
A recent report produced by the Mozilla Foundation has uncovered a few eyebrow-raising issues regarding the amount of data collected by modern vehicles.
The team of researchers at Mozilla studied the T’s & C’s of 25 different makes of vehicles including those from Fiat, Jeep, BMW, Chrysler, Volkswagen, Ford, Toyota, Audi, Mercedes, and Tesla, to name just a few.
A full, detailed breakdown of each car manufacturer and the data it collects can be seen here.
The worst category of products for privacy
The findings of their research have led the team to label vehicles “the official worst category of products for privacy that we have ever reviewed.”
The various reasons given for this label are:
- They collect too much personal data (all of them)
- Most (84%) share or sell your data
- Most (92%) give drivers little to no control over their personal data
- We couldn’t confirm whether any of them meet our Minimum Security Standards
With regard to personal data collection, every car brand looked at collects more personal data than necessary and uses that information for a reason other than to operate your vehicle and manage their relationship with you.
For context, only 63% of the mental health apps (another product category that stinks at privacy) reviewed this year achieved the same accolade.
A multitude of data points
The report goes on to say that car companies have so many more data-collecting opportunities than other products and apps we use — more than even smart devices in our homes or the cell phones we take wherever we go.
Vehicles can collect personal information from how you interact with your car, the connected services you use in your car, and the car’s app (which provides a gateway to information on your phone), and can gather even more information about you from third-party sources like Sirius XM or Google Maps.
The report states that the way in which cars and their manufacturers collect and share data was so complex that the team had to do a separate write-up on that piece alone. That write-up can be seen here, but a huge takeaway from it is expressed in this quote:
Cars’ new bells and whistles mean the potential for more data-collecting sensors, cameras, and microphones. But unlike with apps or smart home devices, most drivers aren’t even aware this data is being collected — let alone have the power to turn it off.
MISHA RYKOV, RESEARCHER @ *PRIVACY NOT INCLUDED
In this second write-up, the researchers detail a huge list of data which a car can collect about its driver/owner, including (as in the case of Nissan) your sexual orientation and sexual activity. See here for the full Nissan privacy policy.

Honda states in its privacy policy that it collects “personal data as described in Cal. Civ. Code 1798.80(e)”, which reads as follows:
(e) “Personal information” means any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. “Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
That is basically anything they want to collect.
Assumptions through inference
Twenty-two of the car brands (88%) mentioned creating inferences (assumptions) about you based on other data. And nine of those companies (39%) said specifically that they might sell them to third parties.
For example, consider which “title,” “artist,” and “genre” you listen to in your car. Whether you listen to Christian rock, show tunes, or The Joe Rogan Experience podcast on your way to work might not say that much about you… but, when you combine that data with where you work (“employment information”) and all the places you go (“route history”), your track list can probably help fill in some blanks about your “preferences.”
Sharing is caring profit?
The report goes on to talk about the sharing of data by car manufacturers, and mentions the use of deliberately vague language.
The privacy policies reviewed by the team usually only listed the categories of businesses they share with, like “service providers.” When they did name companies, the privacy policies often used more qualifying language like “such as,” “etc.,” “and others,” or “or similar” to make it clear that they’re only sharing a sample. Other times, the privacy policies only said that data would be shared or sold without saying to whom.
After over 600 hours of research, the writers were confused about who car companies are sharing data with and selling it to, but they did have a good idea about why they’re doing it.
Data is a valuable business asset to these companies. And cars can collect more and more detailed personal data than almost any other device or company can. So of course car companies are keen to cash in on that.
Nineteen (76%) of the car companies looked at say they can sell your personal data.
But it’s all above board because it is stated that they will do it in their privacy policy – you know, that one you read, understood, and agreed to when you bought the car – right?
The data is secure though – yes?
Well, the answer to that I think you already know… but just in case you were wondering, the answer is NO!
According to the report, dating apps and sex toys publish more detailed security information than cars.
Even though the car brands researched each had several long-winded privacy policies (Toyota wins with 12), the researchers couldn’t find confirmation that any of the brands meet Mozilla’s Minimum Security Standards.
The main concern is that it’s impossible to tell whether any of the cars encrypt all of the personal information that sits on the car.
The researchers reached out by email to ask for clarity, but most of the car companies completely ignored them. Those who responded (Mercedes-Benz, Honda, and technically Ford) still didn’t completely answer the researchers’ basic security questions.
With regard to the security of data once in the hands of the car manufacturers, well, history tells us that it isn’t always as secure as we would like it to be:
- Volkswagen and its daughter company Audi suffered a data breach affecting 3.3 million users.
- Toyota leaked data of 2.15M users over 10 years between 2013 and 2023.
- In June 2022 Mercedes-Benz disclosed a data leak on the part of a third-party vendor that exposed the personal information of up to 1.6 million prospective and actual customers, including names, street addresses, email addresses and phone numbers.
In the report, the team produces a list showing which manufacturers fail a number of tests. These tests include Data use, Data control, Track record, Security, and AI.
So who came out top?
The companies with the fewest bad marks in these test categories were Renault and Dacia, with only 2 bad marks against their names, in the categories of Data use and Security.
BMW, Subaru, Fiat, Jeep, Chrysler and Dodge each had 3 hits (Data use, Data control, and Security).
VW, Toyota, Lexus, Ford, Lincoln, Audi, Mercedes-Benz, Honda, Acura, Kia, Chevrolet, Buick, GMC, Cadillac, Hyundai, and Nissan all had five strikes.
Only one company, Tesla, had strikes in all five categories, which was not a surprise, as they were the only company with an AI policy. However, as AI becomes more prevalent in the car market, expect this to be a strike against most, if not all, other companies.
And you thought Google was bad!