Mozilla’s latest edition of *Privacy Not Included reveals how 25 major car brands collect and share deeply personal data, including sexual activity, facial expressions, and genetic and health information
(WEDNESDAY, SEPTEMBER 6, 2023) -- All 25 major car brands reviewed in Mozilla’s latest edition of *Privacy Not Included (*PNI) received failing marks for consumer privacy, a first in the buyer's guide’s seven-year history.
According to Mozilla research, popular global brands — including BMW, Ford, Toyota, Tesla, Kia, and Subaru — can collect deeply personal data such as sexual activity, immigration status, race, facial expressions, weight, health and genetic information, and where you drive. Researchers found data is being gathered by sensors, microphones, cameras, and the phones and devices drivers connect to their cars, as well as by car apps, company websites, dealerships, and vehicle telematics. Brands can then share or sell this data to third parties. Car brands can also take much of this data and use it to develop inferences about a driver’s intelligence, abilities, characteristics, preferences, and more.
In another first for Mozilla’s *Privacy Not Included research, none of the brands meet Mozilla’s Minimum Security Standards. Specifically, researchers couldn’t confirm whether any of the brands encrypt all of the personal information they store on vehicles, and only one of the brands (Mercedes) even replied to Mozilla’s questions about encryption.
The newest edition of *PNI examines the privacy and security flaws of car brands spanning five countries: the U.S., Germany, Japan, France, and South Korea. Researchers spent 600 hours reading privacy policies, downloading apps, and corresponding with brands; the full methodology can be found here.
"All new cars today are privacy nightmares on wheels that collect huge amounts of personal information."
Jen Caltrider, Mozilla
Not a single brand received Mozilla’s Best Of designation, though researchers identified Renault as the least problematic. The European brand must comply with the General Data Protection Regulation (GDPR), a stringent law governing the way in which personal data is used, processed, and stored.
Says Jen Caltrider, *PNI Program Director: “Many people think of their car as a private space — somewhere to call your doctor, have a personal conversation with your kid on the way to school, cry your eyes out over a break-up, or drive places you might not want the world to know about. But that perception no longer matches reality. All new cars today are privacy nightmares on wheels that collect huge amounts of personal information."
Says Misha Rykov, *PNI Researcher: “This isn’t the first time Mozilla has uncovered an industry with terrible privacy practices. But cars are unique — their privacy flaws impact not just the driver, but also passengers and sometimes even nearby pedestrians. They can hear you, see you, and track you. Today, sitting in someone’s car is a lot like handing your phone over to the auto manufacturer."
Apps add a new level of complexity (and creepiness). These days, few products come without an associated app — and autos are no exception. Today’s cars have apps that can be handy, helping you find your ride in a crowded parking lot or start your car remotely. But these apps are also an avenue for collecting even more personal data, like location and biometric information. Further, the governance of these apps can be convoluted: BMW USA, for example, manages an app for Toyota.
Many car brands engage in “privacy washing.” Privacy washing is the act of pretending to protect consumers’ privacy while not actually doing so — and many brands are guilty of this. For example, several have signed on to the automotive Consumer Privacy Protection Principles. But these principles are nonbinding and created by the automakers themselves. Further, signatories don't even follow their own principles, like Data Minimization (i.e. collecting only the data that is needed).
Data breaches are common. Serious data leaks and breaches are ordinary in the industry, from Tesla employees gawking at videos captured by consumers’ cars, to Volkswagen and Toyota leaking the personal information of millions of customers.
Consumers have very little control. While consumers can choose to not use a car app or try not to use connected services, that might mean their car doesn’t work properly — or at all. Consumers have almost zero control and options in regard to privacy, other than simply buying an older model. Regulators and policy makers are behind on this front.
About *Privacy Not Included:
*Privacy Not Included is a buyer's guide focused on privacy rather than price or performance. Launched in 2017, the guide has reviewed hundreds of products and apps. It arms shoppers with the information they need to protect the privacy of their friends and family, while also spurring the tech industry to do more to safeguard consumers.