Warning: *Privacy Not Included with this product
Chrysler is a US-based car brand, now under parent company Fiat Chrysler Automotive (FCA), and the large car conglomerate Stellantis fits in there somewhere as well. Huge car company ownership networks can get quite confusing (but understanding huge car conglomerates isn't our job... figuring out their privacy ecosystems is though, and that can also be hugely confusing). Founded back in 1925 in Michigan, Chrysler became one of the "Detroit Three" car companies in the US. Today, Chrysler models include the minivan Pacifica and Pacifica Plug-in Hybrid, and the 300 sedan. The Chrysler app and the UConnect connected services let you do all the remote things like remote start/stop, lock/unlock, honk the horn, flash your lights, and access navigation and entertainment options. How's Chrysler at privacy? Well, you might want to pack up your minivan and head for the hills. Chrysler, and their parent company FCA, aren't at all good at privacy.
What could happen if something goes wrong?
If we had an award to give out for the worst privacy policy website, we would bestow that dubious honor on Chrysler and parent company FCA's US privacy policy site (which also covers the privacy for Jeep, Dodge, Ram, and Fiat). Holy cow is it a nightmare to navigate and read. Teeny, tiny font, the most frustrating navigation, no way to search through the privacy policy for keywords, no way to download the full privacy policy to keep a record of it. Basically, Chrysler/FCA's privacy policy site is a privacy researcher's nightmare. OK, rant over.
Now onto our next rant because it seems their actual privacy policies aren't much better. We found this line in the California Privacy Supplement (reminder, California's strong privacy law called CCPA gives residents of California better privacy protections than people who live in other states without strong privacy laws or people who live under the EU's strong privacy law known as GDPR. The US doesn't have, but desperately needs, a national consumer privacy law.) section of their privacy policy that kinda sums it up for us, "We do not sell or share personal information or sensitive personal information about California consumers who we know are younger than 16 years old." So, if you are under 16 and live in California, you might be good for privacy. Otherwise, eh... maybe not so much. For the rest of us they say, "As defined by the CCPA, we may sell or share: identifiers, usage data, customer records, geolocation, commercial information, and inferences to or with affiliates and subsidiaries, dealers, marketing and advertising partners, and analytics providers." Yeah, that's not great.
Chrysler/FCA says they can collect a massive amount of personal information and vehicle data on you from your Chrysler, the Chrysler app, and the UConnect connected services if you use them. So many things like your name, precise geolocation, Vehicle Identification Number (VIN), driver’s license number, and other government identifiers, browsing history, search history, biometric identifiers, such as fingerprints or facial templates, and more. Oh, and then they say they can also collect more data on you from third-party sources such as data brokers, social media, and car dealers.
They also say they can collect a lot of data about you and your car. Things like "performance data, and other sensor data generated by your Vehicle, images, and event data generated in connection with certain Connected Services (such as autonomous driving and distracted driver features), data from third-party account services that you link to your Connected Services account (e.g., Amazon Alexa), and images captured in connection with vehicle camera record." Then there's all the driving data they say they can collect on you. Things like, "speed, acceleration and braking data; direction of travel; trip data (e.g., mileage, date, time, weather conditions, location, route taken); ignition events; steering events; cruise control data; seatbelt status; information about Vehicle incidents or events; other information about how you drive a Vehicle; and associated date/time stamps for such information."
And then they go on to say they can use much of this personal information and car data to draw inferences about you "to create a profile reflecting an individual’s preferences, characteristics, predispositions, behavior, attitudes, intelligence, abilities or aptitudes." They want those profiles on you so they can do things like market products to you based on those inferences and interests and your location, target you with what they call relevant ads, and personalize content to you to keep you using, and paying for, their services. That profile they create on you from all this data is quite valuable to them, and to other third parties, who want to know as much about you as possible to try and sell you more stuff. In that vein, Chrysler/FCA say they can share -- or even sell -- that information to a large number of service providers, business affiliates, subsidiaries, marketing partners, data brokers, car dealers, etc etc on and on and on. None of this is good for your (or your passengers') privacy.
And don't hold your breath that you'll be able to get all that data Chrysler/FCA collects on you deleted. Their privacy policy doesn't clearly state that users who don't live under strong privacy laws like California's CCPA or Europe's GDPR can get their data deleted. And on their Google Play Store Chrysler App page, where they list their Data Safety information, Chrysler clearly states, "Data can’t be deleted: The developer doesn’t provide a way for you to request that your data be deleted."
Shoot, even if you decide to deactivate those connected services for privacy reasons, it might not mean Chrysler/FCA actually stops collecting your data for those connected services. Indeed, their UConnect connected services privacy policy says, "Expiration or termination of your Connected Services subscription does not automatically stop all collection of Covered Data from your Vehicle." They go on to say that if you actually want them to stop collecting your data for privacy reasons, you have to jump through even more hoops, like calling both SiriusXM and the vehicle connected services department separately and directly to have your connected services stop sending Chrysler/FCA your data. And then they add this little gem, "If you cancel for privacy reasons, wireless transmission network service will be deactivated for your Vehicle once your request has been processed, which means that: (i) remote transmission and collection of Covered Data from your Vehicle will be stopped; (ii) most Connected Services will not be available to you, including emergency and roadside services and Wi-Fi-enabled services; and (iii) your Vehicle will no longer receive updates to your in-vehicle manual or other over-the-air updates." So yeah, basically you can jump through many hoops to have Chrysler/FCA stop collecting your data for privacy reasons, but that means your Jeep's emergency and roadside services will no longer work and you'll no longer receive updates to your car's software, which we're assuming means it could stop functioning correctly or miss fixes for security vulnerabilities as they come up. Not cool FCA, not cool. People should be able to opt out of data collection and still keep their security features if they want.
Speaking of security vulnerabilities. While Chrysler/FCA's track record at protecting and securing all that data and connected services seems better now, back in 2015, they became the first car company forced to issue a recall of their vehicles based on a cybersecurity threat. Then, Wired first reported how two hackers were able to exploit vulnerabilities in an FCA-owned Jeep Cherokee entertainment system to take remote control of the car. Then they could do everything from messing with the air conditioning to turning the radio on and off to stopping the car's acceleration. That report eventually resulted in FCA issuing a recall of 1.4 million vehicles to fix the security vulnerability. That's the bad news. The good news is, we couldn't find any recent news of security vulnerabilities, data breaches or leaks from FCA.
One other thing we'd like to note about Chrysler/FCA (and this applies to every company that says they de-identify your data, not just Chrysler/FCA). The Chrysler/FCA privacy policy states, "We may collect, use, and disclose aggregate, anonymous, and other non-identifiable data about users for marketing, advertising, research, compliance, or other purposes. Where we use, disclose, or process de-identified data (data that is no longer reasonably linked or linkable to an identified or identifiable natural person, household, or personal device), we will maintain and use the information in de-identified form and not to attempt to re identify the information, except as permitted by applicable privacy laws (such as to confirm whether our de-identification processes are reasonable and adequate)." It is fairly common to see lines in company privacy policies that say similar things to this -- the company can collect data, de-identify it, and then use it however they want and keep it for as long as they like. Generally, this can be OK. However, we would like to warn that researchers have found it can be relatively easy to re-identify some personal data that has been de-identified, especially if location data is involved. What can you do about this? Well, you can frequently ask for your data to be deleted; that could help. But not everyone has the same rights to that. So the best option is to limit the personal information and location data a company collects on you as much as possible. We know this is easier said than done, especially with cars. Which is why we sure hope policy makers and regulators will step in soon to help consumers better protect their privacy.
So, what's the worst that could happen as you're cruising around in your Chrysler while using your Chrysler app and those UConnect connected services to stay online on your minivan road trip? Well, we're sure glad they fixed those security vulnerabilities they had back in 2015 that allowed hackers to take control of your car and stop it and more through the UConnect system. That's pretty much a worst-case scenario if that could happen again. Other than that, well, Chrysler/FCA knowing way more about you than they should, sharing that with data brokers who can then sell that to who knows who for who knows what purpose, well, that gets pretty scary too. Especially if they learn you like to take your minivan to the mall every Friday while listening to Taylor Swift on the radio and looking up news articles on the hottest TikTok fashion trends. That might set you up for way more targeted ads than you and your family could possibly afford.
Tips to protect yourself
- Opt out of the sharing or selling of your Covered Data with third parties.
- If you are from California, opt out of the sale of your personal information.
- Do not give consent to tailored advertisement.
- Always do a factory reset on your car before selling or trading it away to wipe your data clean and disconnect the app.
- Before reselling your car, make sure to notify the company.
- When buying a used car, always make sure the previous owner removed their connected account and performed a factory reset.
- Always use strong passwords and set up two-factor authentication for apps and services that connect to your car.
- Only give access to your data to trusted third parties.
- When connecting a mobile app to the car, make sure to minimize the amount of data collected through this app. You can use iOS or Android settings to limit the data collected through your phone.
- Opt out of your mobile device's location sharing.
- Do not use Amazon Alexa in your car if you are concerned about Amazon collecting that voice request information, IP address, and geolocation information and using it to target you with advertising.
Can it snoop on me?
Camera
Device: Yes
App: Yes
Microphone
Device: Yes
App: No
Tracks location
Device: Yes
App: Yes
What can be used to sign up?
Email
Yes
Phone
Yes
Third-party account
N/A
What data does the company collect?
Personal
"First and last name, address, phone number, email address, account name, SSN, other contact information, IP address, VIN, online identifiers, driver’s license number, and other government identifiers or other unique personal identifiers; records of products or services purchased or considered, records from usage of the Connected Services, or other purchase or usage histories; Inferences drawn from other personal information that we collect to create a profile reflecting an individual’s preferences, characteristics, predispositions, behavior, attitudes, intelligence, abilities or aptitudes, information about an individual’s educational history, audio, electronic, visual, thermal, olfactory, or similar information, Vehicle- and driving-related data: location data from your Vehicle or device; driving data about your Vehicle, such as dates and times of use; speed, acceleration and braking data; direction of travel; trip data (e.g., mileage, date, time, weather conditions, location, route taken); ignition events; steering events; cruise control data; seatbelt status; information about Vehicle incidents or events; other information about how you drive a Vehicle; and associated date/time stamps for such information, odometer, mileage, MPG, and emissions data; trouble or error codes, and other diagnostic data; service and maintenance history; engine performance; tire pressure data; weather, temperature and other driving conditions; fuel levels and refueling activity; battery levels and status; images from cameras; other performance, mechanical and operational data; Vehicle settings, commands and presets, points of interest, and other information about your use of certain features; and associated date/time stamps for such information; audio, visual and other electronic data, including data related to your Vehicle usage or interactions with us, such as error codes, diagnostic and performance data, and other sensor data generated by your Vehicle, images, and event data generated in connection with certain Connected Services (such as autonomous driving and distracted driver features), data from third-party account services that you link to your Connected Services account (e.g., Amazon Alexa), and images captured in connection with vehicle camera record; profiles and inferences, Additional data pieces collected: - From FCA dealers: FCA authorized dealers (independently owned and operated businesses) may provide us with purchase, payment, and finance information (when you purchase or lease one of our vehicles from them), information about vehicle maintenance, services, repairs, warranty claims, quality, and customer support, as well as data about prospective buyers. - Third-party data: such as vehicle sales records and motor vehicle records, as well as third-party data providers that provide us with information to update and enhance our customer records and provide us with leads including lists of potential vehicle purchasers, current, or former owners. - Affiliates and partners: including third-party providers of certain features or portions of the Services or Connected Services. Also, if you take advantage of a third party or affiliate offer through the Services, we may receive information from that third party about your interaction with them."
Biometric
"Fingerprints or facial templates, if you enable and enroll in biometric authentication to access your Vehicle or certain Connected Services"
Social
How does the company use this data?
How can you control your data?
What is the company's known track record of protecting users' data?
In 2015, Fiat Chrysler issued a safety recall affecting 1.4m vehicles in the US, after security researchers showed that one of its cars could be hacked. The problem was fixed in a 2015 recall.
Child privacy information
Can this product be used offline?
Is the privacy information easy to understand?
Chrysler and parent company FCA have a complicated group of privacy policies that are not easy to navigate (seriously, their privacy policy site is a nightmare to navigate), read, and understand.
Links to privacy information
Does this product meet our Minimum Security Standards?
Encryption
We cannot determine if all data sitting on the car, including telematic data the car collects as well as data shared when you connect your phone, sits encrypted, and if all collected data is encrypted in transit. We reached out to the company to attempt to determine this multiple times and received no response.
Strong password
Security updates
Manages vulnerabilities
FCA runs a bug bounty on Bugcrowd.
Privacy policy
In 2020, Fiat Chrysler signed an exclusive deal with Waymo (former Google self-driving project) to develop autonomous driving technology.
Is this AI untrustworthy?
What kind of decisions does the AI make about you or for you?
Is the company transparent about how the AI works?
Does the user have control over the AI features?
Dive deeper
- Supreme Court foregoes hearing Fiat Chrysler appeal in cybersecurity case (Cyber Talk)
- Fiat Chrysler and Waymo sign exclusive deal on self-driving commercial vehicles (CNBC)
- Fiat Chrysler recalls 1.4 million cars after Jeep hack (BBC)
- Fiat Chrysler and Peugeot shareholders vote to merge, creating world's fourth-largest car maker (NBC News)