Data Security Assessment and Cross-Border Flow Risk Control: A Case Study of the Hivemapper Project

Recently, the Ministry of State Security issued a security alert, pointing out that some overseas mapping companies are enticing domestic personnel to illegally collect sensitive geographical spatial information data through virtual currency rewards. Some domestic individuals, due to weak security awareness, unknowingly became "accomplices" in the illegal data collection.

It is worth noting that the Hivemapper project in the DePIN field has developed rapidly in recent times. The project has mapped 91 million kilometers of road within just one year, covering 10% of the total global road mileage. Undoubtedly, the application of new technologies such as big data and blockchain has expanded the scope of geographic spatial information data collection, made navigation and positioning more precise, and facilitated travel. However, the risk of sensitive information data leakage has also increased.

This article will take Hivemapper as an example to analyze the data security risks that exist during its operation, and based on China's existing data security legal system, provide relevant companies with suggestions for data outbound security compliance.

The Operating Mechanism of Hivemapper

Hivemapper is a blockchain-based mapping network. Users can collect data by installing the Hivemapper dashcam and earn $HONEY tokens as rewards. The issuance and settlement of tokens occur on the Solana network. In this system, the dashcam acts as a "mining machine," interfacing with the Hivemapper application to upload street view image data. This project innovatively builds maps, allowing global users to collect images through dashcams to collaboratively complete the mapping of the world.

From the project name, Hivemapper( Hive Map) symbolizes the process of bees gathering nectar together to produce honey, while Hivemapper brings together a large number of users to share their results - a brand new and detailed world map.

The Hivemapper companion app supports Android and iOS systems and can connect to dash cams to transmit data. Users can earn HONEY by collecting data, and can also provide map image APIs, map functionality APIs, detect local changes, and offer customized services, providing real-time map data for autonomous driving, traffic condition detection, and more. Its main operating process includes:

1. Drive using a dashcam and map out the route
2. Participate in AI training games, train the map AI engine
3. Use Hivemapper Explorer to observe map development
4. Build maps and geography-related applications using APIs

The uniqueness of Hivemapper lies in its use of a large number of everyday drivers to collect street images, which is different from traditional mapping services that rely on expensive equipment and professionals. This model has the following advantages:

1. Low cost - Mapping is a byproduct of users' daily activities rather than a primary purpose, thus the cost of data acquisition is lower.

2. High update frequency - Due to the large user base, the same location can be drawn multiple times and frequently.

3. Better quality - Compared to traditional mapping services that update their data once every few years, Hivemapper can obtain more and updated image data.

In addition, participants in the Hivemapper community can earn HONEY token rewards just by adding value to the maps. The only way to access Hivemapper map data is by spending HONEY, so this token has real value. This "Drive to Earn" model allows users to earn rewards through their daily driving.

Hivemapper has minted 4 billion HONEY tokens as rewards. The specific amount minted each week is determined by global mapping progress, with 90% distributed to contributors and 10% used for network operations.

Data Security Risks Involved in the Hivemapper Project

In recent years, the emergence of smart vehicles, especially autonomous driving technology, has innovated transportation methods, improved road safety, enhanced passenger experience and driving efficiency, and closely integrated physical transportation with digital information, resulting in a large accumulation and sharing of data.

Hivemapper was born in this context. The core of the project lies in the borderless nature of automotive data acquisition and flow, allowing global users to collect images through dashcams to collaboratively build a world map. However, the cross-border flow of automotive data has also raised concerns about data security protection and regulation.

Taking Hivemapper as an example, the car data that may be collected during its operation includes but is not limited to the following categories:

1. Vehicle identification information: Vehicle Identification Number ( VIN ), license plate number, etc.
2. Geographic Location Information: GPS Coordinates, Driving Trajectory, etc.
3. Driving behavior data: acceleration, steering, braking, etc.
4. Environmental perception data: images, videos, LiDAR scans, etc.
5. In-vehicle system data: Records of in-vehicle entertainment system usage, etc.
6. Vehicle status data: fuel consumption, battery level, fault codes, etc.

The cross-border flow of this data may bring risks in both vertical and horizontal dimensions:

vertical risk

From a vertical perspective, the data cross-border flow security risks during the operation of the Hivemapper project involve multiple levels, including individuals, enterprises, and countries.

1. Personal information security risks. Automotive data contains a large amount of personally identifiable information, such as the driver's name, ID number, and other directly identifiable information, as well as indirectly identifiable information that can be associated with individuals. This also includes sensitive personal information such as location tracking and audio/video data, which, if leaked, could seriously harm personal rights.

2. Business development risks. Automotive data is crucial for companies to understand customer needs, provide personalized services, and explore new markets, often involving trade secrets that relate to the core competitiveness of the business. Cross-border data flows may lead to the leakage of trade secrets, affecting business development.

3. National security risks. Geospatial information data includes sensitive information such as transportation networks, important infrastructure, and military facilities. If leaked and analyzed, it will seriously threaten national security. The illegal collection and cross-border transmission of such data may violate multiple laws and regulations.

horizontal risk

From a horizontal perspective, the cross-border flow of data is usually a continuous and dynamic process involving multiple entities and links, with security risks permeating all stages:

1. Data collection phase. There may be risks such as unauthorized collection, unclear classification and grading, improper identification of sensitive data, lack of traceability, and insufficient security of collection terminals.

2. Data transmission and storage phase. There may be risks of data corruption, tampering, leakage, etc.

3. Data application stage. There may be risks such as core data being misused, privacy information being de-anonymized, and unauthorized access and modification.

Recommendations for Automotive Data Export Safety and Compliance

Currently, our country has formed a relatively complete system for the safe protection of data going abroad, which includes three pathways for the outbound transfer of personal information data: safety assessment, protection certification, and standard contracts. Based on this, the author proposes the following suggestions for relevant enterprises:

1. Develop a data classification and grading list to guide the security assessment of data going abroad.

Companies should develop a detailed data classification and grading table to provide a basis for the security assessment of data outbound. For automotive companies, this helps to seek a balance between compliance and business efficiency.

Personal information in automotive data should distinguish between ordinary and sensitive information. Important data includes six categories that may impact national security, public interest, or legal rights. Additionally, it should be identified whether it involves core national data.

Based on classification, enterprises should grade the data. They can refer to the five-level grading method in the Autonomous Driving Data Security White Paper to determine the protection level based on the subject of harm and the degree of harm. After completing the classification and grading, enterprises should establish corresponding outbound conditions.

2. Establish a data outbound security assessment mechanism

Automakers should establish a data outbound security assessment system, form assessment teams, and create internal assessment forms and other tools to prepare for the potential frequent occurrence of data outbound. The assessment system should consider necessity demonstration as an important part and plan for future data outbound situations.

3. Establish a risk self-assessment mechanism to dynamically monitor the risk of data going abroad.

Enterprises should establish a self-assessment mechanism for data export risks, regularly evaluate risks, and make timely corrections. At the same time, they should pay attention to regulatory trends and respond quickly to new compliance requirements.

In addition, the legal and policy environment assessment of the location of the foreign recipient is also very important. Enterprises should require the foreign party to provide necessary information, fulfill contractual obligations, and cooperate with data security assessments.