You care about cars, but do they care about you?

Right now low emission schemes are a hot topic. The UK is seeing really divisive conversations surrounding the rights of motorists, with the controversial ULEZ scheme prompting a culture war. But while many rage about the rights of car drivers, are cars in turn protecting our rights?

New research from Mozilla shows that 25 major car companies, including brands like Volkswagen, Tesla, Toyota and Nissan, fail to protect our privacy. The non-profit’s latest report of *Privacy Not Included, released today, shines a light on how “deeply personal data” can be collected by car brands without the user having much or any control over the collection or use of this data. 

Shockingly, the list includes data on “race”, “immigration status”, “sexual orientation” and even “sexual activity”, leaving one puzzled as to why car companies would need such information.

“Most people think of their car as a private space. But that perception no longer matches reality,” says Jen Caltrider, Program Director for *Privacy Not Included.

Not only is such data amassed on a huge scale, the report suggests that much of this data lacks protection such as data encryption.

One of the lead researchers on this report, Misha Rykov, explains that “encryption is not an easy thing to do in cars, and most of them do not encrypt all consumer data.”

One of the worst performing brands on the list, Nissan, makes provisions to collect extremely sensitive information: from driver’s licence and national identification numbers to things like sexual activity, health diagnosis data and genetic information. All of it can be used for internal analytics as well as sharing with third parties for targeted marketing.  

In fact, of the brands reviewed in this report, 84% can share personal data with third party actors, and a whopping 76% can sell this data. Not to add, apart from Renault and Dacia, none of the other brands give all users the power to have their data deleted.

For this report, researchers pored over the privacy policies of companies as well as examined the apps that are built into these cars. But while things like location data is expected to be collected, researchers were surprised to find that data about people’s “sex life” and “sexual orientation” was also not off bounds. 

Just like Nissan, Kia and Toyota can also process data on “sex life.” And companies like General Motors and Ford can collect information on “sexual orientation.” But what exactly these headers mean — especially “sexual activity” and “sex life” — and how such information is extracted, one can only guess because companies are not transparent about it.

The picture is so grim, in a Mozilla *Privacy Not Included first (they’ve done similar reports on other product categories), none of the 25 car companies scrutinised met ‘minimum security standards’. Mozilla has even declared this the “official worst category of products for privacy that we have ever reviewed.”

No consent with cars

Speaking to me over call, Rykov explains that most of these car brands do not acquire meaningful consent for collection of personal data. Instead they often rely on indirect consent, and do not give users any choice to opt-out.

Take, for example, Tesla. The only way to stop Tesla from collecting vast amounts of sensitive information about you, would be to switch off connectivity in the car entirely. “But why would you need a Tesla if it’s not connected? It’s like [using] an iphone always in the airplane mode,” Rykov says.

Even brands in Europe that are tied to certain standards due to the General Data Protection Regulation (GDPR), which may give European users some control over data, might not extend this to users elsewhere.

While many brands claim to be privacy conscious, Rykov says this is mere “privacy whitewash.” In reality, these brands are a maze of multiple privacy policies, with Toyota having as many as twelve. These are tedious to read and understand, vague in their terms, and very forgiving of privacy violations. 

Escaping encryption

As mentioned before, car brands are also not bothered with data encryption. When researchers from Mozilla reached out to companies to ask about encryption of consumer data, most of them did not respond. Even those who did respond seem to have answered in vague terms.

Rykov says “this is alarming since cars collect huge amounts of data.” And it is even more worrying since car data is then also combined with phone data, which could compromise biometric information, contact lists, messages, pictures, audio and video from the phone.

As data from various avenues and devices are combined, they can dangerously give rise to new sets of data and patterns, even for purposes the user did not consent to (even indirectly).

Breaches, very many

While many of us may not think twice about data flows given how pervasive data extraction has become in every respect, it is important to highlight that cars do it on a massive scale; without adequate protections in place. And while there is some crackdown on Big Tech, in Europe and elsewhere, the same cannot be said for car brands whose data shenanigans go quite unnoticed.

There is no justifiable reason we can see for car companies to gather, much less hold, all this data. In the absence of clarification from them, we are left to wonder if the most obvious answer is perhaps the right one – the reason they have it – is so they can sell it. 

Or maybe it’s just good fun for their employees? Some months ago, reports came out about how, for years, Tesla employees had been looking at and circulating videos that were taken inside users’ cars. One worker described it as “like having access to god’s eye.” 

Tesla again – this time a worrying data breach when identifying information of 75,735 employees, including social security numbers were leaked. If they cannot protect the data of their own employees, what’s to say about the scores of information, including videos, they hold on users?

In a data breach incident with Volkswagen in 2021, personal details, including contact information and driver’s licence numbers of 3 million customers were compromised. And as revealed a few months ago, an incident with Toyota led to location data of more than 2 million customers being exposed for about a whole decade. Not to add, other kinds of security breaches that have hit brands like Kia.

So while data collected is large and intimate, and protections very few, car companies have somehow managed to avoid scrutiny for a very long time. This needs to change, because while your car might give you an illusion of seclusion, it is far from it. It has become a fancy surveillance tool you purchase, fitted with sensors, microphones and cameras in plenty.