We’re open books on the open road: Car brands are awful at privacy, security

Sep 14, 2023, 12:15 PM | Updated: 12:22 pm

Image: A 2020 Nissan Leaf is on display at the 2020 Pittsburgh International Auto Show on Feb. 13, ...

A 2020 Nissan Leaf is on display at the 2020 Pittsburgh International Auto Show on Feb. 13, 2020 in Pittsburgh. (Photo: Gene J. Puskar, AP file)

(Photo: Gene J. Puskar, AP file)

Maybe you are driving and having a private conversation with your best friend or spouse on your cell phone while your favorite song is on the radio. Since you are driving in your car with the windows up,  you think no one can hear you. Someone can.

Perhaps you are having sex in your car on a quiet, remote road and you think no one can hear you. Someone can.

Just like all of the sci-fi movies, someone is listening. And, now, it’s your car.

Cars are the worst product category we have ever reviewed for privacy,” said Jen Caltrider, the lead for Mozilla’s buyer’s guide, “Privacy Not Included.”

Since it was established in 2017, Privacy Not Included has been looking into the privacy and security of connected devices like phones and home pods like Alexa, and fitness trackers. “Our goal is to help you shop smart—and safe—for products that connect to the internet,” its website reads.

Caltrider said the Privacy team looks at a variety of categories, including how much data something collects, how they’re using that data, whether they share it with third parties for targeted advertising and if they sell it. Also, they consider whether companies have a good track record of protecting and respecting consumer data, if they do basic minimum security and handle security vulnerabilities.

A ‘privacy nightmare’

“We looked at all 25 car brands on that, and all 25 earned our Privacy Not Included warning label because they don’t do a good job at that,” Caltrider said. The Privacy website says modern cars are a “privacy nightmare.”

The report indicated that some car companies even track our sexual habits.

“That’s what Nissan’s privacy policy said. They said they had a section… a chart of data they say they could collect and sexual activity was listed in that chart of data they say they can collect,” Caltrider  confirmed. “And they say they can use that for things like interest based advertising.  Targeted marketing is how they describe how they can use that potential data. And that raises some eyebrows, doesn’t it?”

So, how do they track our information and what do they do with it?

“That’s the thing we just don’t know. What we know is what they publicly say … they can collect this data. They don’t say how they can collect it. They don’t say specifically what they’re going to use it for beyond marketing purposes,” Caltrider said. “But they do say they can collect it and the fact that they say that they can collect it, but then (aren’t) very clear about the the hows and the whys raises a lot of red flags.”

Most (84%) of the car brands Mozilla researched say they can share your personal data with “service providers, data brokers, and other businesses we know little or nothing about.” Nineteen of the 25 (76%) say they can sell your personal data.

And if you think about opting out of the privacy settings, good luck. Consumers don’t have a lot of choice when it comes to these car companies.

Will dashboard AM radio be saved? Bipartisan bill would require automakers to keep it in new cars

Caltrider brought up Tesla specifically as a good example. “They have a paragraph in their privacy policy that clearly says, if you want to opt out of data collection, for privacy purposes, you can, but in that same paragraph, they go on to say, ‘Oh yeah, but your car might not work or (it) might become unsafe,'” she said.

“A lot of times these these things are tied to safety features, or just great features that consumers might enjoy,” Caltrider added. “But you don’t have a lot of options. And not everybody is guaranteed the right to have their deleted data. Data deleted once is collected, which is scary.”

Where our personal information is going

For starters, the brands are selling consumer information to advertisers.

“Our personal information is big business,” Caltrider said, “They’re collecting as much data on you as they can, through your cars with the sensors, the microphones, the cameras that face in, the cameras that face out, the connected services that you use in your cars to listen to the radio, or navigate or contact emergency services, to the apps that you can use to start them, honk the horn set up, set up service appointments, all of that is collecting your data.”

They can also reach out and even buy more data on you from data brokers.

“They use it to create things they like, inferences about your intelligence or your characteristics. And those profiles are very valuable because that’s how they target you with marketing and get you to buy more stuff,” Caltrider added.

And if that isn’t scary enough, 56% of car companies can share our information with the government. Caltrider noted that all companies have a line in their privacy policy about how they can share data with law enforcement agencies and the government. What consumers want to see is the company won’t share data unless it comes in a court order, and even then, they’ll only share the minimum as possible.

“What we saw in car companies’ privacy policies about sharing was beyond crazy,” she said. “We saw that they said that they could share data with law enforcement with government or have something as simple as an informal request. … it’s very broad and very low bar. And when you think about all the data these cars collect, and can collect about where you’re going, how many people you might be going with, listening in on microphones, it gets really scary.”

The car brands’ practices are legal

None of the recording and sharing of our personal information is illegal, Mozilla notes.

“Unfortunately, it’s not against the law. And that’s the problem,” Caltrider said. “Consumers need better privacy protections in California (everywhere). Some consumers have better privacy protections … which allows them to at least get their data deleted. But I live in Vermont, I tried to get my car company to delete my data. And they laughed at me, basically. … They aren’t companies generally aren’t breaking the law, because there is no federal privacy law. And this is just where we are right now. We need to demand a federal privacy law.”

More on this topic in business: Amazon fined $25M for violating child privacy with Alexa

Oh, and if you have passengers, you, as the owner of the car, are responsible for relaying the privacy policy information the car companies set.

So, where do you find your car’s privacy policy? Caltrider said it’s next to impossible. But those who visit can likely find the policies that apply to them.

When asked how to opt out of the privacy settings, Caltrider laughed, saying it’s not just realistic. “You know, people need to buy cars. And some of these things, the current modern cars have great backup cameras, you know, being able to navigate with a little screen on your car that helps you is great. So some of this stuff is great. Unfortunately, consumers don’t have a lot of choice when it comes to the data collection.”

Caltrider spoke at length about privacy settings and she told me, the best thing to do as a consumer/car owner is to call, email, or write your state and federal government. This is especially true since there are no federal laws to protect us against our date being sold and how car companies are listening in.

“What I’ve been telling people to do is get mad, and reach out to your elected official and demand that the policymakers and the regulators step up and deal with this problem because it’s gotten out of control and it’s only going to get worse if we don’t do something now,” she said.

KIRO Newsradio has reached out to BMW, Nissan, and Tesla for comment. Only BMW responded.

It stated:

Regarding Mozilla’s comment that states: “we can’t quite tell if they share (or sell) all that data with other third parties for their advertising purposes as well,” – we would like to confirm that BMW NA’s privacy policy explicitly states that BMW NA does not sell its customers personal information, such as their names, addresses, driving habits, Vehicle Identification Numbers, or other information that is tied to the customers or their vehicles. Additionally, BMW NA engages in online behavioral advertising solely for its own products or services (that is, to sell its vehicles to consumers). We do not sell this online information for use by other third-party companies for their own marketing purposes.

KIRO Newsradio

Image: The sun sets over the University District in Seattle. (File photo: Lindsey Wasson, AP)...

Ted Buehner

Friday sets new record for consecutive 80-degree days in Western Washington

A record-breaking streak of 80 degrees or better in Seattle and much of the Western Washington interior is expected to reach 16 days Friday.

23 hours ago

Photo: Police are looking for a Tacoma serial arsonist after a rash of fires. This photo is of a fi...

James Lynch

Tacoma police looking for serial arsonist after rash of fires endanger lives, property

Tacoma police are currently searching for a serial arsonist after a rash of fires in the area endangered lives and property.

2 days ago

Photo: Thousands of members of Boeing's Machinist Union met at T-Mobile Park Wednesday to decide wh...

James Lynch

Boeing machinists vote overwhelmingly to authorize a strike

Thousands of members of Boeing's Machinist Union met at T-Mobile Park Wednesday to decide whether to authorize a strike vote.

2 days ago

Image: Red and white reflective stripes are being added to Washington State Department of Transport...

Chris Sullivan

Going green isn’t what you think when it comes to WSDOT safety

The Washington State Department of Transportation (WSDOT) is tired of people plowing into trucks and is taking a green approach.

2 days ago

Photo: Traffic on I-5....

Micki Gamez

Prepare for traffic: Sound Transit to close lane of I-5 south

Washington has two seasons: winter and construction. Sound Transit is going to close one lane on I-5 south.

3 days ago

Image: Kimberly Cheatle is the 27th director of the U.S. Secret Service. She has held the position ...

Angela Poe Russell

Angela Poe Russell: The unlikely scapegoat in the Donald Trump assassination attempt

A Republican from Tennessee, said DEI was to blame for the tragedy that saw a gunman try to kill Donald Trump.

3 days ago

We’re open books on the open road: Car brands are awful at privacy, security