Mozilla Release Privacy Report on Connected Cars: Are You Driving a Privacy Nightmare?

Connected cars: The road to intrusion

Researchers at the Mozilla Foundation examined 25 car brands as part of their *Privacy Not Included project. The project is designed to help consumers make informed decisions about the privacy and security implications of smart devices and Internet of Things (IoT) products.

Your vehicle might not be the first thing that pops to mind when IoT is mentioned, but modern cars are basically big computers on wheels, increasingly connected to our digital world.

We now have vehicles equipped with advanced communication and connectivity technologies. They can connect to the internet, and communicate with other vehicles, smartphones, and infrastructure, allowing for a wide range of features and capabilities.

Here are just some of the key features connected cars offer:

• Internet connectivity: Built-in internet connectivity, often through cellular networks, Wi-Fi, Bluetooth, or other communication protocols.
• Telematics: Telematics systems gather data about the vehicle's performance including details on engine health, location, driving behavior, and more.
• Navigation and GPS: Connected cars typically feature advanced GPS and navigation systems that can provide real-time traffic updates, route optimization, and location-based services.
• Infotainment: Some vehicles come with integrated infotainment systems offering music streaming, weather updates, news, and social media access.
• Remote control: Many connected cars allow owners to remotely control certain functions, like locking/unlocking doors, starting the engine, or adjusting climate control, using a mobile app.
• Safety and driver assistance: Connected cars can improve safety through features like automatic emergency calling (eCall) in case of an accident and advanced driver assistance systems (ADAS) that use data and sensors to enhance driving safety.
• Vehicle-to-Everything (V2X) Communication: Connected cars can communicate with other vehicles (V2V), infrastructure (V2I), and pedestrians (V2P), which can improve traffic flow, safety, and efficiency.
• Data Analytics: Manufacturers and service providers can analyze the data collected from connected cars to improve vehicle performance, offer predictive maintenance, and develop new services.

These features require the collection of user data. Lots of it. Yet, for so long they have flown (drove?) under the radar of the privacy hounds.

Until now that is.

What did the Mozilla car privacy study find?

Out of the 25 car brands studied, ALL of them failed Mozilla's privacy tests. Every single one earned a *Privacy Not Included warning label. The all-out rock bottom score sheet makes cars the worst category of products ever reviewed by Mozilla. That makes them even worse than mental health apps and fitness trackers, and they are pretty awful!

Here are the key takeaways from the study:

• 84% of the car brands share your personal data with service providers, data brokers, and other “unknown” businesses.
• 76% of them say they can sell your personal data.
• 56% will share your information with government or law enforcement in response to requests as low as an “informal request.”
• Only two car brands give drivers the right to have their personal data deleted.
• 68% of the car brands earned a Mozilla “bad track record” rating for leaks, hacks, and data breaches.

The Mozilla researchers also couldn't confirm if any of the brands met their Minimum Security Standards. After trawling through long-winded, jargon-filled privacy policies, they couldn't discern if any of the connected cars encrypt the personal information that they collect.

What Mozilla did discover in those connected car privacy policies though was rather alarming.

Much of the personal data collected is not necessary for vehicle operation or safety.

According to the study, Nissan's privacy policy was the most disturbing. Or as Mozilla put it,

“Nissan's privacy policy is probably the most mind-boggling creepy, scary, sad, messed up privacy policy we have ever read.”

Apparently, Nissan feels the need to collect and share sensitive data such as your driver's license number, national/state ID number, race, religious beliefs, and, wait for it...

Your sexual activity.

How they collect this information exactly isn't mentioned.

Image source: Nissan Privacy Policy

Nissan isn't even the only one.

Kia also mentions collecting details on your “sex life”.

Other disturbing data points collected by other brands include medical and genetic data, sexual orientation, and details on your destinations and music preferences.

Tesla was actually the worst of the bad bunch, striking out on all fronts. The brand got a special Mozilla ding for “untrustworthy AI”, with the Tesla autopilot being linked to 17 deaths and 736 crashes.

There have been other reports about Tesla employees sharing videos and images captured by customers' car cameras on the Tesla internal messaging system. This included private moments of life including intimate encounters, road rage episodes, and accidents.

Ignoring privacy principles

To make matters worse, the majority of these car brands know that their data-collecting and sharing practices are out of order.

All of the car brands Mozilla reviewed, except Tesla, Renault, and Dacia, have signed up to the Consumer Protection Principles implemented by the US automotive industry group ALLIANCE FOR AUTOMOTIVE INNOVATION, INC. (Renault and Dacia are owned by a European company and as such should meet the principles of GDPR.)

The principles list actually includes privacy-preserving standards for “data minimization,” “transparency,” and “choice.” But when Mozilla reviewed the connected cars' privacy policies, not one of them followed these principles.

What can you do about it?

Not a lot, seems to be the answer from Mozilla. If you're unfortunate enough to own one of the connected car brands mentioned in the study, there is very little you can do about it. At least, not without affecting the functionality of the car and the connected features you've paid a tidy sum for.

You could avoid using the car's app or limit its permissions. However, the data the apps collect is a drop in the ocean and will result in certain features being unavailable. Under every individual car brand review, Mozilla does add “Tips to protect yourself” that are specific to each brand's privacy policy. It's definitely worth checking them out.

Conclusion

The connected car privacy report is shocking reading and is a stark reminder of how much surveillance we're subjected to without our consent and without even realizing it.

The automotive industry may be transitioning toward ethical electric vehicles, but its privacy-protecting practices leave a lot to be desired.

While we've been vigilant about safeguarding our privacy while online, it's very clear that the intrusion extends far beyond our screens. If anything, Mozilla's connected cars' privacy tests are a stark reminder of the challenges we face in protecting our personal information.

Of course, cars aren't the only IoT devices to be concerned about. Read: Why You Might Want to Delete Alexa Recordings