Your car is a moveable computer, and it is listening to you and watching you.
The Mozilla Foundation just published a report on what have been termed “connected cars,” and it says that our vehicles have “an unmatched power to watch, listen, and collect information about what you do and where you go”.
All 25 car brands the Foundation researched earned its “Privacy Not Included” warning label – making cars the official worst category of products for privacy that it has ever reviewed. Yikes.
Personal data
Mozilla reviewed 25 car brands and handed out 25 “dings” for how those companies collect and use data and personal information. Literally every car brand it examined was deemed to collect more personal data than necessary and use that information for a reason other than to operate your vehicle and manage their relationship with you.
Most (84%) of the car brands Mozilla researched say they can share your personal data with service providers, data brokers, and other businesses, and 76% say they can sell it.
They can collect personal information from how you interact with your car, the connected services you use in your car, the car’s app (which provides a gateway to information on your phone), and from third party sources like Sirius XM or Google Maps.
The ways car companies collect and share data can be found in a separate Mozilla publication.
Most (84%) of the car brands Mozilla researched say they can share your personal data with service providers, data brokers, and other businesses, and 76% say they can sell it.
Security standards
Even though the car brands Mozilla researched had several long-winded privacy policies (Toyota has 12), Mozilla still could not ascertain if any of the cars encrypt all of the personal information that it collects.
The 25 cars were reviewed against Mozilla’s privacy and security criteria and then ranked — with Tesla coming in first — meaning, getting the most dings. Kia says it can collect information about your “sex life” right in its privacy policy, and it’s not the only one, Mozilla says.
Consumer protection
There’s a list of Consumer Protection Principles the US automotive industry group Alliance for Automotive Innovation, Inc. has created that outlines privacy-preserving principles such as “data minimization,” “transparency,” and “choice,” and a number of car brands signed up to follow (voluntarily) these principles.
They include BMW, Ford, Nissan, Volkswagen, and other brands — but Mozilla says, based on its examinations, they don’t actually comply.
Nissan and Subaru
In Nissan’s privacy policy, a long list of data can be shared with any number of service providers, marketing and promotional partners, etc., about users, including “inferences drawn from any personal data collected to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes”.
Subaru says that even passengers of a car that uses connected services have “consented” to allow them to use – and maybe even sell – their personal information just by being inside.
Data collected through Nissan’s direct interaction with users (so not through its connected devices) can be shared with such service providers and promotional partners as well, and those data points can include what Nissan gleans (or maybe surmises?) about your citizenship status, immigration status, race, national origin, religious or philosophical beliefs, sexual orientation, and more.
In its privacy policy, Subaru says that even passengers of a car that uses connected services have “consented” to allow them to use – and maybe even sell – their personal information just by being inside.
Data collection
On a related note, Nissan makes you “promise to educate and inform all users and occupants of your vehicle about the services and system features and limitations, the terms of the agreement, including terms concerning data collection and use and privacy, and the Nissan Privacy Policy”.
Apparently, the disclosure obligation about a complete lack of privacy protections offered by the maker of the car are on the owner of the car.
Mozilla’s researchers spent over 600 hours researching the car brands’ privacy practices and said it was the toughest work they had ever done as privacy researchers. None of the privacy policies promise a full picture of how your data is used and shared, the researchers said.
The author of this article does not own a car and is feeling rather smug right now.