Subaru

Warning: *privacy not included with this product

Wi-Fi Bluetooth

Review date: Aug. 15, 2023

People voted: Super creepy

Subaru is a Japanese car company started back in the 1950s. Their all-wheel drive, sporty SUVs and cars are popular with outdoor types and the LGBT+ community (and your privacy researcher's Mom...Mom swears by Subaru and has since the 1980s). Popular models include the Outback, Forester, Crosstrek, Impreza, Legacy, the sporty WRX, and the electric Solterra. The MySubaru app and Subaru's Starlink connected services offer up all the usual connected car things like remote start/stop, lock/unlock, honking your horn and flashing your lights from your bedroom, automatic collision notification, multimedia services like navigation and news, trip logs, and a way to manage other people who might drive your Subaru with boundary, speed, and curfew alerts. So, do we love Subaru's privacy? Not really. But hey, they aren't the worst car company we reviewed, so there's that.

What could happen if something goes wrong?

Here's something you might not realize. The moment you sit in the passenger seat of a Subaru that uses connected services, you've consented to allow them to use -- and maybe even sell -- your personal information. According to their privacy policy, that means things like your name, location, "Audio recordings of Vehicle Occupants", and inferences they can draw about things like your "characteristics, predispositions, behavior, or attitudes." Call us bonkers, but we don't think that simply sitting in the passenger seat of someone's Subaru should mean you consent to having any of your personal information used for, well, pretty much anything at all. Let alone potentially sold to data brokers or shared with third party marketers so they can target you with ads about who knows what based on the inferences they draw about you because you sat in the back seat of a Subaru in the mountains of Colorado. We're gonna really call out Subaru for this, because they lay it out so clearly in their privacy policy, but please know, Subaru isn't the only car company doing this sort of icky thing.

If you go read Subaru's privacy policy (or don't, we did it for you, you can just read our review here), you'll see at the very start they say this: "This Privacy Policy applies to each user of the Services, including any “Vehicle Occupant,” which includes each driver or passenger in a Subaru vehicle that uses Connected Vehicle Services, such as Subaru Starlink (such vehicle, a “Connected Vehicle”), whether or not such driver or passenger is the vehicle owner or a registered user of the Connected Vehicle Services. For the avoidance of doubt, for purposes of this Privacy Policy, “using” the Services includes being a Vehicle Occupant in a Connected Vehicle." So yeah, they don't want there to be any doubt that when you sit in a connected Subaru, you've entered the world of using their services.

Subaru then goes on to say, "By disclosing your Personal Information to us, registering or enrolling in certain Services, or otherwise using our Services, or interacting with us offline, you consent to our collection, use, and disclosure of your Personal Information as described in this Privacy Policy." This part is the doozy. So, they've already established that by getting in the connected Subaru, you're using their "services." Now they're saying you've consented to the things they lay out in their privacy policy by simply getting in that car. That doesn't exactly feel like consent to us, but hey, we're just privacy advocates who think companies -- especially car companies -- should do a LOT more to protect people's privacy.

According to that privacy policy, what exactly are you consenting to by sitting in that Subaru or using their connected services or their MySubaru app? Well, first off, you're consenting to a whole lot of data collection. Everything from name, address, phone number, social security number, vehicle identification number (VIN), browsing and search history, geolocation data (meaning your physical location and movements), vehicle telemetry data like speed and tire pressure, to audio recordings of vehicle occupants, and even inferences they can draw about your characteristics, behaviors, and predispositions. You're also consenting to allow Subaru to collect even more data about you from places like data brokers (or data service companies as they call them), or possibly even "certain features of your mobile device, including its camera, location services (GPS), microphone and contacts, and collect Information from those features, such as photographs, videos, your precise location, audio recordings, and contact information."

That's a lot of information Subaru says they can collect on you! But that's not all. You're also then consenting to have that personal information shared -- or even possibly sold -- to third parties like marketing companies, those data service providers (aka data brokers), other Subaru affiliates and service providers, law enforcement and government entities. Yikes! Bet you didn't know you consented to all that just by sitting in your Mom's Subaru.

As for how good a job Subaru does at protecting all that personal and car data, well, their track record is certainly better than many of the car companies we reviewed. They did have a class action lawsuit filed over their use of biometric data -- facial and eye data from the DriverFocus features available on some Subaru models -- that a user claimed violated a specific state biometric data law in the US. However, we didn't find any recent mentions of significant data leaks or breaches, so that is very good.

Still, this is a good time to remind you of what Subaru's own privacy policy warns, "Transmission of data over the Internet is not 100% secure. Consequently, we cannot ensure or warrant the security of any Personal Information you transmit to us, and you do so at your own risk. Once we receive your transmission, we make reasonable efforts to ensure security on our systems. Subaru uses secure server software and firewalls designed to protect your Personal Information from unauthorized access, disclosure, alteration, or destruction. However, please note that this is not a guarantee that such Personal Information may not be accessed, disclosed, altered, or destroyed by breach of such firewalls and secure server software. In providing Subaru Starlink to you, your voice and data are transmitted between our response centers and your vehicle over a cellular telephone network. This network is complex and not necessarily secure. The privacy and security of conversations or data transmitted to and from the vehicle cannot be guaranteed."

So, do you as a driver or passenger of a Subaru have any options when it comes to the company collecting, sharing, and maybe even selling your data? Well, of course you do! According to Subaru, it's quite simple, actually. They offer one suggestion right there in their privacy policy, "You can stop all collection of Information via an app by uninstalling the app." Duh.

Seriously though, it's one thing to uninstall the app and not use it. But what happens if you own your Subaru and want it to stop collecting information on you, especially if Subaru happens to change up their (already not super privacy-friendly) privacy policy to say they can collect even more data on you and share it with who knows who for some crazy purpose you don't like. You can opt out of that, right? Have it deleted, at the very least? Probably not. Their privacy policy says, in giant ALL CAPS to make sure you know they mean business, " IF YOU DO NOT AGREE TO CHANGES TO THIS PRIVACY POLICY, YOU MUST STOP USING THE SERVICES AFTER THE EFFECTIVE DATE OF SUCH CHANGES (WHICH IS THE “LAST UPDATED” DATE OF THIS PRIVACY POLICY)."

Oh, and we can't confirm that all users can get their data deleted -- or just the users Subaru is required by law to guarantee the right to delete data. That's not great, Subaru. Just grant everyone the same rights to access and delete their data, regardless of what privacy laws they live under.

It seems that if you want to keep Subaru from collecting, sharing, or selling your data to people who want to sell you stuff, or to data brokers, or to law enforcement, your best bet is to never buy, drive, or ride in a Subaru. Except if you're walking on the street when a car with exterior cameras or sensors drives by. Then you might get caught up in that data collection too. So, yeah, the point is, you really don't have many great choices when it comes to protecting your privacy from connected cars these days, other than to never buy them, drive them, sit in them, or exist on the street when they drive by. This isn't just a Subaru problem -- far from it -- this is a modern connected car problem and something really needs to be done about it. We're looking at you, policy makers and regulators! It's time to get on it.

So, what's the worst that could happen with your happy little Subaru Outback? Well, it would really stink to go visit your Mom, go for a ride in her new Subaru with all its fancy, connected features, have a private conversation with Mom about how you helped your friend drive from a state that outlawed abortion to one that didn't, and then end up having that audio recorded, then shared with law enforcement because Subaru says in their privacy policy they can share or sell that personal information, including to "detect and prevent criminal activity." That is perhaps a far-fetched scenario and we really hope Subaru would never do that...but still, it seems like it is something that could happen, based on their privacy policy.

Tips to protect yourself

  • Do not give consent to tailored advertisement.
  • Opt out from selling of your personal information, as well as from Cross-context Behavioral Advertising.
  • Always do a factory reset on your car before selling or trading it away to wipe your data clean and disconnect the app.
  • Before reselling your car, make sure to notify the company.
  • When buying a used car, always make sure the previous owner has removed their connected account and performed a factory reset.
  • Always use strong passwords and set up two-factor authentication for apps and services that connect to your car.
  • Only give access to your data to trusted third parties.
  • When connecting a mobile app to the car, make sure to minimize the amount of data collected through this app. You can use iOS or Android settings to limit the data collected through your phone.
  • Opt out from your mobile device's location sharing.
  • Do not use Amazon Alexa in your car if you are concerned about Amazon collecting that voice request information, IP address, and geolocation information and using it to target you with advertising.

Can it snoop on me?

Camera

Device: Yes

App: No

Microphone

Device: Yes

App: No

Tracks location

Device: Yes

App: Yes

What can be used to sign up?

What data does the company collect?

How does the company use this data?

We ding this product because it sells personal information unless you opt out. Also because they collect data from third parties, including data brokers, to combine with data they have on you.

Subaru Privacy Policies

"This Privacy Policy applies to each user of the Services, including any “Vehicle Occupant,” which includes each driver or passenger in a Subaru vehicle that uses Connected Vehicle Services, such as Subaru Starlink (such vehicle, a “Connected Vehicle”), whether or not such driver or passenger is the vehicle owner or a registered user of the Connected Vehicle Services. For the avoidance of doubt, for purposes of this Privacy Policy, “using” the Services includes being a Vehicle Occupant in a Connected Vehicle."

"By disclosing your Personal Information to us, registering or enrolling in certain Services, or otherwise using our Services, or interacting with us offline, you consent to our collection, use, and disclosure of your Personal Information as described in this Privacy Policy."

"Additionally, we Sell Personal Information, subject to your right to opt-out of those Sales. We also Share Personal Information for Cross-context Behavioral Advertising, subject to your right to opt-out of such processing."

"Subaru discloses the following categories ..."
Identifiers;
Other Personal Information subject to certain laws;
Commercial information;
Internet or other similar network activity;
Geolocation data;
Inferences drawn from other Personal Information;
Recordings; and
Payment information."

"We may use, Sell, Share, or disclose the Sensitive Personal Information we collect for one or more of the following “Business Purposes:”
Assist us in providing, maintaining, and protecting the Services;
Set up, maintain, and protect accounts to use the Services;
Analyze and improve our products, Services, and operations, including the security of our products, Services and operations, and develop new products and Services;
Process transactions and other requests for products and Services;
Provide customer service;
Respond to customer inquiries;
Communicate with you, such as provide you with Subaru-related communications, newsletters, and/or other communications relating to our products and Services, including vehicle maintenance notices;
Send or display Subaru and third party offers and other content that is customized to your interests or preferences;
Conduct events, sweepstakes, promotions, and contests, which may be subject to applicable rules;
Investigate and address breaches of security or breaches of our terms of service or other agreements with customers;
Detect and prevent criminal activity and other actual or threatened harm to Subaru or third parties;
Comply with legal and regulatory requirements, including product recalls;
Manage and maintain the systems that provide the Services; and
For any other purpose described to you when we collect your Sensitive Personal Information."

"We collect and use Personal Information and Non-Personal Information for business and commercial purposes in accordance with the practices described in this Privacy Policy, including, but not limited to, in the last 12 months, to do the following: ...
Send or display Subaru and third party offers and other content that is customized to your interests or preferences ... "

"Subaru discloses Personal Information to the following categories of third parties:
Service Providers, emergency contacts, Affiliates, Distributors, API Providers, Data Providers, Retailers, Retailer Service Providers, Marketing Partners, Third Party Marketers, and governmental regulators having jurisdiction for our products or services as required to comply with the law. "

"“Data Provider” means a third party provider of data aggregation products and services. We may disclose Personal Information and Non-Personal Information to API Providers and Data Providers and, in some cases, API Providers and Data Providers may use Personal Information and Non-Personal Information for their own benefit. In such cases, their privacy policies will apply to their use of such Information."

"Third Party Marketing
We share your Personal Information with third parties (each, a “Third Party Marketer”) for their own marketing purposes from time to time. For example, we may provide Personal Information to Service Providers to permit them to market services to you for your vehicle (such as for WiFi hotspot or satellite radio services, or insurance or financial products). You may opt out of this sharing by contacting us."

"As Required by Law and Other Extraordinary Disclosures
Subaru may be required to disclose your Personal Information, including location data, if it: (i) believes it is reasonably necessary to comply with legal process (such as a court order, subpoena, search warrant, etc.) or other legal or regulatory requirements or requests of any governmental authority, (ii) would potentially mitigate our liability in an actual or potential lawsuit or investigation, (iii) is necessary to protect our rights or property or enforce our contracts, (iv) is necessary to protect the legal rights, safety or property of others, (v) will prevent, solve or prosecute a crime, or protect national security, or (vi) detect, prevent or otherwise address fraud, security or technical issues."

"HOW WE COLLECT INFORMATION
Data Services Companies
We collect Personal Information and Non-Personal Information from third parties, such as lead generation companies, API Providers (as defined below) or Data Providers (as defined below), who provide data products to us (collectively, “Data Services Companies”)."

"App and Location Technologies
You can stop all collection of Information via an app by uninstalling the app. You can also reset your device at any time through your device settings, which may allow you to limit the use of Information collected about you. You can stop all collection of precise location data through an app by uninstalling the app or withdrawing your consent through your device settings."

"Transmission of data over the Internet is not 100% secure. Consequently, we cannot ensure or warrant the security of any Personal Information you transmit to us, and you do so at your own risk. Once we receive your transmission, we make reasonable efforts to ensure security on our systems. Subaru uses secure server software and firewalls designed to protect your Personal Information from unauthorized access, disclosure, alteration, or destruction. However, please note that this is not a guarantee that such Personal Information may not be accessed, disclosed, altered, or destroyed by breach of such firewalls and secure server software.

In providing Subaru Starlink to you, your voice and data are transmitted between our response centers and your vehicle over a cellular telephone network. This network is complex and not necessarily secure. The privacy and security of conversations or data transmitted to and from the vehicle cannot be guaranteed."

"We may modify or update this Privacy Policy periodically with or without prior notice by posting the updated policy on this page. You can always check the “Last Updated” date at the top of this document to see when the Privacy Policy was last changed. If we make any material changes to this Privacy Policy, we will notify you by reasonable means, which may be by e-mail or posting a notice of the changes on our website or through the relevant Service’s mobile app prior to the changes becoming effective. We encourage you to check this Privacy Policy from time to time. IF YOU DO NOT AGREE TO CHANGES TO THIS PRIVACY POLICY, YOU MUST STOP USING THE SERVICES AFTER THE EFFECTIVE DATE OF SUCH CHANGES (WHICH IS THE “LAST UPDATED” DATE OF THIS PRIVACY POLICY)."

EU Privacy Statement

"We shall only disclose your personal data to third parties in accordance with the applicable legal framework.

In connection with the purposes described above in section 3, we may need to share your personal data with the following recipients:
• Service providers: Subaru sometimes uses third parties, such as marketing companies or IT service providers, to perform tasks on its behalf and may need to share your personal data with them to provide the services described above. Any processing of that personal data will be on our instructions and in line with the original purposes.
• Authorized distributors or dealers: your personal data might be shared with your nearest Subaru authorized distributor or dealer to establish a quick and more flexible connection to fulfil your request.
• Legal obligations: as required by law, Subaru may disclose your personal data to law enforcement officials, in order to comply with legal requirements, court orders, government or law enforcement agency requests, including to meet national security or law enforcement requirements, and including to agencies and courts in the countries where we operate. Where permitted by law, we may also disclose such information to third parties (including legal counsel) when necessary for the establishment, exercise or defense of legal claims or to otherwise enforce our rights, protect our property or the rights, property or safety of others, or as needed to support external audit, compliance and corporate governance functions.

With regard to data protection, an agreement has been concluded with all these service providers to ensure that they manage your personal data securely, with respect and with due care and diligence."

How can you control your data?

We cannot confirm whether all users, regardless of location, can get their data deleted.

"We retain each category of your Personal Information for no longer than is reasonably necessary for one or more Business Purposes, subject to your right to request we delete your Personal Information. Due to the nature of the Services, it is not possible to predict the length of time that we will retain Personal Information. Instead, we use the following criteria to determine whether it remains reasonably necessary to retain your Personal Information for one or more disclosed Business Purpose(s): (i) whether there is a retention period required by statute or regulations; (ii) the existence of actual or threatened litigation for which we are required to preserve the information; (iii) the statutes of limitations for potential legal claims; and (iv) generally accepted best practices in our industry. When we determine that it is no longer reasonably necessary to retain your Personal Information for one or more disclosed Business Purposes based on the above criteria, we will delete your Personal Information."

The right to delete information is mentioned for California residents:
"You have the right to request that we delete any of your Personal Information that we collected from you and retained. Be aware, however, that certain exceptions apply to the right to delete Personal Information. We may deny your deletion request if retaining your Personal Information is necessary for us or our Service Providers to:
- complete a transaction for which we collected your Personal Information, provide goods or Services that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you;
- help ensure security and integrity, including to detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities;
- debug Services, products and websites to identify and repair errors that impair existing intended functionality;
- exercise free speech, ensure the right of another consumer to exercise their right of free speech, or exercise another right provided for by law;
- comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.);
- engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the achievement of such research, if you previously provided informed consent;
- enable solely internal uses that are reasonably aligned with the expectations of consumers; or
- comply with a legal obligation, including in connection with product recalls."

The rights are also mentioned for residents covered by GDPR:
"You have at any time the right to object to the use of your personal data for the purposes mentioned in article 2. Besides, you can make use of the following rights:

• the right to access your personal data;
• the right to rectification of your personal data;
• the right to erasure of your personal data;
• the right to restriction of processing of your personal data;
• the right to object to the processing of your personal data;
• the right to data portability of your personal data;
• the right to open a claim at the privacy commission;
• the right to withdraw any previously given consent. "

What is the company’s known track record of protecting users’ data?

Average

In December 2021, a class action was taken against Subaru for a violation of the Illinois Biometric Information Privacy Act,

Child Privacy Information

"Subaru’s Service is intended for a general audience and not directed at children under (13) years of age.

We do not knowingly gather Personal Information (as defined by the U.S. Children’s Privacy Protection Act, or “COPPA”) in a manner not permitted by COPPA. If a person under 13 submits Personal Information through any part of a Subaru Service, and we learn the person submitting the Personal Information is a child, we will attempt to delete this Personal Information as soon as possible. If you are a parent or guardian and you believe we have collected Personal Information from your child in a manner not permitted by law, contact us as set out in the “Contact Us” Section below. We will remove the data to the extent required by applicable laws."

"California Minors
We do not knowingly Sell Personal Information of minors under 16 who are residents of California without their affirmative authorization, or the affirmative authorization of their parent or guardian for minors under 13."

"We have no intention to collect any personal data of visitors of our website that are younger than 16 years. We recommend parents to be involved in the online activities of their children to prevent that Subaru processes their personal data."

Can this product be used offline?

Yes

User-friendly privacy information?

Yes

Kudos to Subaru for having basically one easy-to-find privacy policy that covers all their websites, apps, cars, and connected services. That was nice.

Links to privacy information

Does this product meet our Minimum Security Standards?

Unknown

Encryption

Can’t Determine

We cannot determine if all data sitting on the car, including telematic data the car collects as well as data shared when you connect your phone, is encrypted at rest, and if all collected data is encrypted in transit. We reached out to the company multiple times to attempt to determine this and received no response.

Strong password

N/A

Security updates

Yes

Manages vulnerabilities

Can’t Determine

We found no bug bounty program nor a public page with details on vulnerability submissions. At the same time, a bug submitted on OpenBugBounty regarding subaru.com still remains unpatched.

Privacy policy

Yes

Does the product use AI?

Yes

EyeSight® Driver Assist Technology monitors traffic movement, optimizes cruise control, and warns you if you sway outside your lane. These features are enabled by numerous cameras, sensors and radars on the car. Subaru has sold over 1 million EyeSight-equipped vehicles.

Is this AI untrustworthy?

Can’t Determine

What kind of decisions does the AI make about you or for you?

Is the company transparent about how the AI works?

Can’t Determine

Does the user have control over the AI features?

Can’t Determine
