Warning: *privacy not included with this product
What could happen if something goes wrong?
Let us give you an example of what we mean when we say Honda doesn't seem to treat these privacy principles seriously. One of those stated principles is "data minimization." To Honda that means, "Honda commits to collecting Covered Information only as needed for legitimate business purposes." Except, they seem to have a very broad definition of "legitimate business purposes."
Here's a fun line we found in their privacy documentation: "Covered Information disclosed with Third Parties may include all or some of the following: Personal Identifiers; Audio electronic, visual, or similar information; Commercial Information; Geolocation Information; Personal information as described in Cal. Civ. Code § 1798.80(e)." Wait, what the heck is Cal. Civ. Code § 1798.80(e)?!? Well, it's a line in the state of California's set of regulations that defines personal information as, "any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information." Holy cow! Dang if that doesn't cover pretty much anything personal Honda could hope to collect about you! All conveniently hidden in a gibberish sounding code in their privacy statement. So much for those principles of "data minimization" and "transparency." Also, why would Honda say they can collect things like your "medical information" for their "legitimate business purposes"? Perhaps they need to limit that personal information collection a little?
That's not all Honda says they can collect on you either. They also say they can gather even more information about you from data brokers, marketing agencies, the government, and lots and lots of information from your car and those connected services. Things like information about your trips "including trip start time and end time, trip start and end location, trip distance, and fuel consumed," how fast you drive, search content, and "geolocation information meaning the exact location of your vehicle at a specific point in time or over a period of time." The good news is, Honda says they won't disclose your geolocation information with third parties or use it for their own marketing purposes without your consent. Sounds good, right? You're not going to consent to that so you're covered, right? Well, wait a minute. Honda also says, "You accept the terms of this Vehicle Privacy Notice, and consent to our collection, use, storage, and disclosure of information as explained in this Vehicle Privacy Notice, when you: Purchase or lease a vehicle equipped with Connected Vehicle Technologies and Services; Use Connected Vehicle Technologies and Services; Subscribe, register, or provide any information to us in connection with an attempt to subscribe or register for any Connected Vehicle Technologies and Services; Agree to the terms & conditions of any Connected Vehicle Technologies and Services; or Accept or enable data transmission, collection, or analytic services on a vehicle or connected smart device." So, does that mean when you buy a Honda you've consented to all this nonsense? Or when you provide some information in an attempt to subscribe to their connected services but stop before you finish, you've now consented to all this nonsense? The way their privacy statement is worded, it sure seems like that could be the case. That means your consent for Honda to use some very personal information about you likely isn't exactly always gotten from you explicitly and clearly.
Not only does Honda collect a ton of information on you and your car and your whereabouts and also make inferences about things like your intelligence and abilities, they also say they can then take much of that personal information and use it for things like targeted marketing to sell you more stuff. And they say they can share, or in some cases maybe even sell, your information: "We disclose Covered Information to third parties who provide goods or services that may benefit vehicle owners, including insurance companies, Honda/Acura dealerships, and consumer goods or services companies, such as satellite radio providers and connected vehicle data services and analytics platforms. These companies may use Covered Information for their everyday business purposes, including marketing, customer service, fulfillment and related purposes. These disclosures may qualify as a sale under certain state privacy laws." They also outline a pretty big number of other third parties, service providers, business affiliates, government, and law enforcement officials they could possibly share your information with as well.
So, yeah, Honda says they can collect -- and share, or even sell -- a huge amount of personal information about you, your car, where you've been in your car, and more. And they say they can share some of that pretty widely, with third parties for things like marketing, interest-based advertising, market research, with law enforcement and governments, and more. Disturbingly, they also include a line in their privacy statement that says they can use your personal information "For any other purpose for which we obtain your consent; and as otherwise permitted by law." OK, that's a very broad statement, and we already have concerns about how they get your consent. This all worries us a great deal. It also calls into question their commitment to that "respect for context" principle they claim to follow.
When a company says they can collect and share so much personal information about you, your car, your driving habits, and more, you want them to have an impeccable track record at protecting and respecting that personal information. And while Honda doesn't have the worst track record for privacy and security lapses of the car companies we reviewed, they are not perfect. In 2022, it was reported that a security vulnerability in their keyless entry system could let anyone with the hacking skills remotely unlock and perhaps even start some Honda cars. It would suck for someone to be able to hack into your car and then access all the personal info and data stored there. There was also a report of a security vulnerability that could allow hackers to take over a Honda account and disclose some personal information with a VIN (Vehicle Identification Number).
Perhaps the worst part of the keyless entry security vulnerability was the tidbit in the report about how the security researchers who found the vulnerability couldn't find a good way to actually report it to Honda for them to fix. "The security researchers say they attempted to contact Honda about the vulnerability but found that the company “does not have a department to deal with security-related issues for their products.” As such, they reported the issue to Honda customer service but have not yet received a response." Not having a way to report security vulnerabilities is bad. Our research also didn't find any good way to report security issues to Honda, which means we could not confirm Honda meets our Minimum Security Standards. A company that says they can collect so much personal information should absolutely meet our MINIMUM Security Standards. These are minimum standards, folks, not super high ones. (We did reach out to Honda/Acura multiple times with our privacy questions to try and get confirmation on these questions and were only provided with links to Honda's public privacy documentation, no clarification.)
So, what's the worst that could happen with your Honda car, and Honda's apps, and Honda's connected services? Well, given that Honda says they can collect a whole heap of personal information on you, and given that they say they can draw inferences about your intelligence and abilities and use that to market stuff to you, and given that they say they charge you a subscription fee to access the Security feature through the Honda app that lets you do a personal data wipe to restore your audio and navigation system to factory defaults, well, we're afraid a lot could go wrong. All that personal information Honda collects on you is out there and you no longer have control over it while a whole bunch of third parties, affiliate companies, service providers, Honda employees, and more could have access to it. That means it could leak, be hacked, be snooped on, be handed over to law enforcement. And no one needs to know that Honda thinks your intelligence is below average...because why in the world would Honda ever need to know that for their "legitimate business purposes"? So much for that "data minimization" principle Honda brags about following in their privacy statement. Sigh...
Tips to protect yourself
- Be mindful of a possible privacy breach when you provide your vehicle access to Apple CarPlay, Android Auto, Google built-in and/or Alexa Auto. Better make sure you want to give access to your vehicle data to these places.
- Do not give consent to tailored advertisement.
- Opt out from selling of your personal information, as well as from Cross-context Behavioral Advertising.
- Always do a factory reset on your car before selling or trading it away to wipe your data clean and disconnect the app.
- Before reselling your car, make sure to notify the company.
- When buying a used car, always make sure the previous owner removed their connected account and performed a factory reset.
- Always use strong passwords and set up two-factor authentication for apps and services that connect to your car.
- Only give access to your data to trusted third parties.
- When connecting a mobile app to the car, make sure to minimize the amount of data collected through this app. You can use iOS or Android settings to limit the data collected through your phone.
- Opt out from your mobile device's location sharing.
- Do not use Amazon Alexa in your car if you are concerned about Amazon collecting that voice request information, IP address, and geolocation information and using it to target you with advertising.
What can be used to sign up?
What data does the company collect?
Audio electronic, visual, or similar information such as calls and other communication recordings and associated logs with our customer service team or service providers, such as recordings and logs of telephone calls, or communications using Connected Vehicle Technologies and Services; Voice commands given (which may include audio recordings); Search content; HondaLink or AcuraLink account access information, including information about anyone making a call using the Connected Vehicle Technologies and Services; Call history information, including the date, time, and duration of a call, and any response specialist’s notes written during a call; Navigation system settings and usage; Audio system settings and usage; Voice commands given (which may include audio recordings); Connectivity systems (e.g., embedded TCU, Wi-Fi hotspot) settings and usage.
How does the company use this data?
How can you control your data?
What is the company’s known track record of protecting users’ data?
In July 2022, security researchers revealed a vulnerability in Honda’s keyless entry system that could allow hackers to remotely unlock and start potentially “all Honda vehicles currently existing on the market.”
Security researchers could not reach Honda about the problem: "The security researchers say they attempted to contact Honda about the vulnerability but found that the company “does not have a department to deal with security-related issues for their products.” As such, they reported the issue to Honda customer service but have not yet received a response."
According to SecurityIntelligence, weak encryption was part of the problem: "Although the fobs are encrypted, they tend to use symmetric encryption or a single key used by both the device sending the message and the device receiving it. The problem with symmetric encryption is that it can be easily intercepted."
In June 2020, global operations at the Japanese car manufacturer Honda were disrupted by a confirmed cyber attack.
In October 2019, Honda exposed roughly 26,000 vehicle owner records containing personally identifiable information (PII) of North American customers after misconfiguring an Elasticsearch cluster.
Child Privacy Information
Can this product be used offline?
User-friendly privacy information?
Honda included some very not user-friendly language in their privacy statement that hid a huge list of personal data they could collect. They also have a number of privacy statements to wade through.
Links to privacy information
Does this product meet our Minimum Security Standards?
We cannot determine whether all data sitting on the car, including telematic data the car collects as well as data shared when you connect your phone, is encrypted at rest, or whether all collected data is encrypted in transit. We reached out to the company multiple times to try to determine this and received no response.
We were unable to find any security vulnerability policy/bug bounty info for Honda. Also, in 2022, security researchers found a security vulnerability and were not able to submit it to Honda. This leads us to believe Honda does not have an adequate system in place to manage security vulnerabilities.
In 2021, Honda introduced a Honda Sensing advanced driver-assistance system (ADAS) called Honda Sensing Elite as a partially autonomous driving system. In 2022, Chinese customers were able to buy cars with this autonomous driving feature. Honda Sensing 360 includes hands-free highway driving and automatic lane changes. These features are enabled by numerous cameras, sensors and radars on the car.
Is this AI untrustworthy?
What kind of decisions does the AI make about you or for you?
Is the company transparent about how the AI works?
Does the user have control over the AI features?
- Your Car Is Tracking You Just as Much as Your Smartphone Is—and Your Data Is at Risk (The Drive)
- Honda key fob flaw lets hackers remotely unlock and start cars (TechCrunch)
- Security Vulnerabilities in Honda’s Keyless Entry System (Schneier on Security)
- Honda Exposes 26,000 Records of North American Customers (Bleeping Computer)
- From Ferrari to Ford, Cybersecurity Bugs Plague Automotive Safety (Dark Reading)
- Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More (Sam Curry)
- Critical flaws found in Ferrari, Mercedes, BMW, Porsche, and other carmakers (Security Affairs)
- Honda's global operations hit by cyber-attack (BBC)
- Cybersecurity, a growing threat for the automotive industry (Just Auto)
- Honda is the latest automaker to bring hands-free highway driving tech to the US (The Verge)
- SiriusXM Software Flaw Let Researchers Unlock And Start Cars Remotely (Motor 1)