Major automakers are failing to protect customer privacy while collecting data from drivers, according to a recent study.
Most car owners are unaware of the vast amounts of personal data being collected and transmitted, let alone who collects it, or how it is being used or sold.
The latest vehicles are gathering driver locations, personal preferences, and details about users’ daily lives.
All of the 25 car companies examined in the study received a privacy warning label for collecting massive streams of personal data without notifying drivers.
Vulnerabilities for Drivers
The increasing digitization of cars has been touted for years by automakers as a way to boost sales.
“Car makers have been bragging about their cars being ‘computers on wheels’ for years to promote their advanced features,” the study said, but “the conversation about what driving a computer means for its occupants’ privacy hasn’t really caught up.”
Ashkan Soltani, executive director of the state privacy watchdog California Privacy Protection Agency (CPPA), said that “modern vehicles are effectively connected computers on wheels.”
“They’re able to collect a wealth of information via built-in apps, sensors, and cameras, which can monitor people both inside and near the vehicle.”
Mozilla said that automakers are gathering “more personal data than necessary” and “for a reason other than to operate your vehicle and manage their relationship with you.”
Twenty-one of the car brands, or 84 percent, said they could share personal data with service providers, data brokers, and other businesses, while 19 firms, or 76 percent, admit to selling sensitive information.
Shockingly, 14 firms, or 56 percent, said they would share information with the government or law enforcement in response to an “informal request,” which is a very low bar.
The majority, about 92 percent, of vehicle manufacturers, give drivers little to no control over how their personal data is collected or used.
Automakers were discovered by researchers to even collect “super intimate information” about drivers in “huge quantities.”
Nissan and Kia stated in their privacy policies that they took information about a driver’s “sex life,” while six of the companies in the study said they collected “genetic information” from their customers.
Renault and Dacia, which belong to the same French conglomerate, were the only brands in the study that give drivers the option to have their personal data deleted, because of strict European Union privacy laws.
“It’s probably no coincidence though that these cars are only available in Europe — which is protected by the robust General Data Protection Regulation (GDPR) privacy law,” Mozilla researchers wrote.
Failing to Protect Customer Information
The Mozilla Foundation also admitted that they could not confirm whether any of the carmakers met its minimum security standards.There is concern that companies are failing to properly encrypt collected personal information, which “might explain their frankly embarrassing security and privacy track records,” said researchers.
Seventeen of the companies received a “bad track record” for leaks, hacks, and breaches in the study.
Hacking is the top privacy concern, followed by car thefts, break-ins, and bad actors gaining control of car systems and disrupting services.
Driver data privacy breaches have become the most common cybersecurity threat against automakers over the last decade, accounting for 30 percent of all threats, according to Privacy4Cars.
Criminals can also hack into a vehicle’s telematics data, which allows them to pinpoint the exact location of a driver, or use tools to access the onboard diagnostic ports of cars to replicate and create new keys to steal a vehicle.
Data Privacy a Nationwide Concern
Owing to lax privacy standards across the board, Mozilla noted that consumers have limited ability to protect their privacy when it comes to cars.“People don’t comparison-shop for cars based on privacy. And they shouldn’t be expected to,” the study said.
“Even if you did have the funds and the resources to comparison shop for your car based on privacy, you wouldn’t find much of a difference. Because according to our research, they are all bad!”
Meanwhile, the CPPA will start reviewing vehicle manufacturers’ efforts to collect private information from drivers in California, according to a July 31 press release.
The state agency is the first independent data protection authority in the nation and is in charge of implementing and enforcing California’s privacy laws.
It is governed by a five-member board, formed in November 2020, after voters approved the California Privacy Rights Act of 2020, which expanded privacy protections under the California Consumer Privacy Act of 2018.
The agency will require car manufacturers to provide information on how they collect user data, including location sharing, web-based entertainment, smartphone use, and cameras, to enforce compliance with state privacy laws.
The tool informs vehicle owners on what information is sold and to whom, including location status and their biometrics data, including their voice, facial recognition, and fingerprint records.
It also tells owners if that information is sent to the government, service providers, insurance, or data brokers.
