Want to find out what information your internet-connected car is collecting about you and your passengers, and sending back to the overseas manufacturer—and possibly to third parties?
Some carmakers make it hard to find out. In one case, understanding the data policies required reading over 40,000 words spread across five documents.
This troubling insight comes from a new study by Katherine Kemp of the Law and Justice Department at the University of New South Wales, Driving Blind: The Unexamined Privacy Risks of Connected Cars.
Kemp says it is another reason why Australia needs “urgent reform of privacy laws.”
Many of the reasons your car is watching your every move are benign or even positive: it might detect an accident and call emergency services or notify you if you inadvertently leave a child in the back seat.
However, all 15 cars in the study go beyond helpful uses, collecting data that can reveal a lot about the driver but is of no use to them, yet could be valuable to overseas car manufacturers and a range of third parties, including government agencies and insurance companies.
Difficulties Finding Information
While data collection and storage are probably low on a buyer’s list of priorities—if they’re considered at all—the report says even tech-aware consumers would find “enormous obstacles” in finding and understanding privacy terms.“Some brands also make inaccurate claims that certain information is not ‘personal information,’ implying the Privacy Act doesn’t apply to that data,” Kemp said.
“Some are also repurposing personal information for ’marketing‘ or ’research,’ and sharing data with third parties.”
In addition to monitoring the car, manufacturers often require drivers to download an app to access various “connected services.”
- heat, cool, lock, or unlock the car
- locate the parked car using headlights and horn
- check fuel levels and tyre pressure
- use the car’s internal and external cameras to view its surroundings and interior.
“It could be disclosed to insurers or data brokers without [a person’s] consent,” she said.
“It could facilitate crimes, including domestic violence, stalking, and robbery.
National Security Risks
This year, the White House issued a warning that “certain hardware and software in connected vehicles enable the capture of information about geographic areas or critical infrastructure and present opportunities for malicious actors to disrupt the operations of infrastructure or the cars themselves.”“Commerce has determined that certain technologies used in connected vehicles from [Communist China] and Russia present particularly acute threats,” it said.
“These countries of concern could use critical technologies within our supply chains for surveillance and sabotage to undermine national security.”
When consumers try to find out what data their vehicle is collecting and where it is being sent, they are directed to an average of three documents totalling around 14,000 words per brand—if they can find them.
“Hurdles for consumers included missing privacy terms, unhelpful interfaces, and significant errors in published privacy policies,” Kemp said.
Privacy Terms For Major Brands
⊗ = not available ⊕ = mixed ⊕ = available| Brand | Full Privacy Terms Reasonably Available on Australian Website | Connected Privacy Terms: Number of Documents | Connected Privacy Document Word Count |
| Audi | ⊗ | 5 | 26,901 |
| BMW | ⊕ | 5 | 41,495 |
| BYD | ⊕ | 3 | 13,225 |
| Ford | ⊕ | 2 | 16,980 |
| GWM | ⊗ | 3 | 10,866 |
| Honda | ⊕ | 3 | 14,162 |
| Hyundai | ⊕ | 2 | 5,255 |
| Kia | ⊗ | 2 | 3,087 |
| Lexus | ⊕ | 3 | 12,625 |
| Mazda | ⊗ | 2 | 4,862 |
| Mercedes | ⊗ | 5 | 18,510 |
| MG | ⊕ | 1 | 3,524 |
| Tesla | ⊕ | 1 | 7,400 |
| Toyota | ⊕ | 3 | 16,808 |
| Volvo | ⊕ | 4 | 13,716 |
Kemp says several major brands fail to recognise the full scope of personal information protected by the Privacy Act.
“They claim that certain information ‘does not, on its own, personally identify’ the consumer, and they can use this for ‘any purpose,’” she explained.
Data Matching Allows Identification
For example, a map of a person’s precise location may not identify them on its own, but when combined with their home and work addresses or location history on their mobile phone, it can be linked to an individual. This data could then reveal:- Children’s schools
- Occupation
- Family and relationship status
- Political opinions or religious affiliations
- Use of legal, medical, rehabilitation, and family planning services
- Involvement in sex work and other services
- Specific individuals in the car and their interactions
- Planned activities
- Political and religious views
- Racial or ethnic origin
- Whether the driver is alone
The introduction of the technology in Australia has lagged behind other countries, notably the European Union and the United States. However, Austroads predicts that 93 percent of new car sales in Australia will be connected cars by 2031.
In 2023, the Mozilla Foundation analysed connected car privacy terms in the United States—where 63.4 percent of licensed drivers have connected cars and 91 percent of all new car sales include the feature—and concluded it was a “privacy nightmare on wheels.”
