How Much Privacy Do You Really Have In Modern Vehicles?

by Matt Posky

Whenever the issue of vehicular privacy comes up, the discussion almost immediately pivots to individuals either defending or condemning the status quo. But this often happens without either side of the argument having a firm understanding of how much information is actually being obtained inside today’s automobiles.

While we’ve covered the topic frequently, articles have typically focused on specific issues rather than overall scope. But things are different this time, with the Mozilla Foundation recently issuing a study trying to assess just how far-reaching the automotive industry’s quest for data has become.


Based upon the data provided in the Mozilla report, and some additional data furnished by Axios, things look pretty bad. Older vehicles equipped with any amount of connectivity amassed loads of information regarding control inputs, positional data, music preferences, and just about everything that went through a car’s ECU. But newer models are equipped with sensor arrays, exterior camera systems, interior microphones, and maybe even an in-cabin camera that keeps tabs on the driver in real-time.


McKinsey & Company claims that’s sufficient for the average vehicle to compile and then transmit roughly 25 gigabytes of data per hour. For the sake of comparison, streaming a 2-hour video at 1080p HD and 60 frames per second is only about 6 gigabytes. That’s a truly staggering amount of information and that estimate comes from several years ago — presumably meaning newer vehicles are even better equipped to harvest data.


For those taking solace in the fact that over a dozen major automotive brands signed a voluntary set of automotive privacy principles in 2014, Mozilla claims that not one of them has actually adhered to them. It looked into 25 popular brands representing a majority of the vehicles people tend to buy and determined that none of them are seriously interested in protecting your privacy.


Though they weren’t all equal. Despite literally every brand investigated yielding serious privacy concerns Mozilla considered totally unacceptable, a few brands took data harvesting to legitimately scary places. For example, Nissan has a privacy notice that says the company can share "sensitive personal information, including driver's license number, national or state identification number, citizenship status, immigration status, race, national origin, religious or philosophical beliefs, sexual orientation, sexual activity, precise geolocation, health diagnosis data, and genetic information."


Genetic information? Religious or philosophical beliefs? Sexual activity?! Never mind how creepy that is. How in the world would a company even manage to access that kind of information?


Still, Nissan products ended up receiving the same negative score as the vehicles being offered up by Volkswagen, General Motors, Ford, Mercedes-Benz, Toyota, Honda, and Hyundai and all of its subsidiaries.


Stellantis brands (e.g. Jeep and Dodge), BMW, and Subaru performed marginally better. However, Mozilla still made it crystal clear that they too were engaged in unsavory data shenanigans — adding that the issue was so vast and murky that it likely had only scratched the surface.


This wasn’t due entirely to how much data was being collected. It also stemmed from the fact that it wasn’t clear whether the data collected was even being encrypted or anonymized. Ultimately, the report determined that no automaker was doing a good job protecting user data and all of them were sucking it up as fast as possible.


From the Mozilla Foundation report:


It’s so strange to us that dating apps and sex toys publish more detailed security information than cars. Even though the car brands we researched each had several long-winded privacy policies (Toyota wins with 12), we couldn’t find confirmation that any of the brands meet our Minimum Security Standards.
Our main concern is that we can’t tell whether any of the cars encrypt all of the personal information that sits on the car. And that’s the bare minimum! We don’t call them our state-of-the-art security standards, after all. We reached out (as we always do) by email to ask for clarity but most of the car companies completely ignored us. Those who at least responded (Mercedes-Benz, Honda, and technically Ford) still didn’t completely answer our basic security questions.
A failure to properly address cybersecurity might explain their frankly embarrassing security and privacy track records. We only looked at the last three years, but still found plenty to go on with 17 [or 68 percent] of the car brands earning the “bad track record” ding for leaks, hacks, and breaches that threatened their drivers’ privacy.


“We spent over 600 hours researching the car brands’ privacy practices,” explained the report. “That’s three times as much time per product than we normally do. Even still, we were left with so many questions. None of the privacy policies promise a full picture of how your data is used and shared. If three privacy researchers can barely get to the bottom of what’s going on with cars, how does the average time-pressed person stand a chance?”


Here’s what we do know.


Roughly 84 percent of the companies investigated share or sell the personal data they accrue and 56 percent will share data with law enforcement in response to an informal request. That latter issue means the company will hand over information about you to the government sans any kind of official warrant or legal backing. Additionally, the average driver spends about 300 hours per year driving and literally every second of that involves some kind of data capture that’s then beamed back to the company that sold you the vehicle.


There also seems to be a general consensus that Tesla is among the worst offenders (if not the worst) in terms of data harvesting and customer privacy. Axios noted this in 2019 and Mozilla backed it in its recent report.


However, chalking it up to companies wanting to spy on you is a massive oversimplification. Data sales is already a multi-billion-dollar industry and McKinsey has estimated that the automotive component will be worth between $450-750 billion by 2030. Still, minimizing the harm this could cause feels unwise and is already tragically commonplace.


One of the preferred ways of downplaying invasions of privacy is to suggest that one’s privacy has already been violated. People will make remarks about how their credit card company, phone, internet service provider, and other businesses are already spying on them — suggesting that another entity taking a peek into your personal doings is of little consequence.


This is a less-than-serious argument made by people who lack standards for themselves and those who have been so badly abused that subsequent abuse no longer registers as harm. One doesn’t suddenly stop being injured once their assailant has thrown a dozen punches and the issue is no different in terms of enduring privacy violations.


Your data is extremely valuable. Every company in the world wouldn’t be bending over backward to procure it otherwise. Social media companies' entire business model revolves around commodifying user data and other industries are quickly following suit. While customers do sometimes get something out of the arrangement (e.g. a deluge of analytics helping to yield a better product), that’s hardly a guarantee and it’s more common to see data being harvested just for the sake of having it on hand for later.


This could be resolved by limiting data harvesting to specific tasks. For example, something like Ford Pro offers scads of analytics to fleet operators with the Blue Oval raking in data that can be further used to improve its products. Regardless of how lopsided the deal is, the customer is still getting something in return.


But this reciprocation becomes less evident when we move to private vehicle ownership. Drivers may benefit from over-the-air updates (though they often seem like an excuse to dodge more complicated and costly repairs) and future products. However, it’s ultimately the company that benefits monetarily with the customer having no real way of opting out.


Similar to how various data-hungry websites offer lengthy terms and conditions nobody has time to read that come into effect the second you log in, automakers are making it extremely difficult to opt out of so-called vehicle data agreements.


“Many people have lifestyles that require driving. So unlike a smart faucet or voice assistant, you don’t have the same freedom to opt out of the whole thing and not drive a car,” stated Mozilla. “We’ve talked before about the murky ways that companies can manipulate your consent. And car companies are no exception. Often, they ignore your consent. Sometimes, they assume it. Car companies do that by assuming that you have read and agreed to their policies before you step foot in their cars. Subaru’s privacy policy says that even passengers of a car that uses connected services have ‘consented’ to allow them to use — and maybe even sell — their personal information just by being inside.”


While there are a few countries and states that have enacted privacy legislation designed to protect against all the above, they’re in the minority and such laws rarely end data procurement in its entirety. There also doesn’t seem to be any automaker that’s going against the grain by electing not to harvest your personal information. This not only blurs the line in terms of who actually owns the vehicle you’ve spent so much money on, it also sets an ugly precedent for future privacy violations.


There are a few solutions. Customers can attempt to disable the connectivity features on their vehicles. However, this would nullify any features tied to those services and almost assuredly void aspects of your warranty. One could also exclusively buy older vehicles that lack connectivity features. But that’s not convenient for everyone and there will come a day when those models are difficult to come by in decent condition.


That basically just leaves customers finally coming together to tell the industry they’ve had enough of this. However, that could be easier said than done. Data procurement has spent the last two decades being normalized in a slew of industries and the government seems ill-equipped to even understand the concept of mass data harvesting, let alone how best to regulate such things.


Mozilla offered a petition asking car companies to “respect drivers’ privacy and to stop collecting, sharing and selling our very personal information.” But your author is inclined to believe that it’s going to take a lot more than that to undo what’s now the status quo.


The industry has already said it cannot comply with right-to-repair laws that are already on the books and they'll undoubtedly use similar arguments in regard to privacy concerns. There's little hope of automakers abandoning mass data harvesting without a fight. Raising awareness is absolutely essential in winning that battle. However, the data is simply too lucrative for companies to willingly abandon. Consumers will need to do more than simply acknowledge how unfair this is and that applies to more than just what's going on in the automotive sector.


[Image: Nissan]


Matt Posky

A staunch consumer advocate tracking industry trends and regulation. Before joining TTAC, Matt spent a decade working for marketing and research firms based in NYC. Clients included several of the world’s largest automakers, global tire brands, and aftermarket part suppliers. Dissatisfied with the corporate world and resentful of having to wear suits every day, he pivoted to writing about cars. Since then, that man has become an ardent supporter of the right-to-repair movement, been interviewed on the auto industry by national radio broadcasts, driven more rental cars than anyone ever should, participated in amateur rallying events, and received the requisite minimum training as sanctioned by the SCCA. Handy with a wrench, Matt grew up surrounded by Detroit auto workers and managed to get a pizza delivery job before he was legally eligible. He later found himself driving box trucks through Manhattan, guaranteeing future sympathy for actual truckers. He continues to conduct research pertaining to the automotive sector as an independent contractor and has since moved back to his native Michigan, closer to where the cars are born. A contrarian, Matt claims to prefer understeer — stating that front and all-wheel drive vehicles cater best to his driving style.


Comments
  • Sobhuza Trooper on Sep 18, 2023

    Last month we rented a 2022 Toyota Highlander for an extended trip. While passing another vehicle, my wife noted a "WOLF" name on its back hatch and asked me "What is a Wolf?" Before I could suggest it was probably the name of the dealership which sold it, our car piped up, telling us that a wolf was a predator animal native to North America.


    Not a fan.

  • Sgeffe on Sep 18, 2023

    I'll take the privacy hit required for the telematics to be able to remote-start/lock/etc. the car from anywhere in the world. Beyond that, the lesser the better, even though if I believed that would ever happen, I'd also call myself delusional.
