Audi

Warning: *Privacy Not Included with this product

Audi

Volkswagen Group
Wi-Fi Bluetooth

Review date: Aug. 15, 2023

Mozilla says

People voted: Super creepy

German auto manufacturer Audi is known for their luxury cars, their 4-ringed logo, and their slogan "Vorsprung durch Technik" (Progress through Technology). A subsidiary of the Volkswagen Group, Audi makes electric cars, sedans, coupes, wagons, SUVs, and sporty convertibles. Following along with BMW, they won't win any awards for creativity in naming their cars with models ranging from the Q3, Q5, Q7, and Q6, A4 - A8, the TT, R8, and electric vehicles like the e-tron GT, and Q4 e-tron.

Audi offers connected vehicle features through various paid tiers of the Audi Connect services. And their myAudi app lets you do things like remotely lock and unlock your car, check on fuel levels and service appointments, and set up speed alerts and geofence boundaries to alert you if your car goes somewhere outside of a set area. OK, that sounds kinda creepy (and handy too, we suppose). So, how is Audi at privacy? Unfortunately, not great. Turns out Progress through Technology isn't exactly a good thing for your privacy, especially when your data makes Audi money.

What could happen if something goes wrong?

Ugh, Audi, really?!? Why must you make things so hard for people (especially in the US) who want to buy your cars -- and for privacy researchers! -- to understand your privacy policies? Let's just take a quick (hahaha, just kidding, it won't be quick) look at Audi's privacy policies. First there is the Audi Privacy Statement page (US), that links to a privacy policy for Audi cars built 2019 and later (US) and then another privacy policy for Audi cars built 2018 and earlier (US), unless of course you agree to the 2019 and newer privacy policy or use something called Key User or sign up for the Connect PRIME services. Confused yet? We were. Then there is the privacy page for the Volkswagen Group of America (which owns Audi) where consumers can submit a privacy request in the United States, but ONLY if you live in certain states like California with stronger privacy laws. Speaking of California, USA, there's also the link to the Your California Privacy Rights page. If you live outside the US, you can go to their privacy portal (EU) by country and find their EU and other privacy policies (EU) there. And then you have to also read Audi's Connected services privacy policy (EU).

It's a lot to sort through...and that's not even mentioning the various broken links and "unavailable at this time" websites we stumbled across in our search through all of Audi's privacy policies. None of this will make a privacy researcher happy because if we're struggling this much to find and understand Audi's privacy landscape -- and it's our job to do this -- what chance do consumers have to understand how Audi is collecting, using, sharing, and possibly even selling your personal information and car data? Ugh. Please make navigating your privacy policy ecosystem easier, car companies! (We've done our best to link out to all these privacy policies below to help you out).

OK, mini-rant over. Let's get into the details of what Audi's various privacy policies do say (as best we can tell). First off, yes, just like all car companies, Audi collects a huge amount of personal information, car data, and other data on you. Everything from your name, email, phone number, where you live, age, gender, your geolocation data based on your car and phone's GPS, those voice commands you make in the car, and lots and lots of vehicle usage data like vehicle speed, seat belt usage, what the temperature is, and so much more. Oh, yeah, there's also all the data they say they can collect through your use of those connected services like your navigation, music streaming, the speed alerts, and geofencing boundaries you set up for others, and this hugely broad category described in their privacy policy, "and information about your interactions with us, our affiliates, our service providers, Content Providers, or Optional Third Parties related to your vehicle usage."

That's a whole lot of information. That's not all though. Audi goes on to say they can also collect even more information on you from places like data brokers, car dealerships, social media platforms, content providers, and more. And once they have all this information on you they say they can combine it to draw inferences about you and create a big old profile of you "reflecting your preferences and characteristics." Yuck!

So Audi knows a ton about you, your car, your driving habits, the locations you visit, how often you lose your parked car, what streaming music you listen to, how fast you drive, and then they make inferences about who you are and what you like. And THEN they say they can share and even sell that data to third parties, for lots and lots of marketing and advertising purposes, both Audi's and those of these other (mostly) nameless third parties. None of this is good. Audi also says they can share your data with the entire huge Volkswagen Group family of companies, Audi dealers, all those Audi connect content providers, and more. Your data gets around!

Audi does a good job protecting all that personal information, vehicle data, connected service and myAudi app usage information, right? Nope. Unfortunately, Audi (and their parent company VW Group) have a bit of a spotty track record at respecting and protecting all that personal information they collect. Back in 2021 they announced a big old data breach that saw the personal information of 3.3 million users compromised and then offered up for sale by hackers resulting in a $3.5 million class action settlement. Shoot. Audi's own privacy policy warns users that while they maintain "reasonable safeguards to protect your information. Some services, including Audi connect services, may involve the transmission of voice and data from your Audi vehicle over wireless and cellular telephone networks and therefore, we cannot guarantee the privacy and security of conversations or data transmitted to and from your Audi vehicle." So yeah, that's a good reminder that there are no guarantees that your personal information, including things as personal and private as your voice data, will be kept private and safe. It's good to be cautious folks, even if you feel like you have nothing to hide.

All this -- coupled with the fact that not everyone has the same right to request that all that personal information Audi collects be deleted or to opt out of data sharing for marketing purposes -- is bad enough. Add in Audi's (and VW Group's) spotty track record of protecting and respecting that data and we've got some big concerns about your privacy if you drive an Audi and connect to it through the myAudi app and use those cool connected services to listen to SiriusXM radio or navigate about town.

So, what's the worst that could happen? Well, dang it if we can't see an abusive partner using those features Audi touts as a Valet Service to stalk, abuse, and restrict the freedom of an abused partner. That, and the fact that you could get targeted with lots of weird ads after Audi infers you're hopelessly single because you like to drive to the same brewery every Friday night while listening to your "I'm soooo lonely" playlist through your streaming music service and then at 3am tend to use the car finder feature to remind you where you parked your car. Yeah, Audi -- or anyone but your best friend and your Mom -- really doesn't need to know that much about you.

Tips to protect yourself

  • Enable the 'Privacy Mode' feature in the myAudi app.
  • If you use BMW CarData, only give access to your data to trusted third-parties.
  • Always do a factory reset on your car before selling or trading it away to wipe your data clean and disconnect the app.
  • Do not give consent to tailored advertisement.
  • Opt out from selling of your personal information, as well as from Cross-context Behavioral Advertising.
  • Before reselling your car, make sure to notify the company.
  • When buying a used car, always make sure the previous owner removed their connected account and performed a factory reset.
  • Always use strong passwords and set up two-factor authentication for apps and services that connect to your car.
  • Only give access to your data to trusted third-parties
  • When connecting a mobile app to the car, make sure to minimize the amount of data collected through this app. You can use iOS or Android settings to limit the data collected through your phone.
  • Opt out from your mobile device's location sharing.
  • Do not use Amazon Alexa in your car if you are concerned about Amazon collecting that voice request information, IP address, and geolocation information and using it to target you with advertising.

Can it snoop on me?

Camera

Device: Yes

App: Yes

Microphone

Device: Yes

App: No

Tracks location

Device: Yes

App: Yes

What can be used to sign up?

What data does the company collect?

How does the company use this data?

We ding this product for sharing personal data with third parties for their own marketing purposes and for combining data they gather on you from third parties for advertising and marketing purposes.

Privacy Statement for Model Years 2019 and Newer, and Certain Older Vehicles

Audi uses information for "marketing, such as marketing our products or services or those of our affiliates, business partners, or other third parties. However, we will not use or disclose GPS location data or driver behavior data for AoA marketing purposes or the marketing purposes of unaffiliated third parties without your affirmative consent."

"We also provide your information to third parties who use it for the commercial purpose of marketing their products and services to you."

"We may combine information that we receive from the various sources described in this Privacy Statement, including third-party sources, and use or disclose it for the purposes identified below."

Audi shares data "to third parties for their own marketing purposes. We may your contact information and vehicle identification information to third parties for their own marketing purposes, such as Sirius XM and Audi Dealers." and "to third party entities that provide online advertising and analytics functionality. We may disclose your information to third parties that provide advertising and analytics services."

Data Protection Notice Audi Connect

"As a matter of principle, we will only disclose your personal data to third parties if this is necessary for the performance of the contract, if we or the third party have a legitimate interest in such disclosure, or if you have given your consent. In addition, data may be transferred to third parties (including investigative or security authorities) if we are obliged to do so by law or by enforceable official or court order."

"If we have transmitted your data to third parties, we will inform them about the erasure to the extent required by law.
Please note that your right to erasure is subject to certain limitations. For example, we may not and/or must not erase data that we are still required to retain due to statutory retention obligations. In addition, your right of erasure does not extend to data that we need for the establishment, exercise or defence of legal claims."

"To be able to display a high-resolution navigation map with satellite images in the MMI or the myAudi app, information about the map section that is to be displayed is transmitted to our service provider for the delivery of the satellite images. The data is sent in accordance with the principle of data minimisation. Under this principle, all queries from your vehicle are pseudonymised."

"We may further use your personal data from the vehicle in an anonymised form. Anonymous means that it is no longer possible to draw conclusions or identify an individual person. For example, we remove identifying features such as the vehicle identification number, aggregate the data or only process statistical data. Anonymising the data serves to protect your privacy."

"Control units process data to operate the vehicle. This includes for example:
- Vehicle status information (e.g., speed, deceleration, lateral acceleration, wheel revolution speed, whether the seat belts are fastened),
- Environmental conditions (e.g., temperature, rain sensor, distance sensor).
This data is generally volatile – it is not stored after the vehicle is switched off and is only processed in the vehicle itself. Control units often contain data memory (sometimes also including the vehicle keys). These are used to temporarily or permanently document information about vehicle status, component stress, maintenance requirements and technical events and errors.
Depending on technical equipment, the following information is stored:

- Operating conditions of system components (e.g., fill levels, tyre pressure, battery status)
- Deviations from system states in important system components (e.g., lights, brakes) that are documented in the internal vehicle systems event memory,
- System responses in specific driving situations (e.g., deployment of airbags, use of stability control systems)
- Information about vehicle-damaging events,
- For electric vehicles, the charge level of the high-voltage battery, estimated range.
In special cases (e.g., when the vehicle has detected a malfunction), it may be necessary to store data that would otherwise be volatile.

If you use services (e.g., repair services, maintenance work), the stored operating data and the vehicle identification number (VIN) might, to the extent necessary, be read out and accessed. The data may be read out from the vehicle by an employee of the service network (e.g., workshops and manufacturer) or third parties (e.g., roadside assistance services). The same applies to warranty cases and quality assurance measures.
The readout is generally carried out via the statutorily prescribed connection for OBD ("on-board diagnostics") in the vehicle. The readout operating data records the technical conditions of the vehicle or individual components and helps with error diagnostics, compliance with maintenance obligations and with quality improvement. This data, especially information about component stress, technical events, operating errors and other errors, is sent with the respective vehicle identification number (VIN) to the manufacturer, if necessary. In addition, the manufacturer is subject to product liability. For liability issues, such as vehicle recalls, the manufacturer also uses operating data from the vehicle. This data may also be used to review warranty and guarantee claims by customers."

How can you control your data?

We cannot confirm that all users, regardless of location, can get their data deleted.

"As the data subject, you are entitled to the following data protection rights, depending on your place of jurisdiction. Please note that such rights might be extended or restricted under applicable local law. <...> Erasure. You have the right to obtain erasure of your personal data stored by AUDI AG without undue delay if the legal requirements are met."

"Every user of the vehicle has the option of deactivating data collection in the vehicle via the privacy settings in the vehicle."

"The "Privacy Mode" feature allows you to partially or completely restrict data communication via the vehicle's internal SIM card. To do this, you can deactivate/activate the data processing displayed in the vehicle for each group. Safety-relevant services are excluded from deactivation through Privacy Mode. You can find an overview of which services and data processing are assigned to the respective group under "Privacy Settings" in your vehicle's MMI. Depending on the vehicle equipment and country, the primary user has the option of deactivating/activating individual services for all users of the vehicle in the myAudi portal, or the individual user can deactivate/activate individual services in the vehicle itself."

"Your information will be retained as long as necessary to fulfill the purposes we have outlined above unless we are required to do otherwise by applicable law. This includes retaining your information to provide you with the products or services you have requested and interact with you; maintain our business relationship with you; improve our business over time; ensure the ongoing legality, safety and security of our services and relationships; or otherwise in accordance with our internal retention procedures. Once you have terminated your relationship with us, we may retain your information in our systems and records in order to ensure adequate fulfillment of surviving provisions in terminated contracts, or for other legitimate business purposes, such as to demonstrate our business practices and contractual obligations or provide you with information about our products and services in case of interest."

What is the company’s known track record of protecting users’ data?

Bad

In June 2021, Volkswagen and its daughter company Audi suffered a data breach affecting 3.3 million users. A few days later, hackers put the data stolen from the car maker for sale on a notorious hacking forum. In January 2023, Volkswagen "agreed to a $3.5 million class action lawsuit settlement to resolve claims their customers’ information was stolen in a data breach spanning several years."

In January 2022 it was reported that VW fired a senior employee after they reported cybersecurity concerns. Audi is a subsidiary of VW Group.

Child Privacy Information

"AoA does not knowingly collect, use, disclose or sell the information of children under the age of 16. In the event that we learn that we have collected information from a child under age 16, we will delete that information. For questions or additional information, see the “Contact Us” section below."

Can this product be used offline?

Yes

User-friendly privacy information?

No

Audi has a complicated privacy policy ecosystem (yeah, I wrote privacy policy ecosystem...trust me, it feels weird even for a privacy researcher to write that) for their cars, apps, website, and more that can be tricky to find, navigate, and understand. For instance, Audi USA has different privacy policies for cars made from 2019 forward and another for cars made in 2018 and older. As part of the Volkswagen Group, they link out to their privacy policies too. Navigating and trying to understand Audi's privacy policies can get very confusing.

Links to privacy information

Does this product meet our Minimum Security Standards?

Unknown

Encryption

Can’t Determine

We cannot determine if all data sitting on the car, including telematic data the car collects as well as data shared when you connect your phone, sits encrypted, and if all collected data is encrypted in transit. We reached out to the company multiple times to attempt to determine this and received no response.

Strong password

Yes

To log into myAudi, a strong password is required.

Security updates

Yes

Manages vulnerabilities

Yes

Anyone can submit a vulnerability according to Audi's vulnerability reporting policy.

Privacy policy

Yes

Does the product use AI?

Yes

Audi pre sense® systems use radar sensors in the rear bumper to help detect an impending rear-end collision, and can initiate preventive measures. They also use forward-facing camera and radar systems for pedestrian and stationary vehicle detection and preparation.

Audi Driver Assistance systems include adaptive cruise assist, active lane assist, adaptive cruise control with Traffic jam assist, night vision assistant, parking help, etc. These features are enabled by numerous cameras, sensors and radars on the car.

Is this AI untrustworthy?

Can’t Determine

What kind of decisions does the AI make about you or for you?

Is the company transparent about how the AI works?

Can’t Determine

Does the user have control over the AI features?

Can’t Determine

Dive Deeper

  • Volkswagen, Audi disclose data breach impacting over 3.3 million customers, interested buyers
    ZD Net
  • Hackers Are Selling Data Stolen From Audi and Volkswagen
    Vice
  • Audi, Volkswagen customer data being sold on a hacking forum
    Bleeping Computer
  • Audi Customer Must Keep Data Breach Claims in Federal Court
    Bloomberg Law
  • Volkswagen and Audi Hit with Data Breach Class Action
    National Law Review
