While connected cars can deliver more efficient fleet management and safety benefits, they are also a “privacy nightmare on wheels”, according to the US-based Mozilla Foundation.
The Mozilla report, released late last year, looked at 25 car brands which collected customer data.
Connected cars today exchange information across wireless networks, often in real time, with the vehicle manufacturer, third-party service providers, and infrastructure operators.
This data can be sold to data brokers, and used for marketing and targeted advertising.
According to the Mozilla research, popular car brands such as BMW, Tesla and Toyota can collect “deeply personal” data such as sexual activity, immigration status, race, facial expressions, weight and genetic information.
Between 2019 and 2022, it has been reported that Tesla employees internally distributed intimate footage taken in private cars for their own amusement.
Sitting in a car, the report says, was “a lot like handing your phone over to the auto manufacturer.”
“Researchers found data is being gathered by sensors, microphones, cameras, and the phones and devices drivers connect to their cars, as well as by car apps, company websites, dealerships, and vehicle telematics,” the report said.
“Brands can then share or sell this data to third parties. Car brands can also take much of this data and use it to develop inferences about a driver’s intelligence, abilities, characteristics, preferences, and more.”
Mozilla has an ongoing report into data privacy called Privacy Not Included and the research into cars was the first time none of the brands met Mozilla’s minimum security standards.
“Specifically, researchers couldn’t confirm whether any of the brands encrypt all of the personal information they store on vehicles, and only one of the brands – Mercedes – even replied to Mozilla’s questions about encryption,” the report says.
The worst offender, according to Mozilla, is Nissan.
“The Japanese car manufacturer admits in their privacy policy to collecting a wide range of information, including sexual activity, health diagnosis data, and genetic data — but doesn’t specify how,” the report says.
In Australia, one of the main champions of data privacy in this area is Dr Katharine Kemp, from the faculty of Law & Justice at the University of New South Wales.
Kemp says that if people find out how much data is being collected and how it is being shared, they will be met with “very vague, broadly worded privacy policies”, the ultimate aim of which is to give car companies permission rather than to protect consumers.
She was responding to the case of a Queensland man who decided against purchasing a Toyota vehicle after he learned about the data collection in the company’s Connected Services system, which can share data with third parties such as financial and insurance companies and for market research.
“Connected Services operate by using data collected from you and your vehicle, including your personal information, vehicle information and vehicle location,” the Toyota policy says.
There is an option not to sign up to the Connected Services features, but anyone who opts out disables features such as Bluetooth connectivity and speaker functionality, as well as aspects of the vehicle warranty.
Australia has a voluntary code of conduct on data privacy through an industry body, the Federal Chamber of Automotive Industries. Members tell customers about data collection, but do so on a voluntary basis.
This, according to Dr Katharine Kemp, is “opportunistic”. She says Australian privacy laws are well behind those of other jurisdictions, particularly the European Union.