By Bryan Jung
Major automakers are failing to protect customer privacy while collecting data from drivers, according to a recent study.
The Mozilla Foundation’s latest “Privacy Not Included” study, published on Sept. 6, found that much of the personal data collected from consumers by carmakers was regularly being sold to or shared with third parties.
Most car owners are unaware of the vast amounts of personal data being collected and transmitted, let alone who collects it, or how it is being used or sold.
The latest vehicles are gathering driver locations, personal preferences, and details about users’ daily lives.
All of the 25 car companies examined in the study received a privacy warning label for collecting massive streams of personal data without notifying drivers.
“Serious privacy issues in cars. In cars of many vendors. You know, there’s more and more electronics and software in this stuff. It does collect a lot of data. Today buying a car comes with a surprise. In this respect, cars are … the worst product,” said Lukasz Olejnik, a security analyst, in a post on X, formerly known as Twitter.
Vulnerabilities for Drivers
The increasing digitization of cars has been touted for years by automakers as a way to boost sales.
“Car makers have been bragging about their cars being ‘computers on wheels’ for years to promote their advanced features,” the study said, but “the conversation about what driving a computer means for its occupants’ privacy hasn’t really caught up.”
Ashkan Soltani, executive director of the state privacy watchdog California Privacy Protection Agency (CPPA), said that “modern vehicles are effectively connected computers on wheels.”
“They’re able to collect a wealth of information via built-in apps, sensors, and cameras, which can monitor people both inside and near the vehicle.”
Mozilla said that automakers are gathering “more personal data than necessary” and “for a reason other than to operate your vehicle and manage their relationship with you.”
Twenty-one of the car brands, or 84 percent, said they could share personal data with service providers, data brokers, and other businesses, while 19 firms, or 76 percent, admitted to selling sensitive information.
Shockingly, 14 firms, or 56 percent, said they would share information with the government or law enforcement in response to an “informal request,” which is a very low bar.
The majority of vehicle manufacturers, about 92 percent, give drivers little to no control over how their personal data is collected or used.
Researchers found that automakers even collect “super intimate information” about drivers in “huge quantities.”
Nissan and Kia stated in their privacy policies that they took information about a driver’s “sex life,” while six of the companies in the study said they collected “genetic information” from their customers.
Renault and Dacia, which belong to the same French conglomerate, were the only brands in the study that give drivers the option to have their personal data deleted, because of strict European Union privacy laws.
“It’s probably no coincidence though that these cars are only available in Europe — which is protected by the robust General Data Protection Regulation (GDPR) privacy law,” Mozilla researchers wrote.
“In other words: car brands often do whatever they can legally get away with to your personal data.”
Failing to Protect Customer Information
The Mozilla Foundation also admitted that it could not confirm whether any of the carmakers met its minimum security standards.
There is concern that companies are failing to properly encrypt collected personal information, which “might explain their frankly embarrassing security and privacy track records,” said researchers.
Seventeen of the companies received a “bad track record” for leaks, hacks, and breaches in the study.
Hacking is the top privacy concern, followed by car thefts, break-ins, and bad actors gaining control of car systems and disrupting services.
Driver data privacy breaches have become the most common cybersecurity threat against automakers over the last decade, accounting for 30 percent of all threats, according to Privacy4Cars.
Andrea Amico, the founder and CEO of Privacy4Cars, told the New York Post that car owners are now having to face hackers who are “attracted by the increasing amount and value of data that companies in the broad auto ecosystem collect” and “regular bad people who will leverage these technologies to stalk, harass, defraud, steal, and harm people.”
Hackers can use software and hardware to gain control over a vehicle through software bugs and to gain access to the usernames and passwords of apps that allow the vehicle to be unlocked and started remotely, USA Today reported.
Criminals can also hack into a vehicle’s telematics data, which allows them to pinpoint the exact location of a driver, or use tools to access the onboard diagnostic ports of cars to replicate and create new keys to steal a vehicle.
In May, Toyota admitted that a cloud data hack exposed the location information of 2,150,000 drivers between November 2013 and April 2023.
Data Privacy a Nationwide Concern
Owing to lax privacy standards across the board, Mozilla noted that consumers have limited ability to protect their privacy when it comes to cars.
“People don’t comparison-shop for cars based on privacy. And they shouldn’t be expected to,” the study said.
“Even if you did have the funds and the resources to comparison shop for your car based on privacy, you wouldn’t find much of a difference. Because according to our research, they are all bad!”
Meanwhile, the CPPA will start reviewing vehicle manufacturers’ efforts to collect private information from drivers in California, according to a July 31 press release.
The state agency is the first independent data protection authority in the nation and is in charge of implementing and enforcing California’s privacy laws.
It is governed by a five-member board, formed in November 2020, after voters approved the California Privacy Rights Act of 2020, which expanded privacy protections under the California Consumer Privacy Act of 2018.
The agency will require car manufacturers to provide information on how they collect user data, including location sharing, web-based entertainment, smartphone use, and cameras, to enforce compliance with state privacy laws.
Privacy4Cars is also offering its Vehicle Privacy Report, a tool that allows users to check their vehicle identification number and find out how much data their car is collecting.
The tool tells vehicle owners what information is sold and to whom, including location status and biometric data such as their voice, facial recognition, and fingerprint records.
It also tells owners if that information is sent to the government, service providers, insurance, or data brokers.