organizations, and they try to test these devices to their limits. The telematics we have in cars these days for insurance purposes is a connected device. They will give you a lower premium, in theory, if they see your braking and speed habits. But the problem was that these devices themselves allowed cars to be targeted on the street. Now we know who that is. This insurance company that just wants to be an insurance company has had to, all of a sudden, develop cryptographic techniques as important as a bank. They have had to develop cutting-edge cryptographic technologies. Cryptography is a rare field. It is easy to propose solutions that work but it relies on its antithesis; it relies on people hacking it and breaking it in order for us to ensure it works.
One of the interesting things about bitcoin is that by eliminating third-party authentication, it spends literally zero dollars securing the network, yet it has never been hacked. It has a feature called anti-fragility. You can think of traditional cybersecurity and cryptographic security as an onion. You pack more layers of security onto that, but you still centralize the information. It is still in one place, which makes it a target.
It only requires one weakness. It is not a fair fight between hackers and cryptographers trying to secure your information. You can devise a beautiful system that looks great on paper, but with one little weakness, hackers get in and get it all.
Bitcoin distributed this around a large area so that attacks come into the network, and it gets stronger as it's attacked. The more people that attack bitcoin, the stronger it becomes, which is different from what we have used all these years in cryptographic authentication.
My message, and this is what I hope the committee will ponder and have other departments ponder, is that the reflex for a government to be a certificate authority — the reflex — should be questioned. I’m not saying in this instance it should be a different case. This is for testing and all kinds of development to figure out. But the idea is that these communications can be done between two machines, just like bitcoin exchanges are done between two people without anyone else involved; there is no bank, no one looking at the secure communication between these cryptographic keys; there is no appealing to a third party.
Senator Runciman: I am a bit concerned about that analogy because, in using bitcoin as an example, with vehicles we’re talking about public safety and potential use for terrorism, those kinds of issues where I think my perspective on this is that government has to play a more intensive role and a more involved role with respect to automated vehicles.
Mr. Bauerle: My comment to that is if they are involved in authentication, the mere introduction and insistence on a role in the secure lines of communication open up an attack vector. Because bitcoin has put this onus on bitcoin holders to control their own keys, to be in possession and control of their own keys, it spurred a wonderful industry on its own that so far is only connected theoretically to connected cars. There are start-ups working on this. There are start-ups that work with Lockheed Martin, for example.
Senator Runciman: Because of time limitations, could Mr. Patterson briefly respond to that? Do you share that view?
Mr. Patterson: I take a bit of a different view on its. I fully agree that insistence on the government necessarily always being in the loop is not necessarily a good thing. Within the aerospace industry, there is its own authentication and identity management framework that the industry has adopted and that they’ve made sure is compatible and trustable by the various governments that have signed on to the same identity management regime.However, they let the industry have their own authentication and issuance capability and integrity protection mechanisms.
I will disagree with Mr. Bauerle. I think that PKI certainly has a role at least in part of the equation. He and I can perhaps have a debate later with regard to whether it works for vehicle to vehicle or not. But categorically, I would say have the government make the regulations but let industry have the infrastructure that is issuing and managing keys in the vast majority of cases.
With regard to the hacking question, senator, the issue there comes down to architecture. That is, which systems are we tying together? There is a wonderful press article that came out about a year and a half ago, and I think it was Jeep, that someone figured out by broadcasting a digital FM signal to them, they could actually jump from the radio on to the command bus of the car. Now, if we ever designed that in an airplane, the engineer who did it would probably be lynched, and the regulator certainly wouldn’t allow it. The idea of having a complete bidirectional link between the infotainment systems in the car and the on-board command and control system is where Transport Canada has to say no to the automotive manufacturers and anyone else who is making those things and that you have completely separate networks.
Yes, I realize you need to get speed information there so your GPS makes sense, but there has to be way that we can architect that the same way as we get information that displays on your in-flight entertainment systems about where the airplane is and how high we’re flying. That comes from the cockpit, but that link is very narrow and highly protected so you can’t go back through it.
We need to ensure that we basically have two different sets of streams. On aircraft, there are actually three. There is the cockpit network, the cabin network, which is used by the flight crew, and the passenger network, and none of the three talks to each other. There is no way to get from one to the other. Autonomous cars need to have the architecture built that way.
Senator Eggleton: Picking up on your remarks, government needs to be involved when it comes to issues of safety, security and privacy. We’re trying to sort out exactly where we draw the lines on those so as to not impede the attempts to advance technology but bear those basic requirements in mind.
You have talked a fair bit about bitcoin, but bitcoin is relevant to the blockchain technology. Tell me in simple terms where you see, with respect to the advancement in automotive vehicles, the benefits and the challenges to be met in terms of the use of blockchain technology. What are the pluses and minuses?
Mr. Bauerle: First, decentralization. Bitcoin and blockchain technology are an elegant solution to two challenges in the digital world. The first one I mentioned in my opening remarks: Who are you? We have to know that; authentication. Possession of a key in bitcoin becomes who you are. You own that bitcoin because you hold the key. Just like a device with a key attached to it, with keys being transacted within the device itself that never leave the device are able to authenticate that way.
Senator Eggleton: Better personal security.
Mr. Bauerle: Better personal security.
The second question is, can you do what you’re trying to do? Who are you and can you do what you’re trying to do? That’s the area where the government can come into play. Bitcoin, doing what you’re trying to do, is simple. It is exchanging a small piece of digital properties. It’s the first time this ever was done and it does that very well. It is very simple. But the rules and parameters around what type of transaction can be made through blockchain technology and new advancements can be much more complex, but it remains an elegant solution to those two questions: Who are you and can you do what you’re trying to do? Authentication and authorization.
Within blockchain technology, the government has a great role to play in setting the parameters of what a valid transaction is for a particular network. That is definitely a role they play.
Senator Eggleton: Cybersecurity?
Mr. Bauerle: Yes.
Senator Eggleton: So it’s much more capable of preventing a cyberattack?
Mr. Bauerle: It is this law of nature argument. Sometimes things that are simpler are better. In this case, the simplicity of bitcoin — and I understand it sounds complicated — if you see it from 35,000 feet and you compare it to traditional cryptographic architecture, it can look quite unruly, huge, like a circus big tent with all kinds of directions and keys going everywhere, like when you want to buy something on the Internet. If it’s a one-click purchase, if you actually pull back and see what’s behind there, there’s a whole tangle and mess of stuff going on.
Senator Eggleton: But is that also a vulnerability?
Mr. Bauerle: It certainly is. Bitcoin ends up looking a lot like a vending machine. You just send the money. This is why bitcoin is so important for transactions in plastic, for example, cash versus plastic. Plastic is a pull transaction. You’re basically allowing a bank to go into your wallet, take the money out and open up someone else’s wallet and put it in. In the case of bitcoin, it’s exactly like cash. Here’s the money; transaction over. That’s it.
Senator Eggleton: What other challenges are there? Is there a heavy cost? Is the automotive industry likely to get into this?
Mr. Bauerle: There are several companies that are working on it already. There is a company that started in the Internet of things called Filament. They realized immediately that devices that transact with keys on them didn’t exist when they came into the industry. They developed something called the crypto-chip, which attaches itself to the main micro processor and is able to keep the keys away from the connected parts of the device.
Guardtime has invented something called keyless signature infrastructure where they use a hash of a key. A hash is the workhorse of cryptography. You can think of a hash as breaking a plate. It is easy to do in one direction, but it would be hard to put that plate back together to the point where I didn’t notice it was broken. They are able to use these tools to authenticate in a much simpler way.
Senator Eggleton: So it protects personal information better in terms of access to it. It protects you from cyberattack, by and large. Is it still in an early evolutionary stage?
Mr. Bauerle: Very early stages.
Senator Eggleton: How about the issue of privacy? Will it benefit or will it be a problem? We’re concerned about all the data that is being collected in these systems now.
Mr. Bauerle: I included a few of the relevant privacy laws, particularly the EU general regulation on privacy, which is about to take effect in 2018. PIPEDA is in harmony with this law. That law suggests that almost any information that can be tied back to an individual is counted as personal information and therefore subject to the penalties of this new EU regulation.
But there are two other super important parts of this regulation. They talk about security by design. This one is the super wide scope slide I sent you guys. The second one is something called privacy by design and by default, and I’ll read you what the law says: “Encryption and decryption operations must be carried out locally, not by remote service, because both keys and data must remain in the power of the data owner if privacy is to be achieved.”
This is followed by the general directives under which the privacy law was written, and that says, “If the personal data is pseudonymised with adequate internal policies and measures by the data controller, then it is considered to be effectively anonymised, and not subject to the controls and penalties” of this new regulation.
So it’s my belief that because bitcoin is anonymous, pseudononymous — and other cryptocurrencies are anonymous — but the architecture can be used in such a way that we can anonymize users, machines in particular, and that authentication comes with their use of keys that they are able to automatically comply with privacy law, which is a tremendous advantage, and that’s something that I’m here to defend and suggest never changes.
Senator Eggleton: That’s good. Let me ask you about one more aspect of this. Is there any impact on publicly-paid-for infrastructure? We’re talking about connecting vehicles. We’re talking about possibly connecting into street signs, traffic lights or whatever else, as part of the general infrastructure provided in municipalities. How does this impact on that? Is this all self-contained, or does it require that kind of an investment in infrastructure by public sources?
Mr. Bauerle: I don’t think so. I think what might end up working is that the manner in which the technology behaves can be dictated by executive power and legislative power and regulatory power from an executive ministerial level or from a governmental level, but the deployment of this technology can be a commercial opportunity, for example.
Mr. Patterson: Regardless of the foundational cryptography, whether it’s classical PKI, bitcoin, anything like that, the cost for adding it to the infrastructure will be approximately the same.
The exact adoption, which systems would, for instance, use bitcoin, and looking at it from a cryptography point of view, I could see having a great deal of applicability for vehicle-to-vehicle communication. You may want to take a look at using more classical authentication models for things like the digital signature of software and the recognition of whether or not this particular software should be trusted to be loaded on this vehicle; or whether or not this particular signal originating from an authoritative source, i.e., a police vehicle, a piece of traffic infrastructure, some other source that is beaming something to that autonomous car. It may end up looking like a mix of the two. So bitcoin for vehicle to vehicle, or to put it more succinctly, blockchain for vehicle to vehicle, and for vehicle to something other than a vehicle, you’re looking at using more classical authentication methods.
Mr. Bauerle: Even to illustrate that point for the vehicle-to-vehicle point, there’s someone in the bitcoin industry working on this for autonomous vehicles where the vehicle will pay the cars in front of it in the lanes to get out so it can go. This is being developed today. There is no need for the machine to appeal to a third party, which will then negotiate with this other car so that they will beat it. They are just going to pay the guy in front of them, get out of my way, and then pay the next guy to get out of my way, and this is being developed right now.
The Chair: Well, that opens up a whole new bunch of issues.
Senator Galvez: Thank you very much for this very interesting presentation. In the last sessions here, I have been changing my opinion about cars. I have started seeing them more as computers. The more you talk, the more you talk, the more I feel like we will be driving computers.
If I go in that direction, I can bring all my worries from the software to this situation, and I will add to my colleague Senator Eggleton saying that we as a government worry about safety, security, privacy, but also consumer protection. Consumer protection is worrying me a lot because there is a lot of planning obsolescence in the industry of software. There is planned obsolescence. It’s there, so the consumer has to keep buying and buying and buying, and you just said the guy is there, push him out.
We know that every system can be hacked at a point. We have been blind. It’s just a matter of time. We have viruses. We have all kinds of things going into our machines.
You were mentioning that I will have my car, and Tesla is saying it’s beaming the data and the software is there and we have to worry about the authentication, who am I, and am I downloading what I want to download? Are you suggesting that, at a point, if I’m not downloading or I’m not authenticating the right things, I will need somebody to come and help me out? My colleague the other day said what happens with the Canadian Tire and the mechanics that come? Who will help me out? Will it be a telephone and down beam me and I’m blocked for some time? Can you please tell me, reassure me?
Mr. Patterson: The way I would look at it is this moving them to being more autonomous platforms is actually good for the consumers, and the reason being is we can look at the Tesla model again. You can upgrade; they are sending upgrades to your car. If you bought a model 90D a few years ago, it didn’t have autopilot. Now it does, so you’re getting a free feature. Since it’s now software, this isn’t something where we need to go and add a module to the car or anything like that.In a certain way, it’s adding to the life of the vehicle. You can also get a performance upgrade. You just simply pay them their extra $2,000 and all of a sudden your car will accelerate from 0 to 60 in four seconds instead of nine seconds. We’ll argue whether that’s a safe thing or not, but some people like it.
With regard to the fact that they are now computers, yes, they are, and we’re not going to get away from that. That’s how we’re getting to the point of having efficient vehicles. We can’t build mechanical systems that get the fuel efficiencies and emissions controls that we have. That has to be governed by a computer on a second-by-second and millisecond-by-millisecond basis. It’s got to be a computer doing that, but the thing that we have to take a look at is who can service the parts.
Well, if it’s a computer, it will be a matter of taking that computer module off the car, as long as the manufacturer allows the diagnostic codes, which I agree need to be available to every single Joe mechanic in this country, and the ability to purchase that particular computer module and make it modular on and off. The aerospace industry already does this. Flying an airplane now is a whole bunch of computers running Windows and Linux, as interesting and scary as that may sound. The mechanics servicing these airplanes go and get a bare unit out of the warehouse when something breaks on the airplane, puts it in, and then somebody in the engineering department says, “Okay, that particular airplane needs to have the following 27 pieces of software installed on it.” That’s just what happens. The dealers will probably keep track of which software you’re entitled to.
Your mechanic that’s at Canadian Tire or your corner mechanic won’t be able to add pieces of software for you, but there will definitely be a way, since that module will be able to authenticate that this is a Tesla-certified piece of software or a Ford-certified or Toyota-certified piece of software; why not? It’s easy. As I said, it will actually prolong the life of the cars because we will be able to get those features.
Apple comes out with a phone every year. I’m sure they would love me to upgrade it. I still have a three-year-old iPhone, but I’m running the all-but-latest version of their operating system, so I benefited from all those extra upgrades. We are seeing the same thing with the autonomous cars, and we are certainly seeing that with airplanes.
The Chair: Colleagues, I want to remind you that we have a second panel.
Senator Mercer: Thank you, gentlemen, for being here.
Mr. Patterson, I want to continue on a couple of things that you just said, that you didn’t think that the mechanic at the local Canadian Tire would be able to fix the car because he wouldn’t have access to the software. This is a huge concern. This is another whole industry that goes on, particularly in rural or small-town Canada. If you live in a big city, you have access to dealers, and traditionally car owners don’t go back to the dealer because in their mind, whether it’s right or wrong, the price is higher at the dealer than it might be at the mechanic down the road. If the mechanic down the road, whether it be at Canadian Tire or the local garage, doesn’t have access to this software, we will create a huge employment problem in that industry, and it’s an important industry, particularly in small-town and rural Canada.
Mr. Patterson: I would say, realistically, the only time the software would need to be reloaded is if the central computer module or one of those computer modules is replaced. Certainly, the committee needs to ensure that the rules are in place to allow the free and fair access to those computer modules by any qualified mechanic and that the manufacturers of those cars don’t require a visit to the dealership in order to reload the software.After all, why would you? You’re getting the software updates over the air. Theoretically, it should be a matter of taking the old computer module that’s faulty — and remember it’s only that module. The rest of the parts should just work.
Senator Mercer: You just said the magic words, “free access.” That sounds very good as we’re sitting around this table having this discussion, but the people sitting around the table at the boardroom of the company that’s producing the software are saying, “Why are we giving away our software free? Why aren’t we making Joe mechanic out in rural Canada pay a fee to access that software? He needs it, we’ve got it, so why not make a dollar as it’s going by?”I see a very big risk for the support of rural Canadians and small-town Canadians because of the lack of access. You’ll have to help me with that.
You also spoke earlier in your presentation with respect to broad directives, and it sounded good. You talked about broad directives, and we need more specific applications. The directions need to be more specific instead of broad statements. You gave us a broad statement in explaining that to us, so I want you to be a little more specific. Give us an example of something that has happened because of those broad applications instead of specific direction.
Mr. Patterson: All right. So one of the applicabilities was in the transmittal of software to the aircraft. Transport Canada and the FAA have a regulation that simply says if you are transmitting the software over a non-governmental network, you have to take appropriate security controls to ensure the integrity and authenticity of that software. That’s the rule. It says nothing.They could have said, “Use the methods in ARINC, which is one of the aerospace standards bodies, ARINC standard 827 and standard 835 and the identity management guidance in ATA spec 42 in order to provide that level of security.”
Senator Mercer: One of my concerns in this whole process is that Canadians are excited -- and some are nervous — about the future of autonomous vehicles, et cetera, but I don’t know that they have factored in what they sacrifice in the process, namely, information that will be going from the vehicle back to the car manufacturer or the software manufacturer. Somebody will know what’s going on.
One of you mentioned speed earlier. If you are someone who is consistently 10 kilometres over the speed limit, that information goes back. Your insurance company says, “Hey, we don’t want to insure somebody.” Insurance companies are bad enough to deal with. Nobody wants to deal with them. I have a phrase for it. I call it “legalized extortion.” You can’t do things without insurance, so you have to buy it. You have no choice. You try to shop around, but because they know you have no choice, it’s not that competitive a market. Why would I want to give information from my vehicle that would affect my insurance rate, if, for example, I were to be a speeder?
Mr. Patterson: Senator, do you use Google?
Senator Mercer: Rarely.
Mr. Patterson: I saw an article today that says apparently Google’s AI algorithms are now able to predict with about 90 per cent accuracy when somebody is going to commit suicide. Google essentially knows every single thing about you. That’s their entire business model. Facebook is exactly the same thing.
When we’re looking at the privacy rules, we are already giving up, through the use of our phones — for instance, how many here have android phones? You are already giving Google exactly the same telemetry information as your car would. Keep that in mind before we try to say the car can’t emit anything that is identifying.
Senator Mercer: All that being said, Mr. Patterson, Canadians don’t know that. It’s happening, but they don’t know it, and they also don’t know what the consequences are. I think that’s one of my concerns, and this is the Transport and Communications Committee, and on the communication and transportation industries’ issues, I think we have a duty to report that if you’re going down this road, you are giving up all of this privacy. You are giving up all of this information. You are giving information to people who may turn around and use this against you. For example, in renewing your insurance, they can say, “Well, since you are a constant speeder, we’re going to increase your premiums, even though you haven’t had an accident in 10 or 15 years, but because you’re always 10 kilometres over the speed limit, we’re going to increase your premiums,” and, of course, they will have the data to back that up.
Mr. Bauerle: Senator Mercer, when it was just discussed that Google’s entire business model is aggregating and collecting this information, the business model of many bitcoin and blockchain companies is the opposite. It’s to negotiate this data where privacy is first and that users can control the data themselves.
The announcement that Toyota Research Institute mentioned here about blockchain technology and was announced at our conference in New York three weeks ago was precisely that. They are using a start-up called BigchainDB, which is able to coordinate this information to use to help set standards, pass standards, but it also blinds it. It also ensures that you’re not sharing unnecessary information, that you’re not doing exactly what you’re worried about — sharing too much.
So it coordinates the relevant information for those who need it and is able to actually tear away parts of the transaction and blind the rest and leave the person who needs to know the very limited amount of information that’s required to get that, but everything else becomes hidden. One of the main purposes of a lot of these companies is to address exactly what you are talking about, that you don’t have to give away your entire life just to speed up a little on the highway.
Senator Mercer: However, Mr. Bauerle, what puzzles me about bitcoin is that the attractiveness is the security, but the public concern should be the security. If there’s wealth moving around in the world and nobody’s monitoring this, and wealth is moving from a legitimate operation to an illegitimate operation to a criminal operation, or what have you, somebody needs to know about it. And by having this privacy, you can’t do it.
Mr. Bauerle: The on- and off-ramps are pretty well regulated around the world. From cash into crypto, there’s a lot of KYC and all traditional business methods that go on. The senator mentioned before that every system is hackable, and you just mentioned no one is watching bitcoin. Bitcoin is secured by half a billion dollars of computers competing to earn bitcoin by adding security to the network. The computers themselves that make up the bitcoin network are doing the work of the security. Bitcoin has never been hacked, and they are spending zero dollars on security, not a penny, because that is the business model. Computers are sitting there staring at a public ledger, which did something different. It created digital property. It made something digital scarce, limited. Before that, things that were digital could be copied and pasted. It was very easy. Ask the music industry or the movie industry. Digital meant ephemeral, unlimited. It was an oxymoron to call something limited and digital, but all these computers that are attached to the network — I’ve even forgotten the metric. Bitcoin has been around for seven years and has attracted more computing power than the 10,000 largest banks in the world combined, seven or eight times more than Google itself, and it’s very new.These computers, their entire purpose, their entire reason for being is the security of the network. That’s the point of these computers coming. They are sitting staring at this information, waiting for people to move keys. And if one makes a transaction that is not authorized, the network will find out right away because they are competing to tell — the analogy you can use to understand this —
The Chair: I want to remind you, we have a second panel.
Mr. Bauerle: I’ll leave it there and maybe come back to it.
Senator Marwah: This is a question for Mr. Bauerle. I see that CoinDesk specializes in the subject of bitcoin and its underlying technology blockchain. Is the view that for bitcoin to get traction in a material sense, meaning where it becomes part of a global currency, that it needs to be regulated? Is that an oxymoron? How do you regulate something that is built to not be regulated?
Mr. Bauerle: I think it is already regulated by math. The math regulates it.
Senator Marwah: But I’m talking about government, in terms of central banks. I’m talking about that’s the regulation. Do you believe there’s a role for governments to play there, or is it really a role that’s not required?
Mr. Bauerle: In the end, it’s just cryptographic keys being passed between people, and I’m not sure how you could regulate that other than saying you can use it for this or that. There’s nothing that a government can do that would make a system that is so elegant to begin with better than it already is. There are technical applications, but the idea of regulating — maybe a cash-to-crypto conversion, that’s already being regulated. That’s being regulated all over the world, but regulating the use of cryptographic keys is impossible. It’s a key.
Senator Marwah: How about regulating in the sense of being part of national currency? We have a Canadian dollar.
Mr. Bauerle: That would be fine.
Senator Marwah: How do you regulate something like bitcoin in a country like Canada? It’s impossible. I would like to hear your thoughts on how you bring it into a national exchange services.
Mr. Bauerle: Bitcoin was three technologies. It was the cryptographic keys, the network and the program that runs the actual authorization of transactions. These three technologies coordinate. They are orchestrated in a particular way.
Think of a bicycle for a second. When the first bicycle was invented, none of the parts were new. It was the orchestration that was magic, the idea that this thing on two wheels could have momentum and go forward. That can be regulated all people want. They can add these technologies in this same combination, in this same orchestration, the same way bitcoin did, because no one owns the idea of a bicycle; it’s just out there.
The genius of bitcoin was the orchestration and arrangement of these technologies. That was the, “Aha, if you do it that way, it works.” So central banks are absolutely free to copy this orchestration to their heart’s desire, and they can do all kinds of wonderful things, and they are doing all kinds of wonderful things. The Bank of Canada is heavily involved testing this stuff. They have tried to put part of the Canadian dollar in its native digital form so that there would be part of the money supply that does not have a paper equivalent and that is digital to its core. This can be used for settlement and all kinds of things. The largest banks in the world have all created their own network together called the distributed ledger, which is basically the same arrangement as bitcoin but without the coin being minted.
This can be deployed, used and copied to any government’s heart’s desire. They can continue to do this for years to come, and they will. That’s effectively what people in my industry believe, that this orchestration of cryptographic tools will continue for many years and represents a true revolution in the way we deploy cryptography.
Senator Mercer: I want to come back to the issue of the security of bitcoin and people, and I don’t mean individual citizens but police forces and bank regulators understanding where this wealth is being moved. We’re not talking about simple information; millions or billions of dollars can be moved via bitcoins, and without proper regulations or supervision. It could be moved into or out of drug cartels. It could be moved into criminal organizations or terrorism organizations. This is the concern that people have when the movement of large volumes of wealth is not regulated. That’s why we have central banks. That’s why we have regulations, to protect the common good. The common good is to protect us all, so I need you to explain to me why bitcoin should be excluded from the protection.
Mr. Bauerle: We have banks all around the world that are doing nothing but. Take Canada with FINTRAC provisions. They have to report every transaction above $10,000. They can’t trace one single prosecution from all of this reporting that banks and co-ops and all these small outfits are doing. They are just reporting into this big void, and all this is going on every single day.
Police have to do their jobs. They have to catch money launderers and criminals, but we have a public health epidemic on our hands with private data, and it will get worse. If we rig connected cars the same way we have organized our online banking, we’re in big trouble. It’s not going to work. We’re going to expose ourselves even more. It’s one thing to have a couple hundred bucks stolen from your credit card; it’s another thing entirely to have your car out of control on the highway.
Sure, financial regulation is really important and there are tools that will not go away. Investigators and police will all be there, and that doesn’t need to go anywhere. But arranging the security of this just so someone can call the cops when they know something’s wrong is not as good as baking the security into the technology itself. It certainly does allow a vehicle for some of this stuff that you talked about, but more importantly, it protects our privacy.
So you have to weigh the two, and it is a one or the other in some cases. Not in every case. There are many different examples, but if you introduce a third party just to make sure this reporting goes on, you might be leading the whole system down a path where it can be corrupted very easily. You end up increasing the surface area of attack, which is extremely dangerous.
The Chair: And a final statement, Mr. Patterson?
Mr. Patterson: I would say that regardless of what the cryptographic underlying underpinnings are, whether that is blockchain or PKI, regardless, the piece that needs to really be elucidated by Transport Canada and regulated for this is cars should be first and foremost trusted computing environments. If this software did not come from someone, it should not be executable, which means even if somebody finds a vulnerability and manages to load a piece of software onto your radio or into your car’s navigation system, if that piece of software wasn’t signed by the automotive manufacturer or one of his designated authorized software producers, it should not be executable. That is a fundamental security practice that needs to be applied to autonomous vehicles, the same way as we do for aircraft and the same way we are beginning to do for trains. We need to segregate the networks and make sure we have a trusted computing environment.
[Translation]
The Chair: I would like to thank Mr. Patterson and Mr. Bauerle for being with us today.
[English]
We are continuing our study on connected and automated vehicles. I am pleased to introduce our next witness, from Ford Canada, Mr. Blake Smith, Director for Sustainability, Environment and Safety Engineering.
[Translation]
Thank you for being here. We are ready to hear your opening remarks.
[English]
Blake Smith, Director, Sustainability, Environment and Safety Engineering, Ford Motor Company of Canada, Limited: I’d like to preface my remarks with a couple of overview comments. From a Ford perspective, when we talk about connected and automated vehicles, it’s really about making things better for our customers and, ultimately, making a better world. It is in that context that I am making my comments. If it doesn’t do that, it shouldn’t be done.
Good morning, and thank you, honourable senators. More than 100 years ago, Ford was founded with a clear vision, and that was really around making people’s lives better by making transportation accessible to everyone, democratizing transportation.
The innovations at Ford have helped to make car ownership a reality for millions, advanced human progress, enabled people to become more connected with each other and to find greater opportunities to live, work and play where they want, make personal choices. It was a revolution in connecting average people, the likes of which we haven’t seen again until recently.
In Canada, Ford has been part of the fabric since 1904. In addition to our current $700 million investment in our manufacturing facilities, we recently announced a $500 million research and development investment. Approximately 300 software and hardware engineers have been added to our mobility team in Ottawa, Waterloo and Oakville. Our mobility team is the development group looking at new ways for people to move. That’s the connection. These folks are part of the connected and automated vehicle space.
At Ford, our approach to automated driving is to pursue both a bottom-up approach, where we focus on adding features that provide drivers with increasing levels of automation — think about adaptive cruise control, automated emergency braking, those sorts of features that are add-ons to existing vehicles that we are familiar with — and the top-down approach, where we focus on a high level of autonomy and where the vehicle does the driving for the driver or for the person that is in control of the vehicle.
For most people, autonomous vehicles are a new idea. Trust is really important. Ford has spent the past century earning that trust. We know how to make safe, quality vehicles at high volumes, to meet varying needs of people around the world.
We have an extensive design, development and verification process to ensure the high quality and performance of all of our products. These include analyzing the intended function, identifying user experiences and performing robustness and durability testing, including modelling, track and real-world driving.
Autonomous vehicles will be held to the same high prove-out standard. They do, of course, have some unique attributes that will require some additional considerations. As such, we believe that self-certification, which is the methodology used in North America, is the best path forward as we continue to work with regulators on these types of vehicles.
Public trust can also be earned by establishing pilots with specific geofenced areas or mapped areas where the vehicles are confined. This will provide much needed interaction with the public to influence the perception about self-driving vehicles. In the U.S., our team has been partnered with a variety of cities to implement new mobility services, including fully autonomous vehicles. I am optimistic that this will extend to Canada in the future.
We are also activity engaged with the U.S. National Highway Traffic Safety Administration, NHTSA for short, and other stakeholders to provide data and policy considerations that may help to inform their views on autonomous vehicles. We support NHTSA’s federal automated vehicle policies and appreciate Transport Canada’s continued collaboration with NHTSA as policy is further developed.
Ford looks forward to continued work with the Canadian government on developing a national framework and policies to enable deployment of transportation as a service, using the SAE Level 4 vehicles without driver controls. The U.S. and Canada have a shared driving environment, so it just makes sense to have aligned approaches. This is really an extension of the way we have operated for a very long time.
Ford will look very different in the next 5 to 10 years if it meets its intent to put autonomous vehicles on the road by 2021. According to recent remarks by Bill Ford, “We should be less capital intensive, less cyclical, much closer to the customer, and help cities sort out their issues. We will be making vehicles. It is something we do and we do well. . . But how they behave, how they interact and who is in them may all be different.”
This is a transformational moment in the industry, perhaps the most transformational moment of the past century, and we look forward to being part of it.
Senator Mercer: Thank you very much, Mr. Smith, for being here; we appreciate your time.
You mentioned earlier in your presentation about the verification process and how important it was. Can you give us a little more detail about the verification process that Ford is looking at and how that will work from the point of view of the company?
Mr. Smith: Perhaps you could help me a little bit. I guess I can do it from a couple of angles. I can talk about how we layer security; I can talk about privacy. When it comes to the automated vehicle space —
Senator Mercer: The answer to the question is all of those.
Mr. Smith: Okay. First and foremost, we believe that data belongs to the person in control of the vehicle. We also believe in an approach that treats different kinds of data differently. For example, today, the systems for the so-called OBD port on a vehicle, for its emission control setup and so on, is a port that vendors can plug into and service the vehicle. Obviously, that level of security is not adequate for some other system. The approach is unique to the system. These are layered systems.
Our security control approach is what you call defence in depth layered technique. You isolate systems, and you have them layered. Then, if any system is violated, for whatever reason, it sets off some form of signal. I didn’t want to answer specifically, of course, because our product development process is proprietary. That is a place we can’t go too far on, but I did want to give you a sense of how we try to deal with that.
On different kinds of data, I think there will be different values for different purposes. Obviously, people’s truly personal information they should have control of. I will use how my cellphone connects to my vehicle today. I make a choice about whether I connect, whether I let my contacts load into my vehicle. That’s a choice. I choose to put mine in because then I can do what I do while I drive. It is the same with text. Once I have done that, though, and I turn my vehicle in, I have to have the presence of mind to delete it. Otherwise, it could be exposed. The individual has a role to play as does the company.
Over-the-air updates involves a choice, again. The system will identify that an update is available. You can choose to subscribe for the update or you can choose to wait and make a choice on an individual basis. That’s the sort of approach. Leave the decision with the data owner.
There is public good, however, in some forms of data. If it’s properly handled or anonymized, for example, in the current world, that data could be used to smooth traffic, for example. If vehicles are connected, over a period of time the system can learn to operate more efficiently. There is a public good. Part of the discourse of public policy has to be how do we do that in a manner that protects the individual’s privacy so that an individual’s location or speed or whatever isn’t identified but it’s part of a data set that can be used to communicate back to vehicles that are automated and make traffic smooth, flow more evenly, avoid an accident, et cetera.
Senator Mercer: My final question, Mr. Smith, is one that we have asked a number of people because this committee has dealt in the past with the licensing and issuing of spectrum by the government.Are you convinced that Ford’s efforts in this industry will not be hindered by the lack of spectrum availability to allow you to communicate with vehicles?
Mr. Smith: My understanding is that ISED has moved to protect the frequency or is in the process of moving to clear the frequency that would be used for vehicle-to-vehicle communication in North America. I think Canada is going in the right direction. We continue to discuss that with them, obviously. If vehicle-to-vehicle communication becomes a regulation in Canada, that will obviously be very important.
Senator Mercer: But is there enough spectrum available to allow that communication to happen?
Mr. Smith: It’s a specific frequency, and that frequency is protected.
Senator Mercer: We now have 50 per cent of the vehicles on the road that have this capability, and everyone wants to communicate with everyone. That is system overload. In particular, if there needs to be communication because of weather, accidents or something, that could put a strain on the system. I assume that in your research there is a stress management process when there is stress on the system?
Mr. Smith: First, vehicle-to-vehicle communication is one very specific corner of the connected vehicle space. Vehicles will be connected with the outside world in several different ways in all likelihood. My vehicle today is connected through its cellphone interface. Presumably there will be more than one connection in the future.
Senator Griffin: One thing I was pleased to see in your presentation was that you could help cities sort out their issues. I used to be a municipal councillor, so I am interested in how you see that happening.
Mr. Smith: As we move to a more shared economy and mobility as a service and a shared transportation model, if congestion is to be lessened, there needs to be fewer vehicles. That is something as a company we are willing to acknowledge and state is important in the long haul.
Automated vehicles have the potential to be supportive of multimodal public transportation. We own a service called Chariot that is based in San Francisco which is a van sharing type arrangement that can support public transportation where it is absent. It is connected with train services like the GO Train or VIA. As different types of transportation move forward, the ideal would be for those systems to be able to communicate with each other. There is no point in the Chariot service showing up 10 minutes early or 10 minutes late. Those systems are able to communicate with each other. There is an efficiency opportunity.
Senator Griffin: As part of the process for this planning, I’m assuming that you have done consultation with municipalities and with provinces possibly, too?
Mr. Smith: It’s early days. The discourse is a little further along in the U.S. than it is in Canada, so we have an opportunity. We are talking to some provinces and some municipalities about what the future might look like. Each of them is going to have to make their decisions about how they want to participate.
Senator Griffin: Yes. That is very important for their planning.
What do you see as the continuing role of the after market? That is, the Canadian Tires of the world and the local service station, especially in rural areas?
Mr. Smith: I have listened to some of the testimony. Folks tend to refer to these rolling computers. Fair enough, but they still have wheels, tires, brakes and steering systems — those are all mechanical systems. Yes, the electrification and the computing power of vehicles continues to go up, but they are still mechanical systems that will require service. What has happened with service generally over time as vehicles have gotten more robust is they require service less frequently. There are fewer and fewer conventional service technicians and more and more higher level technicians that are capable of dealing with the most advanced systems. Tires last longer; exhaust systems last longer — everything last longer. As the quality of vehicles in terms of durability has improved, the need for service has gone down.
[Translation]
Senator Saint-Germain: It is very interesting to hear you talk about the durability and longevity of your cars in the new context. This leads me to wonder about the nature of the warranties you will offer to consumers, and therefore to the buyers of your self-driving vehicles. How will the warranties your provide change? For instance, will the warranty be longer for the computer parts, since the durability and longevity will be longer? Will there be a warranty on the security of the system? By that, I mean the ability to maintain the confidentiality of consumer-entered data. Please tell us about anything else you currently have to consider in developing your warranties to be consistent with the vehicles as they evolve.
[English]
Mr. Smith: The company will have a role in its warranty policy, and I think it’s far too soon to predict what that will look like. There is always a role for public policy and the regulator in this space. The basic requirements of the Motor Vehicle Safety Act require us to make sure that vehicles don’t have defects or, if they do, they have to be corrected.There are those sorts of obligations, and it is the same on the environmental side. There is an interplay with public policy and the regulator in those spaces.
I assume that as we get more and more learning about technology in the lower levels of automation, when the benefits are clear, the regulator will probably set a minimum standard and make it part of the regulatory landscape. To the extent that any of the systems affect either the safety or environmental elements, those are already in place. As we go forward, I am sure there will be a dialogue about what is essential to be covered and what is less important from a minimum standard of operation.
[Translation]
Senator Saint-Germain: In the interest of both the company and the consumer, you said:
[English]
It is far too soon to think about the guarantees.
[Translation]
Will it be necessary to adapt the warranties that you will give upon the purchase of a car — which today is basically built according to traditional mechanics — to cars that will be like computers on wheels? Have you thought about how you will tailor the warranties you will offer to consumers for these vehicles that will have a much higher price than traditional mechanical cars?
[English]
Mr. Smith: It’s not even clear at this point for fully autonomous vehicles what the ownership model is likely to look like. For example, I don’t know whether most autonomous vehicles will belong to private individuals or service providers. That is an interesting question. Will they need service? No doubt. How extensive it is, I think, is part of the learning. As vehicles get more electrified and more controlled by electronics, the level of maintenance should go down, not up. They are likely to require some software upgrades from time to time, and the service model for that, at least in my mind, isn’t clear yet.
Senator Galvez: Thank you, Mr. Smith, for being here. We understand that car companies will remain the builders of the mechanics of the car. However, there are a lot of software security companies coming forward to ensure communication in the Internet of things. As you said, it is a layered system. There is the inside of the car, then vehicle-to-vehicle, plus vehicle-to-infrastructure and then the vehicle to the satellite for positioning.
I want to get your opinion on this. Having so many players that have the knowledge but not necessarily the control, as they are the developers of this software, there are fractures by which hacking or privacy problems or fraud can be allowed. I want to give you an example.
The gentleman before you said something that was disturbing. He said that you have a car and you can go at this speed, but if you have an update, you can make it faster. If my car had the potential of doing this mechanically by paying for updating the software so I will then be able to go faster, that worries me. It worries me that the mechanics and capacity are enhanced by a software program but that is not told to the customer from the beginning.
I was just thinking about what happened to Volkswagen. They had a problem with their emissions, and this was a software problem. Through the software they could control the emissions reading at various speeds. There was fraud there.
What is Ford thinking about this issue with respect to so many software companies and the layers which are there? If there is a problem, what part of the responsibility will Ford take?
Mr. Smith: First, Ford has the privilege of having been voted one of the most ethical companies in the world eight years in a row. That's something we are quite proud of and we take it very seriously. Having said that, it is incumbent on us as the manufacturer to take responsibility for those sorts of things. In our development protocols, we have ways of doing that. We have also voted with our pocketbook to a certain extent by adding, just as recently as March, 400 engineers from another company, a half-billion-dollar investment. We bought companies that build the LiDAR system. We are insourcing what we view as critical operations.We have long-standing relationships with companies like QNX in Canada that help us with software. It’s about making sure that that the business relationship is set up in a manner that deals with those things.
Senator Galvez: Do you see a role for government in ensuring this?
Mr. Smith: I’m sure you have heard by now, for example, that there are automated vehicle guidelines in the U.S. They have 15 principles, and there is a set of interactions with government before you move into the space. Certainly there is a role for government in ensuring the policy framework for this sort of technology is right. It can’t be cookie-cutter; it will have to be situational. It will be data dependent. It will be what the specific data is.
Ideally, we would find a framework that allows innovation in the space to thrive. At the same time, there has to be a public policy framework that establishes boundary conditions and provides the public confidence that they will be safe and secure and their privacy will be protected. The bonus of autonomous technology will be safety and environment.
Senator Eggleton: We have had a lot of discussion about electrification of automobiles through the computer and through the information systems that are being developed. There has also been the reference to propelling the vehicles forward, electrified vehicles or electrical cars as we have known them in the past. Does Ford see all this going hand in hand, moving from fossil fuels over to electrified vehicles as part of this total electrification?
Mr. Smith: There are supporting elements. They are not mutually inclusive, but they can be supporting. Our prototype autonomous vehicles are, in fact, electrified products because they have the kind of battery capacity that’s necessary for the sensor technology and so on. So they have a fairly high electric draw at this stage. Our prototypes are hybrids. Ideally, in the short term, we see them as plug-in hybrids, probably. There is some interplay in that sense.Again, because of the power draw of the technology, that will likely change a little bit over time, so they are mutually supportive, I would say.
Senator Eggleton: That’s interesting.
Mr. Smith: And to the extent of connectivity, vehicle-to-vehicle communication, can smooth traffic flow, you would make that electrified technology more efficient because it’s not accelerating and decelerating all the time. Again, there is some convergence.
The challenge with anything that has a large battery today is still that it is very expensive, and we’re probably 10 years or more away from getting to the point where fully electrified vehicles make economic sense. So it’s a journey, and we think it’s a really important one, like autonomous vehicles, and it’s a decision of over what time frame and so on we want to move forward.
Senator Eggleton: Ten years seems amazing. These electrified vehicles have been around for a long time already.
Mr. Smith: You may be aware if you’re a historian that Henry Ford worked for Edison, and they were studying and developing electric vehicles in the 1800s.
Senator Eggleton: Still trying to master it.
I want to ask you about cybersecurity because a couple of studies have indicated that manufacturers — not necessarily picking you out or Ford — generally don’t seem to be quite on top of this. The McKinsey & Company study said that 75 per cent of executives surveyed — this is in the industry or related components of the industry — did not have a countermeasure strategy in place to respond to a cyberattack. And then U.S. Senator Ed Markey, in his study, found only two manufacturers were able to describe any capabilities to diagnose or respond to an attack in real time. What are you doing to overcome what appears to be either an indifference or just a lack of understanding of what to do?
Mr. Smith: I wouldn’t call it indifference, and I don’t think there’s a lack of understanding. I think the landscape is changing very quickly, and we belong to a set of collaborative efforts to improve that space, so that’s ongoing and developing quickly. We’re actually quite confident that we’ll be able to protect the systems.
Senator Eggleton: You said in your opening remarks that you believe self-certification is the best path forward.
Mr. Smith: Right.
Senator Eggleton: In France, they are apparently considering — I guess it’s a government issue — a safe AV label. In the United States Senate, they have also suggested a cyberdashboard label. These are government-sponsored labels that are intended to improve public confidence that the systems will work. However, you seem to suggest self-certification is better.
Mr. Smith: Let me describe what self-certification is, to begin with.
In the U.S. and Canada, we have a system of certifying vehicles that’s different than the rest of the world. The motor vehicle safety standards in Canada are set up to be protective of the public, and we take the responsibility for saying they comply. And if they don’t, there are consequences, both in terms of recall and correction. But in my view, we’re held to a higher standard than the so-called type approval where government authorities review the detailed records and decide whether a vehicle is to be certified or not. It’s just a different approach, but it puts a very high onus on the manufacturer.
Senator Eggleton: One of these measures coming out is in the United States Senate at the moment, though.
Mr. Smith: I can’t speak to the label, and I’m not sure what value it would provide. However, we have been quite vocal as a company that this has to be a partnership going forward. We view it as the federal government’s role to set the framework that we operate in from a product perspective. It’s a provincial jurisdiction to set driver requirements and conditions for use, and we would hope that we would get to a provincial model-type system.
Ontario has done some nice work in trying to lay out the conditions for AV-type use, and they have collaborated in that effort along with the state of Michigan quite a bit. It’s not a surprise because that’s where a lot of the development work is done.The idea of getting through the CCMDA, getting to a model approach and then letting folks adopt it makes a ton of sense to us so that there’s continuity.
And then there’s a role for municipalities that have to decide how they want their transportation system to work. There are many challenges for municipalities in terms of infrastructure and infrastructure spending, but the most efficient use of their dollar in the long run will be to have these systems be used most efficiently and have them communicate with each other. The dialogue has to be around how does that work best. Simple things. For example, today there’s no connection between a GO train and TTC.
Senator Eggleton: True.
Mr. Smith: A bus doesn’t communicate with the subway system. These things are all independent. In the long run, that doesn’t make any sense. That’s where the efficiencies can come and where the technology suite that’s coming into this space can apply.
I want to share one other thing where there’s an opportunity. We talk about connected vehicles. It tends to get into an urban discussion. It doesn’t have to be that way. There are real opportunities. We operate in India and Africa, in places with very remote communities that are difficult to get at. If vehicles can be connected under those conditions, you can ensure that health care is provided for better. If a vehicle can communicate somebody’s vitals back to a hospital or a health care facility, there are a lot of opportunities to make life better for people that wouldn’t have it otherwise, or for people to get to work that couldn’t get to work otherwise. That’s the real opportunity here and, of course, in Canada we have lots of these remote places. We tend to think of remote as central Ontario or Nova Scotia or something. Those aren’t remote. It’s the real remote places where there may be a big opportunity.
Senator Eggleton: Thank you.
Senator Runciman: I have a few brief questions following up on Senator Eggleton and referencing one of our notes about the U.S. government publishing non-binding guidance on cybersecurity best practices for CVs and AVs. As a follow-up to Senator Eggleton’s question, what measures has Ford taken to make cybersecurity an organizational priority? Are you aware of what is happening?
Mr. Smith: All I can tell you is we have. As I said earlier, we’re members of a number of consortiums to improve and continue to improve our knowledge in that space. We’re part of the Auto-ISAC initiative. We belong to the AV consortium. There are a bunch of these sorts of things.
In fairness, this is a journey. Autonomous vehicles are not the conventional privately owned vehicles. They are intended to operate in a geofenced setting, a geomapped kind of confined space and to be for moving people and goods. They are not the classic vehicle the general public would acquire. Part of the reason we announced early our intent to have autonomous vehicles in 2021 is to ensure that we expose the public to them so they have an opportunity to learn. We continue to evolve our best practices, and they operate in a highly controlled setting where if they need to be updated, or if something needs to change, it can happen quickly.
Senator Runciman: I have been a Ford driver for over 20 years, so I’m a big fan of the company and especially respect the fact that a few years ago, when two of the big three went for bailouts, Ford did not. Kudos for that.
I was talking about the issue of public trust, which you mentioned in your submission, and the role of government. We heard from one of the previous witnesses about a minimal role for government, and, in the past, I have referenced this issue of public trust. General Motors, Volkswagen, Hyundai and a number of major manufacturers have kept problems from the public — some of them are now in litigation — that have resulted in deaths. I question this whole issue with respect to public trust. We’re only made aware of some of these through whistle-blowers. I have put the question in terms of at least in the initial decade or so of moving in this direction, we should perhaps have a more involved role of government, especially when you look at all these potential security threats involved with automated vehicles as well. I’m just putting to you that this whole public trust issue is, I think, questionable given the actions of some significant manufacturers.
Mr. Smith: From our perspective, we view this space as one where it will have to be a partnership. There is a role for the regulator in the space for sure. That’s what the regulator’s role is, to ensure public safety.
Senator Runciman: Currently, it hasn’t been working, obviously, in some instances, with pretty severe results.
Mr. Smith: The systems need to evolve with time, for sure.
I will not comment on other companies’ issues for sure, but the way to proceed is to get a good set of oversight parameters in place, and if there are deficiencies in those oversight parameters as technology changes, then obviously it will stress conventional regulators some because technology is moving at a faster pace than they move. It will require some new models. Certainly, though, Mr. Ford in particular has been quite vocal about the need for public policy to develop in a way that allows that trust to develop in the technology.
Senator Runciman: In terms of the long-term viability of the industry in Canada and the serious questions surrounding that, do you have any recommendations you can make in terms of distinguishing that in Canada? It’s a very integrated industry, and we know that. But in terms of legislatively or through regulation policy development rather than simply opening the bank vault, what can we recommend to government with respect to ensuring, as best we can, the long-term viability of the industry in Canada?
Mr. Smith: If we’re talking about the manufacturing industry, obviously we need a competitive operating environment, and there are some issues in that space at present.
Senator Runciman: And you don’t care to get into them today?
Mr. Smith: I’m here to talk about automated vehicles.
Senator Runciman: I would like to hear about that sometime in the future.
Mr. Smith: Sure. There are, obviously, efficiencies in manufacturing when there is an alignment of requirements, and obviously technology is cheaper to the end consumer when there’s efficiency. Certainly, I am a long-time advocate of getting the requirements right, but also of internationally, both on a continental basis within North America and on a global basis, moving towards harmonized requirements. Harmonization shouldn’t be a dirty word. It’s about getting the best requirements and aligning them.
History is the biggest enemy of harmonization, by the way. This is why when we have new spaces, like electrification, fuel cell vehicles, automated vehicles, we’re starting from basically ground zero, and then there really is an opportunity to move it on an aligned international basis.
[Translation]
Senator Cormier: Thank you for your presentation. I am interested in the impact of the arrival of self-driving cars on the employment and labour sector. You said, on the one hand, that the cars were going to be more and more durable. You also said that they will need less and less maintenance. So we can imagine that this will have an impact on vehicle manufacturing.
On the one hand, I wonder how your business plan will take these factors into account. What interests me first and foremost is the impact of these changes on the workforce. What do you think the main impacts will be? I am thinking, for instance, of small contractors, small garage owners in the regions. Considering that the cars will be more durable and will need less maintenance, how can the federal government help this industry prepare for this change?
[English]
Mr. Smith: First of all, I guess it would be fair to say that as vehicle technology evolves, it will continue to get more durable and last longer and continue the trend towards fewer people needed in the service industry. That’s just a fact. There will be some displacement.
The larger issue may be that as freight in particular becomes more automated, then there may be some displacement of the driver community, and that is a very large source of employment. Some folks will likely be displaced, and so that transition is something that will have to be looked at going forward.
From a business planning perspective, it’s too early for me to speak to that in the sense that we’re talking about a fully autonomous entry level 4 vehicle in 2021. That’s a long way out from a business planning perspective. It will be a vehicle that’s used, as I said, in a geofenced environment, so the first vehicle won’t likely have a huge volume. It will be more piloting and getting the public to see the technology, start to get comfortable with it, that sort of thing. Impacts are probably further down the road from a business planning perspective, for example, if we looked at our manufacturing footprint.
[Translation]
Senator Cormier: Do you have any ideas about how the federal government could help this sector’s workforce anticipate or prepare for this transition and change?
[English]
Mr. Smith: I’m an optimist, so I think that over time, as business models change, employment will shift away from some of those conventional jobs to less conventional jobs. I just don’t know what they are yet. I think that’s a space that certainly the federal government can watch, and they would no doubt be more knowledgeable than I am about what those options are.
[Translation]
Senator Boisvenu: First of all, I would like to thank our guest. Perhaps I will finish this round of questions with a bit of philosophy.
According to the people who have appeared before our committee, the future of the automobile seems very exciting. However, my great fear concerns all these computerized systems invading our world. For example, if you lose your cell phone or access the Internet, you panic. People are losing more and more autonomy in problem-solving because they are increasingly dependent on the outside world to solve their communication problems.
We already depend on public transit; for example, if there is a blackout, the subway does not work, or airplane pilots may go on strike. We are also in a world that depends on communications, and the car depends on it as well. Humans have always sought independence in their movements, and they have always sought independence to solve problems.
We will be facing an automotive market where it will be almost impossible to do any car repairs, such as changing a belt, because everything will be computerized. Is the industry going to propose a plan B, in which we will not have to rely completely on the autonomous mode in our movements, and basically become slaves of our homes? Will there be other ways to be independent in our movements, so that we are not completely dependent on them?
This aspect frightens me a little.
[English]
Mr. Smith: I guess the move to autonomous vehicles or the penetration of autonomous vehicles into the fleet will take a significant amount of time. Only about 8 per cent of the vehicle fleet changes over in any given year, and the average vehicle on the road today in Canada is over 10 years. With both the durability of existing vehicles and how the technology flows in, they’re not suddenly all going to be autonomous vehicles 10 years from now.
I view my personal mobility as very important and driving is still a pleasure, so I’m sure there are folks like me and there will continue to be a market for people who want to drive. As long as there’s a market for those vehicles, we will want to supply it.
[Translation]
Senator Boisvenu: I am looking at the technologies embedded in our cars. Mine has warnings all around. If I pass someone, I get a warning. If I touch a white line, the steering wheel vibrates. Driving a vehicle, whatever kind, is a century-old practice for humans. We will no longer need our reflexes to drive our cars.
So I am repeating my question. In situations of total dependence, will there be alternate means that will allow humans to continue their journey? If I buy a car tomorrow and it breaks down because of the computer system, will I get stuck or will there be mechanisms in the car that will ensure that I can drive it without having to depend on the computer system?
[English]
Mr. Smith: There are several levels of automation. A vehicle that is a low level of automation, level 2 or below, if it has a system fail, may well be able to continue. It will depend on whether it involves critical safety systems. If it did have a failure of that sort of system, the vehicle would probably disable itself. But electronic failures are relatively uncommon.
With higher levels of automation, the vehicle we intend to come to market within a 2021 time frame has no steering wheel, no brakes and no gas pedal, so you would start it, in essence, launch it, more like launching your phone or your computer at the start of the day. Then you probably have to put a destination or tell it where to go or whatever, but it would take over.
I want to come back to something. Statistics say that the vast majority of fatalities come from operator error of one form or another. Some of it’s distraction, some of it’s substance and some of it’s speed. There are all sorts of things, but it’s a very high percentage. That is a safety opportunity with lives to be saved.
There is a net safety benefit to the technologies that are regulated on vehicles today. Transport Canada has been able to say we will save “X” number of lives with this technology. That’s why it has come forward. Some of the newer technologies haven’t quite hit the threshold where that’s demonstrated yet, but certainly insurers are taking note and pushing. In the U.S., there’s a voluntary agreement on automated emergency braking. We’ll see what Canada does.
There is a benefit to these technologies. It’s pretty clear the vehicle-to-vehicle technology, if it becomes regulated, DSRC will be coming on to vehicles because there’s a net safety benefit where the system says to the vehicle you’re not doing something you need to do to be safe, and it will either signal or intervene. So you can see how vehicle-to-vehicle technology could work. I’ve seen these sorts of displays.
A vehicle is dead in the road and a vehicle is between you and that dead vehicle. DSRC would say there’s a dead vehicle up there and tell the vehicle to slow down or stop to avoid the collision. That’s an intervention where the technology has stepped in and prevented a serious consequence. That is, in fact, the kind of opportunity we’re facing, and that’s a relatively low level of automation. The further you automate, the bigger the opportunity.
The Chair: Colleagues, I would like to thank Mr. Smith for his participation today.
Honourable senators, for our meeting tomorrow, which will be our last meeting of the session, we will hear from the representatives of the Intelligent Transportation Systems Society of Canada.
(The committee adjourned.)