Warning: *Privacy Not Included with this product
Lincoln -- named after the US president who ended slavery, Abraham Lincoln -- is the luxury car brand of US car maker Ford. Founded back in 1917 the company was renowned for their 1970s Lincoln Continental, a giant boat of car with doors that weighed as much as modern small cars probably weigh now (seriously, does anyone remember being a kid and trying to open the door on a Lincoln Continental?). Lincoln models today include the Navigator, Aviator, Nautilus, and Corsair. Lincoln owners can connect to their car through the Lincoln Way app and do things like remotely lock/unlock, and start their cars, create virtual valet keys, and check things like tire pressure and maintenance schedules. So, how does Lincoln do at protecting your privacy? Well, they share their privacy policies with parent company Ford, and both car brands a pretty dang bad a privacy.
What could happen if something goes wrong?
Starting way back in 1903, Ford has a very long history of building cars and getting people in them. Sometimes that history has been less than perfect (remember the Ford Pinto?). So when we hopped into Ford/Lincoln's land of privacy policies and read their statement that, "Ford Motor Company is committed to be a trusted steward of the personal information you provide to us," well, we were a bit skeptical. Remember, this is the same company that changed their slogan to "Quality is Job #1" after opting not to fix the problems in those Pintos that ended up killing people we just mentioned.
And based on a read of Ford/Lincoln's Privacy Notice, their Connected Vehicle Privacy Notice, their California Privacy Disclosures (probably the best place to read privacy information, regardless of where you live), their Lincoln Way app Privacy Policy, and other privacy and security documentation we reviewed, it seems we were correct to be skeptical. Ford does not appear to us to be so great a respecting and protecting their users personal information and car data.
Let's start with the massive amount of personal information, vehicle and driving information, location information, inferences about you, and other data they say they can collect on your in their privacy policies. Of course they collect things like your name, email, phone number. That's to be expected. They also collect things like your age, gender, ethnicity, driver's license number, your purchase history and tendencies, who your mobile network provider is, lots of location data on your vehicle and your mobile device, voice commands and "other utterances captured when the vehicle’s voice recognition system is in “active listen” state", and more. They use all the to create inferences about you to guess more about your "likely preferences and other characteristics." Yuck.
But that's just the data they say they can collect on you. Then there is the data they say they can collect on your car (f you have a car with connected services or technology, of course). This vehicle data can include all manner of things like, your tire pressure, odometer reading, fuel level, your vehicle's precise location, what traffic signs you've passed, whether the roads are wet, what the weather is, vehicle driving data like speed, seat belt usage, braking, steering, how many passengers, voice commands and other "utterances", "Information about what is listened to in the vehicle (such as radio presets, volume, channels, media sources, title, artist, and genre)," and what vehicle features you use. Remember, all this connected vehicle data can be associated with your cars VIN (Vehicle Identification Number, a unique iD) and that VIN can pretty easily be associated with you as well as being something fairly easy for bad actors to find out.
Ford/Lincoln knows so much about you...and your passengers. Oh yeah, on that passengers note. There's this line in Ford/Lincoln's privacy notice you're expected to follow: "you must inform others who drive the vehicle, and passengers who connect their mobile devices to the vehicle, about the information in this Notice, including the Connected Vehicle Privacy section..." So yeah, make sure you tell all your friends and family all the details on this before they connect their phone to your car to play that cool new playlist they put together for your road trip to Las Vegas! Don't worry, when they give you grief about being a total privacy nerd, tell them privacy nerds rock! (We should know ;-).
And then let's look at the many, many places they say the can share, and perhaps even sell, the information they collect on you. First there's the vast "Ford Motor Company family of companies and affiliates". Ford Motor Company is a huge global corporation, so that is potentially a lot of places it can share your data. They also say they can share your personal information with dealers (there are lots of those around for sure), social media platforms, advertising companies, joint marketing partners, SIRIUS XM radio service, law enforcement, regulatory agencies, and other government agencies. So yeah, once Ford has your personal information, it's going to be shared all over the place. Now is a good time to remind folks that every time your information is shared, you have to trust that new place to do a good job securing, protecting, and respecting it. Good luck with that.
So, Ford/Lincoln collects a ton of information from you, from you car, from your mobile device if you install the LincolnPass app, from the connected services you use while in your car, and from other sources like public information, business partners, and data brokers/data analytics firms. Uhg. What does Ford/Lincoln say they can then do with all this personal and vehicle information? Well, a huge one is trying to sell you stuff. Advertising, marketing, joint marketing, promotions, all feature heavily in Ford's privacy policies. So count on seeing ads for locations you visit in your car, from your local car dealers, from SIRIUS XM, and from tons and tons of other sources based on where you drive, how you drive, what features or your car you use, what radio stations you listen to, and so much more. Have we mentioned yet that cars are a privacy nightmare. Ford/Lincoln included.
Oh, one other lovely things Ford/Lincoln says they can do. They say that in some circumstances they can collect your vehicle location, whether you give them permission to or not. That link in their privacy policy reads in part, "In limited situations, we may collect Vehicle Location, regardless of location settings. We do this to protect and defend our rights or property (including repossessing a vehicle in the event of a delinquency) or to comply with applicable law, to respond to valid legal process (including from law enforcement or other government agencies), or, in the event of exigent circumstances, to help prevent the loss of life or serious injury or help protect the personal safety of Ford personnel, users of our vehicles, websites, or apps, our visitors, or the public." That section of the privacy policy goes on to list a variety of other circumstances. This frightens us for a couple of reasons. One, even people delinquent on their bills due to any number of circumstances should have a basic right to privacy. And two, the potential for abuse of this is huge and quite frightening. Governments and law enforcement have been known to abuse their power and who gets to determine "exigent circumstances." All in all, as privacy advocates, this leaves us quite worried.
We also have some concerns about Ford/Lincoln's track record at protecting all this personal information and car data they collect on people. They've had a few public security incidents over the past few years that leave us worried. Those include a 2020 report by consumer-watchdog Which? in which cybersecurity researchers found concerning security vulnerabilities in a popular Ford model as well as concerns about the FordPass app data collection. When Which? reached out to Ford/Lincoln to discuss their findings with them, they reported, "Ford declined to receive Which?’s technical report. Which? believes this shows a worrying disregard for possible issues relating to its customers’ security and safety." There are also been other security concerns found by security researchers including white hat hackers letting Ford know customer records and other sensitive information was vulnerable to exposure in 2021 (Ford fixed the bug reportedly before any major data leaks), and a group of security researchers looking into security vulnerabilities in cars announced Ford was included when they found a number of vulnerabilities in various car brands in 2023. The good news is, Ford/Lincoln seems to have addressed these publicly known security vulnerabilities, as best we can tell. The bad news is, much like Which?, when we reached out to Ford/Lincoln to ask them our list of privacy and security related questions as part of our research (we do this for every company we research), the declined to provide answers to any of our questions, making it harder for us to help consumers understand how Ford/Lincoln works to protect and respect their privacy.
Henry Ford is quoted as once saying, “Don't find fault, find a remedy: anyone can complain.” So we'll end our story here with just that, a remedy rather than a complaint. Ford/Lincoln, here are some suggests for ways to remedy your terrible privacy practices: Collect much less data on people. Don't sell the personal information of your customers. Give your consumers the right to delete all their data, no matter where they live. Instead of opting people into the huge amounts of data collect you do by default, opt them out at first and let them decide if they want you to collect all this personal information on them, their cars, their whereabouts, how fast they drive, what they listen to, what their preferences are, and more. Shoot, we'd just ask you to follow your stated Ford Motor Company values to "Put People First' and "Do the Right Thing." Or even better, follow the privacy principles you signed on to follow when you signed onto the automotive industry's own Consumer Privacy Protection Principles. Because right now, we have to say, it doesn't look like you are putting people first or doing the right thing when it comes to protecting and respecting the privacy of the people who drive your cars. Unfortunately, we have to warn that modern Ford/Lincoln vehicles and the LincolbPass app come with *privacy not included.
Tips to protect yourself
- Read your vehicle owner’s manual and familiarize yourself with how the vehicle you are driving (or riding in) is equipped, for example vehicle connectivity options and data sharing settings.
- Read this Connected Vehicle Privacy section so you are aware of what Connected Vehicle Information may be collected and how it is used.
- Inform passengers and other drivers of the vehicle that Connected Vehicle Information is being collected and used by us and our vendors.
- Prior to selling or transferring ownership of the vehicle, complete a MASTER RESET (see below) to remove imported personal data like contact lists, names of paired devices and/or connected networks to return the vehicle to the default factory settings and:
a. For vehicles with modems: this will also disassociate any FordPass/Lincoln Way account(s) connected to the vehicle and stop any account-related data sharing
b. For vehicles with a Connectivity Device: you must remove the VIN from your FordPass/Lincoln Way account(s) to disassociate the vehicle from the account and stop any account-related data sharing
Note: Account-related data sharing will continue unless (a) or (b) is performed. Please contact us if you have any questions. - If you purchase or lease a pre-owned Ford or Lincoln vehicle, please check here for Ford vehicles, and here for Lincoln vehicles to see if your vehicle has connectivity technology. Based on how the vehicle is equipped, perform a MASTER RESET and complete the appropriate action detailed in number 4 (above). Please read the “How to Tell If a Vehicle Is Sharing Data” section below to learn more. Connected Services such as FordPass Connect (SYNC Connect) and Lincoln Connect, if equipped and activated, may send us Connected Vehicle Information and may have associated multiple accounts that may allow the account user to access vehicle location and services, such as remote start, lock and unlock, and information about vehicle status, such as fuel level.
- Review the terms and conditions and privacy notices for any third-party services or applications to which you subscribe and/or use while in a Ford or Lincoln vehicle.
- If you rent a connected vehicle, perform a MASTER RESET before you drive the vehicle and before you return the vehicle to the rental company. Please contact the rental company with any questions.
- Do not give consent to tailored advertisement.
- Opt out from selling of your personal information, as well as from Cross-context Behavioral Advertising.
- Always do a factory reset on your car before selling or trading it away to wipe your data clean and disconnect the app.
- Before reselling your car, make sure to notify the company
- When buying a used car, always make the previous owner removed their connected account and performed a factory reset.
- Always use strong passwords and set up two-factor authentication for apps and services that connect to your car
- Only give access to your data to trusted third-parties
- When connecting a mobile app to the car, make sure to minimize the amount of data collected through this app. You can use iOS or Android settings to limit the data collected through your phone.
- Opt out from your mobile device's location sharing.
- Do not use Amazon Alexa in your car if you are concerned about Amazon collecting that voice request information, IP address, and geolocation information and using it to target you with advertising.
Can it snoop on me?
Camera
Device: Yes
App: Yes
Microphone
Device: Yes
App: Yes
Tracks location
Device: Yes
App: Yes
What can be used to sign up?
Yes
Phone
Yes
Third-party account
N/A
What data does the company collect?
Personal
Name, email address, postal address, phone number, age range, nationality, gender, inferred preferences Vehicle- and driving-related data: information about the vehicle, its components and parts, including their status and performance, and diagnostics of vehicle systems (such as VIN, hardware model and part numbers, odometer, tire pressure, fuel and fluid levels, battery and lock status, trouble codes, warning indicators, alerts, and SYNC diagnostics), vehicle charging information (if applicable), and other information about how the vehicle is performing, information about how the vehicle is operated and used (such as speed, use of accelerator, brakes, steering, seat belts, etc.), precise location/GPS information about the vehicle, including current location, travel direction, speed, charging locations used (if applicable), and information about the environment where the vehicle is operated (such as weather, road segment data, road surface conditions, traffic signs, and other surroundings), information about the usage of vehicle features, services, and technology (such as which features are used), information about what is listened to in the vehicle (such as radio presets, volume, channels, media sources, title, artist, and genre).
Body related
Voice commands, audio/visual data
Social
Email addresses of others, for example if you use a “tell-a-friend” tool
How does the company use this data?
How can you control your data?
What is the company’s known track record of protecting users’ data?
In 2021, a bug on Ford Motor Company's website allowed for accessing sensitive systems and obtaining proprietary data, such as customer databases, employee records, internal tickets, etc.
Child Privacy Information
Can this product be used offline?
User-friendly privacy information?
Ford/Lincoln. has numerous privacy policies for their website, cars, connected services, FordPass app, and more. It is time consuming to sort through them all. And while they aren't the most difficult to read privacy policies we've ever seen, they are certainly not easy to digest and understand.
Links to privacy information
Does this product meet our Minimum Security Standards?
Encryption
Ford says, "The connected device sends encrypted data (such as the VIN, SYNC module serial number or other component identifier, odometer, enabled apps, usage statistics and debugging information) to us." However, we cannot determine if all data sitting on the car, including telematic data the car collects as well as data shared when you connect your phone sits encrypted, and if all collected data is encrypted in transit. We reached out to the company to attempt to determine this multiple times and received no response.
Strong password
Security updates
"We periodically release software updates so the vehicle has the latest compatible SYNC version."
Manages vulnerabilities
Ford runs a bug bounty program under https://hackerone.com/ford
Privacy policy
Lincoln employs Driver assist technology in the newer models. It includes pre-collision assist, lane-keeping system, etc. These features are enabled by numerous cameras, sensors and radars on the car.
Is this AI untrustworthy?
What kind of decisions does the AI make about you or for you?
Is the company transparent about how the AI works?
Does the user have control over the AI features?
Dive Deeper
-
From Ferrari to Ford, Cybersecurity Bugs Plague Automotive SafetyDark Reading
-
Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and MoreSam Curry
-
Ford bug exposed customer and employee records from internal systemsBleeping Computer
-
Ford Narrowly Avoided A Massive Cybersecurity Leak Thanks To Friendly HackersCar Scoops
-
Ford Announces Baidu-Powered SYNC+ for ChinaThe News Wheel
-
The Amazing Ways The Ford Motor Company Uses Artificial Intelligence And Machine LearningBernard Marr and Co.
-
Ford and Google to Accelerate Auto Innovation, Reinvent Connected Vehicle ExperienceFord Media Center
-
Popular connected cars from Ford and Volkswagen could put your security, privacy and safety at risk, Which? findsWhich?
-
Ford Infotainment Privacy Class Action Lawsuit – Illegally Storing & Sharing Private SMS With Law Agencies?Consider The Consumer
-
Mark Jones, et al v. Ford Motor CompanyJustia
Comments
Got a comment? Let us hear it.