Mercedes-Benz

Warning: *privacy not included with this product

Wi-Fi Bluetooth

Review date: Aug. 15, 2023


People voted: Very creepy

"Enter your comfort zone," says Mercedes website when you drop it to check out their cars (and privacy policies). Few car brands are more synonymous with luxury than German car manufacturer Mercedes-Benz. They makes luxury cars, sports cars, Sprinter vans, as well as commercial vehicles. Mercedes-Benz history includes founder Karl Benz credited with creating the first internal combustion engine patented in 1886 and Mercedes has been selling cars to since 1901.

Today they sell models with names like GLS, V-Class, electric cars in the EQ family, and the ritzy, pricey Maybach. Users can connect to their Mercedes-Benz cars through the Mercedes me connect app (for cars 2019 and newer, for older cars it's the Mercedes me app). The app lets you do the usual stuff -- start your car remotely, unlock or lock your doors, find your car on the map, and see your car's data like tire pressure, fuel level, and more. So, how does Mercedes-Benz do at privacy? Well, turns out their privacy practices aren't great -- in fact, we'd say with all the data they collect on you and your car, your Mercedes might feel like anything but a "comfort zone."

What could happen if something goes wrong?

Mercedes-Benz vehicles are known for their high-end price and luxury. Unfortunately, we can't say they should be known for their privacy. Our review of Mercedes-Benz privacy policies, practices, and track record earned them all three of our privacy-related dings, which means they come with our *Privacy Not Included warning label. Even worse, we can't confirm they meet our Minimum Security Standards.

We did reach out to them with our privacy and security related questions, hoping to gain some clarity. Mercedes-Benz did respond to us (unlike most other car companies who completely ignored our emails), however, they didn't quite answer our questions with as much clarity as we'd hoped. They said, "Because products and services change over time to meet the demands of the market and changing cultural and regulatory landscapes, it is not possible to provide universal answers to your questions. We endeavor to be transparent in what our products and services do through publications such as our website and operation manuals and thus, we encourage you to examine these materials for specific information as to how the features and services related to our vehicles process information."

So yes, Mercedes admits that understanding the privacy and security of their vehicles is complicated and their solution is to send you off on a privacy policy scavenger hunt with a hearty "Good luck!" Good news! Your diligent privacy researchers did just that. And dang, it wasn't easy or fun to track down relevant privacy information for Mercedes-Benz cars across locations like California and Virginia in the US or their international privacy policy, the Mercedes me app privacy notice, their Mercedes me Connected Vehicle Services privacy notice, and more. We feel super sorry for consumers who care about privacy and want to learn more before buying a Mercedes. We recognize most people don't have days to track down, read, and understand all the privacy documentation Mercedes has that outlines (too often in vague and legalese terms) how they collect and use your personal information, biometric data, geolocation data, car data, sensory data, app usage, inferences they make about you based on your data, and more.

And Mercedes does indeed say they collect a good deal of information on you and your car, including "information reflecting your preferences, characteristics, predispositions, behavior, attitude, and any other inferences drawn from your personal information." So much data. Remember, this includes things like your name, email, Vehicle Identification Number (VIN), driver's license number, internet searches, browsing history, lots of geolocation information about you and your movements, purchasing tendencies, sensory data ("including audio, electronic, visual, or similar information"), how fast you drive your car, where you drive it, when you drive it, what the weather is like when you drive it, where you charge it, and on and on.

What does Mercedes-Benz say they can do with that personal information, car and location data, and inferences? Well, for one, they say they can share, and possibly even sell, some of it to "marketing service providers" for targeted advertising purposes. Yes, those inferences Mercedes makes about things like how fast you drive, where you drive, and more could be used to target you with ads they think will make you buy more stuff. Alas, this is the way of the world these days...it just keeps getting worse and worse.

They also say they can share your information with "Law enforcement, government agencies, and other entities where disclosure is deemed reasonably necessary to comply with law, cooperate with lawful investigations, participate in government programs, obtain government benefits, or protect the rights, property, or safety of you, us, or others." The thing is, lines like that are fairly common in the privacy policies of car makers. The concern is, what does "reasonably necessary" mean when it comes to sharing data with law enforcement or governments? And who gets to decide that? This all gets a bit more frightening when you consider there are too many law enforcement agencies and governments around the world that might not have good intentions when wanting to access this information about you, your car, where you go, and who you go with.

Let's review here: Mercedes collects a lot of personal information and car data, draws inferences on you and shares or maybe even sells those to third parties for targeted advertising purposes. None of that is good for privacy. But they at least have a good track record of protecting and respecting all that data, right? Well, not exactly. In fact, they disclosed a pretty big data leak -- 1.6 million customers -- in June, 2022. And security researchers have also found a number of security vulnerabilities over the past few years. And then there was an app glitch that exposed personal information back in 2019. As far as we can tell, they did work to fix these security issues in a timely manner.

Oh, and here's a head scratcher when it comes to privacy protections: Mercedes made the odd decision to integrate video app TikTok into their Mercedes E-class sedans early in 2023. Yeah, TikTok isn't exactly known to be a privacy-respecting app, so having it pre-installed on your car seems...not great. Now is a good time to remind you that Mercedes-Benz's own connected vehicle services privacy notice states, "Please note, however, that no information system is 100% secure and we cannot guarantee the security of your information." A good reminder that your information is never really safe out there anywhere on the internet. And when a car and app and connected services collect SO MUCH information, well, yeah...it's depressing to consider that not being safe and secure, isn't it?

What's the worst that could happen as you drive your sweet Mercedes-Benz with the Mercedes me app and connected services around town? Well, back to that part of their privacy policy where they say they can share "sensory data" -- things like audio, video, and other electronic sensing information from your car -- with law enforcement and government agencies. That sort of thing starts to feel pretty creepy to us when you consider all the potential ways governments and law enforcement could overreach and abuse that. Driving to an abortion clinic from a state in the US that bans abortion to one that doesn't? It's possible law enforcement could force Mercedes-Benz to give up your location and use that information to prosecute you for seeking reproductive health care. Live in a country where authoritarian leadership takes over the government and demands the ability to track people they deem political adversaries? Again, it's not too far-fetched in our ever-growing world of connected cars that Mercedes-Benz could be compelled by the government to turn over location data or "sensory information" they can collect on you. We do want to be clear that these sorts of concerns are ones we have for all connected cars with similar privacy policy language regarding sharing with government and law enforcement, not just Mercedes-Benz. However, it is something we think car buyers of all car brands, including Mercedes-Benz, should consider in our ever more connected car world. Yes, we are indeed worried that Mercedes cars, app, and connected services come with *privacy not included. We also can't confirm they meet our Minimum Security Standards.

Tips to protect yourself

  • Do not give consent to tailored advertisement.
  • Opt out from selling of your personal information, as well as from cross-context behavioral advertising.
  • Always do a factory reset on your car before selling or trading it away to wipe your data clean and disconnect the app.
  • Before reselling your car, make sure to notify the company.
  • When buying a used car, always make sure the previous owner removed their connected account and performed a factory reset.
  • Always use strong passwords and set up two-factor authentication for apps and services that connect to your car.
  • Only give access to your data to trusted third parties.
  • When connecting a mobile app to the car, make sure to minimize the amount of data collected through this app. You can use iOS or Android settings to limit the data collected through your phone.
  • Opt out from your mobile device's location sharing.
  • Do not use Amazon Alexa in your car if you are concerned about Amazon collecting that voice request information, IP address, and geolocation information and using it to target you with advertising.

Can it snoop on me?

Camera

Device: Yes

App: Yes

Microphone

Device: Yes

App: No

Tracks location

Device: Yes

App: Yes

What can be used to sign up?

What data does the company collect?

How does the company use this data?

We ding this product for potentially selling personal identifiers, and for sharing personal information and inferences drawn from personal information with marketing services providers.

Mercedes-Benz Privacy Policy Statement:

"Below we have listed the categories of personal information we have shared with our marketing partners in a way that may be considered a “sale” for CCPA purposes:
- Personal identifiers
- Internet or other network activity
- Purchasing history
We have also disclosed the following sensitive personal information to facilitate renewable energy credit claims:
- Precise geolocation information

We do not “sell” or “share” sensitive personal information and we do not knowingly “sell” or “share” the personal information of minors under 16 years of age."

According to Mercedes-Benz CCPA privacy statement, "Information reflecting your preferences, characteristics, predispositions, behavior, attitude, and any other inferences drawn from your personal information." may be shared or "sold" to third parties for advertising purposes.

According to the CCPA policy, "photographs and audio recordings" can be shared with "Authorized MBUSA dealers" and "Vehicle services providers" to "provide you with connected vehicle and customer services." Also, "information reflecting your preferences, characteristics, predispositions, behavior, attitude, and any other inferences drawn from your personal information" as well as "purchasing history and tendencies including records of personal property, products, or services purchased, obtained, or considered" can be shared with "marketing services providers".

Mercedes me connect app Privacy Statement:

"Please note that certain services may involve the sharing of information, including Geolocation Information and Driving Behavior Information, with other authorized users of Mercedes me connect services associated with the vehicle (e.g., household members or fleet owners). For example, authorized users can view Geolocation and Driving Behavior Information when Tracking Services and Vehicle Monitoring are active. Please review applicable service descriptions for more information."

"Note that ad networks and similar entities may collect information directly from your device, including data about how you interact with the app, the content and ads you have viewed, and your activities on the app and other mobile applications, websites, and online services for advertising and analytics. We do not honor do not track signals."

"We may share your personal information with authorized Mercedes-Benz dealers and our affiliates. The following
categories of your personal information may be shared for our business purposes:
 Personal identifiers
 Device identifiers
 Geolocation data
 Demographics
 App usage history and information
 Financial Information
Under California law, a sale is broadly defined to include any selling, renting, releasing, disclosure, disseminating, making available, and transferring of a consumer’s personal information for monetary or other valuable consideration. While we do not provide your personal information in exchange for monetary value, our disclosure of your name and e-mail address to our marketing partners may still qualify as a sale under California law."

Mercedes me connect Connected Vehicle Services Privacy Statement:

"By purchasing or using a vehicle equipped with Mercedes me connect services, using Mercedes me connect services, subscribing to Mercedes me connect services, making a purchase through Mercedes me connect services, or creating a Mercedes me account, you consent to the practices described in this notice."

"Even if you have not activated Mercedes me connect services, the vehicle may collect and transmit geolocation information and driver behavior information in a collision or potential emergency. See the vehicle’s Operator’s Manual for more information. Geolocation information may also be accessed without activation of Mercedes me connect services by third-party services providers in accordance with your agreements with them."

"We share information with third-party content providers to provide you with the information or services you request. For example, we may share information with a third party service provider to process orders, deposits, or payments when you make a purchase through the Mercedes meconnect Store. We may also share information that does not reasonably identify you or your vehicle with third parties that provide traffic or other location-based information or services."

"Personal profiles established by your user account may be available to other vehicle users. To delete profiles from the vehicle, you may need to delete the profile within the Mercedes me connect Customer Portal as well as within the vehicle.”

"We may share the information we collect consistent with your authorization or consent, such as when you activate third-party services. You should confirm that you are legally authorized to share information with us, including business communication information, before doing so. This applies in particular to persons who are subject to professional confidentiality requirements."

"We are committed to using the information we collect only in ways that are consistent with the context in which we collected the information and consistent with the choices that you make. We may anonymize or aggregate information we collect so that it does not reasonably identify you or your vehicle and use or share it for any purpose. We may use the information we collect to: <...> Conduct surveys and marketing, including interest-based marketing and advertising for us and on behalf of third parties (subject to any required consents)"

"We may share information that does not reasonably identify you with third parties for any purpose."

"We endeavor to protect the data we collect. We use commercially reasonable physical, technical, and administrative security measures designed to protect information against loss and unauthorized access or use. Please note, however, that no information system is 100%
secure and we cannot guarantee the security of your information,"

"If you have activated the encryption of your device and have set a password/PIN, the App will store personal information in an encrypted form. Should you not use the encryption of your device or if no password/PIN has been set, encryption of personal information cannot be ensured."

Mercedes-Benz International Privacy Statement:
"Deleting your personal data
Your IP address and the name of your Internet service provider, which we store for security reasons, are deleted after seven days. Moreover, we delete your personal information as soon as the purpose for which it was collected and processed has been fulfilled. Beyond this time period, data storage only takes place to the extent made necessary by the legislation, regulations or other legal provisions to which we are subject in the EU or by legal provisions in third-party countries if these have an appropriate level of data protection..."

How can you control your data?

We cannot confirm that all users regardless of location can get their data deleted.

"You may be able to opt out of the collection of data via certain Mercedes me connect services by deactivating those specific services through the Mercedes me connect portal. Please note opt out and deactivation rights may be limited to Vehicle owners, lessees, or their designees. Contact Mercedes me connect Support for additional information on how to opt out of data collection or deactivating services: 1 (800) 367-6372 or [email protected]."

"California residents have the right to request deletion of the personal information we have collected from them. You or your authorized agent can submit a deletion request here or by calling 1-833-808-5050. In order to respond to your request, we will need to verify your identity by asking for certain personal information to match with the information we have on file. The personal information that we use to verify your identity will not be used for any other purpose."

"You may request to review and update your personal information at any time by emailing [email protected]."

"You can delete Geolocation Information used for Parked Vehicle Locator, Vehicle Tracker, Geofencing, Last Mile Navigation, Trip Statistics, Valet Protect and Curfew Minder and Speed Alert by deactivating the services, to the extent these services are offered on your vehicle. To deactivate certain location-based services, you may need to contact the CAC without using your vehicle’s communications features. This prevents unauthorized disabling of location services. Please note deletion and deactivation rights may be limited to Vehicle owners, lessees, or their designees."

What is the company’s known track record of protecting users’ data?

Bad

In January 2023, a security researcher discovered API flaws in Mercedes-Benz systems that reportedly could have "allowed threat actors to access internal systems, giving them access to GitHub instances, private chats, servers, AWS instances, and more." According to reports, sensitive personal information was vulnerable.

In June 2022 Mercedes-Benz disclosed a data leak on the part of a third-party vendor that exposed the personal information of up to 1.6 million prospective and actual customers, including names, street addresses, email addresses and phone numbers. The leak also included sensitive personal information such as social security numbers and credit card information for "less than a thousand" people as part of this data breach.

In 2020, security researchers found more than a dozen vulnerabilities in a Mercedes-Benz E-Class car that allowed them to remotely open its doors and start the engine.

Child Privacy Information

"The categories of third parties to whom the above information MBUSA does not have actual knowledge that it sells the personal information of minors under 16 years of age."

Can this product be used offline?

Yes

User-friendly privacy information?

No

Mercedes-Benz offers up a confusing host of privacy policies, statements, notices, and terms of use documentation that is difficult and time consuming to sort through and understand.

Links to privacy information

Does this product meet our Minimum Security Standards?

Unknown

Encryption

Can’t Determine

The Mercedes me connect app Terms of Use reads "If the User has activated the encryption of his device and has set a password/PIN, the App will store personal data in an encrypted form. Should the User not use the encryption of his device or if no password/PIN has been set, encryption of personal data cannot be ensured." "Provider is not responsible for the acts of third parties who may access the App and information via your mobile device. You should use all security features of the devices that you use to access and use the App, including any password, locking, or encryption features, to help secure access to the App." However, we cannot determine if all data sitting on the car, including telematic data the car collects as well as data shared when you connect your phone, sits encrypted. Mercedes did respond to our questions and confirmed that much data sitting on the car is encrypted; however, they could not confirm that all personal information sitting on the car is encrypted.

Strong password

Can’t Determine

The Mercedes me connect app Terms of Use reads "If the User has activated the encryption of his device and has set a password/PIN, the App will store personal data in an encrypted form. Should the User not use the encryption of his device or if no password/PIN has been set, encryption of personal data cannot be ensured." "Provider is not responsible for the acts of third parties who may access the App and information via your mobile device. You should use all security features of the devices that you use to access and use the App, including any password, locking, or encryption features, to help secure access to the App."

Security updates

Yes

Manages vulnerabilities

Yes

Mercedes-Benz has a vulnerability reporting policy and submission form. It's nice to note that Mercedes even has a "Hall of Fame" section where they acknowledge security researchers who have been the first reporter of a vulnerability.

Privacy policy

Yes

Does the product use AI?

Yes

Mercedes-Benz is the first automotive company to certify an SAE Level 3 conditionally automated driving system for the U.S. market. Thus, Mercedes-Benz is the first to get approval to sell partially autonomous vehicles in California.

DRIVE PILOT can offer to take over the dynamic driving task, up to the speed of 40 mph.

The exact location of a Mercedes-Benz equipped with DRIVE PILOT is determined using a high-precision positioning system that is more precise than GPS systems.

Is this AI untrustworthy?

Can’t Determine

What kind of decisions does the AI make about you or for you?

Is the company transparent about how the AI works?

Can’t Determine

Does the user have control over the AI features?

Can’t Determine

*privacy not included

Dive Deeper

  • Major security flaws found in Mercedes, Ferrari and other top luxury cars
    TechRadar Pro
  • Mercedes Reveals EQE and EQS 'Acceleration Increase' Subscription Pricing
    Car and Driver
  • Why You Need A Mercedes Software Update
    Premier Service
  • 1.6 million hit in possible Mercedes-Benz data breach — what you need to know
    Tom's Guide
  • Security bugs let these car hackers remotely control a Mercedes-Benz
    TechCrunch
  • TikTok works its way into car consoles with Mercedes-Benz deal
    The Washington Post
  • Millions of Vehicles at Risk: API Vulnerabilities Uncovered in 16 Major Car Brands
    The Hacker News
  • From Ferrari to Ford, Cybersecurity Bugs Plague Automotive Safety
    Dark Reading
  • Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More
    Sam Curry
  • Critical flaws found in Ferrari, Mercedes, BMW, Porsche, and other carmakers
    Security Affairs
  • Black Hat 2020: Mercedes-Benz E-Series Rife with 19 Bugs
    Threatpost
  • Privacy Concerns Aren't Keeping Automakers From Selling Massive Amounts of Your Data
    Newsweek
  • Mercedes caught up in privacy storm over car trackers
    CNN
  • Privacy Fear Over Mercedes-Benz that Track Driver's Every Move
    The Times
