Warning: *Privacy Not Included with this product
Kia is a South Korean car company founded in 1944 as a maker of bike parts. Today Kia -- owned in part by the other major South Korean car maker, Hyundai -- is known as one of the most reliable car brands in the world. Models include the Sportage, Soul, Sorento, Forte, Rio, and the EVs Niro and EV6. Their Kia Access app and Kia Connect connected services allow owners to do remote things like lock/unlock the car, find your car, set your car's cabin temperature, send locations to your car's navigation system, check your EV's charging status, find charging stations, and even pair the app with your smartwatch. So, how is happy little Kia at privacy? Holy cow, they are terrible! That makes us anything but happy.
What could happen if something goes wrong?
Kia’s approach to privacy is all over the map. But mostly, it’s bad. Let’s cut to the chase: Kia says they can collect a lot of sensitive and personal information they have no business collecting. The list is long and includes some of the creepiest data categories we have ever seen (since reviewing Nissan, at least) like your “genetic information” and “sex life.” Could there be a “good” reason for your car maker to have that information? Probably not. If there is, we definitely didn’t find it in Kia’s privacy policy. We did learn that they may use your personal information to “deliver advertising or marketing communications based on your interests.” Boooo.
Kia can also collect, according to their US Privacy Policy, information about your “medical condition, physical or mental disability,” “racial or ethnic origin,” and “religious or philosophical beliefs.” They even say they can collect “the contents of certain mail, emails, and text messages.” Huh? We can only assume that means your communications with Kia, but that’s such a weird and vague way to put that. We have so many questions. Like, how? But also, why?
Now, Kia does say that they don’t collect sensory data (like audio and visual data). Phew! That is a relief since it’s pretty common for car makers to collect the data created by vehicle features that use microphones and cameras. They also say that they do not collect biometric data (like your face and fingerprints). That’s another load off, since sharing that information comes with certain risks. But wait, “unique biometric information” is listed as an example of “Sensitive Personal Information” that they do collect. Hmm. It seems like some of Kia’s data-collecting disclosures were written to cast as wide a data-catching net as possible. That is a technique we privacy researchers really hate to see when we read privacy policies. Their policy even mentions “Personal information described in California Civil Code Section 1798.80(e)” which, as we learned from reviewing Honda and other car companies, means just about any personal information under the sun “capable of being associated with you.” Yikes!
In their Kia Connected Services privacy policy, Kia says they can collect many of the same categories of personal information listed in their US Privacy Policy, including the creepy ones we mentioned earlier. That’s especially uncool since connected services can open up a third-party can o’ worms. Here’s what we mean: Even though the connected services you get through your Kia are provided by Kia, they sometimes rely on third-party providers who may need “access to user information to carry out the services they are performing for you or for [them].” Which services and which service providers? We can’t be sure of all of them because Kia only lists the categories of companies with a few examples.
Another thing about Kia’s connected services: some of them are a bit creepy. Kia’s “My Car Zone” lets you set alerts that log other drivers’ behavior in your car. Called “Curfew Alerts, Geo-Fence, & Speed Watch,” car-owners can create settings that collect information about other drivers’ habits, “such as when the Vehicle is being driven and whether the Vehicle is being driven beyond a pre-determined speed limit or boundary location.” This feature is pitched with a parent-child relationship in mind but it’s ripe for abuse by controlling partners or family members.
And it’s not just your car’s connected services that can give away access to your data. Kia has apparently no control over how the third-party apps available through your car’s dashboard treat your information. That’s why they suggest in their privacy policy that you “review any available policies” for those apps before interacting with them in your car. Cool cool cool, thanks for the tip! We will definitely consider doing that in all our free time. It's got to be only like, what, another 5 or 6 or 10 privacy policies, right?
Keep in mind all the data collected about you is in addition to detailed information about your car and what you do in it: how fast you drive, when you pump the brakes and buckle your seatbelts. Also, your geolocation, which can include “physical location or movements.” Hm? That’s a new one. Anyway, it’s a whole lot! But Kia doesn’t stop at drivers’ car, phone, and connected services in their quest to “Learn more about [their] customers and their [customers’] experiences” (that’s another thing that Kia says they can do with your information). They also collect information about you from “affiliates,” “partners,” “service providers,” “advertising and social networks,” as well as “data analytics, data enhancement, and market research providers” -- which sounds to us like a wordier way of saying data brokers.
What does Kia do with all that info? Ugh, we’d really like to know. Aside from marketing purposes, getting to know you better, and some other purposes that actually do sound legitimate, Kia lists a couple vague ones, like “Conduct[ing] internal research” and “Support[ing] our internal business operations.” Alrighty.
Kia also uses this mountain of data to create more data about you, called “inferences.” Practically all the car makers we looked at do. Poor form, everyone! Those inferences or assumed facts about you can be created from any of the personal information Kia has on you, reflecting your “preferences, characteristics, predispositions, behavior, attitudes, or similar behavioral information.” That’s extra creepy when you consider that they know some very intimate things about you, like everywhere you go.
One other thing that Kia does seem to do with your data is sell it. Yuck! We really hate that because they collect so much data and then say they can sell it to make more money. Nearly all the car companies we reviewed did this as well, and it sucks with everyone. They also share it with a lot of the same places they collect your data from. That list includes (once again) “affiliates,” “partners,” “service providers,” “advertising and social networks,” as well as “data analytics, data enhancement, and market research providers.” Kia might also comply with “governmental requests” for your data. Ugh, that word! At Mozilla, we believe your personal information should only be shared with the government and law enforcement when there is a legal obligation to do it. And, even then, as minimally as possible. Kia, please help yourself to our verbiage and do better. Governments shouldn't simply be able to "request" people's precise location data and information about their "sex life".
One unique line that we saw in Kia's privacy policy that we don't recall seeing in other car companies' privacy policies was this one, "Moreover, we reserve the right to disclose and transfer the information we collect: (i) to a subsequent owner, co-owner, or operator of the Services or associated databases." We're not actually really sure what to make of that line. We can see instances where transferring some car data might be useful for a future owner, but potentially sharing your personal information with a future owner just seems weird to us. And what the heck does "associated databases" mean? Seriously people, we read privacy policies for a living and way too often they leave us scratching our heads in dismay and confusion.
So, what control do drivers have over their data and can they ask Kia to delete it? Unfortunately, unless you won the location-based privacy lottery, then probably not. Residents of strong-privacy-law states in the US (California, Colorado, Connecticut, Virginia and Utah) have the special right to request that their data be deleted. People living in Europe under GDPR have the right to delete their data too. But call us crazy, we think everyone should have the right to get their data deleted, not just the lucky ones who live under strong privacy laws.
Speaking of having control of your data, Kia… doesn’t always. Earlier this year, the car brand went viral for the worst reason. The “Kia Challenge” on TikTok led to hundreds of car thefts, including 14 reported crashes and eight fatalities, according to the United States’ National Highway Traffic Safety Administration. Thieves known as “The Kia Boyz” posted instructional videos about how to bypass the vehicles’ security system using only a USB cable. Kia ended up having to patch eight million cars to fix it. Dang, that is really not good. Call us a tough customer, but we believe taking control of someone else’s car should be more challenging than charging your phone.
Then there was the security researcher who discovered a security vulnerability in Kia (and Honda, Infiniti, Nissan, Acura) that he said could allow hackers to do things like use the vehicle's VIN number to remotely lock/unlock the car, start/stop the car, flash the lights, honk the horn, take over the user's account, disclose personal information, lock the user out of managing their vehicle, change ownership, and "for Kia’s specifically, we could remotely access the 360-view camera and view live images from the car." Not good.
Kia's stakeholder company, the Hyundai Motor Group, also suffered a data breach that exposed the personal information of French and Italian car owners who booked a test drive. And last year the company made (another) pretty embarrassing misstep when they used an encryption key that was copied from an example, allowing a software developer to “hack” a Hyundai’s software with a simple Google search. Ouf. Finally, we couldn't confirm whether Kia meets our Minimum Security Standards because we're not sure if all the data that sits on the car is encrypted. We asked, but Kia didn't answer any of our emails.
Kia’s slogan is “Movement that inspires” but after reading their privacy policies all we’re feeling inspired to do is take the bus. What could happen if something goes wrong? We don’t have to think too hard because of the ways Kia’s poor privacy and security practices have already impacted drivers. Kia’s stores of ultra-private information about you could get into worse hands because of their sloppy security. Or, TikTokers might find another embarrassingly simple way to take control of Kia owners’ cars that puts drivers' lives at risk. Kia, the next time you go to workshop your logo, we suggest you take another stab at your privacy policies instead. Until then, you should know that Kia comes with *Privacy Not Included.
Tips to protect yourself
- Be mindful that Kia Connect Services may contain content that is supplied by third parties. For example, a link may take you away from a Kia Connect Services page and onto a third party's website or application. These other websites and applications are subject to different privacy policies.
- When presented with an option on Kia Connect Services to receive certain information and/or marketing offers directly from third parties or to have Kia send certain information to third parties or give them access to it, say NO.
- Do not give consent to tailored advertisement.
- Opt out from selling of your personal information, as well as from Cross-context Behavioral Advertising.
- Always do a factory reset on your car before selling or trading it away to wipe your data clean and disconnect the app.
- Before reselling your car, make sure to notify the company.
- When buying a used car, always make sure the previous owner removed their connected account and performed a factory reset.
- Always use strong passwords and set up two-factor authentication for apps and services that connect to your car.
- Only give access to your data to trusted third parties.
- When connecting a mobile app to the car, make sure to minimize the amount of data collected through this app. You can use iOS or Android settings to limit the data collected through your phone.
- Opt out from your mobile device's location sharing.
- Do not use Amazon Alexa in your car if you are concerned about Amazon collecting that voice request information, IP address, and geolocation information and using it to target you with advertising.
Can it snoop on me?
Camera
Device: Yes
App: Yes
Microphone
Device: Yes
App: No
Tracks location
Device: Yes
App: Yes
What can be used to sign up?
Email
Yes
Phone
Yes
Third-party account
N/A
What data does the company collect?
Personal information
"Name, postal address, unique personal identifiers, online identifiers, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers; signature, Social Security number, physical characteristics, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education or employment information, financial account numbers, medical information, or health insurance information; age, race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex and gender information, veteran or military status, or genetic information; precise geolocation, racial or ethnic origin, religious or philosophical beliefs; union membership; genetic data; unique biometric information; contents of certain mail, emails, and text messages; or health, sex life or sexual orientation information, education records directly related to a student maintained by an educational institution or party acting on its behalf (e.g., grades, transcripts, schedules, and student ID numbers), Inferences drawn from the above information that may reflect your preferences, characteristics, predispositions, behavior, attitudes, or similar behavioral information."
Vehicle Information: "information about your Vehicle's operation, performance and condition, including such things as diagnostic trouble codes, oil life remaining, tire pressure, fuel economy and odometer readings, battery use management information, battery charging history, battery deterioration information, electrical system functions; (ii) driver behavior information, such as the actual or approximate speed of your Vehicle, seat belt use, information about braking habits and information about collisions involving your Vehicle and which air bags have deployed; (iii) information about your use of the Vehicle and its features, such as whether you have paired a mobile Device with your Vehicle; (iv) the precise geographic location of your Vehicle; (v) data about remote services we may make available such as remote lock/unlock, start/stop charge, parking location, climate control, charge schedules, and Vehicle status check; (vi) when there is a request for service made; and (vii) information about the Vehicle itself (such as the vehicle identification number (VIN), model, model year, trim, selling dealer, servicing dealer, date of purchase or lease and service history"
Biometric information
“unique biometric information”
Social information
How does the company use this data?
How can you control the use of your data?
What is the company's track record of protecting users' data?
In February 2023, Kia and Hyundai had to patch 8 million cars, after the so-called “Kia Challenge” on the social media platform TikTok had led to hundreds of car thefts nationwide, including at least 14 reported crashes and eight fatalities, according to the National Highway Traffic Safety Administration. Thieves known as “the Kia Boyz” would post instructional videos about how to bypass the vehicles’ security system using tools as simple as a USB cable. The problem was so bad, some car insurers stopped insuring the impacted models of Kia and Hyundai cars.
In January 2023, a security researcher released information on security flaws in Kia's cars that could allow hackers to use the vehicle's VIN number to do things like remotely lock/unlock the car, start/stop the car, flash the lights, honk the horn, take over the user's account, disclose personal information, lock the user out of managing their vehicle, change ownership, and "for Kia’s specifically, we could remotely access the 360-view camera and view live images from the car."
In February 2021, Kia Motors America suffered a ransomware attack by the DoppelGanger gang, demanding $20 million for a decryptor and not to leak stolen data.
Child privacy information
Can the product be used offline?
Is the privacy information easy to understand?
Kia's privacy policies too often left us confused and wondering what exactly they meant with many of their privacy policies and practices.
Links to privacy information
Does the product meet our Minimum Security Standards?
Encryption
We cannot determine if all data sitting on the car, including telematic data the car collects as well as data shared when you connect your phone, sits encrypted, and if all collected data is encrypted in transit. We reached out to the company multiple times to attempt to determine this and received no response.
Strong password
Security updates
In February 2023, Kia and Hyundai had to patch 8 million cars, after the so-called “Kia Challenge” on the social media platform TikTok had led to hundreds of car thefts nationwide, including at least 14 reported crashes and eight fatalities, according to the National Highway Traffic Safety Administration. Thieves known as “the Kia Boyz” would post instructional videos about how to bypass the vehicles’ security system using tools as simple as a USB cable.
Manages vulnerabilities
You can report vulnerabilities here.
Privacy policy
Kia Advanced Driving Assistance Systems includes Forward Collision-Avoidance Assist, Blind-Spot Collision Warning, Lane Keeping Assist, etc. These features are enabled by numerous cameras, sensors and radars on the car.
Is this AI untrustworthy?
What kind of decisions does the AI make about you or for you?
Is the company transparent about how the AI works?
Does the user have control over the AI features?
Dive deeper
- Your Car Is Tracking You Just as Much as Your Smartphone Is—and Your Data Is at Risk (The Drive)
- Hyundai and Kia forced to update software on millions of vehicles because of viral TikTok challenge (The Verge)
- Kia, Hyundai are easy targets for thieves, insurance data confirms (CNN)
- Kia Motors America suffers ransomware attack, $20 million ransom (Bleeping Computer)
- From Ferrari to Ford, Cybersecurity Bugs Plague Automotive Safety (Dark Reading)
- Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More (Sam Curry)
- Hackers Can Clone Millions of Toyota, Hyundai, and Kia Keys (Wired)