We’re open books on the open road: Car brands are awful at privacy, security
Sep 14, 2023, 12:15 PM | Updated: 12:22 pm

A 2020 Nissan Leaf is on display at the 2020 Pittsburgh International Auto Show on Feb. 13, 2020 in Pittsburgh. (Photo: Gene J. Puskar, AP file)
Maybe you are driving and having a private conversation with your best friend or spouse on your cell phone while your favorite song is on the radio. Since you are driving in your car with the windows up, you think no one can hear you. Someone can.
Perhaps you are having sex in your car on a quiet, remote road and you think no one can hear you. Someone can.
Just like all of the sci-fi movies, someone is listening. And, now, it’s your car.
“Cars are the worst product category we have ever reviewed for privacy,” said Jen Caltrider, the lead for Mozilla’s buyer’s guide, “Privacy Not Included.”
Since it was established in 2017, Privacy Not Included has been looking into the privacy and security of connected devices such as phones, home pods like Alexa, and fitness trackers. “Our goal is to help you shop smart—and safe—for products that connect to the internet,” its website reads.
Caltrider said the Privacy team looks at a variety of categories, including how much data a product collects, how the company uses that data, whether it shares the data with third parties for targeted advertising and whether it sells it. The team also considers whether companies have a good track record of protecting and respecting consumer data, whether they meet basic minimum security standards and how they handle security vulnerabilities.
A ‘privacy nightmare’
“We looked at all 25 car brands on that, and all 25 earned our Privacy Not Included warning label because they don’t do a good job at that,” Caltrider said. The Privacy website says modern cars are a “privacy nightmare.”
The report indicated that some car companies even track our sexual habits.
“That’s what Nissan’s privacy policy said. They said they had a section… a chart of data they say they could collect and sexual activity was listed in that chart of data they say they can collect,” Caltrider confirmed. “And they say they can use that for things like interest based advertising. Targeted marketing is how they describe how they can use that potential data. And that raises some eyebrows, doesn’t it?”
So, how do they track our information and what do they do with it?
“That’s the thing we just don’t know. What we know is what they publicly say … they can collect this data. They don’t say how they can collect it. They don’t say specifically what they’re going to use it for beyond marketing purposes,” Caltrider said. “But they do say they can collect it and the fact that they say that they can collect it, but then (aren’t) very clear about the hows and the whys raises a lot of red flags.”
Most (84%) of the car brands Mozilla researched say they can share your personal data with “service providers, data brokers, and other businesses we know little or nothing about.” Nineteen of the 25 (76%) say they can sell your personal data.
And if you think about opting out of the privacy settings, good luck. Consumers don’t have a lot of choice when it comes to these car companies.
Caltrider brought up Tesla specifically as a good example. “They have a paragraph in their privacy policy that clearly says, if you want to opt out of data collection, for privacy purposes, you can, but in that same paragraph, they go on to say, ‘Oh yeah, but your car might not work or (it) might become unsafe,'” she said.
“A lot of times these things are tied to safety features, or just great features that consumers might enjoy,” Caltrider added. “But you don’t have a lot of options. And not everybody is guaranteed the right to have their deleted data. Data deleted once is collected, which is scary.”
Where our personal information is going
For starters, the brands are selling consumer information to advertisers.
“Our personal information is big business,” Caltrider said, “They’re collecting as much data on you as they can, through your cars with the sensors, the microphones, the cameras that face in, the cameras that face out, the connected services that you use in your cars to listen to the radio, or navigate or contact emergency services, to the apps that you can use to start them, honk the horn set up, set up service appointments, all of that is collecting your data.”
They can also reach out and even buy more data on you from data brokers.
“They use it to create things they like, inferences about your intelligence or your characteristics. And those profiles are very valuable because that’s how they target you with marketing and get you to buy more stuff,” Caltrider added.
And if that isn’t scary enough, 56% of car companies can share our information with the government. Caltrider noted that all companies have a line in their privacy policy about how they can share data with law enforcement agencies and the government. What consumers want to see is that the company won’t share data unless it is required to by a court order, and even then, that it will share only the minimum possible.
“What we saw in car companies’ privacy policies about sharing was beyond crazy,” she said. “We saw that they said that they could share data with law enforcement with government or have something as simple as an informal request. … it’s very broad and very low bar. And when you think about all the data these cars collect, and can collect about where you’re going, how many people you might be going with, listening in on microphones, it gets really scary.”
The car brands’ practices are legal
None of the recording and sharing of our personal information is illegal, Mozilla notes.
“Unfortunately, it’s not against the law. And that’s the problem,” Caltrider said. “Consumers need better privacy protections in California (everywhere). Some consumers have better privacy protections … which allows them to at least get their data deleted. But I live in Vermont, I tried to get my car company to delete my data. And they laughed at me, basically. … They aren’t companies generally aren’t breaking the law, because there is no federal privacy law. And this is just where we are right now. We need to demand a federal privacy law.”
Oh, and if you have passengers, you, as the owner of the car, are responsible for relaying the privacy policy information the car companies set.
So, where do you find your car’s privacy policy? Caltrider said it’s next to impossible. But those who visit privacynotincluded.org can likely find the policies that apply to them.
When asked how to opt out of the privacy settings, Caltrider laughed, saying it’s just not realistic. “You know, people need to buy cars. And some of these things, the current modern cars have great backup cameras, you know, being able to navigate with a little screen on your car that helps you is great. So some of this stuff is great. Unfortunately, consumers don’t have a lot of choice when it comes to the data collection.”
Caltrider spoke at length about privacy settings, and she told me the best thing to do as a consumer/car owner is to call, email, or write your state and federal government. This is especially true since there are no federal laws to protect us against our data being sold and how car companies are listening in.
“What I’ve been telling people to do is get mad, and reach out to your elected official and demand that the policymakers and the regulators step up and deal with this problem because it’s gotten out of control and it’s only going to get worse if we don’t do something now,” she said.
KIRO Newsradio has reached out to BMW, Nissan, and Tesla for comment. Only BMW responded.
It stated:
Regarding Mozilla’s comment that states: “we can’t quite tell if they share (or sell) all that data with other third parties for their advertising purposes as well,” – we would like to confirm that BMW NA’s privacy policy explicitly states that BMW NA does not sell its customers personal information, such as their names, addresses, driving habits, Vehicle Identification Numbers, or other information that is tied to the customers or their vehicles. Additionally, BMW NA engages in online behavioral advertising solely for its own products or services (that is, to sell its vehicles to consumers). We do not sell this online information for use by other third-party companies for their own marketing purposes.