Carmakers are failing the privacy test

A recent study reveals that many leading automobile manufacturers acknowledge the possibility of selling your personal data, although they remain unclear about potential buyers. Furthermore, half of them indicate a willingness to share this data with government or law enforcement entities even in the absence of a court order.

The proliferation of sensors in cars, including telematics and fully digital control systems, has turned them into significant data collection hubs. Nevertheless, the nonprofit Mozilla Foundation’s recent “Privacy Not Included” survey reveals that drivers have limited control or oversight over the personal data collected by their vehicles. This lack of control is a cause for concern, particularly given the vague security standards and automakers’ past susceptibility to cyberattacks.

“Automobiles have seemingly escaped significant privacy scrutiny, and we aim to address this issue because the situation is genuinely concerning,” noted Jen Caltrider, the research lead for the study. “Cars are equipped with microphones where individuals engage in sensitive conversations, and they feature cameras oriented both inside and outside the vehicle.”

“Unless consumers choose a pre-digital, used model, they find themselves with limited choices,” Caltrider pointed out.

Among the various product categories examined by Mozilla since 2017, including fitness trackers, reproductive-health apps, smart speakers, and connected home appliances, cars received the lowest privacy score.

Out of the 25 car brands whose privacy notices were assessed, all of which were selected for their popularity in Europe and North America, none managed to meet Mozilla’s minimum privacy standards. In contrast, 37% of the mental health apps reviewed by the non-profit this year were able to meet these standards. Mozilla, known for promoting open-source technologies in the public interest and maintaining the Firefox browser, conducted the assessment.

According to their privacy notices, nineteen automakers acknowledge the potential sale of your personal data. Half of them are willing to share your information with government or law enforcement upon a “request,” without the necessity of a court order. Remarkably, only two automakers, Renault and Dacia (not available in North America), provide drivers with the choice to have their data deleted.

Car manufacturers are rather ambiguous when it comes to revealing the recipients of the data they collect. However, researchers strongly suspect that these recipients encompass data brokers, marketers, and dealers. Additionally, partners associated with installed products and services, such as SiriusXM, Google Maps, and OnStar, are actively accumulating data as well.

Albert Fox Cahn, a technology and human rights fellow at Harvard’s Carr Center for Human Rights Policy, stated:

“In essence, most cars are becoming mobile wiretaps. The electronic systems that drivers invest considerable sums in are gathering an ever-increasing amount of information about them and their passengers.”

He further noted:

“Turning a vehicle into a corporate surveillance area is distinctly invasive.”

However, the Alliance for Automotive Innovation, a trade association representing the majority of car and light truck manufacturers in the United States, disagreed with this description. In a letter sent on Tuesday to the leaders of the U.S. House and Senate, the group stated that it shares the objective of safeguarding consumer privacy.

The Alliance for Automotive Innovation urged the implementation of a federal privacy law, emphasizing that the current array of state privacy regulations causes confusion among consumers regarding their privacy rights and presents unnecessary compliance challenges. The absence of a unified law allows connected devices and smartphones to accumulate data for personalized advertising and other marketing purposes. Additionally, it increases the risk of significant data breaches due to cybersecurity vulnerabilities.

The Associated Press inquired whether the Alliance for Automotive Innovation, which has been reluctant to grant car owners and independent repair shops access to onboard data, supports permitting car buyers to automatically opt out of data collection and offering them the choice to delete the collected data. In response, spokesperson Brian Weiss expressed concerns about allowing customers to entirely opt out due to safety reasons. However, the group does advocate for providing customers with increased control over how the data is utilized in marketing and by third parties.

According to a 2020 Pew Research survey, 52% of Americans reported refraining from using a product or service due to concerns about the extent of personal information it would gather about them.

In terms of security, Mozilla’s minimum standards entail encrypting all personal data stored in a car. The researchers noted that the majority of car manufacturers either ignored their inquiries on this issue or provided partial and unsatisfactory responses when they did respond.

Nissan, a Japanese automaker, impressed researchers with its remarkable transparency and comprehensive breakdown of data collection in its privacy notice. This transparency stands in stark contrast to major tech giants like Facebook or Google. The data categorized as “sensitive personal information” includes driver’s license numbers, immigration status, race, sexual orientation, and health diagnoses.

Additionally, Nissan indicates that it has the capability to share “inferences” derived from the data, which are used to establish profiles that encompass the consumer’s preferences, attributes, psychological patterns, predispositions, behavior, attitudes, intelligence, capabilities, and aptitudes. Notably, it was one of six car manufacturers that acknowledged their capacity to gather “genetic information” or “genetic characteristics,” as reported by the researchers.

Nissan also indicated that it gathered data related to “sexual activity,” without specifying the methods employed for such data collection.

Meanwhile, the all-electric Tesla brand received a high rating on Mozilla’s “creepiness” index. According to Tesla’s privacy notice, if an owner chooses to opt out of data collection, the company may not be able to provide real-time notifications to drivers regarding potential issues that could lead to “reduced functionality, serious damage, or inoperability.”

Tesla did not provide responses to inquiries regarding its data practices.

Nissan, on the other hand, issued a statement emphasizing its commitment to the privacy and data protection of both consumers and employees. The statement affirmed that when collecting or sharing personal data, Nissan adheres to all relevant legal requirements and maintains a high level of transparency.

Caltrider from Mozilla acknowledged that regulations such as the European Union’s General Data Protection Regulation, spanning 27 nations, and California’s Consumer Privacy Act have played a significant role in compelling car manufacturers to disclose details about their existing data collection practices.

She noted that it’s a beginning, as it raises awareness among consumers, similar to what happened in the 2010s when consumer backlash led TV manufacturers to provide more options for surveillance-light connected displays.