Warning: *privacy not included with this product
"Enter your comfort zone," says the Mercedes website when you drop by to check out their cars (and privacy policies). Few car brands are more synonymous with luxury than German car manufacturer Mercedes-Benz. They make luxury cars, sports cars, Sprinter vans, as well as commercial vehicles. Mercedes-Benz history includes founder Karl Benz, credited with creating the first internal combustion engine, patented in 1886, and Mercedes has been selling cars since 1901.
Today they sell models with names like GLS, V-Class, electric cars in the EQ family, and the ritzy, pricey Maybach. Users can connect to their Mercedes-Benz cars through the Mercedes me connect app (for cars 2019 and newer, for older cars it's the Mercedes me app). The app lets you do the usual stuff -- start your car remotely, unlock or lock your doors, find your car on the map, and see your car's data like tire pressure, fuel level, and more. So, how does Mercedes-Benz do at privacy? Well, turns out their privacy practices aren't great -- in fact, we'd say with all the data they collect on you and your car, your Mercedes might feel like anything but a "comfort zone."
What could happen if something goes wrong?
Mercedes-Benz vehicles are known for their high-end price and luxury. Unfortunately, we can't say they should be known for their privacy. Our review of Mercedes-Benz privacy policies, practices, and track record earned them all three of our privacy-related dings, which means they come with our *Privacy Not Included warning label. Even worse, we can't confirm they meet our Minimum Security Standards.
We did reach out to them with our privacy and security related questions, hoping to gain some clarity. Mercedes-Benz did respond to us (unlike most other car companies, who completely ignored our emails); however, they didn't quite answer our questions with as much clarity as we'd hoped. They said, "Because products and services change over time to meet the demands of the market and changing cultural and regulatory landscapes, it is not possible to provide universal answers to your questions. We endeavor to be transparent in what our products and services do through publications such as our website and operation manuals and thus, we encourage you to examine these materials for specific information as to how the features and services related to our vehicles process information."
And Mercedes does indeed say they collect a good deal of information on you and your car, including "information reflecting your preferences, characteristics, predispositions, behavior, attitude, and any other inferences drawn from your personal information." So much data. Remember, this includes things like your name, email, Vehicle Identification Number (VIN), driver's license number, internet searches, browsing history, lots of geolocation information about you and your movements, purchasing tendencies, sensory data ("including audio, electronic, visual, or similar information"), how fast you drive your car, where you drive it, when you drive it, what the weather is like when you drive it, where you charge it, and on and on.
What does Mercedes-Benz say they can do with that personal information, car and location data, and inferences? Well, for one, they say they can share, and possibly even sell, some of it to "marketing service providers" for targeted advertising purposes. Yes, those inferences Mercedes makes about things like how fast you drive, where you drive, and more could be used to target you with ads they think will make you buy more stuff. Alas, this is the way of the world these days...it just keeps getting worse and worse.
They also say they can share your information with "Law enforcement, government agencies, and other entities where disclosure is deemed reasonably necessary to comply with law, cooperate with lawful investigations, participate in government programs, obtain government benefits, or protect the rights, property, or safety of you, us, or others." The thing is, lines like that are fairly common in the privacy policies of car makers. The concern is, what does "reasonably necessary" mean when it comes to sharing data with law enforcement or governments? And who gets to decide that? This all gets a bit more frightening when you consider there are too many law enforcement agencies and governments around the world that might not have good intentions when wanting to access this information about you, your car, where you go, and who you go with.
Let's review here: Mercedes collects a lot of personal information and car data, draws inferences about you, and shares or maybe even sells those to third parties for targeted advertising purposes. None of that is good for privacy. But they at least have a good track record of protecting and respecting all that data, right? Well, not exactly. In fact, they disclosed a pretty big data leak -- 1.6 million customers -- in June, 2022. And security researchers have also found a number of security vulnerabilities over the past few years. And then there was an app glitch that exposed personal information back in 2019. As far as we can tell, they did work to fix these security issues in a timely manner.
Oh, and here's a head scratcher when it comes to privacy protections: Mercedes made the odd decision to integrate the video app TikTok into their Mercedes E-Class sedans early in 2023. Yeah, TikTok isn't exactly known to be a privacy-respecting app, so having it pre-installed in your car seems...not great. Now is a good time to remind you that Mercedes-Benz's own connected vehicle services privacy notice states, "Please note, however, that no information system is 100% secure and we cannot guarantee the security of your information." A good reminder that your information is never really safe out there anywhere on the internet. And when a car and app and connected services collect SO MUCH information, well, yeah...it's depressing to consider that not being safe and secure, isn't it?
Tips to protect yourself
- Do not give consent to tailored advertisement.
- Opt out from selling of your personal information, as well as from cross-context behavioral advertising.
- Always do a factory reset on your car before selling or trading it away to wipe your data clean and disconnect the app.
- Before reselling your car, make sure to notify the company.
- When buying a used car, always make sure the previous owner removed their connected account and performed a factory reset.
- Always use strong passwords and set up two-factor authentication for apps and services that connect to your car.
- Only give access to your data to trusted third parties.
- When connecting a mobile app to the car, make sure to minimize the amount of data collected through this app. You can use iOS or Android settings to limit the data collected through your phone.
- Opt out from your mobile device's location sharing.
- Do not use Amazon Alexa in your car if you are concerned about Amazon collecting that voice request information, IP address, and geolocation information and using it to target you with advertising.
What data does the company collect?
"Name, address, payment information, telephone number, email address, and date of birth, precise geolocation. Driver Behavior Information: Information about how you drive the vehicle, such as vehicle speed, seat belt use, acceleration, trip duration, and braking habits. Vehicle- and driving-related information: Data about your vehicle, including data generated by the sensors and software in your vehicle, such as diagnostic trouble codes, maintenance conditions, engine performance, system temperatures, mileage, tire pressure, fuel level, door and window status, sensor status, climate control settings, charging status, charger type, battery status, impact data, and fuel economy. Vehicle data may include your vehicle's VIN, Driver Behavior Information and Geolocation Information, charging station information, your chosen routes, calendar entries, contact numbers, points of interest, eligibility for services, available parking spaces, information requests, traffic information, hazard information, service activation requests, and credentials for multimedia services. We may also collect information including your address book, calendar, tasks, and emails, to the extent you authorize such collection; information about how you interact with vehicle systems, including use of multimedia screens, recent service requests, purchases, and presets."
Vehicle Data may include voice recordings made to support voice-activated services.
What is the company's known track record of protecting users' data?
In January 2023, a security researcher discovered API flaws in Mercedes-Benz systems that reportedly could have "allowed threat actors to access internal systems, giving them access to GitHub instances, private chats, servers, AWS instances, and more." According to reports, sensitive personal information was vulnerable.
In June 2022, Mercedes-Benz disclosed a data leak on the part of a third-party vendor that exposed the personal information of up to 1.6 million prospective and actual customers, including names, street addresses, email addresses and phone numbers. The leak also included sensitive personal information such as social security numbers and credit card information for "less than a thousand" people.
Links to privacy information
- Datenschutzrichtlinie EU
- Mercedes-Benz International Website Privacy Statement
- EU Data Protection Policy
- Mercedes-Benz USA Privacy Statement
- Privacy Notice for Mercedes me connect Connected Vehicle Services
- Connected Vehicle Services Page
Does this product meet our Minimum Security Standards?
Here is Mercedes-Benz's vulnerability reporting policy and submission form. It's nice to note that Mercedes even has a "Hall of Fame" section where they acknowledge security researchers who have been the first to report a vulnerability.
Mercedes-Benz is the first automotive company to certify an SAE Level 3 conditionally automated driving system for the U.S. market. Thus, Mercedes-Benz is the first to get approval to sell partially autonomous vehicles in California.
DRIVE PILOT can offer to take over the dynamic driving task at speeds up to 40 mph.
The exact location of a Mercedes-Benz equipped with DRIVE PILOT is determined using a high-precision positioning system that is more precise than GPS systems.
- Major security flaws found in Mercedes, Ferrari and other top luxury cars (TechRadar Pro)
- Mercedes Reveals EQE and EQS 'Acceleration Increase' Subscription Pricing (Car and Driver)
- Why You Need A Mercedes Software Update (Premier Service)
- 1.6 million hit in possible Mercedes-Benz data breach — what you need to know (Tom's Guide)
- Security bugs let these car hackers remotely control a Mercedes-Benz (TechCrunch)
- TikTok works its way into car consoles with Mercedes-Benz deal (The Washington Post)
- Millions of Vehicles at Risk: API Vulnerabilities Uncovered in 16 Major Car Brands (The Hacker News)
- From Ferrari to Ford, Cybersecurity Bugs Plague Automotive Safety (Dark Reading)
- Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More (Sam Curry)
- Critical flaws found in Ferrari, Mercedes, BMW, Porsche, and other carmakers (Security Affairs)
- Black Hat 2020: Mercedes-Benz E-Series Rife with 19 Bugs (Threatpost)
- Privacy Concerns Aren't Keeping Automakers From Selling Massive Amounts of Your Data (Newsweek)
- Mercedes caught up in privacy storm over car trackers (CNN)
- Privacy Fear Over Mercedes-Benz that Track Driver's Every Move (The Times)