Since 2018, when the renowned cybersecurity expert Bruce Schneier tried (and failed) to buy a new car in the US that would come without an internet connection, I have worried about the personal data automakers will be collecting from our vehicles. It turns out that the situation in 2023 is already much worse than I could ever imagine. Mozilla has conducted extensive research on the data collection practices and privacy policies of major vehicle manufacturers, and the results are scary even for “I have nothing to hide” kind of people.
Tiny computers that control, for instance, ABS braking systems have been embedded in vehicles for a long time, but ABS has quietly been doing its job and hasn’t been telling anyone else about it. Today, modern vehicles have computers that are connected to the vehicle’s other computers, and the entire system is also connected via the internet to the manufacturer, and possibly to other organizations, like a government.
Should we be worried about the data our vehicles are constantly transmitting to manufacturers, and in some cases to other organizations? Mozilla’s Privacy Not Included research ranked cars as the worst product category they have ever reviewed for privacy. Yes, we should be concerned about our privacy and what cybercriminals can do with our sensitive data when they manage to hack into the databases that store the data.
Mozilla researched 25 European, Japanese, Korean and US car brands only to find out that they all suck from a privacy perspective. The key points are the following.
- All reviewed car brands collect plenty of personal data that doesn’t have anything to do with driving, safety, or vehicle maintenance.
- 84% of manufacturers share or sell the personal data that cars have automatically transmitted to the manufacturer’s databases. The most probable buyers are adtech businesses that use the data for marketing purposes, financial institutions, and even authorities.
- 92% of automakers grab data from vehicles without asking permission from drivers or car owners.
- Car manufacturers failed to explain how they protect the collected personal data from parties who may want to access the data without permission.
The research ranked reviewed car brands according to their privacy from bad to worst:
How does a modern car collect your data?
Open the doors of your car, open a window, sit down in the driver’s seat, turn the steering wheel, brake, step on the accelerator: you name it, and it is recorded. The functions that are required to drive a car are tracked by computers and transmitted to the manufacturer.
If you use the GPS functionality, entertainment center, or other features in the car, these events are tracked and stored.
Connect your mobile phone to the car dashboard, or download the app recommended by the manufacturer to your phone, and say goodbye to a big chunk of your privacy.
In addition, many car brands say they may collect data from other sources to complement the information they already have about you.
All in all, the research identified 164 pieces of data a manufacturer can collect about the car owner. Here is a list of the data they may save. Some manufacturers also admit they grab data about passengers of a car (a method to do this is to try to identify the phone of a passenger by its Wi-Fi or Bluetooth signal).
84% of car brands say that they share and may sell car owners’ data to other parties, like businesses and governments. It is practically impossible to know where the data goes once it has left a car and has been received by the manufacturer. Ad tech businesses are ready to pay for it, so this industry is a highly likely destination. Officials may also require a manufacturer to hand over data for one reason or another.
Can you do something to prevent data collection?
The GDPR legislation in Europe, and similar regulations in some other regions and states, haven’t been able to stop rampant data collection by car manufacturers (yet). At the moment, automakers specify in their lengthy, complex privacy policies that they will collect drivers’ data and share it. They believe everything is all right with it, and start tracking. Let’s hope that the EU, at least, can do something about this shady business practice.
An easy method to avoid some of the unnecessary data collection is not to connect a phone to the car, and not to install the manufacturer app on the phone.
Header photo by Krzysztof Hepner.