Modern vehicles have become connected computers on wheels, but all that connectivity comes at a huge cost to user privacy. A recent report from Mozilla Foundation reveal just how much personal data cars are collecting and sharing without consent.
Cars Earn Top Spot as Worst Product Category for Privacy
In September 2023, Mozilla Foundation released the results of their research reviewing the privacy practices of 25 major car brands. In a report titled "It's Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy", they declared cars to be far and away the worst offenders when it comes to respecting user privacy. Mozilla said:
Excessive Data Collection
The first major problem was that all 25 car brands collected far more personal data than necessary. As Mozilla explained:
Cars have access to immense amounts of sensitive data through their sensors, microphones, cameras and connectivity to driver phones. Some of the most concerning types of data collected included medical records, genetic data, sexual activity and even inferred characteristics like intelligence and personality traits.
Unfettered Sharing of Personal Info
Mozilla also found that the majority of car brands they analyzed freely shared driver data with third parties. A shocking 84% admitted to sharing data with other companies, while 76% said they may sell personal info outright. Even more alarming, 56% claimed the right to hand over driver data to law enforcement with only an "informal request".
Little to No Driver Control
Most cars, 92% to be exact, provided drivers with little to no means to control how their personal information is used. Only Renault and Dacia, (which are owned by the same parent company), said all drivers could request deletion of their data - likely due to stronger EU privacy laws. Otherwise, users had virtually no oversight or options to opt-out of extensive data collection programs.
Questionable Security Practices
Finally, Mozilla was unable to confirm any car brand met even their most basic security standards due to a lack of transparency. The research found a history of data breaches and leaks affecting millions of drivers, calling into question how securely personal info was protected. 17 of the brands had track records of data breaches, leaks or hacks that threatened driver privacy over the past 3 years.
Clearly, the privacy issues uncovered were far-reaching and fundamental flaws in how automakers approach user data. But what exactly does all this mean for drivers, and how can they help protect themselves?
What Data is Collected, and Where Does it Go?
To better understand the privacy threats posed, it's important to grasp exactly what types of sensitive user data cars are harvesting massive troves of. In their report "What Data Does My Car Collect About Me and Where Does It Go?", Mozilla breaks down the various sources and kinds of intimate user information automakers are privy to:
In-Vehicle Sensors & Systems
Onboard diagnostics ports, microphones, cameras, Bluetooth connections and infotainment systems all feed vast streams of data to manufacturers. Beyond basic location tracking from GPS, they record:
- Driving habits like speed, braking, turning
- Conversation audio inside the vehicle
- Biometric data from cameras monitoring drivers
- Health & fitness info if linked to wearables
Connected Services & Mobile Apps
Systems that link cars to driver phones via apps drastically expand the scope of collected info. Some automakers desire:
- Call logs, contacts, photos
- Calendar events & scheduled meetings
- Credit card transactions and payment info
- Questions asked virtual assistants
External Data Sources
Manufacturers also partner with third parties to supplement vehicle records with even more personal files. This includes:
- Medical records and insurance claims history
- Shopping preferences and product reviews
- Genetic test results and other sensitive medical data
Beyond direct collection, automakers "infer" additional insights about drivers through analysis of all this aggregated information over time. The real-world implications of carmakers amassing these extensive dossiers on individuals are concerning, to say the least.
Privacy Nightmares: Where Your Data Ends Up
With such enormous troves of sensitive user data in their hands, it's reasonable for drivers to worry about just how automakers utilize and potentially misuse or expose this information. Those fears were further validated by Mozilla's analysis of what automakers disclose about their data practices in privacy policies and terms of use.
Automakers also maintain data-sharing partnerships with entities like vehicle data hubs - described as "the data brokers of the auto industry". These middlemen profiles further monetize and redistribute driver information across countless downstream users.
As if all this wasn't alarming enough, Mozilla found language in some carmaker policies even absolving themselves of responsibility for any misuse of personal data by third parties they provided it to. The potential privacy threats of automakers unrestrained data-fishing are clear.
Consent is an Illusion
A key factor allowing automakers such extensive collection and use of sensitive driver information is the illusion of consent presented through lengthy terms of service. But as privacy advocates rightly argue, true informed consent is impossible in the context of modern vehicles.
Mozilla highlighted examples of problematic consent dynamics:
- Subaru assumes consent for all passengers just by riding in a connected car
- Tesla warns opting out of data collection could compromise vehicle functionality or safety
- Nissan puts responsibility on owners to inform all users of its privacy policy
"Car companies do whatever they can legally get away with to your personal data... Consumers have almost zero control and options in regard to privacy, other than simply buying an older model."
When "consent" is stipulated in incomprehensible legalese and refusal can impair driving, true choice does not exist. Drivers are left with little power over how their lives are tracked, monitored and monetized during everyday transport.
So what Now?
The Mozilla Foundation is calling on drivers to sign a petition that will “ask car companies to respect drivers’ privacy and to stop collecting, sharing and selling our very personal information.”
