September 11, 2023

Cars: The Next Data Privacy Battleground


Don’t look now, but your car may be spying on you. Unless you drive a pre-digital model, your car’s maker is likely collecting all kinds of data about you, including your race, your driver’s license numbers, how fast you drive, what music you listen to, and even your sexual habits, according to a new report from Mozilla.

Mozilla’s September 6 study, “*Privacy Not Included,” details the organization’s investigation into 25 car brands and their data collection practices. A simple reading of the carmakers’ data privacy policies shows that they failed to meet even minimum standards, Mozilla says. According to the report, carmakers collect, aggregate, share, and sell consumers’ data, and there’s not much car owners can do about it.

“While we worried that our doorbells and watches that connect to the internet might be spying on us, car brands quietly entered the data business by turning their vehicles into powerful data-gobbling machines,” write Mozilla authors Jen Caltrider, Misha Ryvok, and Zoë MacDonald.

In addition to collecting very large amounts of data, 84% of the carmakers Mozilla researched reserve the right to share drivers’ personal data with service providers, data brokers, and other businesses. And Mozilla says 76% of the carmakers will sell drivers’ data, according to the privacy policies, which few drivers actually read.

In addition to data gathered directly by the car, the manufacturers are also gathering data from other apps, including phones that drivers connect to their cars.


“They can collect personal information from how you interact with your car, the connected services you use in your car, the car’s app (which provides a gateway to information on your phone), and can gather even more information about you from third party sources like Sirius XM or Google Maps,” Mozilla writes. “It’s a mess.”

What’s more, robust data analytics programs also allow carmakers to infer all kinds of additional information about drivers, the Mozilla authors write.

“Nissan says they can collect information about your ‘sexual activity’ and ‘intelligence’ (which they apparently infer from your personal data) and can share that information with ‘marketing and promotional partners’ or for their own ‘direct marketing purposes,’” the authors write.

Thought your genetic information was safe? Not when you’re riding in a General Motors vehicle, according to Mozilla, which reports that “Cadillac, GMC, Buick, and Chevrolet say in their California Privacy Statement that they can collect (among so many other things) your ‘genetic, physiological, behavioral, and biological characteristics.’” Kia and Nissan make similar claims about genetic information (which almost certainly is phenotype data, or characteristics, and not actual genotype data, or your genetic code).

It’s bad enough that carmakers are gathering so much sensitive data without the consent of drivers, and are selling this data to data brokers, which would seem to be massive data privacy violations. To make matters worse, the carmakers have questionable security practices, putting all that sensitive data at risk of being hacked by cybercriminals, says Mozilla, which adds that there’s no way to tell if automakers are even encrypting the data.

“It’s a scary thought to think the data your car collects and the data your phone shares with your car could be sitting unprotected on your car. Especially since even encryption is no silver bullet for keeping data safe,” the authors write. “In fact, most (68%!) of the car companies earned our ‘bad track record’ ding for failing to protect their users’ privacy with a leak, breach, or hack in the past three years–from sources that should have been better protected.”


What about the government? American law enforcement organizations can get your personal data just by asking for it; they don’t even need a warrant, Mozilla says. “At least fourteen (56%) of the car brands’ own privacy policies say they can voluntarily share your personal data with law enforcement or the government in response to a ‘request,’” it says.

The situation is different in Europe, where laws like GDPR give consumers some control over their data. Mozilla credits Renault and Dacia, owned by the same company, for at least giving customers the option to have their data deleted.

Other things that drew concern include Volkswagen’s “Car-Net” feature, which keeps track of who’s driving with boundary and curfew alerts. There’s also BMW’s digital key, which lets users share their car keys by text.

A Ford patent on automated repossession drew the attention of the Mozilla authors. If a car owner were to miss too many payments, Ford may take steps up to and including having “your car driving itself to an impound lot.” Before taking that step, however, the automaker could take certain steps to increase the “level of discomfort” by doing things like turning off the car’s infotainment system or air conditioning.

Those sorts of activities could make a driver angry, which is why Ford states that it will take video recordings of the whole ordeal. But it gets better.

“The cameras’ images could also be used to determine whether you’re trying to ‘block repossession,’ and decide whether the car should ‘transmit a complaint to the computer associated with the police authority,’” Mozilla writes. “Congrats, Ford! Your imagination is better than ours at dreaming up privacy nightmares.”

Mozilla started a petition to respect drivers’ privacy and stop collecting, sharing, and selling personal data. You can find out more here.
