The ability of modern home appliances such as “smart” refrigerators and “Ring” doorbells to collect and store data about those who own them isn’t particularly shocking; it seems that any device that uses an internet connection in its functional operations may be implicated in the seemingly endless quest by private corporations to obtain and sell your personal information.
But some folks may not realize that while you’re blissfully snoring away the evening, that new car you adore that you’ve parked in your driveway has spent all night ruminating about your behavior and activities, carefully selecting and sifting through tidbits of your personal data and sending it back to its corporate creator.
As reported by Andrew Paul for Popular Science:
A comprehensive data privacy assessment of 25 major automakers’ vehicle tech deems cars “the official worst category of products for privacy” that the Mozilla Foundation has ever reviewed. For a bit of context here, every car company analyzed by Mozilla’s security experts failed crucial benchmark safeguards, compared to 63 percent of mental health apps they reviewed this year (which often come with their own serious security risks).
“While we worried that our doorbells and watches that connect to the internet might be spying on us, car brands quietly entered the data business by turning their vehicles into powerful data-gobbling machines,” Mozilla’s researchers explained in their findings announcement earlier this week. Because of this, they warn, vehicles’ “brag-worthy bells and whistles” now possess “an unmatched power to watch, listen, and collect information about what you do and where you go in your car.”
As might be expected, Tesla ranks the worst in terms of collecting your personal data. However, Tesla is far from alone: 85% of automakers share your personal data with third-parties. Over half of the car companies have provisions in their “privacy policies” allowing them to provide your data to governmental or law enforcement organizations upon a simple request, without a warrant.
So if President DeSantis’ newly created gestapo wants a list of your phone contacts, friends and relatives, or wants to scrape together a quick primer on all the medications you’ve been taking, how much you paid, and where they came from, or maybe just want to know where you went this weekend and who with, all they have to do is make a phone call to the car company.
“But I never do anything wrong!” you say. Well, actually, the car companies themselves will be the judge of that.
If all that weren’t enough, an additional creepy layer further worsens matters. According to Mozilla, at least two companies—Nissan and Kia—include Privacy Policy data categories explicitly labeled “sexual activity” and “sex life.” Exactly what kind of data this entails isn’t clear, but new cars often come equipped with microphones and cameras. Even if this data is somehow anonymized and aggregated, chances are those in the market for a new vehicle might want to take a closer look.
In fact, as Paul reports, Kia’s own privacy policy explicitly includes the collection of data on your sexual orientation and sexual activity: “Per Kia’s privacy policy page, “sex and gender information,” as well as “health, sex life or sexual orientation information” may be collected. How they actually do this is murky, but they do it. Biometric data collection abounds in motor vehicles, from determining your weight in deciding to deploy an airbag, to reading your eyelids’ position to recommend a coffee break. But that barely scratches the surface of what cars are now being designed to detect.
Nissan was the most forthcoming about their data collection:
Japan-based Nissan astounded researchers with the level of honesty and detailed breakdowns of data collection its privacy notice provides, a stark contrast with Big Tech companies such as Facebook or Google. “Sensitive personal information” collected includes driver’s license numbers, immigration status, race, sexual orientation and health diagnoses.
As Paul notes, one of the dead giveaways is that provision in your owner’s manual that the vast majority of car owners never read: the one titled “Tips to Protect Yourself.” To be perfectly clear, the car company doesn’t care about your protection. That clause is included so they have plausible deniability for any later disputes about monetizing your data should things go … awry, somehow, by including buried warnings that they well know 99% of people pay exactly zero attention to; as Paul observes, each individualized review of the 25 carmakers includes a section entitled “Tips to protect yourself,” which includes suggestions such as to avoid using a car’s app and limiting its permissions on your phone.”
As reported by the Associated Press, “The proliferation of sensors in automobiles — from telematics to fully digitized control consoles — has made them prodigious data-collection hubs.”
“Increasingly, most cars are wiretaps on wheels,” said Albert Fox Cahn, a technology and human rights fellow at Harvard’s Carr Center for Human Rights Policy. “The electronics that drivers pay more and more money to install are collecting more and more data on them and their passengers.”
As explained in detail by Sam Biddle , writing for the Intercept, the data collecting you submit to by connecting your smart phone through your vehicle allows allows just about anyone to access your personal data without resorting to a pesky warrant.
Anyone who’s taken a spin in a new-ish vehicle and connected their phone — whether to place a hands-free call, listen to Spotify, or get directions — has probably been prompted to share their entire contact list, presented as a necessary step to place calls but without any warning that a perfect record of everyone they’ve ever known will now reside inside their car’s memory, sans password.
{***]
The push to make our cars extensions of our phones (often without any meaningful data protection) makes them tremendously enticing targets for generously funded police agencies with insatiable appetites for surveillance data. Part of the appeal is that automotive data systems remain on what Tajsar calls the “frontier of the Fourth Amendment."
Much like the phrase “frontier of the Fourth Amendment” suggests, it’s that yawning abyss between rapidly developing technology and the legal implications of its use, a place where “anything goes,” including what’s left of your privacy. One of the most energetic of all the government agencies utilizing this data is U.S. Customs and Border Protection, which has purchased technology from a “data extraction firm” that “vacuums up reams of personal information stored inside cars.” Biddle reports on a podcast appearance by that firm’s founder, Ben LeMere, in which he explained the company’s capabilities:
Biddle quotes from that podcast:
“Your phone died, you’re gonna get in the car, plug it in, and there’s going to be this nice convenient USB port for you. When you plug it into this USB port, it’s going to charge your phone, absolutely. And as soon as it powers up, it’s going to start sucking all your data down into the car.”
In the same podcast, LeMere also recounted the company pulling data from a car rented at BWI Marshall Airport outside Washington, D.C.:
“We had a Ford Explorer … we pulled the system out, and we recovered 70 phones that had been connected to it. All of their call logs, their contacts and their SMS history, as well as their music preferences, songs that were on their device, and some of their Facebook and Twitter things as well. … And it’s quite comical when you sit back and read some of the the text messages.”
“Quite comical,” indeed. But perhaps it depends more on the audience.