Modern connected cars are “a privacy nightmare” for drivers, capable of collecting reams of sensitive data that is frequently being shared, sold or potentially stolen.
This is according to a review of 25 carmakers in the USA from the non-profit, open internet researcher and watchdog Mozilla Foundation.
It’s no secret cars can use their cameras, microphones and sensors to track owners closely, and that they increasingly access cloud-based services and connect to smartphone apps.
Nor are multinational OEMs shy about the potential revenue opportunities to be had from data collection and services – a key reason for the rollout of so-called “software-defined vehicles“.
Mozilla’s analysts claim to have spent more than 600 hours researching the car brands’ privacy practices, and found a unanimous failure to properly disclose data policies and protect sensitive information through encryption.
Audi (3.3 million users), Toyota (2.15 million users, some in Australia) and Mercedes-Benz (up to 1.6 million users including some credit cards) have all been pinged for data breaches in the past few years.
“While we worried that our doorbells and watches that connect to the internet might be spying on us, car brands quietly entered the data business by turning their vehicles into powerful data-gobbling machines,” Mozilla writes.
“Machines that, because of their all those brag-worthy bells and whistles, have an unmatched power to watch, listen, and collect information about what you do and where you go in your car.”
The researchers found 100 per cent of brands collected more user data than would be necessary to operate the vehicle or manage their relationship with the owner. For context, the same researchers found only 63 per cent of mental health apps set off the same alarm bells.
They also found 84 per cent of the car brands researched disclosed they could share personal owner data with other organisations, and 76 per cent said they could sell it.
“Modern cars are a privacy nightmare and it seems that the Fords, Audis, and Toyotas of the world have shifted their focus from selling cars to selling data,” researcher Misha Rykov wrote.
At a macro level, connected cars depending on regional data laws have the potential to collect information on where their owners go and what they say. Other more granular examples contained in fine print included “demographic data”, and “sensor data” – including driver stress levels (driver-detection software) or imagery of the world around your car.
Privacy policy fine print must be made public where applicable due to privacy laws like the General Data Protection Regulation in Europe and the California Consumer Privacy Act (CCPA) in the USA, though Mozilla claims many of the carmakers “manipulate” or “assume” consent.
“Using broad language is a classic tool that companies use to leave the door open for collecting more data than they’re spelling out in their policies. It makes it pretty much impossible to know all of the information that’s being gathered about you,” the report says.
While there are reviews on each brand, a few examples from the US stood out.
Nissan USA’s privacy notice claims the company can share or sell “Inferences drawn from any Personal Data collected to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behaviour, attitudes, intelligence, abilities, and aptitudes” for targeted marketing purposes.
On Nissan’s own privacy section it classifies types of personal data collected as including “driver’s licence number, national or state identification number, citizenship status, immigration status, race, national origin, religious or philosophical beliefs, sexual orientation, sexual activity, precise geolocation, health diagnosis data, and genetic information”.
Meanwhile Kia’s policy mentions it can collect information about a driver’s “sex life”, and six car companies said they can collect “genetic information” or “genetic characteristics.”
Hyundai’s privacy policy further claims it will comply with “lawful requests” for data access from government or law enforcement – whether “formal or informal.”
You can read detailed reviews of 25 OEM privacy statements here and learn more about where all that data goes here.
From an Australian perspective, the federal government released a report of the Attorney-General’s departmental review of the extant Privacy Act 1988, which it said “has not kept pace with the changes in the digital world”, citing high-profile breaches during 2022.
“The Government is now seeking feedback on the 116 proposals in this report before deciding what further steps to take,” it added.
MORE ON THIS TOPIC: Toyota Australia customers victim of data breach