Spyware on Wheels: Is Your Car Sharing—Even Selling—Your Personal Data?

A new report on Australia’s 15 most popular car brands reveals extensive privacy concerns, including unauthorised sharing with third parties.
Spyware on Wheels: Is Your Car Sharing—Even Selling—Your Personal Data?
Sean Gallup/Getty Images
Updated:
0:00

Want to find out what information your internet-connected car is collecting about you and your passengers, and sending back to the overseas manufacturer—and possibly to third parties?

Some carmakers make it hard to find out. In one case, understanding the data policies required reading over 40,000 words spread across five documents.

This troubling insight comes from a new study by Associated Professor Katherine Kemp of the Law and Justice Department at the University of New South Wales, Driving Blind: The Unexamined Privacy Risks of Connected Cars.

Kemp says it is another reason why Australia needs “urgent reform of privacy laws.”

Many of the reasons your car is watching your every move are benign or even positive: it might detect an accident and call emergency services or notify you if you inadvertently leave a child in the back seat.

However, all 15 cars in the study go beyond helpful uses, collecting data that can reveal a lot about the driver but is of no use to them, yet could be valuable to overseas car manufacturers and a range of third parties, including government agencies and insurance companies.

“If this data is misused,” Kemp warns, “it can result in privacy and security threats.”

Difficulties Finding Information

While data collection and storage are probably low on a buyer’s list of priorities—if they’re considered at all—the report says even tech-aware consumers would find “enormous obstacles” in finding and understanding privacy terms.

“Some brands also make inaccurate claims that certain information is not ‘personal information,’ implying the Privacy Act doesn’t apply to that data,” Kemp said.

“Some are also repurposing personal information for ’marketing‘ or ’research,’ and sharing data with third parties.”

In addition to monitoring the car, manufacturers often require drivers to download an app to access various “connected services.”

Depending on the brand and model, these may include the ability to remotely:
  • heat, cool, lock, or unlock the car
  • locate the parked car using headlights and horn
  • check fuel levels and tyre pressure
  • use the car’s internal and external cameras to view its surroundings and interior.
Kemp says the information collected by cars can be misused in various ways.

“It could be disclosed to insurers or data brokers without [a person’s] consent,” she said.

“It could facilitate crimes, including domestic violence, stalking, and robbery.

“It also risks the driver being subject to unjustified police or government surveillance and presents national security risks.”

National Security Risks

This year, the White House issued a warning that “certain hardware and software in connected vehicles enable the capture of information about geographic areas or critical infrastructure and present opportunities for malicious actors to disrupt the operations of infrastructure or the cars themselves.”

“Commerce has determined that certain technologies used in connected vehicles from [Communist China] and Russia present particularly acute threats,” it said.

“These countries of concern could use critical technologies within our supply chains for surveillance and sabotage to undermine national security.”

When consumers try to find out what data their vehicle is collecting and where it is being sent, they are directed to an average of three documents totalling around 14,000 words per brand—if they can find them.

“Hurdles for consumers included missing privacy terms, unhelpful interfaces, and significant errors in published privacy policies,” Kemp said.

There may also be further privacy notices in the vehicle, the user manual, or the purchase contract.

Privacy Terms For Major Brands

= not available = mixed = available
BrandFull Privacy Terms Reasonably Available on Australian WebsiteConnected Privacy Terms: Number of DocumentsConnected Privacy Document Word Count
Audi526,901
BMW541,495
BYD313,225
Ford216,980
GWM310,866
Honda314,162
Hyundai25,255
Kia23,087
Lexus312,625
Mazda24,862
Mercedes518,510
MG13,524
Tesla17,400
Toyota316,808
Volvo413,716
(Courtesy of Katharine Kemp/UNSW)

Kemp says several major brands fail to recognise the full scope of personal information protected by the Privacy Act.

“They claim that certain information ‘does not, on its own, personally identify’ the consumer, and they can use this for ‘any purpose,’” she explained.

“But this can, in fact, be personal information about a reasonably identifiable individual.”

Data Matching Allows Identification

For example, a map of a person’s precise location may not identify them on its own, but when combined with their home and work addresses or location history on their mobile phone, it can be linked to an individual. This data could then reveal:
  • Children’s schools
  • Occupation
  • Family and relationship status
  • Political opinions or religious affiliations
  • Use of legal, medical, rehabilitation, and family planning services
  • Involvement in sex work and other services
If the data includes audio or video from inside the car, it could identify:
  • Specific individuals in the car and their interactions
  • Planned activities
  • Political and religious views
  • Racial or ethnic origin
  • Whether the driver is alone
Although not all cars on the Australian market offer connectivity, it is expected to change rapidly.

The introduction of the technology in Australia has lagged behind other countries, notably the European Union and the United States. However, Austroads predicts that 93 percent of new car sales in Australia will be connected cars by 2031.

In 2023, the Mozilla Foundation analysed connected car privacy terms in the United States—where 63.4 percent of licensed drivers have connected cars and 91 percent of all new car sales include the feature—and concluded it was a “privacy nightmare on wheels.”

Rex Widerstrom
Rex Widerstrom
Author
Rex Widerstrom is a New Zealand-based reporter with over 40 years of experience in media, including radio and print. He is currently a presenter for Hutt Radio.
Related Topics