Insecure at Any Speed

You’re driving to work when a favourite song comes on the radio. You crank up the volume and sing along at the top of your frankly rather crappy voice. Who’s gonna know?

A friend’s car has broken down so you lend him yours. ‘Just don’t break it,’ you tell him, knowing he’s a hard and fast driver. ‘No worries,’ he tells you, and later in the day it’s all still in one piece when he hands you back the keys. He doesn’t mention that he’s given it a good thrashing, or that he had a furious argument with his partner about how he was treating your car. After all, who’s gonna know?

Your teenage son borrows the car for a Saturday night date and things end up getting… well, shall we say a little hot and heavy…? But really, who’s gonna know?

Pretty much everyone if you credit the work of three privacy researchers from the Mozilla Foundation who spent more than 600 hours investigating the major car brands’ privacy practices. Their conclusion: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy. None of the 25 car brands they researched passed their privacy checks, “making cars the official worst category of products for privacy that we have ever reviewed.”

A handful of the highlow-lights:

  • Tesla ranked lowest of the 25 manufacturers, getting privacy “dings” for every category.
  • Nissan has some deeply creepy data collection categories, including: “…citizenship status, immigration status, race, national origin, religious or philosophical beliefs, sexual orientation, sexual activity, precise geolocation, health diagnosis data, and genetic information.” [My emphasis]
  • Five other car companies opt to collect your “genetic information” or “genetic characteristics.” [I mean, seriously? Genetic information…?]
  • You are assumed to have read and agreed to the car companies data collection policies—that’s 12 separate documents in the case of Toyota—but Hyundai go one step further. Their privacy policy says that even passengers are assumed to have “consented” to the collection, use and possible sale of their personal information just by being inside the vehicle.
  • Should you tell people about the data grab? Nissan makes you! “You promise to educate and inform all users and occupants of your Vehicle about the Services and System features and limitations, the terms of the Agreement, including terms concerning data collection and use and privacy, and the Nissan Privacy Policy.” [I hope all Nissan Uber drivers are adhering to that.]
  • Manufacturers encourage you to connect your mobile phone to their vehicle’s apps to “enhance your driving experience”, but in doing so you give them permission to help themselves to your photos, (Audi), your calendar, (Hyundai), or your to-do list, (Mercedes-Benz). What’s more, many of the apps feed your driving behaviour to data brokers who then on-sell it to insurance companies. Ford even have a patent application to enhance the process.
  • Twenty-two of the 25 brands looked at (88%) mention creating “inferences” about you—assumptions based on data they collect combined with other information they may have. What sort of inferences? Here’s Nissan again:

“Inferences drawn from any Personal Data collected to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes”

  • Nine of the companies (39%), including Nissan, say specifically they reserve the right to sell that information to third parties. For many of the others, that “permission” to sell your data is buried in the terms and conditions of the free apps they encourage you to download.

Despite doing 600 hours of research, the Mozilla team concluded:

…we were left with so many questions. None of the privacy policies promise a full picture of how your data is used and shared. If three privacy researchers can barely get to the bottom of what’s going on with cars, how does the average time-pressed person stand a chance?

Tweet or share this:

Leave a Reply

Your email address will not be published. Required fields are marked *