Warning: *Privacy Not Included with this product
German auto manufacturer Audi is known for their luxury cars, their 4-ringed logo, and their slogan "Vorsprung durch Technik" (Progress through Technology). A subsidiary of the Volkswagen Group, Audi makes electric cars, sedans, coupes, wagons, SUVs, and sporty convertibles. Following along with BMW, they won't win any awards for creativity in naming their cars with models ranging from the Q3, Q5, Q7, and Q6, A4 - A8, the TT, R8, and electric vehicles like the e-tron GT, and q4 e-tron.
Audi offers connected vehicle features through various paid tiers of the Audi Connect services. And their myAudi app lets users do things like remotely lock and unlock your car, check on fuel levels and service appointments, set up speed alerts, and geofence boundaries to alert you if your car goes somewhere outside of a set area. OK, that sounds kinda creepy (and handy too, we suppose). So, how is Audi at privacy? Unfortunately, not great. Turns out Progress through Technology isn't exactly a good thing for your privacy, especially when your data makes Audi money.
What could happen if something goes wrong?
Uhg, Audi, really?!? Why must you make things so hard for people (especially in the US) who want to buy your cars -- and for privacy researchers! -- to understand your privacy policies? Let's just take a quick (hahaha, just kidding, it won't be quick) look at Audi's privacy policies. First there is Audi Privacy Statement page (US), that links to a privacy policy for Audi cars built 2019 and later (US) and then another privacy policy for Audi cars build 2018 and earlier (US), unless of course you agree to the 2019 and newer privacy policy or use something called Key User or sign up for the Connect PRIME services. Confused yet? We were. Then there is the privacy page for the Volkswagen Group of America (which owns Audi) where consumers can submit a privacy request in the United States, but ONLY if you live in certain states like California with stronger privacy laws. Speaking of California, USA, there's also the link to the Your California Privacy Rights page. If you live outside the US, you can go to their privacy portal (EU) by country and find their EU and other privacy policies (EU) there. And then you have to also read Audi's Connected services privacy policy (EU).
It's a lot to sort through...and that's not even mentioning the various broken links and "unavailable at this time" websites we stumbled across in our search through all of Audi's privacy policies. None of this will make a privacy researcher happy because if we're struggling this much to find and understand Audi's privacy landscape -- and it's our job to do this -- what chance do consumers have to understand how Audi and is collecting, using, sharing, and possibly even selling your personal information and car data? Uhg. Please made navigating your privacy policy ecosystem easier car companies! (We've done our best to link out to all these privacy policies below to help you out).
OK, mini-rant over. Let's get into the details of what Audi's various privacy policies do say (as best we can tell). First off, yes, just like all car companies, Audi collects a huge amount of personal information, car data, and other data on you. Everything from our name, email, phone number, where you live, age, gender, your geolocation data based on your car and phone's GPS, those voice commands you make in the car, and lots and lots of vehicle usage data like vehicle speed, seat belt usage, what the temperature is, and so much more. Oh, yeah, there's also all the data they say they can collect through your use of those connected services like your navigation, music streaming, the speed alerts, and geofencing boundaries you set up for others, and this hugely broad category described in their privacy policy, "and information about your interactions with us, our affiliates, our service providers, Content Providers, or Optional Third Parties related to your vehicle usage."
That's a whole lot of information. That's not all though. Audi goes on to say they can also collect even more information on you from places like data brokers, car dealerships, social media platforms, content providers, and more. And once they have all this information on you they say they can combine it to draw inferences about you and create a big old profile of you "reflecting your preferences and characteristics." Yuck!
So Audi knows a ton about you, your car, your driving habits, the locations you visit, how often you lose your parked car, what streaming music you listen to, how fast you drive, and then they make inferences about who you are and what you like. And THEN they say they can share and even sell that data to third parties for Audi's and these other (mostly) nameless third parties for lots and lots of marketing and advertising purposes. None of this is good. Audi also says they can share your data with the entire huge Volkswagen Group family of companies, Audi dealers, all those Audi connect content providers, and more. Your data gets around!
Audi does a good job protecting all that personal information, vehicle data, connected service and myAudi app usage information right? Nope. Unfortunately, Audi (and their parent company VW Group) have bit of a spotty track record at respecting and protecting all that personal information they collect. Back in 2021 they announced a big old data breach that saw the personal information of 3.3 million users compromised and then offered up for sale by hackers resulting in a $3.5 million class action settlement. Shoot. Audi's own privacy policy warns users that while they maintain "reasonable safeguards to protect your information. Some services, including Audi connect services, may involve the transmission of voice and data from your Audi vehicle over wireless and cellular telephone networks and therefore, we cannot guarantee the privacy and security of conversations or data transmitted to and from your Audi vehicle." So yeah, that's a good reminder that there are no guarantees that your personal information, including things as personal and private as your voice data, will be kept private and safe. It's good to be cautious folks, even if you feel like you have nothing to hide.
All this -- coupled with the fact that not everyone has the same right to request all that personal information Audi collects is deleted or opt-out of data sharing for marketing purposes -- is bad enough. Add in Audi's (and VW Group ) spotty track record of protecting and respecting that data and we've got some big concerns about your privacy if you drive an Audi and connect to it through the myAudi app and use those cool connected services to listen to SiriusXM radio or navigate about town.
So, what's the worst that could happen? Well, dang it if we can't see an abusive partner using those feature Audi touts as a Valet Service to stalk, abuse, and restrict the freedom of an abused partner That, and the fact that you could get targeted with lots of weird ads after Audi infers you're hopelessly single because you like to drive to the same brewery every Friday night while listening to your "I'm soooo lonely" playlist through your streaming music service and then at 3am tend to use the car finder feature to remind you where you parked your car. Yeah, Audi -- or anyone but your best friend and your Mom -- really don't need to know that much about you.
Tips to protect yourself
- Enable the 'Privacy Mode' feature in the myAudi app.
- If you use BMW CarData, only give access to your data to trusted third-parties.
- Always do a factory reset on your car before selling or trading it away to wipe your data clean and disconnect the app.
- Do not give consent to tailored advertisement.
- Opt out from selling of your personal information, as well as from Cross-context Behavioral Advertising.
- Always do a factory reset on your car before selling or trading it away to wipe your data clean and disconnect the app.
- Before reselling your car, make sure to notify the company
- When buying a used car, always make the previous owner removed their connected account and performed a factory reset.
- Always use strong passwords and set up two-factor authentication for apps and services that connect to your car
- Only give access to your data to trusted third-parties
- When connecting a mobile app to the car, make sure to minimize the amount of data collected through this app. You can use iOS or Android settings to limit the data collected through your phone.
- Opt out from your mobile device's location sharing.
- Do not use Amazon Alexa in your car if you are concerned about Amazon collecting that voice request information, IP address, and geolocation information and using it to target you with advertising.
Can it snoop on me?
Camera
Device: Yes
App: Yes
Microphone
Device: Yes
App: No
Tracks location
Device: Yes
App: Yes
What can be used to sign up?
Yes
Phone
Yes
Third-party account
N/A
What data does the company collect?
Personal
"Name, address, telephone number, email, preferences, photographs, user-generated content and other materials that you may submit, demographic information, Audi connect subscription information, Key User registration information, Authorized User registration information, and myAudi registration and account information (such as a date of birth or other information to verify your identity), Geolocation data (please note that GPS location tracking is automatically enabled and active before purchase or lease of Audi vehicles), Inferences drawn from any of the information we collect to create a profile about you reflecting your preferences and characteristics. Vehicle- and driving-related information: Vehicle status information (e.g., speed, deceleration, lateral acceleration, wheel revolution speed, whether the seat belts are fastened), Environmental conditions (e.g., temperature, rain sensor, distance sensor), Convenience and Infotainment Features, general vehicle status data (including warning lights, vehicle condition data, and service-related data such as upcoming service schedule, fuel level, battery level, and tire pressure); service history and fault or trouble codes; ambient data (such as outside temperature and brightness); vehicle performance data and other data about your vehicle, including its identification, condition, equipment status, charging data (for electric vehicles), or collision information; vehicle/technology usage data (such as usage of start/stop and remote start technology); driver behavior data (such as vehicle speed, seat belt use, and information about breaking habits); information that you provide when using the Audi connect services, including information you send and information you request; information about your use of Audi connect services, mobile applications and websites; and information about your interactions with Audi, its affiliates, service providers, Content Providers, or Optional Third Parties related to your vehicle usage. If your vehicle is equipped with an Event Data Recorder (“EDR”), crash or near-crash information about the vehicle or driver’s behavior will be recorded in the vehicle."
Body related
Audio, electronic, visual, or similar information, such as call recordings for emergency and customer service purposes, and voice command data.
Social
How does the company use this data?
How can you control your data?
What is the company’s known track record of protecting users’ data?
In June 2021, Volkswagen and its daughter company Audi suffered a data breach affecting 3.3 million users. A few days later, hackers put the data stolen from the car maker for sale on a notorious hacking forum. In January 2023, Volkswagen "agreed to a $3.5 million class action lawsuit settlement to resolve claims their customers’ information was stolen in a data breach spanning several years."
In January 2022 it was reported that VW fired a senior employee after they reported cybersecurity concerns. Audi is a subsidiary of VW Group.
Child Privacy Information
Can this product be used offline?
User-friendly privacy information?
Audi has a complicated privacy policy ecosystem (yeah, I wrote privacy policy ecosystem...trust me, it feels weird even for a privacy researcher to write that) for their cars, apps, website, and more that can be tricky to find, navigate, and understand. For instance, Audi USA has different privacy policies for cars made from 2019 forward and another for cars made in 2018 and older. As part of the Volkswagen Group, they link out to their privacy policies too. Navigating and trying to understand Audi's privacy policies can get very confusing.
Links to privacy information
- Audi Privacy Policy by Country Selection Page
- Audi EU Privacy Policy
- Audi Connect EU Privacy Policy
- Audi USA Privacy Statement Portal
- Audi USA 2019 and New Cars Privacy Policy
- Audi USA 2018 and Older Cars Privacy Policy
- Audi USA California Privacy Rights Statement
- Audi USA Privacy Request Portal (Through Volkswagen Group of America)
- German Datenschutz
- German MyAudi App Privacy Policy
Does this product meet our Minimum Security Standards?
Encryption
We cannot determine if all data sitting on the car, including telematic data the car collects as well as data shared when you connect your phone sits encrypted, and if all collected data is encrypted in transit. We reached out to the company to attempt to determine this multiple times and received no response.
Strong password
To log into myAudi a strong password is required.
Security updates
Manages vulnerabilities
Anyone can submit a vulnerability according to Audi vulnerability reporting policy.
Privacy policy
Audi pre sense® systems use radar sensors in the rear bumper to help detect an impending rear-end collision, and can initiate preventive measures. They also use forward-facing camera and radar systems for pedestrian and stationary vehicle detection and preparation.
Audi Driver Assistance systems include adaptive cruise assist, active lane assist, adaptive cruise control with Traffic jam assist, night vision assistant, parking help, etc. These features are enabled by numerous cameras, sensors and radars on the car.
Is this AI untrustworthy?
What kind of decisions does the AI make about you or for you?
Is the company transparent about how the AI works?
Does the user have control over the AI features?
Dive Deeper
-
Volkswagen, Audi disclose data breach impacting over 3.3 million customers, interested buyersZD Net
-
Hackers Are Selling Data Stolen From Audi and VolkswagenVice
-
Audi, Volkswagen customer data being sold on a hacking forumBleeping Computer
-
Audi Customer Must Keep Data Breach Claims in Federal CourtBloomberg Law
-
Volkswagen and Audi Hit with Data Breach Class ActionNational Law Review
Comments
Got a comment? Let us hear it.