Hey Utahns, Your Car Is Spying On You
This news item came across the wire today:
Major automakers are failing privacy tests. According to a new study from the Mozilla Foundation, cars collect a significant amount of personal data that can be sold or shared. The analysis gave a privacy warning label to each of the 25 major automakers studied.
In a trio of articles on Mozilla's website, the tech company cites dozens of privacy breaches associated with consumers and their cars.
From the article: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy
1. They collect too much personal data (all of them)
We reviewed 25 car brands in our research and we handed out 25 “dings” for how those companies collect and use data and personal information. That’s right: every car brand we looked at collects more personal data than necessary and uses that information for a reason other than to operate your vehicle and manage their relationship with you. For context, 63% of the mental health apps (another product category that stinks at privacy) we reviewed this year received this “ding.”
2. Most (84%) share or sell your data
It’s bad enough for the behemoth corporations that own the car brands to have all that personal information in their possession, to use for their own research, marketing, or the ultra-vague “business purposes.” But then, most (84%) of the car brands we researched say they can share your personal data -- with service providers, data brokers, and other businesses we know little or nothing about. Worse, nineteen (76%) say they can sell your personal data.
A surprising number (56%) also say they can share your information with the government or law enforcement in response to a “request.” Not a high bar court order, but something as easy as an “informal request.” Yikes -- that’s a very low bar! A 2023 rewrite of Thelma & Louise would have the ladies in custody before you’ve had a chance to make a dent in your popcorn. But seriously, car companies' willingness to share your data is beyond creepy. It has the potential to cause real harm and inspired our worst cars-and-privacy nightmares.
3. Most (92%) give drivers little to no control over their personal data
All but two of the 25 car brands we reviewed earned our “ding” for data control, meaning only two car brands, Renault and Dacia (which are owned by the same parent company) say that all drivers have the right to have their personal data deleted. We would like to think this deviation is one car company taking a stand for drivers’ privacy. It’s probably no coincidence though that these cars are only available in Europe -- which is protected by the robust General Data Protection Regulation (GDPR) privacy law. In other words: car brands often do whatever they can legally get away with to your personal data.
4. We couldn’t confirm whether any of them meet our Minimum Security Standards
It’s so strange to us that dating apps and sex toys publish more detailed security information than cars. Even though the car brands we researched each had several long-winded privacy policies (Toyota wins with 12), we couldn’t find confirmation that any of the brands meet our Minimum Security Standards.
Our main concern is that we can’t tell whether any of the cars encrypt all of the personal information that sits on the car. And that’s the bare minimum! We don’t call them our state-of-the-art security standards, after all. We reached out (as we always do) by email to ask for clarity but most of the car companies completely ignored us. Those who at least responded (Mercedes-Benz, Honda, and technically Ford) still didn’t completely answer our basic security questions.
A failure to properly address cybersecurity might explain their frankly embarrassing security and privacy track records. We only looked at the last three years, but still found plenty to go on with 17 (68%) of the car brands earning the “bad track record” ding for leaks, hacks, and breaches that threatened their drivers’ privacy.
What Data Are Cars Collecting?
Amazingly, Mozilla found 17 pages' worth of data that our cars are collecting about us. Seventeen pages!
Some of it was innocuous, like name and phone number. But some of it was downright scary -- your date of birth, your location at all times, credit and/or debit card numbers, social security number, medical information and even fingerprints -- and that's just the tip of the iceberg.
Said one Mozilla researcher: “Practically all of the privacy policies we looked at used qualifying language when listing the data points they collect. Words like ‘such as,’ ‘including,’ or ‘etc.’ tell us we are only getting a sample of what is collected and not the full picture.”
This summation by Mozilla should make all of us stand up and take note:
With car companies' long history of lying, cheating, and putting profit before everything, including human lives, we’re worried about what they have planned for the future.