Tesla

Warning: *Privacy Not Included with this product

Wi-Fi Bluetooth

Review date: Aug. 15, 2023


Mozilla says

People voted: Very creepy

Tesla. Is there a car brand today that commands as much love and hate as the tech-filled electric cars made by Elon Musk-led Tesla? The world's most valuable car maker (as of 2023), Tesla sells the Model 3, Model S, Model X, and Model Y EVs with features like autopilot, self-driving capabilities, karaoke, and dog mode. The Tesla app lets owners do things like check their charging progress, remotely lock and unlock their car, track their Tesla's location, even summon their car out of the garage or that too-tight parking space, and run the latest update to their car's software. Yes, we know Tesla has a reputation of being a techie car for techie types. So, how is Tesla at privacy? Well, they aren't the worst car company we reviewed. So there's that. That doesn't mean they are good at privacy though. Indeed, they aren't.

What could happen if something goes wrong?

Here's the good news with Tesla when it comes to privacy -- they very clearly state in their privacy documentation that they don't sell or rent your personal information to third parties. Yay! OK, to be fair, that's a pretty low bar when it comes to privacy. Your personal information shouldn't be sold or rented to third parties. But when it comes to cars and privacy, selling and renting gobs of your personal information seems to be the way business is done these days. So, good work Tesla for clearing that low bar. We appreciate that.

Here's the bad news with Tesla when it comes to privacy -- they've shown themselves rather hard to trust. Indeed, we have serious concerns about Tesla's privacy. Those concerns are in large part due to their questionable track record at protecting and respecting the privacy of people who drive and ride in their cars and the people outside their cars who might be recorded by the cars' outward-facing cameras (for the record, all cars with outward-facing cameras are a privacy concern, no matter who makes them, not just Tesla). In April 2023, Reuters reported stories from a number of former Tesla employees that videos taken from cameras in Teslas were regularly shared over internal chat systems within the company. The content shared included videos of children, nudity, sensitive personal possessions and more. The claims were so egregious that US lawmakers demanded answers from Tesla on what was going on and what they were doing to stop this privacy-violating behavior. The report was also followed by a class-action lawsuit from a Tesla driver for violating their privacy. This all came on the heels of US consumer watchdog Consumer Reports raising concerns about Tesla's use of cameras in their cars back in 2021.

Tesla's track record of questionable privacy practices doesn't end there. There's the story widely reported in May 2023 of a Tesla whistleblower sharing over 100 gigabytes of confidential files with a German newspaper alleging Tesla attempted to downplay problems with their Autopilot system. These files contained sensitive customer, employee, and business partner data and the leak is being investigated as a serious GDPR privacy law violation. As one expert quoted in this Wired article put it, "Tesla has a track record of setting high expectations but often struggles to meet them." That expert might not have been talking about privacy at Tesla, but we feel like his quote certainly applies to their privacy. Tesla does brag on their privacy pages about how they are committed to protecting your data privacy. However, we worry that their actions too often show otherwise.

Tesla's full privacy notice says they can collect a good amount of data on you. Everything from your name, address, and email, to lots of data about your car and your use of your car, when and where you charge your car, infotainment system data, Tesla mobile app data, and Autopilot data (which they define as "Vehicle equipped camera suite that provides advanced features such as Autopilot, Smart Summon, and Autopark"). There is some good here. Tesla does say that some of this data -- things like your phone contacts and messages, dashcam video, and sentry mode data from external sensors and cameras -- is processed locally on the car and not shared with Tesla. However, note that cabin camera videos (those are the cameras pointed at your face) can be shared with Tesla if you enable data sharing.

Tesla makes other promises in their privacy documentation that sound quite good. They say they won't share your personal information with third parties for their own use unless you opt-in (don't opt-in!). They say they don't "associate the vehicle data generated by your driving with your identity or account by default." They say your location data is "either processed directly without leaving your vehicle, is in a form that does not personally identify you, or remains inaccessible to Tesla." These things are all good. However, they also say in their privacy policy, "Tesla vehicles are equipped with a camera suite designed from the ground up to protect your privacy while providing advanced features such as Autopilot, Smart Summon, and Autopark." And we know it has been reported that images and videos from Teslas were being shared by employees internally with little regard for privacy, so we worry that Tesla doesn't always honor all the privacy promises they make.

Beyond whether Tesla honors their privacy promises, we still have concerns. It seems likely Tesla is still using your personal information for their own advertising and marketing purposes and their privacy policy isn't exactly clear on all the ways they are doing that. Also, we have no idea what getting your opt-in consent to share your personal information looks like. Does Tesla make it super clear and obvious what you are consenting to when you opt-in? Or is that consent hidden or confusing (much like their privacy notice)? We aren't sure. And we couldn't get Tesla to respond to any of our privacy-related questions when we emailed the contact they listed for those, so again, while Tesla says they are committed to privacy, there is telling you about that and then there is actually showing that commitment. Our research seems to have found a lot more telling and a good deal less showing.

Tesla also mentions in their privacy notice that users can opt out of vehicle data sharing. It's actually kinda a funny section of their privacy notice. Here's what they say: "Connectivity and performance is a core part of all Tesla vehicles and why some customers choose Tesla, allowing for advanced features and an enhanced driving experience. By default, Tesla provides this seamless experience while protecting your privacy. However, if you no longer wish for us to collect vehicle data or any other data from your Tesla vehicle, please contact us to deactivate connectivity. Please note, certain advanced features such as over-the-air updates, remote services, and interactivity with mobile applications and in-car features such as location search, Internet radio, voice commands, and web browser functionality rely on such connectivity. If you choose to opt out of vehicle data collection (with the exception of in-car Data Sharing preferences), we will not be able to know or notify you of issues applicable to your vehicle in real time. This may result in your vehicle suffering from reduced functionality, serious damage, or inoperability." So, yes, Tesla does give you the option to opt out of data sharing from your car. While also warning you that if you do, your Tesla could become an expensive car-shaped brick. Call us crazy, but that doesn't feel like much of a choice.

Another concern we have with Tesla's privacy documentation -- did we mention it's more than a little confusing? On their privacy support page they say, "Tesla gives you the ability to permanently delete your Tesla Account and its associated data at any time, for any reason." That sounds good, right? However, in their privacy notice, they say, "Subject to local law, you may have the right to be informed of, and request access to, the personal data we process about you; update and correct inaccuracies in that information; have the information restricted or deleted; object or withdraw your consent to certain uses of data; and lodge a complaint with your local data protection authority." Those two statements seem to be a bit contradictory and we can't tell which one is true. We love it when companies clearly state that all users, regardless of what privacy laws they live under, are granted the same rights to access and delete their data. Tesla's seemingly contradictory statements leave us unsure if everyone has the same rights to delete their data.

One other red flag we wanted to note in Tesla's privacy policy (and this is something we see in too many privacy policies, to be fair). When it comes to sharing your personal information, they say they can share it with law enforcement or the government in fairly broad ways. They say, "We may also use and disclose information about you if we believe in good faith that that the law requires it for purposes of security, fulfilling our legal obligations (such subpoenas or court orders), law enforcement, or other issues of public importance, disclosure is necessary or appropriate. We may also share information about you, where there are legal grounds to do so, if we determine that disclosure is reasonably necessary to enforce our Terms of Use or protect our operations or customers. This could include providing information to public or governmental authorities." The way that statement is worded, we are concerned that Tesla could voluntarily disclose your personal information to law enforcement or governments, which is something we don't like to see. We prefer to see companies clearly state they will only share data with law enforcement and governments under court order and that even then, they will limit the scope of what they disclose as narrowly as possible. Tesla can collect a lot of data on their users and the people around them. Making sure that information can't be easily accessed by anyone, including law enforcement and governments, seems pretty important to us. We would love to see Tesla improve this line in their privacy notice.

Here's the bottom line with Tesla. Yes, their privacy notice and documentation say some things we like to see. They clearly state they won't sell your data. Good. They say they won't share anything that personally identifies you with third parties for their marketing purposes unless you opt-in. That's OK. We'd rather they not do that at all, of course, and we always worry about how clear or confusing the opt-in consent process is. But their privacy notice also has too many things in it we don't like to see. Really vague language, lack of clarity on sharing (lots of we "may" do this thing, "for example" this), and they also seem to hide a lot of what they could be doing behind legal terms like "fulfill other legitimate interests of Tesla." Privacy notices written with this sort of slick, legal language leave us privacy researchers feeling uneasy. That, combined with Tesla's poor track record at protecting and respecting their users' privacy, leaves us very worried about Tesla's privacy (no matter how much they mention in their privacy notice they care about your privacy, it's hard to trust them with their current track record showing otherwise). Combine this with the fact we emailed the contact listed in Tesla's privacy notice for privacy-related questions multiple times over the course of our research and never heard back from them, and we're not feeling too great about their actual commitment to your privacy.

So, what's the worst that could happen with Tesla when it comes to your privacy? Well, we have to say our imaginations went to many not-so-great places on this one, with a car carrying so many cameras, sensors, tracking technology, connected features, and more, and a company that hasn't always put the best privacy interests of their customers at the forefront. That being said, it would really suck to want to opt out of data sharing in your Tesla because you are a good, privacy-conscious human being, and then have your expensive Tesla suffer serious damage while you're driving it because opting out of data sharing also seems to opt you out of Tesla being able to notify you of serious issues with your car. That does not sound fun at all. Actually, it sounds kind of irresponsible on Tesla's part to even have that be a possibility.

Tips to protect yourself

  • Do NOT opt-in to allow Tesla to share your personal information with third parties.
  • You may deactivate the collection of vehicle data by deactivating connectivity completely. Please note, certain advanced features such as over-the-air updates, remote services, and interactivity with mobile applications and in-car features such as location search, Internet radio, voice commands, and web browser functionality rely on such connectivity. If you choose to opt out of vehicle data collection (with the exception of in-car Data Sharing preferences), we will not be able to know or notify you of issues applicable to your vehicle in real time. This may result in your vehicle suffering from reduced functionality, serious damage, or inoperability.
  • You may choose to disable the collection of ‘Road Segment Data Analytics’ at any time within your vehicle’s touch screen by navigating to Software > Data Sharing. Please note, some advanced features such as real-time traffic and intelligent routing rely on such data.
  • To protect your privacy, you may disable the collection of segment data at any time (Software > Data Sharing). Certain features such as real-time traffic, navigation, intelligent routing, Autopilot, and Summon, may require road segment data to function as intended.
  • Opt out from selling of your personal information, as well as from Cross-context Behavioral Advertising.
  • Always do a factory reset on your car before selling or trading it away to wipe your data clean and disconnect the app.
  • Before reselling your car, make sure to notify the company
  • When buying a used car, always make sure the previous owner removed their connected account and performed a factory reset.
  • Always use strong passwords and set up two-factor authentication for apps and services that connect to your car
  • Only give access to your data to trusted third-parties
  • When connecting a mobile app to the car, make sure to minimize the amount of data collected through this app. You can use iOS or Android settings to limit the data collected through your phone.
  • Opt out from your mobile device's location sharing.
  • Do not use Amazon Alexa in your car if you are concerned about Amazon collecting that voice request information, IP address, and geolocation information and using it to target you with advertising.

Can it snoop on me?

Camera

Device: Yes

App: Yes

Microphone

Device: Yes

App: Yes

Tracks location

Device: Yes

App: Yes

What can be used to sign up?

What data does the company collect?

How does the company use this data?

We ding this product because it collects data about you from third parties, including joint marketing partners, and it is unclear how they use that data. We are also concerned about this product because they say they can share your personal information in ways that are vaguely stated, and it is not clear to us how your personal information is used and if you are always able to opt out of its sharing.

Customer Privacy Notice

"We do not sell your personal data to anyone for any purpose, period."

"We do not share information that personally identifies you with third parties for their marketing purposes unless you opt-in to that sharing."

"We clearly define the vehicle data which we collect and don't collect. Tesla does not link your location with your account or identity, or keep a history of where you’ve been."

"We may also receive information about you from sources such as public databases, joint marketing partners, certified installers, affiliates and business partners, and social media platforms."

"We may share information with:
Our service providers, business partners and affiliates
Third parties you authorize
Other third parties as required by law"

"We limit how, and with who, we share your personal data. Examples of when we may share your information include, payment processing, order fulfillment, product installation, customer service, marketing, financing, service or repair, and other similar services."

"The personal data we collect may be shared between Tesla and our subsidiaries, affiliates (companies that are owned or controlled by Tesla, or where we have a substantial ownership interest), third party service providers, channel partners, suppliers, and others when necessary to perform services on our or on your behalf. <...>"

"We may also use and disclose information about you if we believe in good faith that that the law requires it for purposes of security, fulfilling our legal obligations (such subpoenas or court orders), law enforcement, or other issues of public importance, disclosure is necessary or appropriate."

"In addition, we may share information with:

- Third party service providers and channel partners to provide services such as website hosting, data analysis and storage, payment processing, order fulfillment and product installation, wireless connectivity to Tesla products, information technology and related infrastructure, customer service, product design, product diagnostics, maintenance or related services, email delivery, credit card processing, auditing, marketing, voice command processing, and other similar services.

- Subsidiaries and affiliates (such as Tesla Insurance Services, Inc.) to develop new and improve existing products and services, perform data analysis, and reporting. <...>

- Repair estimate providers and any insurance company to enable Tesla or third party service centers to perform services on your vehicle such as repair or maintenance. <...> Repair estimate providers may use this information in the aggregate to create and publish industry analytics.

- Other third party business partners to the extent that they are involved in the purchase, lease, or service of your Tesla products. We share limited information from or about you or your Tesla products to allow you to take advantage of those services if you elect to utilize them, with such partners as finance institutions, leasing, registration, title companies, electric utilities, permitting authorities and insurance companies.

- Third parties you authorize, such as:
-- Certified installers <...>,
-- Third party utilities or energy services companies <...>,
-- With third party service centers or providers <...>,
-- Third-party sponsors of contests and similar promotions<...>.

- Third parties when required by law or other circumstances<...>"

Tesla comments on EDPB Guidelines 1/2020

"In addition, Tesla has implemented several measures to ensure our customers have appropriate knowledge of what data may be collected at any given time, as well as the methods that are used in the process.
• Tesla applies the principles of data minimization in general and only collects specific data points (e.g. relating to speed) in the event of technical analysis or a safety critical event.
• Autopilot data sharing is off by default in our vehicles and requires explicit consent from the customer before this can be activated.
• Data sharing can be turned off at any point in time should our customer desire to do so.
• Tesla’s Privacy Notice (www.tesla.com/about/legal) is written and designed in a format that is easy to read, understand and navigate for our customers.
• Data privacy requests are handled through a formal, standardized channel for intake (www.tesla.com/support/contact) which is easily accessible and seamlessly integrated with the customer’s Tesla account. Our support page provides clear instructions explaining the data access request process (www.tesla.com/support/privacy), including frequently asked questions, as well as what kind of data the customer can expect to be provided as part of their request."

Privacy Overview page

"While we periodically review anonymous data from our global fleet, this data is not linked to you or your vehicle. VIN-associated data is only collected for remote diagnostics, for service or during a critical safety event."

How can you control your data?

We cannot confirm if all users, regardless of location, can get their data deleted.

"We retain each category of your Personal Information for no longer than is reasonably necessary for one or more Business Purposes, subject to your right to request we delete your Personal Information. Due to the nature of the Services, it is not possible to predict the length of time that we will retain Personal Information. Instead, we use the following criteria to determine whether it remains reasonably necessary to retain your Personal Information for one or more disclosed Business Purpose(s): (i) whether there is a retention period required by statute or regulations; (ii) the existence of actual or threatened litigation for which we are required to preserve the information; (iii) the statutes of limitations for potential legal claims; and (iv) generally accepted best practices in our industry. When we determine that it is no longer reasonably necessary to retain your Personal Information for one or more disclosed Business Purposes based on the above criteria, we will delete your Personal Information."

The right to delete information is mentioned for California residents:
"You have the right to request that we delete any of your Personal Information that we collected from you and retained. Be aware, however, that certain exceptions apply to the right to delete Personal Information. We may deny your deletion request if retaining your Personal Information is necessary for us or our Service Providers to:
- complete a transaction for which we collected your Personal Information, provide goods or Services that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you;
- help ensure security and integrity, including to detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities;
- debug Services, products and websites to identify and repair errors that impair existing intended functionality;
- exercise free speech, ensure the right of another consumer to exercise their right of free speech, or exercise another right provided for by law;
- comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.);
- engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the achievement of such research, if you previously provided informed consent;
- enable solely internal uses that are reasonably aligned with the expectations of consumers; or
- comply with a legal obligation, including in connection with product recalls."

The rights are also mentioned for residents covered by GDPR:
"You have at any time the right to object to the use of your personal data for the purposes mentioned in article 2. Besides, you can make use of the following rights:

• the right to access your personal data;
• the right to rectification of your personal data;
• the right to erasure of your personal data;
• the right to restriction of processing of your personal data;
• the right to object to the processing of your personal data:
• the right to data portability of your personal data;
• the right to open a claim at the privacy commission;
• the right to withdraw any previously given consent. "

What is the company’s known track record of protecting users’ data?

Bad

In April 2023, it was reported that Tesla workers shared sensitive images recorded by customer cars. One ex-employee described a video of a man approaching a vehicle completely naked.

Tesla faces a lawsuit from customers for leaking their video data. This prompted US lawmakers to demand Tesla do a better job at protecting their users' privacy.

In March 2023, it was reported that a Tesla Model 3 was hacked in less than two minutes at a hacking competition, allowing the hackers to potentially open the doors of the car while it was in motion.

In August 2022, there were reports that Tesla or its dealers collect location data from vehicles despite claiming that it is anonymised. Experts believe that anonymized data could still be pieced back together and thus be deanonymized.

In May 2022, it was reported that Tesla Sentry Mode, a system available in many of the company’s models, may violate the privacy of passersby. Tesla designed the system to record not just activity that could damage the vehicle itself, but also events, people and objects that get too close; individuals passing near the vehicle can set Sentry Mode into recording.

In March 2022, a Tesla owner filed a class-action lawsuit alleging "Tesla Inc. disregards drivers’ biometric privacy rights by scanning their faces while in its vehicles."

In October 2021, it was reported that as part of the wider rollout of Tesla’s “full self-driving” option, drivers may forfeit some privacy protections around location sharing and in-car recordings that they previously had.

In March 2021, Consumer Reports raised numerous privacy concerns related to Tesla's built-in cameras.

Child Privacy Information

"In addition, our products and services are not directed to individuals under the age of sixteen, and we request that such individuals not provide any information to Tesla."

Can this product be used offline?

Yes

User-friendly privacy information?

No

Tesla has easy to find privacy documentation. However, we found their privacy notice too often uses vague language and statements that lack clarity leaving us feeling uncertain and uneasy about the explanation of their privacy practices.

Links to privacy information

Does this product meet our Minimum Security Standards?

Unknown

Encryption

Can’t Determine

Tesla did not respond to our questions to confirm if all data on their cars, in transit, and where it is stored is strongly encrypted.

Strong password

N/A

Security updates

Yes

For over-the-air updates, connectivity is required.

Manages vulnerabilities

Yes

Tesla runs a bug bounty program on Bugcrowd.

Privacy policy

Yes

Does the product use AI?

Yes

Tesla’s driver-assistance system, known as Autopilot, is equipped with eight external cameras and vision processing to provide assistance to a driver. It helps with such tasks as autoparking, summoning the car in a tight space, and lane changes, or even "full self-driving capability", which is in Beta version now and includes traffic and stop sign control: "identifies stop signs and traffic lights and automatically slows your car to a stop on approach, with your active supervision."

Is this AI untrustworthy?

Yes

What kind of decisions does the AI make about you or for you?

Regulating speed, steering and deciding the driving actions for a driver.

Is the company transparent about how the AI works?

No

Tesla is under investigation in California over its Autopilot safety issues and false advertising (https://www.theverge.com/2023/7/26/23809183/tesla-autopilot-investigation-false-advertising-california-attorney-general). Tesla's toll reportedly includes 17 fatalities and 736 crashes (https://www.washingtonpost.com/technology/2023/06/10/tesla-autopilot-crashes-elon-musk/). “Tesla should offer customers the option to receive a full refund of Autopilot features if they are unsatisfied with the product,” said a Tesla customer, who was contacted by the AG’s office after filing a complaint with the Federal Trade Commission (https://www.cnbc.com/2023/07/26/tesla-under-investigation-by-california-attorney-general.html).

Does the user have control over the AI features?

No


Dive Deeper

  • Senators Markey, Blumenthal Demand Tesla Protect Drivers’ Privacy
  • Special Report: Tesla workers shared sensitive images recorded by customer cars
    Reuters
  • Lawsuit: Tesla must be punished for “tasteless” sharing of car-camera images
    Ars Technica
  • Tesla driver sues company for allegedly accessing customer videos
    CBS News
  • Tesla’s cameras are reportedly spying on customers, but it’s not just a Tesla problem
    Vox
  • „Mein Autopilot hat mich fast umgebracht“: Tesla-Files nähren Zweifel an Elon Musks Versprechen
    Handelsblatt
  • Is Tesla a Privacy Failure?
    The Privacy Whisperer
  • Tesla’s Sentry Mode is a privacy violation on wheels
    JD Supra
  • Shared Tesla owner videos, images sparks privacy concern for customers; how your shop could be affected
    Repairer Driven News
  • You Should Be Worried About Tesla’s Trove of Private Vehicle Data
    The Drive
  • Tesla Model 3 Hacked in Less Than 2 Minutes at Pwn2Own Contest
    Dark Reading
  • Tesla's In-Car Cameras Raise Privacy Concerns
    Consumer Reports
  • Tesla’s ‘full self-driving’ rolls back its privacy protection of trip videos
    CNN Business
  • Who Actually Owns Tesla’s Data?
    IEEE Spectrum
  • Tesla's AI Hype Collides With Reality
    The Wall Street Journal
  • As cars hoover up more and more driver data, is it time to regulate the industry?
    The Record
