Warning: *Privacy Not Included with this product
Tesla
Tesla. Is there a car brand today that commands as much love and hate as the tech-filled electric cars made by Elon Musk-led Tesla? The world's most valuable car maker (as of 2023) - Tesla sells the Model 3, Model S, Model X, and Model Y EVs with features like autopilot, self-driving capabilities, karaoke, and dog mode. The Tesla app let's owners do things like check their charging progress, remotely lock and unlock your car, track your Tesla's location, even summon your car out of your garage or that too tight parking space and run the latest update to your car's software. Yes, we know Tesla has a reputation of being a techie car for techie types. So, how is Tesla at privacy? Well, they aren't the worst car company we reviewed. So there's that. That doesn't mean they are good at privacy though. Indeed, they aren't.
What could happen if something goes wrong?
Here's the good news with Tesla when it comes to privacy -- they very clearly state in their privacy documentation that they don't sell or rent your personal information to third parties. Yay! OK, to be fair, that's a pretty low bar when it comes to privacy. Your personal information shouldn't be sold or rented to third parties. But when it comes to cars and privacy, selling and renting gobs of your personal information seems to be the way business is done these days. So, good work Tesla for clearing that low bar. We appreciate that.
Here's the bad news with Tesla when it comes to privacy -- they've shown themselves rather hard to trust. Indeed, we have serious concerns about Tesla's privacy. Those concerns are in large part due to their questionable track record at protecting and respecting the privacy of people who drive and ride in their cars and the people outside their cars who might be recorded by the cars outward-facing cameras (for the record, all cars with outward facing cameras are a privacy concern, no matter who makes them, not just Tesla). In April, 2023, Reuters reported stories from a number of former Tesla employees that videos taken from cameras in Tesla's were regularly shared over internal chat systems within the company. The content shared included videos of children, nudity, sensitive personal possessions and more. The claims were so egregious that US lawmakers demand answers from Tesla on what was going on and what they were doing to stop this privacy-violating behavior. The report was also followed by a class-action lawsuit from a Tesla driver for violating their privacy. This all came on the heels of US consumer watchdog Consumer Reports raising concerns about Tesla's use of cameras in their cars back in 2021.
Tesla's track record of questionable privacy practices doesn't end there. There's the story widely reported in May, 2023 of a Tesla whistleblower sharing over 100 gigabytes of confidential files with a German newspaper alleging Tesla attempted to downplay problems with their Autopilot system. These files contained sensitive customer, employee, and business partner data and the leak is being investigated as a serious GDPR privacy law violation. As one expert quoted in this Wired article put it, "Tesla has a track record of setting high expectations but often struggles to meet them.” That expert might not have been talking about privacy at Tesla, but we feel like his quote certainly applies to their privacy. Tesla does brag on their privacy pages about how they are committed to protecting your data privacy. However, we worry that their actions too often show otherwise.
Tesla's full privacy notice says they can collect a good amount of data on you. Everything from your name, address, email, to lots of data about your car and your use of your car, when and where you charge your car, infotainment system data, Tesla mobile app data, Autopilot data (which they define as "Vehicle equipped camera suite that provides advanced features such as Autopilot, Smart Summon, and Autopark"). There is some good here. Tesla does say that some of this data -- things like your phone contacts and messages, dashcam video, and sentry mode data from external sensors and cameras -- is processed locally on the car and not shared with Tesla. However, note that cabin camera videos (those are the cameras pointed at your face), can be shared with Tesla if you enable data sharing.
Tesla makes other promises in their privacy that sound quite good. They say they won't share your personal information with third parties for their own use unless you opt-in (don't opt-in!). They say they don't "associate the vehicle data generated by your driving with your identity or account by default." They say they your location data is "either processed directly without leaving your vehicle, is in a form that does not personally identify you, or remains inaccessible to Tesla." These things are all good. However, they also say in their privacy policy, "Tesla vehicles are equipped with a camera suite designed from the ground up to protect your privacy while providing advanced features such as Autopilot, Smart Summon, and Autopark." And we know it has been reported that images and videos from Tesla's were being shared by employees internally with little regard for privacy, so we worry that Tesla doesn't always honor all the privacy promises they make.
Beyond if Tesla honors their privacy promises, we still have concerns. It seems likely Tesla is still using your personal information for their own advertising and marketing purposes and their privacy policy isn't exactly clear on all the ways they are doing that. Also, we have no idea what getting your opt-in consent to share your personal information looks like. Does Tesla make is super clear and obvious what you are consenting to when you opt-in? Or is that consent hidden or confusing (much like their privacy notice)? We aren't sure. And we couldn't get Tesla to respond to any of our privacy related questions when we emailed the contact they listed for those, so again, while Tesla says they are committed to privacy, there is telling you about that and then there is actually showing that commitment. Our research seems to have found a lot more telling and a good deal less showing.
Tesla also mentions in their privacy notice that users can opt out of vehicle data sharing. It's actually kinda a funny section of their privacy notice. Here's what they say: "Connectivity and performance is a core part of all Tesla vehicles and why some customers choose Tesla, allowing for advanced features and an enhanced driving experience. By default, Tesla provides this seamless experience while protecting your privacy. However, if you no longer wish for us to collect vehicle data or any other data from your Tesla vehicle, please contact us to deactivate connectivity. Please note, certain advanced features such as over-the-air updates, remote services, and interactivity with mobile applications and in-car features such as location search, Internet radio, voice commands, and web browser functionality rely on such connectivity. If you choose to opt out of vehicle data collection (with the exception of in-car Data Sharing preferences), we will not be able to know or notify you of issues applicable to your vehicle in real time. This may result in your vehicle suffering from reduced functionality, serious damage, or inoperability." So, yes, Tesla does give you the option to opt out of data sharing from your car. While also warning you that if you do, your Tesla could become an expensive car-shaped brick. Call us crazy, but that doesn't feel like much of a choice.
Another concern we have with Tesla's privacy documentation -- did we mention it's more than a little confusing? On their privacy support page they say, "Tesla gives you the ability to permanently delete your Tesla Account and its associated data at any time, for any reason." That sounds good, right? However, in their privacy notice, they say, "Subject to local law, you may have the right to be informed of, and request access to, the personal data we process about you; update and correct inaccuracies in that information; have the information restricted or deleted; object or withdraw your consent to certain uses of data; and lodge a complaint with your local data protection authority." Those two statements seem to be a bit contradictory and we can't tell which one is true. We love it when companies clearly state that all users, regardless of what privacy laws they live under, are granted the same rights to access and delete their data. Tesla's seemingly contradictory statements leave us unsure if everyone has the same rights to delete their data.
One other red flag we wanted to note in Tesla's privacy policy (and this is something we see in too many privacy policies, to be fair). When it comes to sharing your personal information, they say they can share it with law enforcement or the government in fairly broad ways. They say, "We may also use and disclose information about you if we believe in good faith that that the law requires it for purposes of security, fulfilling our legal obligations (such subpoenas or court orders), law enforcement, or other issues of public importance, disclosure is necessary or appropriate. We may also share information about you, where there are legal grounds to do so, if we determine that disclosure is reasonably necessary to enforce our Terms of Use or protect our operations or customers. This could include providing information to public or governmental authorities." The way that statement is worded, we are concerned the Tesla could voluntarily disclose your personal information with law enforcement or governments, which is something we don't like to see. We prefer to see companies clearly state they will only share data with law enforcement and governments under court order and that even then, they will limit the scope of what the disclose as narrowly as possible. Tesla can collect a lot of data on their users and the people around them. Making sure that information can't be easily accessed by anyone, including law enforcement and governments seems pretty important to us. We would love to see Tesla improve this line in their privacy notice.
Here's the bottom line with Tesla. Yes, their privacy notice and documentation say some things we like to see. They clearly state they won't sell your data. Good. They say they won't share anything that personally identifies you with third parties for their marketing purposes unless you opt-in. That's OK. We'd rather they not do that at all, of course, and we always worry about how clear or confusing the opt-in consent process is. But, their privacy notice also has too many things in it we don't like to see. Really vague language, lack of clarity on sharing (lots of we "may" do this thing, "for example" this), and they also seem to hide a lot of what they could be doing behind legal terms like "fulfill other legitimate interests of Tesla." Privacy notices written with these sorts of slick, legal language leave us privacy researchers feeling uneasy. That, combined with Tesla's poor track record at protecting and respecting their users' privacy leaves us very worried about Tesla's privacy (no matter how much they mention in their privacy notice they care about your privacy, it's hard to trust them with their current track record showing otherwise). Combine this with the fact we emailed the contact listed in Tesla's privacy notice for privacy related questions multiple times over the course of our research and never heard back from them, and we're not feeling too great about their actual commitment to your privacy.
So, what's the worst that could happen with Tesla when it comes to your privacy? Well, we have to say our imaginations went to many not so great places on this one with a car carrying so many cameras, sensors, tracking technology, connected features, and more and a company that hasn't always put the best privacy interests of their customers at the forefront. That being said, it would really suck to want to opt out of data sharing in your Tesla because you are a good, privacy conscious human being. Then your expensive Tesla suffer serious damage while you're driving it because opting out of data sharing also seems to opt you out of Tesla being able to notify you of serious issues with your car. That does not sound fun at all. Actually, it sounds kind of irresponsible on Tesla's part to even have that be a possibility.
Tips to protect yourself
- Do NOT opt-in to allow Tesla to share your personal information with third parties.
- You may deactivate the collection of vehicle data by deactivating connectivity completely. Please note, certain advanced features such as over-the-air updates, remote services, and interactivity with mobile applications and in-car features such as location search, Internet radio, voice commands, and web browser functionality rely on such connectivity. If you choose to opt out of vehicle data collection (with the exception of in-car Data Sharing preferences), we will not be able to know or notify you of issues applicable to your vehicle in real time. This may result in your vehicle suffering from reduced functionality, serious damage, or inoperability.
- You may choose to disable the collection of ‘Road Segment Data Analytics’ at any time within your vehicle’s touch screen by navigating to Software > Data Sharing. Please note, some advanced features such as real-time traffic and intelligent routing rely on such data.
- To protect your privacy, you may disable the collection of segment data at any time (Software > Data Sharing). Certain features such as real-time traffic, navigation, intelligent routing, Autopilot, and Summon, may require road segment data to function as intended.
- Opt out from selling of your personal information, as well as from Cross-context Behavioral Advertising.
- Always do a factory reset on your car before selling or trading it away to wipe your data clean and disconnect the app.
- Before reselling your car, make sure to notify the company
- When buying a used car, always make the previous owner removed their connected account and performed a factory reset.
- Always use strong passwords and set up two-factor authentication for apps and services that connect to your car
- Only give access to your data to trusted third-parties
- When connecting a mobile app to the car, make sure to minimize the amount of data collected through this app. You can use iOS or Android settings to limit the data collected through your phone.
- Opt out from your mobile device's location sharing.
- Do not use Amazon Alexa in your car if you are concerned about Amazon collecting that voice request information, IP address, and geolocation information and using it to target you with advertising.
Can it snoop on me?
Camera
Device: Yes
App: Yes
Microphone
Device: Yes
App: Yes
Tracks location
Device: Yes
App: Yes
What can be used to sign up?
Yes
Phone
Yes
Third-party account
N/A
What data does the company collect?
Personal
"Your name, address, region, email, phone number, contact preference; location. Vehicle- and driving-related data: vehicle year, make, model, vehicle identification number, configuration, telemetry regarding performance, usage, operation, and health of your vehicle, charging station used, utilization, charge rate, battery analytics and performance, logs for identifying and troubleshooting unexpected software or connectivity issues, and other debugging log reports, analytics regarding infotainment usage such as function, successfully or unsuccessfully loaded; Vehicle equipped camera suite that provides advanced features such as Autopilot, Smart Summon, and Autopark; "
Body related
If you opt-in*, cabin camera data, autopilot camera data. *it has been reported Tesla might review some camera data from users whether they opt-in or not. See our Known Track Record section below for more information on these reports.
Social
How does the company use this data?
How can you control your data?
What is the company’s known track record of protecting users’ data?
In April 2023, it was reported that Tesla workers shared sensitive images recorded by customer cars. One ex-employee described a video of a man approaching a vehicle completely naked.
Tesla faces a lawsuit from customers for leaking their video data. This prompted US lawmakers to demand Tesla do a better job at protecting their users' privacy.
In March 2023, it was reported that a Tesla Model 3 was hacked in less than two minutes at a hacking competition, allowing the hackers to potentially open the doors of the car while it was in motion.
In August 2022, there were reports that Tesla or its dealers collect location data from vehicle despite claiming that it is anonymised. Experts believe that anonymized data could still be pieced back together and thus get deanonymize.
In May 2022, it was reported that Tesla Sentry Mode, a system available in many of the company’s models, may violate privacy or bypassers. Tesla designed the system to record not just activity that could damage the vehicle itself, but also events, people and objects that get too close; individuals passing near the vehicle can set Sentry Mode into recording.
In March 2022, a Tesla owner filed a class-action lawsuit alleging "Tesla Inc. disregards drivers’ biometric privacy rights by scanning their faces while in its vehicles."
In October 2021, it was reported that as part of the wider rollout of Tesla’s “full self-driving” option, drivers may forfeit some privacy protections around location sharing and in-car recordings that they previously had.
In March 2021, Consumer Reports raised numerous privacy concerns related to privacy of Tesla built-in cameras.
Child Privacy Information
Can this product be used offline?
User-friendly privacy information?
Tesla has easy to find privacy documentation. However, we found their privacy notice too often uses vague language and statements that lack clarity leaving us feeling uncertain and uneasy about the explanation of their privacy practices.
Links to privacy information
Does this product meet our Minimum Security Standards?
Encryption
Tesla did not respond to our questions to confirm if all data on their cars, in transit, and where it is stored in strongly encrypted.
Strong password
Security updates
For over-the-air updates, connectivity is required.
Manages vulnerabilities
Tesla runs a bug bounty program on bugcrowd.
Privacy policy
Tesla’s driver-assistance system, known as Autopilot, is equipped with eight external cameras and vision processing to provide assistance to a driver. It helps with such tasks as autoparking, summon in a tight space, lane change - or even "full self-driving capability', which is in Beta version now, and includes traffic and stop sign control: "identifies stop signs and traffic lights and automatically slows your car to a stop on approach, with your active supervision."
Is this AI untrustworthy?
What kind of decisions does the AI make about you or for you?
Is the company transparent about how the AI works?
Does the user have control over the AI features?
Dive Deeper
-
Senators Markey, Blumenthal Demand Tesla Protect Drivers’ Privacy
-
Special Report: Tesla workers shared sensitive images recorded by customer carsReuters
-
Lawsuit: Tesla must be punished for “tasteless” sharing of car-camera imagesArs Technica
-
Tesla driver sues company for allegedly accessing customer videosCBS News
-
Tesla’s cameras are reportedly spying on customers, but it’s not just a Tesla problemVox
-
Mein Autopilot hat mich fast umgebracht“: Tesla-Files nähren Zweifel an Elon Musks VersprechenHandelsblatt
-
Is Tesla a Privacy Failure?The Privacy Whisperer
-
Tesla’s Sentry Mode is a privacy violation on wheelsJD Supra
-
Shared Tesla owner videos, images sparks privacy concern for customers; how your shop could be affectedRepairer Driven News
-
You Should Be Worried About Tesla’s Trove of Private Vehicle DataThe Drive
-
Tesla Model 3 Hacked in Less Than 2 Minutes at Pwn2Own ContestDark Reading
-
Tesla's In-Car Cameras Raise Privacy ConcernsConsumer Reports
-
Tesla’s ‘full self-driving’ rolls back its privacy protection of trip videosCNN Business
-
Who Actually Owns Tesla’s Data?IEEE Spectrum
-
Tesla's AI Hype Collides With RealityThe Wall Street Journal
-
As cars hoover up more and more driver data, is it time to regulate the industry?The Record
Comments
Got a comment? Let us hear it.