From The Editor | September 15, 2023

Why Connected Cars Are A Privacy Nightmare


By John Oncea, Editor


When it comes to connected cars and privacy, consider this: sex toys typically provide more detailed security information about their products. So, when your privacy policies and protections are worse than those of a sex toy, you might have a problem.

With apologies to The Boss, Bruce Springsteen

I’m drivin’ in my car, you turn on the radio
The car is connected, so everyone knows
All my personal data, for the whole world to see
Cause when we drive, ooh, no privacy

Heck, I’ll even apologize to Robin Williams, whose parody is orders of magnitude better than mine. But all joking aside, let’s talk about the Mozilla Foundation study that found, “Modern cars are a privacy nightmare.”

Getting To Know You

While listening to Pushkin’s podcast Axios Today*, I wasn’t too surprised to hear just how poorly connected cars graded out. After all, any internet-connected device is going to have its share of privacy struggles, but it was disconcerting to hear, “All 25 car brands we researched earned our *Privacy Not Included warning label – making cars the official worst category of products for privacy that we have ever reviewed.”

Axios continued, reporting, “Cars are now computers on wheels — which means they ‘have an unmatched power to watch, listen, and collect information about what you do and where you go.’ That information is then shared with or sold to data brokers, law enforcement, and others.” The Mozilla Foundation reports that 56% of the car brands will share data with law enforcement in response to an informal request, while 84% share or sell personal data.

And oh, the amount of personal data collected! According to Mozilla, it’s too much.

“We reviewed 25 car brands (and) handed out 25 ‘dings’ for how those companies collect and use data and personal information. That’s right: every car brand we looked at collects more personal data than necessary and uses that information for a reason other than to operate your vehicle and manage their relationship with you.” Mental health apps, another category “that stinks at privacy,” only had a ding rating of 63%.

In addition to collecting more data, car companies have more data-collecting opportunities than other connected devices such as cell phones and in-home smart devices. Not only are they collecting personal information through your interactions with your car, but they’re also collecting it from the connected services and apps used within the vehicle. Third-party sources such as Sirius XM and Google Maps also can provide additional information about you.

“The gist is: they can collect super intimate information about you – from your medical information, your genetic information, to your ‘sex life’ (seriously), to how fast you drive, where you drive, and what songs you play in your car – in huge quantities,” writes Mozilla. “They then use it to invent more data about you through ‘inferences’ about things like your intelligence, abilities, and interests.”

* I was listening to it on my phone during a run and not in my car so my privacy should be completely protected, right? LOL jk

Introducing You To The Rest Of The World

“It’s bad enough for the behemoth corporations that own the car brands to have all that personal information in their possession, to use for their research, marketing, or the ultra-vague ‘business purposes,’” Mozilla writes. As previously noted, 84% of the car brands studied say they can share your personal data with businesses you know little or nothing about. Even worse: 76% say they can sell it.

More than half say they can share your information if the government or law enforcement requests it. “Not a high bar court order, but something as easy as an ‘informal request,’” writes Mozilla. “Car companies’ willingness to share your data is beyond creepy. It has the potential to cause real harm and inspired our worst cars-and-privacy nightmares.”

Making matters worse is that only Renault and Dacia (owned by the same parent company) allow drivers the right to delete their personal data. So, good for them, right? Truth is, these two cars are only available in Europe and are therefore subject to GDPR privacy laws. “In other words: car brands often do whatever they can legally get away with to your personal data,” opines Mozilla.

Not-So-Fun Fast Facts

Tesla is only the second product Mozilla reviewed to receive all of their privacy dings, highlighted (lowlighted?) by earning the “untrustworthy AI” ding. The brand’s AI-powered autopilot was reportedly involved in 17 deaths and 736 crashes and is currently the subject of multiple government investigations.

Nissan finished second-to-last and collected “some of the creepiest categories of data (Mozilla has) ever seen” including your “sexual activity.” Kia also mentions they can collect information about your “sex life” and six car companies say they can collect your “genetic information” or “genetic characteristics.”

Most car brands do not conform to Mozilla's privacy standard regarding sharing information with government or law enforcement. However, Hyundai surpasses these standards by stating in its privacy policy that it will comply with both formal and informal lawful requests. This is a concerning issue.

And, while 22 of the car brands signed on to a list of Consumer Protection Principles from the U.S. automotive industry group Alliance for Automotive Innovation, Inc., none follow the principles. Mozilla says this is “interesting if only because it means the car companies know what they should be doing to respect your privacy even though they don’t do it.”

Back To The Horse And Buggy?

In a word, no. As Axios notes, “Americans spend about 300 hours a year driving — plus many more hours when the car is repurposed as an office, a lunchroom, a phone booth, or even a recording studio.” So, cars aren’t going anywhere.

“Mozilla claims it spent over 600 hours researching the privacy practices of car brands — three times longer per product than it usually spends on these privacy reviews,” writes The Verge. “The report was so scathing that the organization said the advice it typically provides to help customers protect their personal data feels like ‘tiny drops in a massive bucket.’

“Instead, the Mozilla Foundation has started a petition urging car companies to stop the data collection programs they’re unfairly benefitting from, expressing that ‘our hope is that increasing awareness will encourage others to hold car companies accountable for their terrible privacy practices.’”

Beyond that, there’s … hope?

Jen Caltrider, director of Mozilla's *Privacy Not Included project, told the Associated Press that unless you buy a used, pre-digital model, you “just don't have a lot of options.” She added that the U.S. could pass laws similar to Europe’s GDPR but, for the most part, “Cars seem to have really flown under the privacy radar and I'm really hoping that we can help remedy that because they are truly awful.”