Motorists are surprisingly uninformed about the extensive data that smart cars gather about them. It’s crucial to take control of your personal information.
Automobiles have evolved significantly since the Ford Model T. Modern smart vehicles boast features like blind-spot monitoring, automatic emergency braking, and collision avoidance systems, supported by sensors such as LiDAR, radar, and cameras. These capabilities depend on an advanced network of electronics known as telematics, which gathers data and tracks both favorable and unfavorable driving habits.
The amount of data collected is astonishing. Currently, a single vehicle can generate up to 25 gigabytes of data every hour, surpassing the storage required for a two-hour 4K film on your computer. Connected vehicles, which are linked to a network or the internet, signify a monumental change in automotive technology. Cars have transitioned from simple transportation means to intricate data-gathering centers, featuring robust computers and sensors inside and out that utilize artificial intelligence and machine learning. They monitor everything from geolocation information and driving habits to potentially sensitive biometric data, including heart rate or facial expressions.
While the safety advantages are evident, privacy advocates express valid concerns regarding the vast array of data collection tools in vehicles.
The unfortunate reality is that, as the vehicle’s owner, you wield astonishingly little power over this data collection. In addition to enhancing convenience and providing assistance, this data serves as a treasure trove for data brokers who exploit it without our awareness.
Certain motorists have experienced increased insurance premiums after being unknowingly included in OnStar Smart Driver, a feature in General Motors’ internet-enabled vehicles. GM later admitted to sharing information about drivers’ mileage, braking, acceleration, and speed with the insurance sector, eventually discontinuing this practice.
The adage “with great power comes great responsibility” rings true here – and this is where our predicament resides. The privacy issues raised by these technological innovations are certainly justifiable. Cases such as a class action lawsuit against Tesla over privacy breaches have brought attention to the possible abuses of data acquired from vehicles.
Additionally, groups of Tesla staff members have internally circulated footage and images captured by cameras in customers’ personal cars. These occurrences highlight not only the risks to individual privacy but also larger societal and ethical dilemmas regarding surveillance, monitoring, and data protection.
As automotive technology continues to advance, crucial questions must be addressed: Where is our information stored, and who has access to it? How is it utilized? Can the owner and driver review the collected data? How often is the information deleted? And most importantly, can the driver manage any (or all) of these aspects?
The answers to these inquiries remain largely unknown. This lack of clarity poses a significant issue for individual privacy rights.
In the realm of privacy protection, both state and federal governments are consistently trying to keep pace. Some regions are just starting to tackle the issues surrounding vehicle data collection. Presently, 20 states have enacted comprehensive data protection laws for online activity, while other areas are contemplating similar legislation. Talks about comprehensive federal laws are ongoing, but a schedule for implementation is not yet established. Regulations pertaining to automotive data are urgently needed.
Beyond laws and regulations, each of us must reflect on our role in safeguarding our personal data in interconnected vehicles. As technology advances, especially with AI, connected cars will profoundly influence our data privacy and safety. While automakers and lawmakers bear the responsibility for data security, car owners must also take measures to protect themselves. Here are some strategies:
Educate yourself about your vehicle’s data collection abilities, particularly through its cameras and microphones. Reach out to dealerships or examine your owner’s manual to understand what data is gathered and its usage.
Modify privacy settings. Investigate and adjust your car’s privacy options to enhance the safeguarding of your personal information. This could involve turning off specific recording features or limiting data-sharing with external parties.
Choose to opt out where you can. Actively seek and utilize options that allow you to decline participation in data collection programs you find uncomfortable. Disable certain connected services that aren’t crucial but may jeopardize your privacy.
Confirm secure connections. Employ strong and unique passwords for features such as in-car Wi-Fi, and be wary of sensitive transactions or communications conducted over these networks.
Keep software updated. Regularly plan updates for your car’s software to defend against vulnerabilities that could be exploited by cybercriminals. Likewise, only install trusted applications in your vehicle to minimize the risk of security breaches from less secure apps.
Stay informed and engage with manufacturers. Familiarize yourself with your rights under current data protection regulations and take part in discussions regarding future laws to advocate for better safeguards from auto manufacturers. Likewise, drivers should demand transparency and strong security practices from car manufacturers and service providers, ensuring ethical handling of consumer data.
While the allure of the open road remains, it is now the responsibility of drivers to ensure they are free from unwelcome data monitoring by their vehicles.
Ah, the breeze in your hair, the endless road ahead, and no worries… except for all the trackers, cameras, microphones, and sensors documenting your every action. Ugh. Contemporary vehicles are a hassle for privacy.
Car manufacturers have been promoting their vehicles as “computers on wheels” for years to highlight their advanced features. However, the discussion surrounding the implications of driving a computer for the privacy of its occupants hasn’t kept pace. While we were concerned that our internet-connected doorbells and watches could be spying on us, car brands quietly ventured into the data industry by transforming their vehicles into extensive data-collecting machines. Machines that, because of all those appealing features, possess an unparalleled ability to observe, listen, and gather information regarding your actions and whereabouts while driving.
All 25 car brands we analyzed received our *Privacy Not Included warning label, making automobiles the absolute worst category of products for privacy that we have evaluated.
The car brands we examined have significant shortcomings in privacy and security.
What causes the car brands we researched to perform poorly in terms of privacy? And how did they fall so short of our expectations? Let’s break it down!
They gather excessive personal data (all of them)
We evaluated 25 car brands in our study and awarded each company a “ding” for their data collection and usage practices. Indeed, every car brand we analyzed collects more personal data than necessary and exploits that information for purposes beyond just operating your vehicle and managing their relationship with you. For comparison, 63% of the mental health applications (another product category that struggles with privacy) we reviewed this year received this same “ding.”
Additionally, car manufacturers have far more opportunities to collect data than other products and applications we commonly use — even more than smart devices found in our homes or the phones we carry everywhere. They can gather personal information based on your interactions with your vehicle, the connected services you utilize within it, the vehicle’s app (which serves as a gateway to data on your phone), and can retrieve more information about you from third-party sources like Sirius XM or Google Maps. It’s a convoluted situation. The methods by which car manufacturers collect and share your data are so extensive and intricate that we wrote a separate piece explaining the process. In summary, they can gather very personal information about you — ranging from your medical data, genetic details, and even aspects of your “sex life” (yes, really), to your driving speed, routes taken, and the songs you play in your vehicle — in vast amounts. They then utilize this data to create additional insights about you through “inferences” regarding your intelligence, capabilities, and interests.
A significant number (84%) share or sell your data
It’s concerning enough that the major corporations that own car brands hold personal information for their own research, marketing, or the vaguely defined “business purposes.” However, a majority (84%) of the car brands we examined indicate they can share your personal data—with service providers, data brokers, and other businesses that are largely unknown to us. Even more alarming, sixteen (76%) claim they are able to sell your personal data.
An unexpectedly high percentage (56%) also state they can share your information with government entities or law enforcement upon receiving a “request.” This doesn’t even require a significant court order; it could be as simple as an “informal request.” Yikes—what a minimal threshold! If there were a 2023 remake of Thelma & Louise, the characters would be apprehended before you could finish your popcorn. But in all seriousness, car companies’ willingness to share your data is alarmingly invasive. It poses real dangers and triggers our worst fears regarding cars and privacy.
It’s important to remember that our understanding of what companies do with personal data stems from privacy laws that mandate disclosure of such information (thank you, California Consumer Privacy Act!). Even so-called anonymized and aggregated data can (and likely is) shared with vehicle data hubs (the auto industry’s data brokers) and others. So while you’re getting from point A to B, you’re also supporting your car’s lucrative side hustle in the data market in multiple ways.
The majority (92%) provide drivers with minimal to no control over their personal data.
Every car brand, except for two of the 25 we assessed, received a “ding” for data control, meaning only two brands, Renault and Dacia (both under the same parent company), assert that all drivers can request deletion of their personal data. We like to think this exception represents one car manufacturer advocating for drivers’ privacy. However, it’s likely not a coincidence that these vehicles are exclusively available in Europe, which is protected by the comprehensive General Data Protection Regulation (GDPR) privacy law. In essence, car brands frequently operate within the limits of what they can legally manage concerning your personal data.
We were unable to verify whether any of the brands comply with our Minimum Security Standards.
It’s quite perplexing that dating apps and sex toys provide more detailed security information than automobiles. Despite the fact that the car brands we looked into each had several lengthy privacy policies (Toyota takes the lead with 12), we could not confirm that any of the brands satisfy our Minimum Security Standards.
Our primary concern is our inability to determine if any car encrypts all personal information stored within the vehicle. And this is just the basic requirement! We don’t label these as our cutting-edge security standards, after all. As we typically do, we reached out via email for clarification, but most car manufacturers disregarded our inquiries. Those who did respond (Mercedes-Benz, Honda, and technically Ford) still fell short of providing complete answers to our fundamental security questions.
A lack of adequate attention to cybersecurity might explain their rather poor track records regarding security and privacy. We only examined the past three years, yet we discovered ample evidence, with 17 (68%) of the car brands receiving a “bad track record” designation for incidents of leaks, hacks, and breaches that jeopardized their drivers’ privacy.
A significant number (84%) share or sell your data.
It’s concerning enough that the major corporations that own car brands hold personal information for their own research, marketing, or the vaguely defined “business purposes.” However, a majority (84%) of the car brands we examined indicate they can share your personal data—with service providers, data brokers, and other businesses that are largely unknown to us. Even more alarming, sixteen (76%) claim they are able to sell your personal data.
An unexpectedly high percentage (56%) also state they can share your information with government entities or law enforcement upon receiving a “request.” This doesn’t even require a significant court order; it could be as simple as an “informal request.” Yikes—what a minimal threshold! If there were a 2023 remake of Thelma & Louise, the characters would be apprehended before you could finish your popcorn. But in all seriousness, car companies’ willingness to share your data is alarmingly invasive. It poses real dangers and triggers our worst fears regarding cars and privacy.
It’s important to remember that our understanding of what companies do with personal data stems from privacy laws that mandate disclosure of such information (thank you, California Consumer Privacy Act!). Even so-called anonymized and aggregated data can (and likely is) shared with vehicle data hubs (the auto industry’s data brokers) and others. So while you’re getting from point A to B, you’re also supporting your car’s lucrative side hustle in the data market in multiple ways.
The majority (92%) provide drivers with minimal to no control over their personal data.
Every car brand, except for two of the 25 we assessed, received a “ding” for data control, meaning only two brands, Renault and Dacia (both under the same parent company), assert that all drivers can request deletion of their personal data. We like to think this exception represents one car manufacturer advocating for drivers’ privacy. However, it’s likely not a coincidence that these vehicles are exclusively available in Europe, which is protected by the comprehensive General Data Protection Regulation (GDPR) privacy law. In essence, car brands frequently operate within the limits of what they can legally manage concerning your personal data.
We were unable to verify whether any of the brands comply with our Minimum Security Standards.
It’s quite perplexing that dating apps and sex toys provide more detailed security information than automobiles. Despite the fact that the car brands we looked into each had several lengthy privacy policies (Toyota takes the lead with 12), we could not confirm that any of the brands satisfy our Minimum Security Standards.
Our primary concern is our inability to determine if any car encrypts all personal information stored within the vehicle. And this is just the basic requirement! We don’t label these as our cutting-edge security standards, after all. As we typically do, we reached out via email for clarification, but most car manufacturers disregarded our inquiries. Those who did respond (Mercedes-Benz, Honda, and technically Ford) still fell short of providing complete answers to our fundamental security questions.
A lack of adequate attention to cybersecurity might explain their rather poor track records regarding security and privacy. We only examined the past three years, yet we discovered ample evidence, with 17 (68%) of the car brands receiving a “bad track record” designation for incidents of leaks, hacks, and breaches that jeopardized their drivers’ privacy.
