According to a recent study, many major car manufacturers have acknowledged the possibility of sharing personal information, although they remain unclear about the recipients. Additionally, half of these companies have indicated their willingness to share such data with government or law enforcement entities without the necessity of a court order. The increasing prevalence of automobile sensors, ranging from telematics to fully digital control systems, has transformed them into significant data collection centres. However, individuals who drive these vehicles have minimal to no control over the personal data that is gathered, as noted by researchers from the nonprofit Mozilla Foundation in their latest “Privacy Not Included” survey. Furthermore, there are concerns regarding the lack of clear security standards, particularly in light of automakers history of vulnerabilities to cyberattacks.
Jen Caltrider, the research lead for the study, expressed her concern, saying, “Cars seem to have really flown under the privacy radar and I’m really hoping that we can help remedy that because they are truly awful. Cars have microphones, and people have all kinds of sensitive conversations in them. Cars have cameras that face inward and outward.”
According to Caltrider, car buyers have limited options unless they choose a used, non-digital model.
Privacy Concerns for the automakers
In a study spanning more than a dozen product categories, including fitness trackers, reproductive health apps, smart speakers, and other connected home appliances, cars ranked the lowest in terms of privacy. Mozilla has been conducting these studies since 2017.
Surprisingly, none of the 25 car brands whose privacy policies were examined, all of which are popular in Europe and North America, met Mozilla’s minimum privacy standards. Mozilla advocates for open-source, public-interest technologies and is known for maintaining the Firefox browser. In contrast, 37% of the current year’s mental health apps reviewed by this non-profit met the minimum privacy standards.
Nineteen automakers have acknowledged that they possess the ability to sell individuals’ personal data, as revealed in their official notices. Among them, half are willing to share this data with government or law enforcement entities upon request, without necessitating a court order. Only two of these automakers, Renault and Dacia, offer drivers the option to request the deletion of their data. Notably, these two brands are not available in North America.
The automakers are rather vague when it comes to disclosing the specific recipients of the data they collect. However, researchers strongly suspect that data brokers, marketers, and dealers are among those who benefit from this information. Moreover, partners who offer installed products and services, such as SiriusXM, Google Maps, and OnStar, are also accumulating substantial amounts of data.
Albert Fox Cahn, a technology and human rights fellow at Harvard’s Carr Center for Human Rights Policy, aptly points out that modern vehicles have essentially become “wiretaps on wheels.” The electronic features that consumers invest in are continuously amassing data about them and their passengers, leading to heightened concerns about personal privacy.
Automotive Industry’s Call for Federal Privacy Legislation
Criticizing this characterization, the Alliance for Automotive Innovation, a trade group representing most car and light truck manufacturers in the U.S., emphasized in a letter addressed to U.S. House and Senate leadership that they share the common goal of safeguarding consumer privacy.
They called for enacting a federal privacy law, arguing that a “patchwork of state privacy laws creates confusion among consumers about their privacy rights and makes compliance unnecessarily difficult.” The absence of such a law allows connected devices and smartphones to accumulate data for tailored advertising targeting and other marketing purposes, increasing the risk of massive information theft through cybersecurity breaches.
According to a 2020 Pew Research survey, 52% of Americans indicated that they had refrained from using a product or service because they were concerned about the extent of personal information it would gather about them.
Regarding security, Mozilla’s minimum standards encompass encrypting all personal information on a car. The researchers noted that most car brands did not respond adequately to their emailed inquiries on the subject and those that did provide responses offered only partial and unsatisfactory answers.
Nissan, based in Japan, surprised researchers with the level of transparency and detailed breakdowns of data collection provided in its privacy notice, in stark contrast to major tech companies like Facebook or Google. The “sensitive personal information” collected by Nissan includes driver’s license numbers, immigration status, race, sexual orientation, and health diagnoses.
Furthermore, Nissan claims it can share “inferences” from the data to develop profiles that accurately represent a consumer’s preferences, characteristics, psychological trends, predispositions, behaviour, attitudes, intelligence, abilities, and aptitudes.
Among the six-car companies examined, Nissan was one of them that indicated the potential to gather “genetic information” or “genetic characteristics.” However, the specifics of how this is done were not provided.
Interestingly, Nissan also stated that it collects data related to “sexual activity,” though it did not elaborate on the methods employed for this purpose.
Privacy Concerns for the Automakers
On a different note, the all-electric Tesla brand received a high score on Mozilla’s “creepiness” index. Notably, suppose a Tesla owner chooses to opt out of data collection. In that case, Tesla’s privacy notice mentions that the company may be unable to provide real-time notifications to drivers concerning issues that could lead to “reduced functionality, serious damage, or inoperability.”
Unfortunately, Tesla did not respond to inquiries regarding its data practices. In a statement, Nissan emphasized its commitment to safeguarding the privacy and data protection of its consumers and employees. The company asserted that it adheres to all relevant laws and prioritizes transparency whenever personal data is collected or shared.
Caltrider from Mozilla acknowledged the positive impact of data protection laws such as the European Union’s General Data Protection Regulation, spanning 27 nations, and California’s Consumer Privacy Act. These regulations have compelled car manufacturers to provide comprehensive information about their data collection practices.
This marks a significant step forward, as it heightened consumer awareness, akin to the developments in the 2010s when a surge in consumer concerns prompted television manufacturers to offer more privacy-conscious alternatives to their surveillance-heavy connected displays.