Warning: *privacy not included with this product
Subaru is a Japanese car company started back in the 1950s. Their all-wheel drive, sporty SUVs and cars are popular with outdoor types and the LGBT+ community (and your privacy researcher's Mom...Mom swears by Subaru and has since the 1980s). Popular models include the Outback, Forester, Crosstrek, Impreza, Legacy, the sporty WRX, and the electric Solterra. The MySubaru app and Subaru's Starlink connected services offer up all the usual connected car things like remote start/stop, lock/unlock, honking your horn and flashing your lights from your bedroom, automatic collision notification, multimedia services like navigation and news, trip logs, and a way to manage other people who might drive your Subaru with boundary, speed, and curfew alerts. So, do we love Subaru's privacy? Not really. But hey, they aren't the worst car company we reviewed, so there's that.
What could happen if something goes wrong?
That's a lot of information Subaru says they can collect on you! But that's not all. You're also then consenting to have that personal information shared -- or even possibly sold -- to third parties like marketing companies, those data service providers (aka data brokers), other Subaru affiliates and service providers, law enforcement and government entities. Yikes! Bet you didn't know you consented to all that just by sitting in your Mom's Subaru.
As for how good a job Subaru does at protecting all that personal and car data, well, their track record is certainly better than many of the car companies we reviewed. They did have a class action lawsuit filed against their use of biometric data -- facial and eye data from the DriverFocus features available on some Subaru models -- that a user claimed violated a specific state biometric data law in the US. However, we didn't find any recent mentions of significant data leaks or breaches, so that is very good.
Still, this is a good time to remind you of what Subaru's own privacy policy warns, "Transmission of data over the Internet is not 100% secure. Consequently, we cannot ensure or warrant the security of any Personal Information you transmit to us, and you do so at your own risk. Once we receive your transmission, we make reasonable efforts to ensure security on our systems. Subaru uses secure server software and firewalls designed to protect your Personal Information from unauthorized access, disclosure, alteration, or destruction. However, please note that this is not a guarantee that such Personal Information may not be accessed, disclosed, altered, or destroyed by breach of such firewalls and secure server software. In providing Subaru Starlink to you, your voice and data are transmitted between our response centers and your vehicle over a cellular telephone network. This network is complex and not necessarily secure. The privacy and security of conversations or data transmitted to and from the vehicle cannot be guaranteed."
Oh, and we can't confirm that all users can get their data deleted -- or just the users for whom Subaru is required by law to guarantee the right to delete data. That's not great, Subaru. Just grant everyone the same rights to access and delete their data, regardless of what privacy laws they live under.
It seems the best way to keep Subaru from collecting, sharing, or selling your data to people who want to sell you stuff, or to data brokers or law enforcement, is to never buy, drive, or ride in a Subaru. Except if you're walking on the street when a car with exterior cameras or sensors drives by. Then you might get caught up in that data collection too. So, yeah, the point is, you really don't have many great choices when it comes to protecting your privacy from connected cars these days, other than to never buy them, drive them, sit in them, or exist on the street when they drive by. This isn't just a Subaru problem -- far from it -- this is a modern connected car problem and something really needs to be done about it. We're looking at you, policy makers and regulators! It's time to get on it.
Tips to protect yourself
- Do not give consent to tailored advertisement.
- Opt out from selling of your personal information, as well as from Cross-context Behavioral Advertising.
- Always do a factory reset on your car before selling or trading it away to wipe your data clean and disconnect the app.
- Before reselling your car, make sure to notify the company.
- When buying a used car, always make sure the previous owner removed their connected account and performed a factory reset.
- Always use strong passwords and set up two-factor authentication for apps and services that connect to your car.
- Only give access to your data to trusted third parties.
- When connecting a mobile app to the car, make sure to minimize the amount of data collected through this app. You can use iOS or Android settings to limit the data collected through your phone.
- Opt out from your mobile device's location sharing.
- Do not use Amazon Alexa in your car if you are concerned about Amazon collecting that voice request information, IP address, and geolocation information and using it to target you with advertising.
What can be used to sign up?
What data does the company collect?
"A real name, username or alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, vehicle information (such as model and year), vehicle identification number (VIN), vehicle telemetry data, or other similar identifiers, name, signature, Social Security number, address, telephone number, driver’s license or state identification card number, geolocation. Vehicle- and driving-related information: vehicle and service-related information, including but not limited to VIN and vehicle description; vehicle maintenance information; mechanical condition or incidents involving the vehicle such as crash severity sensor data; time, LOCATION and speed of vehicle; a Vehicle Occupant’s search content; your personal identification number (“PIN”); and information about calls related to the Services or your account, such as the date, time and duration of the call, the identity and phone number of the caller, and contents of or notes about the call. In addition, your vehicle may be equipped with one or more sensing or diagnostic modules capable of automatically retrieving, recording, transmitting, or storing certain vehicle data, including but not limited to trouble codes, tire pressure, battery voltage, coolant temperature, and service requirements. We may collect and retain data from any such modules in your vehicle."
Audio recordings of Vehicle Occupants
How does the company use this data?
How can you control your data?
What is the company’s known track record of protecting users’ data?
In December 2021, a class action was taken against Subaru for a violation of the Illinois Biometric Information Privacy Act law,
Child Privacy Information
Can this product be used offline?
User-friendly privacy information?
Links to privacy information
Does this product meet our Minimum Security Standards?
We cannot determine whether all data sitting on the car, including telematic data the car collects as well as data shared when you connect your phone, sits encrypted, and whether all collected data is encrypted in transit. We reached out to the company multiple times to attempt to determine this and received no response.
EyeSight® Driver Assist Technology monitors traffic movement, optimizes cruise control, and warns you if you sway outside your lane. These features are enabled by numerous cameras, sensors and radars on the car. Subaru has sold over 1 million EyeSight-equipped vehicles.
Is this AI untrustworthy?
What kind of decisions does the AI make about you or for you?
Is the company transparent about how the AI works?
Does the user have control over the AI features?
- A New Subaru Lawsuit Says Forester DriverFocus Violates Your Privacy (Torque News)
- Exclusive: Vulnerabilities Could Unlock Brand-New Subarus (BankInfoSecurity)
- Class Action Lawsuit Accuses Subaru of Violating Biometric Data Privacy Law (My Car Voice)
- Possible MySubaru remote vulnerability - may have already been mitigated but not sure. (Subaru Outback Owners Forum)
- Subaru plans self-driving cars that ride out lost data connections (Nikkei Asia)
- Judge allows suit over Subaru driver monitoring to proceed to trial (Repairer Driven News)