Warning: *Privacy Not Included with this product
Subaru is a Japanese car company started back in the 1950s. Their all-wheel drive, sporty SUVs and cars are popular with outdoor types and the LGBT+ community (and your privacy researcher's Mom...Mom swears by Subaru and has since the 1980s). Popular models include the Outback, Forester, Crosstrek, Impreza, Legacy, the sporty WRX, and the electric Solterra. The MySubaru app and Subaru's Starlink connected services offer up all the usual connected car things like remote start/stop, lock/unlock, honking your horn and flashing your lights from your bedroom, automatic collision notification, multimedia services like navigation and news, trip logs, and a way to manage other people who might drive your Subaru with boundary, speed, and curfew alerts. So, do we love Subaru's privacy? Not really. But hey, they aren't the worst car company we reviewed, so there's that.
What could happen if something goes wrong?
Here's something you might not realize. The moment you sit in the passenger seat of a Subaru that uses connected services, you've consented to allow them to use -- and maybe even sell -- your personal information. According to their privacy policy, that means things like your name, location, "Audio recordings of Vehicle Occupants", and inferences they can draw about things like your "characteristics, predispositions, behavior, or attitudes." Call us bonkers, but we don't think that simply sitting in the passenger seat of someone's Subaru should mean you consent to having any of your personal information used for, well, pretty much anything at all. Let alone potentially sold to data brokers or shared with third party marketers so they can target you with ads about who knows what based on the inferences they draw about you because you sat in the back seat of a Subaru in the mountains of Colorado. We're gonna really call out Subaru for this, because they lay it out so clearly in their privacy policy, but please know, Subaru isn't the only car company doing this sort of icky thing.
If you go read Subaru's privacy policy (or don't, we did it for you, you can just read our review here), you'll see at the very start they say this: "This Privacy Policy applies to each user of the Services, including any “Vehicle Occupant,” which includes each driver or passenger in a Subaru vehicle that uses Connected Vehicle Services, such as Subaru Starlink (such vehicle, a “Connected Vehicle”), whether or not such driver or passenger is the vehicle owner or a registered user of the Connected Vehicle Services. For the avoidance of doubt, for purposes of this Privacy Policy, “using” the Services includes being a Vehicle Occupant in a Connected Vehicle." So yeah, they don't want there to be any doubt that when you sit in a connected Subaru, you've entered the world of using their services.
Subaru then goes on to say, "By disclosing your Personal Information to us, registering or enrolling in certain Services, or otherwise using our Services, or interacting with us offline, you consent to our collection, use, and disclosure of your Personal Information as described in this Privacy Policy." This part is the doozy. So, they've already established that by getting in the connected Subaru, you're using their "services." Now they're saying you've consented to the things they lay out in their privacy policy by simply getting in that car. That doesn't exactly feel like consent to us, but hey, we're just privacy advocates who think companies -- especially car companies -- should do a LOT more to protect people's privacy.
According to that privacy policy, what exactly are you consenting to by sitting in that Subaru or using their connected services or their MySubaru app? Well, first off, you're consenting to a whole lot of data collection. Everything from name, address, phone number, social security number, vehicle identification number (VIN), browsing and search history, geolocation data (meaning your physical location and movements), vehicle telemetry data like speed and tire pressure, to audio recordings of vehicle occupants, and even inferences they can draw about your characteristics, behaviors, and predispositions. You're also consenting to allow Subaru to collect even more data about you from places like data brokers (or data service companies as they call them), or possibly even "certain features of your mobile device, including its camera, location services (GPS), microphone and contacts, and collect Information from those features, such as photographs, videos, your precise location, audio recordings, and contact information."
That's a lot of information Subaru says they can collect on you! But that's not all. You're also then consenting to have that personal information shared -- or even possibly sold -- to third parties like marketing companies, those data service providers (aka data brokers), other Subaru affiliates and service providers, law enforcement and government entities. Yikes! Bet you didn't know you consented to all that just by sitting in your Mom's Subaru.
As for how good a job Subaru does at protecting all that personal and car data, well, their track record is certainly better than many of the car companies we reviewed. They did have a class action lawsuit filed against their use of biometric data -- facial and eye data from the DriverFocus features available on some Subaru models -- that a user claimed violated a specific state biometric data law in the US. However, we didn't find any recent mentions of significant data leaks or breaches, so that is very good.
Still, this is a good time to remind you of what Subaru's own privacy policy warns: "Transmission of data over the Internet is not 100% secure. Consequently, we cannot ensure or warrant the security of any Personal Information you transmit to us, and you do so at your own risk. Once we receive your transmission, we make reasonable efforts to ensure security on our systems. Subaru uses secure server software and firewalls designed to protect your Personal Information from unauthorized access, disclosure, alteration, or destruction. However, please note that this is not a guarantee that such Personal Information may not be accessed, disclosed, altered, or destroyed by breach of such firewalls and secure server software. In providing Subaru Starlink to you, your voice and data are transmitted between our response centers and your vehicle over a cellular telephone network. This network is complex and not necessarily secure. The privacy and security of conversations or data transmitted to and from the vehicle cannot be guaranteed."
So, do you as a driver or passenger of a Subaru have any options when it comes to the company collecting, sharing, and maybe even selling your data? Well, of course you do! According to Subaru, it's quite simple, actually. They offer one suggestion right there in their privacy policy, "You can stop all collection of Information via an app by uninstalling the app." Duh.
Seriously though, it's one thing to uninstall the app and not use it. But what happens if you own your Subaru and want it to stop collecting information on you, especially if Subaru happens to change up their (already not super privacy-friendly) privacy policy to say they can collect even more data on you and share it with who knows who for some crazy purpose you don't like? You can opt out of that, right? Have it deleted, at the very least? Probably not. Their privacy policy says, in giant ALL CAPS to make sure you know they mean business, "IF YOU DO NOT AGREE TO CHANGES TO THIS PRIVACY POLICY, YOU MUST STOP USING THE SERVICES AFTER THE EFFECTIVE DATE OF SUCH CHANGES (WHICH IS THE “LAST UPDATED” DATE OF THIS PRIVACY POLICY)."
Oh, and we can't confirm that all users can get their data deleted -- or just the users Subaru is required by law to guarantee the right to delete data for. That's not great, Subaru. Just grant everyone the same rights to access and delete their data, regardless of what privacy laws they live under.
It seems that if you want to keep Subaru from collecting, sharing, or selling your data to people who want to sell you stuff, data brokers, or law enforcement, your best bet is to never buy, drive, or ride in a Subaru. Except even that may not be enough: if you're walking on the street when a car with exterior cameras or sensors drives by, you might get caught up in that data collection too. So, yeah, the point is, you really don't have many great choices when it comes to protecting your privacy from connected cars these days, other than to never buy them, drive them, sit in them, or exist on the street when they drive by. This isn't just a Subaru problem -- far from it -- this is a modern connected car problem and something really needs to be done about it. We're looking at you, policy makers and regulators! It's time to get on it.
So, what's the worst that could happen with your happy little Subaru Outback? Well, it would really stink to go visit your Mom, go for a ride in her new Subaru with all its fancy, connected features, have a private conversation with Mom about how you helped your friend drive from a state that outlawed abortion to one that hasn't, and then end up having that audio recorded, then shared with law enforcement because Subaru says in their privacy policy they can share or sell that personal information, including to "detect and prevent criminal activity." That is perhaps a far-fetched scenario and we really hope Subaru would never do that...but still, it seems like it is something that could happen, based on their privacy policy.
Tips to protect yourself
- Do not give consent to tailored advertisement.
- Opt out from selling of your personal information, as well as from Cross-context Behavioral Advertising.
- Always do a factory reset on your car before selling or trading it away to wipe your data clean and disconnect the app.
- Before reselling your car, make sure to notify the company.
- When buying a used car, always make sure the previous owner has removed their connected account and performed a factory reset.
- Always use strong passwords and set up two-factor authentication for apps and services that connect to your car.
- Only give access to your data to trusted third parties.
- When connecting a mobile app to the car, make sure to minimize the amount of data collected through this app. You can use iOS or Android settings to limit the data collected through your phone.
- Opt out from your mobile device's location sharing.
- Do not use Amazon Alexa in your car if you are concerned about Amazon collecting that voice request information, IP address, and geolocation information and using it to target you with advertising.
Can it snoop on me?
Camera
Device: Yes
App: No
Microphone
Device: Yes
App: No
Tracks location
Device: Yes
App: Yes
What can be used to sign up?
Yes
Phone
Yes
Third-party account
N/A
What data does the company collect?
Personal
"A real name, username or alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, vehicle information (such as model and year), vehicle identification number (VIN), vehicle telemetry data, or other similar identifiers, name, signature, Social Security number, address, telephone number, driver’s license or state identification card number, geolocation. Vehicle- and driving-related information: vehicle and service-related information, including but not limited to VIN and vehicle description; vehicle maintenance information; mechanical condition or incidents involving the vehicle such as crash severity sensor data; time, LOCATION and speed of vehicle; a Vehicle Occupant’s search content; your personal identification number (“PIN”); and information about calls related to the Services or your account, such as the date, time and duration of the call, the identity and phone number of the caller, and contents of or notes about the call. In addition, your vehicle may be equipped with one or more sensing or diagnostic modules capable of automatically retrieving, recording, transmitting, or storing certain vehicle data, including but not limited to trouble codes, tire pressure, battery voltage, coolant temperature, and service requirements. We may collect and retain data from any such modules in your vehicle."
Body related
Audio recordings of Vehicle Occupants
Social
How does the company use this data?
How can you control your data?
What is the company’s known track record of protecting users’ data?
In December 2021, a class action was taken against Subaru for a violation of the Illinois Biometric Information Privacy Act law,
Child Privacy Information
Can this product be used offline?
User-friendly privacy information?
Kudos to Subaru for having basically one easy to find privacy policy that covers all their websites, apps, cars, and connected services. That was nice.
Links to privacy information
Does this product meet our Minimum Security Standards?
Encryption
We cannot determine whether all data stored in the car, including the telematics data the car collects as well as the data shared when you connect your phone, is encrypted at rest, or whether all collected data is encrypted in transit. We reached out to the company multiple times to attempt to determine this and received no response.
Strong password
Security updates
Manages vulnerabilities
We found no bug bounty program nor a public page with details on vulnerability submissions. At the same time, a bug submitted on OpenBugBounty regarding subaru.com still remains unpatched.
Privacy policy
EyeSight® Driver Assist Technology monitors traffic movement, optimizes cruise control, and warns you if you sway outside your lane. These features are enabled by numerous cameras, sensors and radars on the car. Subaru has sold over 1 million EyeSight-equipped vehicles.
Is this AI untrustworthy?
What kind of decisions does the AI make about you or for you?
Is the company transparent about how the AI works?
Does the user have control over the AI features?
Dive Deeper
- A New Subaru Lawsuit Says Forester DriverFocus Violates Your Privacy (Torque News)
- Exclusive: Vulnerabilities Could Unlock Brand-New Subarus (BankInfoSecurity)
- Class Action Lawsuit Accuses Subaru of Violating Biometric Data Privacy Law (My Car Voice)
- Possible MySubaru remote vulnerability - may have already been mitigated but not sure. (Subaru Outback Owners Forum)
- Subaru plans self-driving cars that ride out lost data connections (Nikkei Asia)
- Judge allows suit over Subaru driver monitoring to proceed to trial (Repairer Driven News)