Cars are spying on drivers
and a growing chorus of privacy advocates and
politicians say automakers aren't doing enough to
protect consumer data, collect. Gigabytes of personal data. They know who's driving it,
where they're driving. Huge amounts of data. You have a car that is
connected with the outside world. Any of those
connections potentially could be targeted by
hackers. The Mozilla Foundation,
makers of the Firefox browser, call cars a
privacy nightmare. They say they're the least
secure devices you can buy. A powerful statement given
the tech industry's reputation these days. You know the data collection
potential is only growing, and car companies have
gotten away with this for so long. So, you know, is the
toothpaste out of the tube? Can we put any of this back
in, or is this just the life that we live now? And our
cars aren't a means of independence and privacy
anymore. They're a place that we can
be spied and surveilled and coerced. Every one of the 25 brands
the group reviewed got a "Privacy Not Included"
rating, making the category as a whole the worst the
group has ever evaluated. Nissan's privacy policy is
probably the most mind-boggling, creepy, scary,
sad, messed up privacy policy we have ever read,
the group said in 2023. And we here at Privacy Not
Included read a lot of privacy policies. And yet, overall, Nissan
still fared better than Tesla. Making money off
information about you, aka data monetization, has been
hyped as a big business, albeit with mixed results. There's a big divide, right? Companies are focused on
collecting more and more data, trying to monetize
it. They're failing at it. And what consumers want is
exactly the opposite. In late April, two senators
asked the Federal Trade Commission to investigate
automakers for allegedly deceiving customers about
their own data management practices. Other agencies
at the state and federal level are probing the
issue. A car collects two types of
data: technical and personal. Technical data is
information about the car itself, battery, engine,
health, brakes, and so on. Personal is about the
driver or passengers in the car. Nearly anything you do
in a car can be tracked, and it can store fingerprints
and images of your facial features. Medical
information for emergency assistance services,
financial information for purchases, passwords, your
home address, and of course, the codes to your garage
door. Cars can record tons of
information about exactly where, when, and how you
drive and where and when you park. It's of great
interest to all sorts of parties, including
insurance companies. That they could collect your
biometric information, your genetic information, your
information about your sex life, your sexual activity,
your union status, your immigration status. You know, things like that
that are kind of very sensitive information. And again, you know, who
knows if they're collecting it? All we know is that
they require you to consent to a privacy policy that
says that they can. And the question then
becomes, well, how does them, you know, requiring
me to consent to them collecting information
about my sex life, get me from point A to point B
safely, which is what the car is supposed to do. That data is funneled into
any one of 60 or so on board computers. Cars also
commonly have 4G or 5G modems. This, of course,
allows anyone in the car to use the internet for work,
navigation or, say, if the kids in the back seat want
to watch a movie on a road trip. But as you drive
through the world, it's also broadcasting a Wi-Fi
network and the car's serial number. Rear facing cameras
are required by law, front facing cameras are common,
and a growing number of vehicles have cameras all
around them, such as on mirrors for lane keeping
assist features. Even some inside pointed at
the driver, such as those used for the driver
assistance system. Do you want the OEM
constantly collecting a photo of you or your
passengers inside the car? And some of these are
camera based. Some of these are infrared
eye, you know, monitoring systems. It kind of varies
across the OEM and model of what they decided
to use. Um, I mean, even the
forward facing camera you pull inside your garage,
that camera has a view inside of your garage and,
you know, possibly into your home. There's data there
that, you know, I personally wouldn't want people having
a camera on 24/7 inside my garage. Tesla's Sentry Mode, which
guards the car as it is parked, uses the cameras
positioned around the car to record suspicious activity. Connecting a smartphone
provides an even greater source of data and the
opportunity to draw a whole new range of connections. Your smartphone maker might
have a very tight data management policy, but the
infotainment system maker you plug it into might not. So who is interested in
this data and what are they doing with it? It depends
on who they are: companies, cops or criminals. First, let's talk about
companies. I think it started with good
intentions. Right. So cars again, a lot
of sensors were added and many of these features were
actually for safety. Right. And then I think
companies woke up one day and realized, oh my gosh,
we have this giant pile of data. McKinsey, the consultancy,
estimated in 2016 that the vehicle data monetization
market would be worth about $750 billion by 2030. Some data is collected for
internal use by, say, the OEMs themselves or their
captive financing arm, or to provide data to their
dealerships. Automakers have also in recent years, tried
to offer features and services directly to
customers in the car throughout the life of the
vehicle. And so that's when the
divergent point started to happen, in which data
collection became more and more because they wanted to
know about you and market things to you, and less and
less about because it was strictly necessary for the
maintenance and safety of the vehicle. Data gets sold to or
otherwise shared with advertising and research
firms, social media companies and others. Of the 25 brands the
Mozilla Foundation studied in 2023, 84% shared their
data with outside firms, 76% sold it. That includes data
brokers, which will sell extremely granular data on
drivers, including metrics like heart rate and driver
fatigue. Data can be sold to
insurance companies, even the ones the driver has a
policy with. 56% of companies in the
Mozilla study shared data with government or law
enforcement in response to a request, which seems to be
a broad and hazy category that can include someone
simply asking for it. I don't want law enforcement
to have access to any of my car's data or data about my
location or my microphone or camera without like a
significant reason for them to access that. And the fact that, you
know, they said that they could access it with
something as little as an informal request is, was,
was kind of nuts. We have a process and
procedure around getting a warrant or a wiretap, um, for phones. There's not
really set laws and procedures around setting
up a station that collects, you know, MAC addresses and
over-the-air tire pressure serial numbers. But you
could still start to track that. And you combine that
with, say, a license plate reader on the edge of your
city, and you set up a few of these monitoring
stations throughout your city. You can understand
the pattern of where everyone in your town is
going without having to have, uh, license plate
readers everywhere. Finally, crime. We helped a few dealerships
in our couple of last couple of years recovering
vehicles because they realized that the consumer
can come in with fake documents, they can test
drive the car, they create a connected account, and then
guess what? This has become a spare
key. You come back at night, you locate the car, you
unlock it, you study, you take it. Privacy4Cars, a data
privacy consumer protection company, says the data a car
holds is more valuable to criminals than the car
itself. Data or privacy breaches have been the most
common cybersecurity threat against automotive
companies in the last decade. There are also
cases of domestic abuse. A new plan out today would
make domestic abuse laws apply to car makers to try
to get ahead of some of the concerns that connected
cars or cars that connect to the internet could enable
stalking because of features like the ability to track
your car or turn your car on or off remotely. Problems continue after the
car is out of your hands. Four out of five cars are
sold with some personal data still on them. And in fact, one of the
biggest problems we face in privacy today is that
companies are bundling consent. My wife bought a
car recently, and it comes with one of those buttons
that if you press or if you get into an accident, it
calls automatically emergency services. The problem is you are
agreeing to give them a lot more data than they need
for the service. I think we can all agree
that safety is super important. I mean, more
than 40,000 people lose their lives every year. I feel at times that their
safety is a little bit less, you know, holding us
hostage and is used as a leverage point for
companies to extract data that has nothing to do,
that it's used for nothing to do with safety. What Amico was talking about
is just one problem. Another is when companies
allegedly gather data without any consent at all,
and there's been several lawsuits on those grounds.
One driver said General Motors and
LexisNexis Risk Solutions collected and distributed
his driving data, and it ultimately made its way to
insurance companies. He found it hard to secure
insurance from several providers, and when he did,
rates were doubled. It doesn't help that a car
can't tell who's driving. A friend or partner's worst
driving habits could drive up your insurance rate. GM
told CNBC it is reviewing the complaints and has no
further comment at this time. It did sever ties and
stopped sharing data with Verisk and LexisNexis Risk
Solutions on March 20th, 2024. As the Mozilla report
shows, nearly all brands available in the US today
have some kind of problematic data policy or
practice. CNBC reached out to every
automaker on the Mozilla list. GM, Nissan, Toyota,
Stellantis and BMW responded with statements saying they
take customer privacy and data protection very
seriously and comply with all applicable laws. Nissan said previous
reports suggesting otherwise misunderstood or
mischaracterized our privacy practices, and Stellantis
added that the Mozilla report contained multiple
errors. They say it contains all
these errors, but they've never pointed any of those
errors out to us directly. You know, because we
were always like, we'll make changes. If you can prove
to us that we got something wrong and they've not done
any of that. The major trade group
Alliance for Automotive Innovation shared a privacy
memo saying that connected car technology enables life
saving safety systems, allows automakers to
proactively identify defects and pinpoint resolutions by
design. No, your car isn't spying
on you. Companies will tell you,
well, everything is properly disclosed in our privacy
policy and terms, which takes an average of, you
know, five, six, seven hours for each manufacturer to
read. Very often you need a
college degree or a, you know, graduate degree. Amico said that Privacy4Cars
research indicates that less than 12% of
dealerships tell customers that their cars will share
their data. Even when they do, they
often say the vehicle only shares data that is
relevant to the vehicle warranty or in case of
emergency, or to provide some service. As cars have been
increasingly stuffed with tech, the case for data
monetization appears to have weakened. In 2021, McKinsey
cut its connected car data market estimate by about
half. A little bit of exaggeration
happening at the beginning, which is why, you know,
numbers may decrease over time. And it's very
common with high tech. I'm sure you may remember
projections back in the late 90s about, you know,
internet stuff, right? You know, I'm not a math
genius, but I know what the next data point is going to
be because it's a straight line. So reality is that,
you know, all these companies are focused on
what humbly is just the wrong thing, right? They're focused on a pie
that is shrinking over time, as companies are finding
it's harder and harder to monetize it. And there's more and more
pressure from regulators to make it shrink even faster. National security concerns
led the Biden administration to begin an inquiry into
the supply chain for connected cars in February
2024. FTC Chair Lina Khan has
been urged to investigate several automakers for
deceiving their customers by falsely claiming to require
a warrant or court order before turning over
customer location data to government agencies. The Federal Communication
Commission proposed new rules around vehicle data
to protect victims of domestic abuse in April. The California Privacy
Protection Agency, created in 2020, chose to review
connected cars as its first case in 2023. You know, I'm constantly
asked, you know, what's the best car to buy? And unfortunately, right
now the answer is probably if you're obsessed about
privacy, it's an older car. And let's be honest, people
can't prioritize privacy when shopping for a car. They have to look at what
they can afford and what's available to them, what
meets their needs, and the fact that, you know, you
know, you can't return a car after you've bought it
because it's got bad privacy, you know? So the big problem is
consumers don't have any good options. I mean, it
would be great if consumers could contact, you know,
their elected officials and lobby for what would be
good for consumers because that's important. That's
the one thing I can tell consumers that actually
could make a difference is if you push for a strong,
consumer focused federal privacy law that will
protect everybody equally. First of all, if you're
selling your car, you're returning your car to a
rental car company. Delete your data if you
know how to, or ask that they do it for you, but
they also they give you written evidence. They actually have done it
because, uh, privacy is a little bit in the world of
broken promises. I hate to tell you.