Warning: *Privacy Not Included with this product
Honda is a Japanese-based company that got its start in the car business back in the 1960s. Honda's cars -- as well as motorcycles, ATVs, and garden equipment -- are known for having some of the most reliable engines in the world. Car models include the Civic, Accord, Fit or Jazz, CR-V, HR-V, Pilot, Odyssey, Ridgeline, and the electric versions of the Accord and CR-V. Their HondaLink app (for US and Canadian Honda owners) and the My Honda+ app (for European owners) work with most newer model Hondas and their connected services. The apps let you do remote things like lock and unlock the car, start the car, find your car when you've misplaced it, and even send commands to your car with Amazon Alexa. Many of Honda's connected car features require a subscription, as this is the way of the world these days. So, how is Honda at privacy? Well, their privacy policy had us shaking our heads, and it's never good when your privacy policy leaves privacy researchers shaking their heads. Yeah, Honda isn't great at privacy.
What could happen if something goes wrong?
Whoa Honda! That's an interesting privacy policy you've got there (well, technically, they have like 3+ privacy policies/notices/vehicle data privacy practice statements, at least for people in the US). You start off by saying you totally take privacy seriously and you're all on board with this set of privacy principles an automotive industry group created back in 2014. Those principles include things like transparency, data minimization, choice, and respect for context. OK, fine, that all sounds good. Here's the problem. Honda's own privacy statements then go on to outline a huge amount of personal information they say they can collect, share, maybe even sell, and more. So much for privacy principles. (We should note, nearly every car company we reviewed also signed on to these privacy principles and, as far as we can tell, every one of those car companies seems to see these privacy principles as more of a marketing gimmick rather than something they actually take seriously...at least that's what it looks like from this grumpy privacy researcher's perspective.)
Let us give you an example of what we mean when we say Honda doesn't seem to treat these privacy principles seriously. One of those stated principles is "data minimization." To Honda that means, "Honda commits to collecting Covered Information only as needed for legitimate business purposes." Except, they seem to have a very broad definition of "legitimate business purposes."
Here's a fun line we found in their privacy documentation: "Covered Information disclosed with Third Parties may include all or some of the following: Personal Identifiers; Audio electronic, visual, or similar information; Commercial Information; Geolocation Information; Personal information as described in Cal. Civ. Code § 1798.80(e)." Wait, what the heck is Cal. Civ. Code § 1798.80(e)?!? Well, it's a line in the state of California's set of regulations that defines personal information as, "any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information." Holy cow! Dang if that doesn't cover pretty much anything personal Honda could hope to collect about you! All conveniently hidden in a gibberish sounding code in their privacy statement. So much for those principles of "data minimization" and "transparency." Also, why would Honda say they can collect things like your "medical information" for their "legitimate business purposes"? Perhaps they need to limit that personal information collection a little?
That's not all Honda says they can collect on you either. They also say they can gather even more information about you from data brokers, marketing agencies, the government, and lots and lots of information from your car and those connected services. Things like information about your trips "including trip start time and end time, trip start and end location, trip distance, and fuel consumed," how fast you drive, search content, and "geolocation information meaning the exact location of your vehicle at a specific point in time or over a period of time." The good news is, Honda says they won't disclose your geolocation information to third parties or use it for their own marketing purposes without your consent. Sounds good, right? You're not going to consent to that so you're covered, right? Well, wait a minute. Honda also says, "You accept the terms of this Vehicle Privacy Notice, and consent to our collection, use, storage, and disclosure of information as explained in this Vehicle Privacy Notice, when you: Purchase or lease a vehicle equipped with Connected Vehicle Technologies and Services; Use Connected Vehicle Technologies and Services; Subscribe, register, or provide any information to us in connection with an attempt to subscribe or register for any Connected Vehicle Technologies and Services; Agree to the terms & conditions of any Connected Vehicle Technologies and Services; or Accept or enable data transmission, collection, or analytic services on a vehicle or connected smart device." So, does that mean when you buy a Honda you've consented to all this nonsense? Or when you provide some information in an attempt to subscribe to their connected services but stop before you finish, you've now consented to all this nonsense? The way their privacy statement is worded, it sure seems like that could be the case. That means your consent for Honda to use some very personal information about you likely isn't always gotten from you explicitly and clearly.
Not only does Honda collect a ton of information on you, your car, and your whereabouts, and make inferences about things like your intelligence and abilities; they also say they can then take much of that personal information and use it for things like targeted marketing to sell you more stuff. And they say they can share, or in some cases maybe even sell, your information: "We disclose Covered Information to third parties who provide goods or services that may benefit vehicle owners, including insurance companies, Honda/Acura dealerships, and consumer goods or services companies, such as satellite radio providers and connected vehicle data services and analytics platforms. These companies may use Covered Information for their everyday business purposes, including marketing, customer service, fulfillment and related purposes. These disclosures may qualify as a sale under certain state privacy laws." They also outline a pretty big number of other third parties, service providers, business affiliates, government, and law enforcement officials they could possibly share your information with as well.
So, yeah, Honda says they can collect -- and share, or even sell -- a huge amount of personal information about you, your car, where you've been in your car, and more. And they say they can share some of that pretty widely, with third parties for things like marketing, interest-based advertising, market research, with law enforcement and governments, and more. Disturbingly, they also include a line in their privacy statement that says they can use your personal information "For any other purpose for which we obtain your consent; and as otherwise permitted by law." OK, that's a very broad statement, and we already have concerns about how they get your consent. This all worries us a great deal. It also calls into question their commitment to that "respect for context" principle they claim to follow.
When a company says they can collect and share so much personal information about you, your car, your driving habits, and more, you want them to have an impeccable track record at protecting and respecting that personal information. And while Honda doesn't have the worst track record for privacy and security lapses of the car companies we reviewed, they are not perfect. In 2022, it was reported that a security vulnerability in their keyless entry system could let anyone with the hacking skills remotely unlock and perhaps even start some Honda cars. It would suck for someone to be able to hack into your car and then access all the personal info and data stored there. There was also a report of a security vulnerability that could allow hackers to take over a Honda account and disclose some personal information with a VIN (Vehicle Identification Number).
Perhaps the worst part of the keyless entry security vulnerability was the tidbit in the report about how the security researchers who found the vulnerability couldn't find a good way to actually report it to Honda for them to fix. "The security researchers say they attempted to contact Honda about the vulnerability but found that the company “does not have a department to deal with security-related issues for their products.” As such, they reported the issue to Honda customer service but have not yet received a response." Not having a way to report security vulnerabilities is bad. Our research also didn't find any good way to report security issues to Honda, which means we could not confirm Honda meets our Minimum Security Standards. A company that says they can collect so much personal information should absolutely meet our MINIMUM Security Standards. These are minimum standards, folks, not super high ones. (We did reach out to Honda/Acura multiple times with our privacy questions to try and get confirmation on these questions and were only provided with links to Honda's public privacy documentation, no clarification.)
Now is a good time to remind you of what Honda's own privacy statements warn about sharing your data with them: "...no data transmission or storage can be guaranteed 100% secure. As a result, while we strive to protect Covered Information, you provide or authorize collection of Covered Information by us or our service providers at your own risk." Words to live by...if only it were easier to actually keep Honda from collecting a ton of data on you. They do outline a list of choices, or opt-ins/opt-outs, in their privacy policy. That is good; choice is good. However, we are concerned that these opt-out options are rather hard to find, and we wouldn't be surprised if Honda pushes consumers into opting in rather than making it easy for them to remain opted out. (To be fair, this is a concern with all car companies, not just Honda.)
So, what's the worst that could happen with your Honda car, and Honda's apps, and Honda's connected services? Well, given that Honda says they can collect a whole heap of personal information on you, and given that they say they can draw inferences about your intelligence and abilities and use that to market stuff to you, and given that they say they charge you a subscription fee to access the Security feature through the Honda app that lets you do a personal data wipe to restore your audio and navigation system to factory defaults, well, we're afraid a lot could go wrong. All that personal information Honda collects on you is out there and you no longer have control over it while a whole bunch of third parties, affiliate companies, service providers, Honda employees, and more could have access to it. That means it could leak, be hacked, be snooped on, be handed over to law enforcement. And no one needs to know that Honda thinks your intelligence is below average...because why in the world would Honda ever need to know that for their "legitimate business purposes"? So much for that "data minimization" principle Honda brags about following in their privacy statement. Sigh...
Tips to protect yourself
- Be mindful of a possible privacy breach when you give Apple CarPlay, Android Auto, Google built-in, and/or Alexa Auto access to your vehicle. Make sure you actually want these services to have access to your vehicle data.
- Do not give consent to tailored advertisement.
- Opt out of the sale of your personal information, as well as of Cross-context Behavioral Advertising.
- From Honda/Acura's privacy policy: To reduce the amount of On-Board Data stored on the vehicle prior to sale or turning it in at the end of a lease, you should perform a data reset of the audio and navigation systems. Instructions for performing a data reset of the audio and navigation systems may be found in your owner’s manual and/or navigation manual.
- Always do a factory reset on your car before selling or trading it away to wipe your data clean and disconnect the app.
- Before reselling your car, make sure to notify the company.
- When buying a used car, always make sure the previous owner has removed their connected account and performed a factory reset.
- Always use strong passwords and set up two-factor authentication for apps and services that connect to your car.
- Only give access to your data to trusted third parties.
- When connecting a mobile app to the car, make sure to minimize the amount of data collected through this app. You can use iOS or Android settings to limit the data collected through your phone.
- Opt out from your mobile device's location sharing.
- Do not use Amazon Alexa in your car if you are concerned about Amazon collecting that voice request information, IP address, and geolocation information and using it to target you with advertising.
Can it snoop on me?
Camera
Device: Yes
App: Yes
Microphone
Device: Yes
App: No
Tracks location
Device: Yes
App: Yes
What can be used to sign up?
Yes
Phone: Yes
Third-party account: N/A
What data does the company collect?
Personal
Name, login username, device identifier, and contact information such as your address, email address, and phone number. Vehicle- and driving-connected information: oil life, odometer mileage, fuel level, miles remaining to empty, dashboard warning lamps, tire pressure, battery life, battery charge status, coolant temperature, engine rotations per minute, diagnostic trouble codes (e.g., electronic system generated trouble or failure codes), vehicle maintenance status, and other vehicle status and diagnostic information; trip log information, including trip start time and end time, trip start and end location, trip distance, and fuel consumed; airbag system status, including airbag deployment and the relative change in velocity (delta-v) associated with airbag deployment (as noted above, information recorded on the SRS ECU is not collected); Driver Behavior Information such as vehicle speed, vehicle acceleration and deceleration, pedal positions, engine speed, direction of travel, time of travel, steering angle, yaw rate, vehicle control systems settings/position/usage, Honda Sensing/Acura Watch system settings and usage; Geolocation information meaning the exact location of your vehicle at a specific point in time or over a period of time. Information about Use of Connected Vehicle Technologies and Services such as Search content; HondaLink or AcuraLink account access information, including information about anyone making a call using the Connected Vehicle Technologies and Services; Call history information, including the date, time, and duration of a call, and any response specialist’s notes written during a call; Navigation system settings and usage; Audio system settings and usage; Voice commands given (which may include audio recordings); Connectivity systems (e.g., embedded TCU, Wi-Fi hotspot) settings and usage. The privacy policy mentions that other "Personal information as described in Cal. Civ. Code § 1798.80(e)" is collected. That section of the Cal. Civ. Code says: "'Personal information' means any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. 'Personal information' does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records."
Body related
Audio electronic, visual, or similar information such as calls and other communication recordings and associated logs with our customer service team or service providers, such as recordings and logs of telephone calls, or communications using Connected Vehicle Technologies and Services; Voice commands given (which may include audio recordings); Search content; HondaLink or AcuraLink account access information, including information about anyone making a call using the Connected Vehicle Technologies and Services; Call history information, including the date, time, and duration of a call, and any response specialist’s notes written during a call; Navigation system settings and usage; Audio system settings and usage; Connectivity systems (e.g., embedded TCU, Wi-Fi hotspot) settings and usage.
What is the company’s known track record of protecting users’ data?
In July 2022, security researchers revealed a vulnerability in Honda’s keyless entry system that could allow hackers to remotely unlock and start potentially “all Honda vehicles currently existing on the market.”
Security researchers could not reach Honda about the problem: "The security researchers say they attempted to contact Honda about the vulnerability but found that the company “does not have a department to deal with security-related issues for their products.” As such, they reported the issue to Honda customer service but have not yet received a response."
According to SecurityIntelligence, weak encryption was part of the problem: "Although the fobs are encrypted, they tend to use symmetric encryption or a single key used by both the device sending the message and the device receiving it. The problem with symmetric encryption is that it can be easily intercepted."
In June 2020, global operations at the Japanese car manufacturer Honda were disrupted by a confirmed cyber attack.
In October 2019, Honda exposed roughly 26,000 vehicle owner records containing personally identifiable information (PII) of North American customers after misconfiguring an Elasticsearch cluster.
User-friendly privacy information?
Honda included some very not user-friendly language in their privacy statement that hid a huge list of personal data they could collect. They also have a number of privacy statements to wade through.
Does this product meet our Minimum Security Standards?
Encryption
We cannot determine whether all data stored on the car (including the telematics data the car collects and the data shared when you connect your phone) is encrypted at rest, or whether all collected data is encrypted in transit. We reached out to the company multiple times to try to determine this and received no response.
Manages vulnerabilities
We were unable to find any security vulnerability policy/bug bounty info for Honda. Also, in 2022, security researchers found a security vulnerability and were not able to submit it to Honda. This leads us to believe Honda does not have an adequate system in place to manage security vulnerabilities.
In 2021, Honda introduced a version of its Honda Sensing advanced driver-assistance system (ADAS), called Honda Sensing Elite, as a partially autonomous driving system. And in 2022, Chinese customers were able to buy cars with this autonomous driving feature. Honda Sensing 360 includes hands-free highway driving and automatic lane changes. These features are enabled by numerous cameras, sensors, and radars on the car.
Dive Deeper
- Your Car Is Tracking You Just as Much as Your Smartphone Is—and Your Data Is at Risk (The Drive)
- Honda key fob flaw lets hackers remotely unlock and start cars (TechCrunch)
- Security Vulnerabilities in Honda’s Keyless Entry System (Schneier on Security)
- Honda Exposes 26,000 Records of North American Customers (Bleeping Computer)
- From Ferrari to Ford, Cybersecurity Bugs Plague Automotive Safety (Dark Reading)
- Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More (Sam Curry)
- Critical flaws found in Ferrari, Mercedes, BMW, Porsche, and other carmakers (Security Affairs)
- Honda's global operations hit by cyber-attack (BBC)
- Cybersecurity, a growing threat for the automotive industry (Just Auto)
- Honda is the latest automaker to bring hands-free highway driving tech to the US (The Verge)
- SiriusXM Software Flaw Let Researchers Unlock And Start Cars Remotely (Motor 1)