Warning: *Privacy Not Included with this product
"Enter your comfort zone," says the Mercedes website when you drop by to check out their cars (and privacy policies). Few car brands are more synonymous with luxury than German manufacturer Mercedes-Benz. They make luxury cars, sports cars, Sprinter vans, and commercial vehicles. Mercedes-Benz history goes back to founder Karl Benz, credited with patenting the first practical automobile in 1886, and cars have been sold under the Mercedes name since 1901.
Today they sell models with names like GLS, V-Class, electric cars in the EQ family, and the ritzy, pricey Maybach. Users can connect to their Mercedes-Benz cars through the Mercedes me connect app (for cars 2019 and newer, for older cars it's the Mercedes me app). The app lets you do the usual stuff -- start your car remotely, unlock or lock your doors, find your car on the map, and see your car's data like tire pressure, fuel level, and more. So, how does Mercedes-Benz do at privacy? Well, turns out their privacy practices aren't great -- in fact, we'd say with all the data they collect on you and your car, your Mercedes might feel like anything but a "comfort zone."
What could happen if something goes wrong?
Mercedes-Benz vehicles are known for their high-end price and luxury. Unfortunately, we can't say they should be known for their privacy. Our review of Mercedes-Benz privacy policies, practices, and track record earned them all three of our privacy-related dings, which means they come with our *Privacy Not Included warning label. Even worse, we can't confirm they meet our Minimum Security Standards.
We did reach out to them with our privacy and security related questions, hoping to gain some clarity. Mercedes-Benz did respond to us (unlike most other car companies, who completely ignored our emails); however, they didn't quite answer our questions with as much clarity as we'd hoped. They said, "Because products and services change over time to meet the demands of the market and changing cultural and regulatory landscapes, it is not possible to provide universal answers to your questions. We endeavor to be transparent in what our products and services do through publications such as our website and operation manuals and thus, we encourage you to examine these materials for specific information as to how the features and services related to our vehicles process information."
So yes, Mercedes admits that understanding the privacy and security of their vehicles is complicated, and their solution is to send you off on a privacy policy scavenger hunt with a hearty "Good luck!" Good news! Your diligent privacy researchers did just that. And dang, it wasn't easy or fun to track down relevant privacy information for Mercedes-Benz cars across locations like California and Virginia in the US, their international privacy policy, the Mercedes me app privacy notice, their Mercedes me Connected Vehicle Services privacy notice, and more. We feel super sorry for consumers who care about privacy and want to learn more before buying a Mercedes. We recognize most people don't have days to track down, read, and understand all the privacy documentation Mercedes has that outlines (too often in vague and legalese terms) how they collect and use your personal information, biometric data, geolocation data, car data, sensory data, app usage, inferences they make about you based on your data, and more.
And Mercedes does indeed say they collect a good deal of information on you and your car, including "information reflecting your preferences, characteristics, predispositions, behavior, attitude, and any other inferences drawn from your personal information." So much data. Remember, this includes things like your name, email, Vehicle Identification Number (VIN), driver's license number, internet searches, browsing history, lots of geolocation information about you and your movements, purchasing tendencies, sensory data ("including audio, electronic, visual, or similar information"), how fast you drive your car, where you drive it, when you drive it, what the weather is like when you drive it, where you charge it, and on and on.
What does Mercedes-Benz say they can do with that personal information, car and location data, and inferences? Well, for one, they say they can share, and possibly even sell, some of it to "marketing service providers" for targeted advertising purposes. Yes, those inferences Mercedes makes about things like how fast you drive, where you drive, and more could be used to target you with ads they think will make you buy more stuff. Alas, this is the way of the world these days...it just keeps getting worse and worse.
They also say they can share your information with "Law enforcement, government agencies, and other entities where disclosure is deemed reasonably necessary to comply with law, cooperate with lawful investigations, participate in government programs, obtain government benefits, or protect the rights, property, or safety of you, us, or others." The thing is, lines like that are fairly common in the privacy policies of car makers. The concern is, what does "reasonably necessary" mean when it comes to sharing data with law enforcement or governments? And who gets to decide that? This all gets a bit more frightening when you consider there are too many law enforcement agencies and governments around the world that might not have good intentions when wanting to access this information about you, your car, where you go, and who you go with.
Let's review here: Mercedes collects a lot of personal information and car data, draws inferences about you, and shares or maybe even sells those to third parties for targeted advertising purposes. None of that is good for privacy. But they at least have a good track record of protecting and respecting all that data, right? Well, not exactly. In fact, they disclosed a pretty big data leak -- 1.6 million customers -- in June 2022. Security researchers have also found a number of security vulnerabilities over the past few years. And then there was an app glitch that exposed personal information back in 2019. As far as we can tell, they did work to fix these security issues in a timely manner.
Oh, and here's a head scratcher when it comes to privacy protections: Mercedes made the odd decision to integrate the video app TikTok into their Mercedes E-Class sedans early in 2023. Yeah, TikTok isn't exactly known as a privacy-respecting app, so having it pre-installed in your car seems...not great. Now is a good time to remind you that Mercedes-Benz's own connected vehicle services privacy notice states, "Please note, however, that no information system is 100% secure and we cannot guarantee the security of your information." A good reminder that your information is never really safe out there anywhere on the internet. And when a car, an app, and connected services collect SO MUCH information, well, yeah...it's depressing to consider that not being safe and secure, isn't it?
What's the worst that could happen as you drive your sweet Mercedes-Benz with the Mercedes me app and connected services around town? Well, back to that part of their privacy policy where they say they can share "sensory data" -- things like audio, video, and other electronic sensing information from your car -- with law enforcement and government agencies. That sort of thing starts to feel pretty creepy to us when you consider all the potential ways governments and law enforcement could overreach and abuse it. Driving to an abortion clinic from a US state that bans abortion to one that doesn't? It's possible law enforcement could force Mercedes-Benz to give up your location and use that information to prosecute you for seeking reproductive health care. Live in a country where authoritarian leadership takes over the government and demands the ability to track people they deem political adversaries? Again, it's not too far-fetched in our ever-growing world of connected cars that Mercedes-Benz could be compelled by the government to turn over location data or "sensory information" they collect on you. We do want to be clear that these sorts of concerns are ones we have for all connected cars with similar privacy policy language regarding sharing with government and law enforcement, not just Mercedes-Benz. However, it is something we think car buyers of all car brands, including Mercedes-Benz, should consider in our ever more connected car world. Yes, we are indeed worried that Mercedes cars, app, and connected services come with *Privacy Not Included. We also can't confirm they meet our Minimum Security Standards.
Tips to protect yourself
- Do not give consent to tailored advertising.
- Opt out from selling of your personal information, as well as from cross-context behavioral advertising.
- Always do a factory reset on your car before selling or trading it away to wipe your data clean and disconnect the app.
- Before reselling your car, make sure to notify the company.
- When buying a used car, always make sure the previous owner has removed their connected account and performed a factory reset.
- Always use strong passwords and set up two-factor authentication for apps and services that connect to your car.
- Only give access to your data to trusted third parties.
- When connecting a mobile app to the car, make sure to minimize the amount of data collected through this app. You can use iOS or Android settings to limit the data collected through your phone.
- Opt out from your mobile device's location sharing.
- Do not use Amazon Alexa in your car if you are concerned about Amazon collecting that voice request information, IP address, and geolocation information and using it to target you with advertising.
Can it snoop on me?
Camera
Device: Yes
App: Yes
Microphone
Device: Yes
App: No
Tracks location
Device: Yes
App: Yes
What can be used to sign up?
Email: Yes
Phone: Yes
Third-party account: N/A
What data does the company collect?
Personal
"Name, address, payment information, telephone number, email address, and date of birth, precise geolocation. Driver Behavior Information: Information about how you drive the vehicle, such as vehicle speed, seat belt use, acceleration, trip duration, and braking habits. Vehicle- and driving-related information: Data about your vehicle, including data generated by the sensors and software in your vehicle, such as diagnostic trouble codes, maintenance conditions, engine performance, system temperatures, mileage, tire pressure, fuel level, door and window status, sensor status, climate control settings, charging status, charger type, battery status, impact data, and fuel economy. Vehicle data may include your vehicle's VIN, Driver Behavior Information and Geolocation Information, charging station information, your chosen routes, calendar entries, contact numbers, points of interest, eligibility for services, available parking spaces, information requests, traffic information, hazard information, service activation requests, and credentials for multimedia services. We may also collect information including your address book, calendar, tasks, and emails, to the extent you authorize such collection; information about how you interact with vehicle systems, including use of multimedia screens, recent service requests, purchases, and presets."
Body related
Vehicle Data may include voice recordings made to support voice-activated services
Social
How does the company use this data?
How can you control your data?
What is the company’s known track record of protecting users’ data?
In January 2023, a security researcher discovered API flaws in Mercedes-Benz systems that reportedly could have "allowed threat actors to access internal systems, giving them access to GitHub instances, private chats, servers, AWS instances, and more." According to reports, sensitive personal information was vulnerable.
In June 2022 Mercedes-Benz disclosed a data leak on the part of a third-party vendor that exposed the personal information of up to 1.6 million prospective and actual customers, including names, street addresses, email addresses and phone numbers. The leak also included sensitive personal information such as social security numbers and credit card information for "less than a thousand" people as part of this data breach.
In 2020, security researchers found more than a dozen vulnerabilities in a Mercedes-Benz E-Class car that allowed them to remotely open its doors and start the engine.
Child Privacy Information
Can this product be used offline?
User-friendly privacy information?
Mercedes-Benz offers up a confusing host of privacy policies, statements, notices, and terms of use documentation that is difficult and time consuming to sort through and understand.
Links to privacy information
- Datenschutzrichtlinie EU
- Mercedes-Benz USA Privacy Statement
- Mercedes me connect App Terms of Use & Privacy Policy
- Privacy Notice for Mercedes me connect Connected Vehicle Services
- Connected Vehicle Services Page
- Mercedes me USA Terms of Use
- California CCPA Privacy Policy
- Mercedes-Benz International Website Privacy Statement
- EU Data Protection Policy
Does this product meet our Minimum Security Standards?
Encryption
The Mercedes me connect app Terms of Use reads "If the User has activated the encryption of his device and has set a password/PIN, the App will store personal data in an encrypted form. Should the User not use the encryption of his device or if no password/PIN has been set, encryption of personal data cannot be ensured." It also reads "Provider is not responsible for the acts of third parties who may access the App and information via your mobile device. You should use all security features of the devices that you use to access and use the App, including any password, locking, or encryption features, to help secure access to the App." In other words, the app relies on the phone's own disk encryption, which only protects data at rest when a passcode is set. However, we cannot determine whether all data sitting on the car, including the telematics data the car collects as well as the data shared when you connect your phone, is encrypted. Mercedes did respond to our questions and confirmed that much of the data sitting on the car is encrypted; however, they could not confirm that all personal information sitting on the car is encrypted.
Strong password
The Mercedes me connect app Terms of Use reads "If the User has activated the encryption of his device and has set a password/PIN, the App will store personal data in an encrypted form. Should the User not use the encryption of his device or if no password/PIN has been set, encryption of personal data cannot be ensured." "Provider is not responsible for the acts of third parties who may access the App and information via your mobile device. You should use all security features of the devices that you use to access and use the App, including any password, locking, or encryption features, to help secure access to the App"
Security updates
Manages vulnerabilities
Here is Mercedes-Benz's vulnerability reporting policy and submission form. It's nice to note that Mercedes even has a "Hall of Fame" section where they acknowledge security researchers who were the first to report a vulnerability.
Privacy policy
Mercedes-Benz is the first automotive company to certify an SAE Level 3 conditionally automated driving system for the U.S. market. Thus, Mercedes-Benz is the first to get approval to sell conditionally automated vehicles in California.
DRIVE PILOT can offer to take over the dynamic driving task at speeds up to 40 mph.
The exact location of a Mercedes-Benz equipped with DRIVE PILOT is determined using a high-precision positioning system that is more precise than GPS systems.
Is this AI untrustworthy?
What kind of decisions does the AI make about you or for you?
Is the company transparent about how the AI works?
Does the user have control over the AI features?
Dive Deeper
- Major security flaws found in Mercedes, Ferrari and other top luxury cars (TechRadar Pro)
- Mercedes Reveals EQE and EQS 'Acceleration Increase' Subscription Pricing (Car and Driver)
- Why You Need A Mercedes Software Update (Premier Service)
- 1.6 million hit in possible Mercedes-Benz data breach — what you need to know (Tom's Guide)
- Security bugs let these car hackers remotely control a Mercedes-Benz (TechCrunch)
- TikTok works its way into car consoles with Mercedes-Benz deal (The Washington Post)
- Millions of Vehicles at Risk: API Vulnerabilities Uncovered in 16 Major Car Brands (The Hacker News)
- From Ferrari to Ford, Cybersecurity Bugs Plague Automotive Safety (Dark Reading)
- Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More (Sam Curry)
- Critical flaws found in Ferrari, Mercedes, BMW, Porsche, and other carmakers (Security Affairs)
- Black Hat 2020: Mercedes-Benz E-Series Rife with 19 Bugs (Threatpost)
- Privacy Concerns Aren't Keeping Automakers From Selling Massive Amounts of Your Data (Newsweek)
- Mercedes caught up in privacy storm over car trackers (CNN)
- Privacy Fear Over Mercedes-Benz that Track Driver's Every Move (The Times)