“What did I learn in researching the privacy and security of 25 of the top car brands in the world? Modern cars are a privacy nightmare and it seems that the Fords, Audis, and Toyotas of the world have shifted their focus from selling cars to selling data.” Think about that statement from Misha Rykov, a researcher for the Mozilla Privacy Not Included initiative. How bad is it? Read on.
Jeff Bezos was one of the first to realize that enormous profits could be made from selling customer data. Some people think Amazon started as an online bookseller. Wrong. When the company was just a gleam in Bezos’ eye, the main focus was to vacuum up all the data available from what people searched for and ordered on Amazon’s website and sell it to marketing firms.
Google, Facebook, and a host of other companies do much the same thing. Cellphone data is routinely collected and sold. There’s money to be made from mining all that data. That’s why when your spouse searches for a new pair of tennis shoes, that fact is noted by data centers all over the world. Since the digital world knows you and your spouse are affiliated, suddenly ads for Adidas, Nike, New Balance, and others start popping up in the margins of whatever you are reading online.
A Computer On Wheels
Tesla started the trend when it stuck a large touchscreen into the interior of the Model S in 2011. Suddenly, the phrase “computer on wheels” became popular as drivers became bedazzled with the idea of a car that was also a computer. Or was it the other way around?
Mozilla recently did a deep dive into the data collection and privacy protections offered by 25 car companies to their customers. All of them failed, some more spectacularly than others. Here’s what the Mozilla researchers found.
- All of them collect too much personal data — Mozilla reviewed 25 car brands during the course of its research and handed out 25 “dings” for how those companies collect and use data and personal information. Every car brand it looked at collected more personal data than necessary and used that information for a reason other than to operate a vehicle and manage its relationship with the driver.
- Car companies have so many more data collecting opportunities than other products and apps we use — more than even smart devices in our homes or the cellphones we take wherever we go. They can collect personal information from how you interact with your car, the connected services you use in your car, the car’s app (which provides a gateway to information on your phone) and gather even more information about you from third party sources like Sirius XM or Google Maps.
- They can collect intimate information about you — from your medical information, your genetic information, to your “sex life” (seriously), to how fast you drive, where you drive, and what songs you play in your car — in huge quantities. They then use it to invent more data about you through “inferences” about things like your intelligence, abilities, and interests.
- Most (84%) share or sell your data — It’s bad enough for the behemoth corporations that own the car brands to have all that personal information in their possession, to use for their own research, marketing, or the ultra-vague “business purposes.” But then, most (84%) of the car brands Mozilla researched said they can share your personal data — with service providers, data brokers, and other businesses you know little or nothing about. Worse, nineteen (76%) say they can sell your personal data.
- A surprising number (56%) also said they can share your information with the government or law enforcement in response to a “request.” Not a court order but something as easy as an “informal request.” Car companies’ willingness to share your data has the potential to cause real harm and inspire cars and privacy nightmares.
- Keep in mind that we only know what companies do with personal data because of the privacy laws that make it illegal not to disclose that information like the California Consumer Privacy Act. So-called anonymized and aggregated data can be shared with vehicle data hubs and others. So while you are driving from A to B, you’re also funding a car maker’s thriving side hustle in the data collection business.
- Most (92%) give drivers little to no control over their personal data — All but two of the 25 car brands Mozilla reviewed earned a “ding” for data control. Only two car brands, Renault and Dacia, said that all drivers have the right to have their personal data deleted. But those brands operate primarily in Europe which has a robust General Data Protection Regulation privacy law. In other words, car brands often do whatever they can legally get away with to your personal data.
- Mozilla couldn’t confirm whether any of car companies met its Minimum Security Standards — Dating apps and sex toy manufacturers publish more detailed security information than automakers do. Even though the car brands Mozilla researched had several long winded privacy policies (Toyota wins with 12), it could not confirm that any of the brands meet its Minimum Security Standards.
Mozilla Privacy Findings
Mozilla says its main concern is that it can’t tell whether any of the car companies it contacted encrypt all of the personal information stored in the onboard computers installed in the cars they manufacture. The company reached out by email to ask for clarity, but most of the car companies completely ignored its requests. Those who did respond — Mercedes-Benz, Honda, and Ford — still didn’t completely answer the most basic security questions.
Mozilla says when it first started looking into cars and privacy, only one thing was clear — it’s complicated even to the car markers themselves. In response to a standard set of privacy and security questions, Mercedes Benz told Mozilla it wasn’t possible to give “universal answers.” With all the data being collected by vehicles, apps, connected services, and more, not even the companies themselves fully understand the monster they have created.
Mozilla On Informed Consent
Most manufacturers have lengthy data collection consent procedures and assume drivers consent to them simply by electing to drive the car. The Nissan policy is nearly 10,000 words long and makes drivers “promise to educate and inform all users and occupants of your Vehicle about the Services and System features and limitations, the terms of the Agreement, including terms concerning data collection and use and privacy, and the Nissan Privacy Policy.”
The Tesla opt-out policy is simply bizarre. “If you no longer wish for us to collect vehicle data or any other data from your Tesla vehicle, please contact us to deactivate connectivity. Please note, certain advanced features such as over the air updates, remote services, and interactivity with mobile applications and in-car features such as location search, Internet radio, voice commands, and web browser functionality rely on such connectivity. If you choose to opt out of vehicle data collection (with the exception of in-car Data Sharing preferences), we will not be able to know or notify you of issues applicable to your vehicle in real time. This may result in your vehicle suffering from reduced functionality, serious damage, or inoperability.”
The Takeaway
I am watching a series on TV at the moment in which a thief only steals cars with cassette players so he can listen to his favorite music while he drives. Frankly, if you want to drive an automobile that won’t collect your personal data, you may need to limit your search to cars that are at least 30 years old.
We voluntarily submit to so many intrusions into our privacy because it is convenient to do so. I have friends with Google Assistant or Alexa installed in their homes who look at me like I just hoovered down from Mars when I suggest those devices are listening to, recording, and dissecting every word that gets said in their house all day every day. They think I’m kidding.
Some states now are making it a felony to drive out of state to seek certain medical services. All they have to do is contact the manufacturer of your vehicle and make a “request” to find out exactly where you went and when. If you are a woman of child-bearing age, you might want to drive a 1986 Town Car instead of anything manufactured this century.
We complain endlessly about government intrusion, and yet we voluntarily make it exceptionally easy for governments to intrude for any good reason or even no reason at all into our private lives. And we are supremely comfortable with that. Why that would be is a great mystery.
Car companies see data collection as a multi-million dollar post-sale business opportunity. Is there anything you can do to protect your privacy? Sure, disable apps, don’t use Google Maps, and only buy new cars from companies which can explain their data collection policies in clear, easy to understand language. Good luck with that!
I don’t like paywalls. You don’t like paywalls. Who likes paywalls? Here at CleanTechnica, we implemented a limited paywall for a while, but it always felt wrong — and it was always tough to decide what we should put behind there. In theory, your most exclusive and best content goes behind a paywall. But then fewer people read it! We just don’t like paywalls, and so we’ve decided to ditch ours. Unfortunately, the media business is still a tough, cut-throat business with tiny margins. It’s a never-ending Olympic challenge to stay above water or even perhaps — gasp — grow. So …
