A Privacy Nightmare on Wheels
- September 15, 2023
- Clayton Rice, K.C.
Modern automobiles are prodigious datavores. But owners have little control over the personal information their vehicles collect, and many manufacturers share it with government or law enforcement for the asking. No longer designed simply for transportation, the automobile has been transformed into a corporate surveillance machine. Long gone is the freedom associated with a blue sky and the open road. And a new report by the Mozilla Foundation has shown just how bad it is.
On September 6, 2023, the Mozilla Foundation, a nonprofit organization based in Mountain View, California, published a report titled It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy. (here) The findings of researchers Jen Caltrider, Misha Rykov and Zoë MacDonald heighten the concern that as cars become increasingly connected to each other and the internet, they have developed into generators that provide manufacturers with customer data that can be sold and shared without the explicit consent of the owners. The report found that all twenty-five car brands reviewed collect too much personal data and all except two, Renault and Dacia, give drivers little or no ability to control their data. “Cars is the first category we’ve reviewed where every product earned our *Privacy Not Included warning label,” Mozilla spokesman Kevin Zawacki told The Washington Post. (here)
2. The Mozilla Report
The report begins with six words – modern cars are a privacy nightmare. It is well known that manufacturers describe their cars as “computers on wheels” but “the conversation about what driving a computer means for its occupants’ privacy hasn’t really caught up.” The researchers then asked two questions. Why are cars we researched so bad at privacy? And how did they fall so far below our standards? Before giving you a summary of the analysis in the report, I will give you the twenty-five manufacturers in alphabetical order: Acura, Audi, BMW, Buick, Cadillac, Chevrolet, Chrysler, Dacia, Dodge, Fiat, Ford, GMC, Honda, Hyundai, Jeep, Kia, Lexus, Lincoln, Mercedes-Benz, Nissan, Renault, Subaru, Tesla, Toyota and Volkswagen. Here is a summary of the ways these manufacturers failed the privacy test.
- Too Much Personal Data Is Collected. Every car brand reviewed collects more personal data than necessary and uses that information for a reason other than to operate your vehicle and manage their relationship with you. And car companies have more data collecting opportunities than other products and apps – more than smart devices in the home or cell phones. They can collect personal information from how you interact with your car, the connected services you use in your car, the car’s app (which provides a gateway to information on your phone) and additional information from third party sources like Sirius XM or Google Maps. “The gist is: they can collect super intimate information about you – from your medical information, your genetic information, to your ‘sex life’ (seriously), to how fast you drive, where you drive, and what songs you play in your car – in huge quantities.” This data is then used to draw inferences about you bearing on your intelligence, abilities and interests.
- Most Share or Sell Your Data. Most of the car brands (84%) say they can share your personal data with service providers and data brokers. Nineteen brands (76%) say they can sell your personal data. And a “surprising number” (56%) say they can share your information with government and law enforcement in response to a “request”. As the authors wryly observed, “[a] 2023 rewrite of Thelma & Louise would have the ladies in custody before you’ve had a chance to make a dent in your popcorn.”
- Drivers Have Little or No Control Over Their Data. Only two brands, Dacia and Renault, say that all drivers have the right to have their personal data deleted. The authors emphasized that it is “probably no coincidence” that these cars are only available in Europe, which is protected by the General Data Protection Regulation (GDPR).
- Minimum Security Standards. The researchers could not confirm whether any of the brands met their minimum security standards. “Our main concern is that we can’t tell whether any of the cars encrypt all of the personal information that sits on the car,” they said. A failure to properly address cybersecurity might explain their embarrassing security track records. A total of seventeen brands (68%) had a “bad track record” for leaks, hacks and breaches that threatened their drivers’ privacy. The report includes a guide to help consumers understand what questions to ask and what answers they should expect before buying a connected tech product. (here)
It is unduly burdensome to expect consumers to plough through pages of techno-legalese in the privacy policies of manufacturers only to come away in a dizzying state of blurred vision. Here are some findings about three specific manufacturers emphasized by the research team.
- Tesla. Tesla is only the second product reviewed by the researchers that received a negative rating in all categories. The first was an AI ChatBot reviewed earlier this year. Tesla’s AI-powered autopilot has been “reportedly involved in 17 deaths and 736 crashes and is currently the subject of multiple government investigations.”
- Nissan. Nissan ranked twenty-fourth for collecting some of the “creepiest categories” of data. Nissan’s policy includes the collection of “sexual activity”. Kia also mentions the collection of information about the “sex life” of users. And six companies said they can collect “genetic information” or “genetic characteristics”. As the authors said, “reading car privacy policies is a scary endeavor.”
- Hyundai. The researchers found that none of the companies use language that meets Mozilla’s privacy standard about sharing information with government and law enforcement. (here) Hyundai, in particular, will comply with “lawful requests, whether formal or informal.”
Except for Tesla, Renault and Dacia, all the manufacturers had signed on to the list of Consumer Protection Principles published by the U.S. automotive industry group Alliance for Automotive Innovation, Inc. (here) The list of principles includes privacy enhancing practices such as data minimization, transparency and choice. But, the report concluded, none of the manufacturers follow these principles. And unlike home gadgets such as voice assistants, very few consumers have the freedom to opt out and not own a car. Consent, then, is an illusion. Here is Tesla’s Customer Privacy Notice on opting out of vehicle data: “[I]f you no longer wish for us to collect vehicle data or any other data from your Tesla vehicle, please contact us to deactivate connectivity. […] If you choose to opt out of vehicle data collection (with the exception of in-car Data Sharing preferences), we will not be able to know or notify you of issues applicable to your vehicle in real time. This may result in your vehicle suffering from reduced functionality, serious damage, or inoperability.” (here)
What, then, are car manufacturers thinking? That question was asked by the researchers while reviewing the privacy practices of the selected car brands. Why do car manufacturers want so much intimate data about their customers? And what do they intend to do with it? The answer may lie in how connectivity could be weaponized against the consumer. A recent patent application filed in the United States by Ford provides information about self-repossessing technology that would make use of the car’s connectivity to the carmaker, a lending institution, a repossession agency and a law enforcement agency. Ford described “a series of escalating torments” that could be inflicted on owners who missed car payments. An increasing level of discomfort – from disabling windows and air conditioning to the car playing annoying sounds – may motivate an owner to make payments. The car repossession process might begin with a reminder by text message and end with the vehicle driving itself to an impound lot.
The Mozilla report is not the first to draw attention to the vulnerable state of privacy and security in the automotive industry. Ars Technica has been covering car hacks for over a decade. Earlier this year Ars ran a piece by Jonathan Gitlin titled Hackers discover that vulnerabilities are rife in the auto industry published under the banner: When You Drive, You Ride With Hackers. (here) Mr. Gitlin recalled the infamous Jeep hacking incident in 2015 when researchers proved they could remotely disable a Jeep Cherokee while it was being driven. In a post to Ars last week about the Mozilla report, Mr. Gitlin said “[t]he poor state of digital security in the auto industry should come as no surprise”. (here) In 2019, the Faculty of Business and IT at Ontario Tech University in Oshawa, Ontario, published A Privacy Code Practice for the Connected Car. Although the Code does not have legal effect, it has been endorsed by the Privacy Commissioner of Canada as a meaningful exploration of the merits of specific data handling practices in the connected and automated vehicle sector. (here)
The Mozilla report is the latest in the “Privacy Not Included” series that the nonprofit began publishing in 2017. “The amount of data that these car companies blatantly said that they could collect was shocking,” Ms. Caltrider told POLITICO. “It’s like nobody ever challenged them or asked them questions about privacy, and so they just include everything.” (here) The report is another exposé on an industry that hoovers vast amounts of personal data by filming the interior and exterior of vehicles, intercepting private communications and tracking drivers by connected apps on smartphones. Where you go, how often, and how long it takes you to get there is all data collected by the manufacturer. “It’s not just about selling cars to make money anymore,” Ms. Caltrider said. “It’s about collecting data, and then using that data to make money.”