Continuous Collateral Privacy Risk Auditing of Evolving Autonomous Driving Software

Autonomous driving systems have a rich and diverse set of sensors and collect a tremendous amount of data during their operations. This has significant implications for individual privacy and induces a new type of potential privacy risks - collateral privacy risks. It is important for the public and the developer community to be aware of the collateral privacy risk posed by current autonomous driving software systems. We performed data privacy analysis for the Apollo project, an open-source autonomous driving software system. We applied source code-based privacy auditing techniques tailored for this particular problem and produced preliminary results, although there were unresolved open issues remaining. As we performed auditing, Apollo was upgraded from version 3.0 to 3.5 with significant under-the-hood technology changes. It was a challenge to perform the analysis as the underlying software evolves and maintain a result that is up-to-date. To address this challenge, we developed and deployed a continuous source code privacy risk analysis tool to assist in the process. In this paper, we discuss our experience and lessons learned from this industrial case study.