Auto manufacturers are not protecting consumer privacy while collecting driver data. The Mozilla Foundation’s recently released “Privacy Not Included” survey concluded that automakers sold or shared much of their consumers’ personal data, including highly sensitive data.
Most vehicle owners are unaware of the massive quantities of personal data gathered and transferred, who gathers it, or how it is used or sold. New cars today track drivers’ locations, preferences, and even everyday activities that have nothing to do with driving or driver safety.
All 25 auto companies included in the study received a privacy warning for gathering significant amounts of personal data without alerting drivers.
And car companies have so many more data-collecting opportunities than other products and apps we use — more than even smart devices in our homes or the cell phones we take wherever we go. They can collect personal information from how you interact with your car, the connected services you use in your car, the car’s app (which provides a gateway to information on your phone), and can gather even more information about you from third party sources like Sirius XM or Google Maps. It’s a mess.
Privacy is a growing concern among industry experts and consumers. Automobiles have more circuitry and software than in past decades, and they collect a lot of data. Buying an automobile today is surprising.
Vulnerabilities for drivers
Automakers have hyped automobile digitalization for years to encourage sales for the “convenience” of drivers.
“Car companies have been talking about their cars being ‘computers on wheels’ for years to sell their sophisticated features,” former Twitter security researcher Lukasz Olejnik states. “The discourse about what driving a computer implies for its occupants’ privacy hasn’t really caught up.”
California Privacy Protection Agency (CPPA) executive director Ashkan Soltani stated, “modern vehicles are effectively connected computers on wheels.”
Vehicles now connect drivers in even more ways than their phones or other digital devices.
“Built-in applications, sensors, and cameras can watch persons inside and near the car, collecting a plethora of data.”
Mozilla stated manufacturers collect “more personal data than necessary” for “a reason other than to operate your vehicle and manage their relationship with you.”
Twenty-one automobile brands, or 84%, indicated they may share personal data with service providers, data brokers, and other businesses, while 19 companies, or 76%, admitted to selling sensitive personal consumer data.
Excerpt from report:
They can collect super intimate information about you — from your medical information, your genetic information, to your “sex life” (seriously), to how fast you drive, where you drive, and what songs you play in your car — in huge quantities. They then use it to invent more data about you through “inferences” about things like your intelligence, abilities, and interests.
Shockingly, 14 car companies (56%) claimed they would disclose information to the government or law enforcement in response to an “informal request,” a low, and possibly illegal, standard because an “informal” request would likely be outside of an official search warrant.
About 92% of automakers give drivers minimal control over how their personal data is gathered or utilized.
Researchers found that automakers acquire “super intimate information” about drivers in “huge quantities.”
French multinational Renault and Dacia were the only brands in the research that allowed drivers the ability to remove their personal data due to tight EU privacy restrictions.
Mozilla researchers noted, “It’s probably no coincidence though that these cars are only available in Europe — which is protected by the robust General Data Protection Regulation (GDPR) privacy law.”
“In other words: car brands often do whatever they can legally get away with to your personal data,” the report said.
Failure to Secure Customer Data
The Mozilla Foundation also confessed they couldn’t determine if carmakers exceeded baseline security criteria. Researchers say corporations’ failure to encrypt personal data “might explain their frankly embarrassing security and privacy track records.”
The analysis found 17 organizations had a “bad track record” for leaks, hacks, and breaches.
Hacking is the top privacy worry, followed by auto thefts, break-ins, and bad actors taking control of car systems and interrupting services.
Driver data privacy breaches have accounted for 30% of all cybersecurity risks against manufacturers during the previous decade, according to Privacy4Cars.
The New York Post reported that Privacy4Cars founder and CEO Andrea Amico said car owners now face hackers “attracted by the increasing amount and value of data that companies in the broad auto ecosystem collect” and “regular bad people who will leverage these technologies to stalk, harass, defraud, steal, and harm people.”
USA Today stated that software faults allow hackers to get app identities and passwords to remotely unlock and start a car.
Criminals can also hack a vehicle’s telematics data to track a driver or use equipment to access the onboard diagnostic ports to copy and make new keys to steal a vehicle.
Toyota confirmed in May that a cloud data leak disclosed 2,150,000 drivers’ whereabouts between November 2013 and April 2023.
In addition to Nissan and Hyundai, those rounding out the worst six offenders were Chevrolet, Buick, GMC, and Cadillac.
Ford, Chrysler and Dodge were also rated poorly.
Nationwide Data Privacy Concern
Mozilla observed that automobile owners had poor privacy protection due to weak privacy regulations.
People don’t compare automobiles by privacy. The report cautioned against expecting them to.
“Even if you had the money and resources to compare car prices based on privacy, you wouldn’t find much difference. Because our study shows they’re all harmful!”
According to a July 31 press release, the CPPA will assess car manufacturers’ California driver privacy measures.
The first autonomous data protection authority in the nation, the state agency enforces California’s privacy laws.
A five-member board was created in November 2020 after voters adopted the California Privacy Rights Act of 2020, which strengthened privacy safeguards under the California Consumer Privacy Act of 2018.
The government will compel automobile makers to disclose how they collect user data, including location sharing, web-based entertainment, smartphone use, and cameras, to enforce state privacy rules.
Privacy4Cars’ Vehicle Privacy Report lets consumers verify their vehicle ID and see how much data their automobile collects.
The program educates car owners about who sells their location status and biometrics data, including voice, facial recognition, and fingerprint records.
Owners may also see if the government, service providers, insurers, or data brokers receive such information.
–Dwight Widaman and wire services