Warning: *Privacy Not Included with this product
Renowned German car manufacturer BMW made its first car way back in 1928. Nearly 100 years later, BMW cars are now known for their luxury, their expensive price tag, and increasingly, their connected features. They aren't exactly known for their fun car names though. Current BMW models include the X1, X3, X4, X5, X6, X7, 2, 3, 4, 5, 6, 7, 8, Z4, i4, i5, i7, iX, XM, and the BMW M.
The My BMW app does things like remotely lock and unlock your car, see where your vehicle is located, take pictures from the "vehicle environment", pay your car payment, navigate to where you want to go, find a parking spot, find a place to charge your electric vehicle, and more. So, how does BMW fare at privacy? Well, they aren't the worst car brand we reviewed. Unfortunately that bar is really low, so while they aren't the worst, we wouldn't exactly say they are great at privacy either.
What could happen if something goes wrong?
Here's some good-ish news in the nightmare world of cars and privacy. BMW isn't actually the worst car company we reviewed. Don't get us wrong, they are far from great. But compared to many of the other car companies' privacy and security we've reviewed, they are better than most. Yes, the bar is low. But alas, we're looking for something we can point to that isn't terrible in this bleak landscape. BMW is it.
BMW cars and their My BMW app absolutely collect huge piles of data on you and your car. Soooo much personal information, driving data, location data, app and internet usage data, and more. They don't do much, if any, better than any car company we reviewed on this front. They still know all the things like: your name, email, phone number, address, Vehicle Identification Number (VIN), location data on you and your car, your contacts' names and phone numbers (if you give them access to them, of course), vehicle images, including 3-D images around your car, environmental information like the temperature and if it is raining, sensor information which they describe as "e.g. radar, ultrasonic devices, gestures, voice, etc.", how fast you drive, where you drive.
BMW also says they can collect even more personal information about you from third parties, such as data brokers, data aggregators, social media networks, the government, publicly available databases, and more. They say that personal information could include your buying habits and interests and other publicly observed data (such as from social media) as well as demographic information such as your age, gender, ethnicity. Yikes! That's a lot of data. But they aren't done yet. BMW also says they can take all this personal information and other data they collect on you, your car, how you drive your car, what websites you click on, what you do in their app, and then use it to make inferences about you regarding your preferences and habits. Yes, that is a lot. Unfortunately, this is also pretty common among car companies. Your data is big business for them.
BMW goes on to say they can share that data a whole bunch of places. They share it within their BMW Automotive Group family of companies, which is a pretty good sized corporate conglomerate. They also say they can share this data with third-party dealers, service providers, and business partners (this is all pretty common sharing, but it's good to remind you that this can be a vast network of places your data lands that you have to hope protect and respect it).
Here's where we think -- emphasis on think -- that BMW might be a little better than many other car companies. While they absolutely use all that personal information and location data and inferences they draw from data they say they can gather about you from data brokers or collect from social media networks for targeted interest-based advertising, we can't quite tell if they share (or sell) all that data with other third parties for their advertising purposes as well. This might sound a bit like splitting hairs, and it is, but so many car companies flat out state they do this. They collect your personal information, build a big profile on you, and then make money giving other companies access to that personal information to target you with ads. From our reading of BMW's privacy policy, they might not do this. But we're also not 100% sure they don't -- their privacy policy left us some concerns that we haven't been able to clarify. And unfortunately, BMW didn't respond to our emailed requests to answer our privacy questions, so we just don't know. We want to believe BMW is better than others. We're just not 100% sure. But they are using all that personal information and car data to target you with interest-based advertising, so yeah, they are still not great.
One bad thing we do want to point out about BMW -- we've no idea if you can get your data deleted if you live somewhere that right isn't guaranteed by law. In fact, we're pretty sure you can't get your data deleted if you don't live somewhere that right is protected by law. Indeed, the Data Safety section of the My BMW app page in the Google Play store specifically states, "Data can’t be deleted. The developer doesn't provide a way for you to request that your data be deleted." So yeah, that's bad. It's also, unfortunately, not uncommon. We always ding companies that don't guarantee everyone the same rights to access and delete their data, no matter what privacy laws they live under, because it's just the right thing to do. We'd sure love to see BMW step up and do the right thing here.
As for their track record of protecting and respecting all that personal information and driving information they collect, BMW does seem to have had fewer serious security breaches and data leaks than some of the other car companies we've reviewed. They aren't perfect. We did find a couple of recent incidents, including one that could have exposed the sensitive personal information of BMW customers, and a few older incidents reported back in 2015 and 2018. The good news is, as far as we can tell, BMW is generally proactive and responsive when security vulnerabilities are brought to their attention. They even have a section on their website where they recognize and thank security researchers that have pointed out vulnerabilities to them, which we think is pretty cool.
However, now is a good time to remind you that BMW's own privacy policy warns, "We maintain some physical, electronic, and procedural safeguards designed to protect personal information. However, we cannot guarantee that your personal information will not be lost, accessed without authorization, disclosed, altered, or destroyed. Any information you provide to us is at your own risk." That's right folks, nothing you ever share on the internet is 100% safe, including that late night drive you took out into the middle of that remote area with that heavy weight in the trunk of your car....Oh, sorry, your privacy researcher might have watched a few too many crime dramas.
So, yay, BMW isn't the worst car company we reviewed when it comes to privacy! Still, they are far from great. So, what's the worst that could happen? Well, we must admit when reading about their Digital Key Connected Drive feature that allows BMW owners to share access to their cars with up to five friends or family members all while limiting things like speed, radio volume, and then being able to revoke that digital key at any time, our brains went crazy with worst case scenarios. Can you imagine if you shared your car with an abusive spouse who only allowed you access to drive your BMW through the Digital Key features and could thus revoke your access to your car at any time, or limit the speed you could drive, all while tracking your location at all times? Yikes! To be fair, this isn't only a concern with BMW connected car features. But sheesh, playing out worst case scenarios with connected cars can get scary fast. Oh yeah, there's also the fact that while BMW hasn't had any major data leaks or security breaches yet, with all that crazy amount of personal information and location information and knowing how fast you like to drive, here's hoping that never happens in the future. You might not want your insurance company to know about your lead foot....except, there's a pretty high likelihood they already do.
Tips to protect yourself
- If you use BMW CarData, only give access to your data to trusted third-parties.
- Do not give consent to tailored advertisement.
- Opt out from selling of your personal information, as well as from Cross-context Behavioral Advertising.
- Always do a factory reset on your car before selling or trading it away to wipe your data clean and disconnect the app.
- Before reselling your car, make sure to notify the company.
- When buying a used car, always make sure the previous owner removed their connected account and performed a factory reset.
- Always use strong passwords and set up two-factor authentication for apps and services that connect to your car.
- Only give access to your data to trusted third-parties.
- When connecting a mobile app to the car, make sure to minimize the amount of data collected through this app. You can use iOS or Android settings to limit the data collected through your phone.
- Opt out from your mobile device's location sharing.
- Do not use Amazon Alexa in your car if you are concerned about Amazon collecting that voice request information, IP address, and geolocation information and using it to target you with advertising.
Can this product snoop on me?
Camera
Device: Yes
App: Yes
Microphone
Device: Yes
App: No
Tracks location
Device: Yes
App: Yes
What can be used to sign up?
Email
Yes
Phone
Yes
Third-party account
Not applicable
What data does the company collect?
Personal
Last name, first name, address, email address, phone number. Potentially gender, age, or marital status, calendar events, including event title, location, or start or end times; your contacts, including names, addresses, or phone numbers; Inferences, "Examples include information BMW NA collects to create a profile about a consumer reflecting the consumer's preferences, characteristics, marketing, analytics, and preference data, brand loyalty, behavior, or attitudes." Vehicle- and driving-related data: Geolocation data, Vehicle status information (e.g. mileage, battery voltage, door and hatch status, etc.), Position and movement data (e.g. time, position, speed, etc.), Vehicle service data (e.g. due date of next service visit, oil level, brake wear, etc.), Dynamic traffic information (e.g. traffic jams, obstacles, signs, parking spaces, etc.), Vehicle images, including 3-D images around your vehicle, Environmental information (e.g. temperature, rain, etc.), User profile (personal profile picture/ avatar, settings as navigation, media, communication, driver’s position, climate/light, driver assistance, etc.), Sensor information (e.g. radar, ultrasonic devices, gestures, voice, etc.), analytics pertaining to your use of the Services, such as click events or app launch events
Body related
Audio, electronic, visual, thermal, olfactory, or similar information. Gestures, voice and other sensor-collected data. BMW NA's privacy policy says they do not collect biometric information about you.
Social
How does the company use this data?
How can you control your data?
What is the company's known track record of protecting users' data?
In April 2023, one independent dealer of BMW France suffered a data breach. Play Ransomware group has claimed responsibility for the cyber attack on BMW France. BMW stepped in and offered to help the independent dealer address the problem.
In January 2023, a security researcher discovered API flaws in BMW's that reportedly could have allowed access to BMW's customer files and revealed sensitive personal information of their customers. BMW fixed the security issue after they were made aware of it.
Child privacy information
Can this product be used offline?
User-friendly privacy information?
BMW had fewer links to various privacy policies than other car companies we reviewed. However, their privacy notices were still long, complicated, and full of legalese that was often difficult to follow and understand clearly.
Links to privacy information
Does this product meet our Minimum Security Standards?
Encryption
BMW says, "Collected data is transferred only in encrypted form. Sensitive data is also saved only in encrypted form." However, we cannot determine if all data sitting on the car, including telematic data the car collects as well as data shared when you connect your phone, sits encrypted, and if all collected data is encrypted in transit. We reached out to the company to attempt to determine this multiple times and received no response.
Strong password
All personal information stored in your online My BMW profile requires a unique password and Login ID to access it (your BMW Login). With this password you can edit, delete or add to information you have shared while visiting our Sites.
Security updates
"We periodically release software updates so the vehicle has the latest compatible SYNC version."
Manages vulnerabilities
Privacy policy
BMW runs a bug bounty at HackerOne. Not only that, BMW has a section on their website recognizing and thanking security researchers who have helped them identify security issues. Not gonna lie, that's pretty good. Good work BMW.
"Available in many models since the end of 2018, the Intelligent Personal Assistant uses AI and makes it easier for the customer to operate the vehicle. With the command 'Hey BMW' the driver can activate the IPA and control many functions by voice command and without predetermined commands."
Is this AI untrustworthy?
What kind of decisions does the AI make about you or for you?
Is the company transparent about how the AI works?
Does the user have control over the AI features?
Dive deeper
- Your Car Is Tracking You Just as Much as Your Smartphone Is—and Your Data Is at Risk (The Drive)
- From Ferrari to Ford, Cybersecurity Bugs Plague Automotive Safety (Dark Reading)
- Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More (Sam Curry)
- Critical flaws found in Ferrari, Mercedes, BMW, Porsche, and other carmakers (Security Affairs)
- BMW claims data breach limited to local dealer (Cybernews)
- Toyota, Mercedes, BMW API flaws exposed owners’ personal info (Bleeping Computer)
- BMW Potential Data Breach Puts Customers Information At Risk! (The Cyber Express)
- The Potential Risks Of Digital Car Keys (Slash Gear)
- Apple and BMW’s digital car key hints at the future of the iPhone (Wired)
- BMW and the Digital Key Plus support for Pixel and Samsung (Medium)
- Over a dozen vulnerabilities uncovered in BMW vehicles (ZD Net)
- BMW fixes security flaw in its in-car software (Reuters)
- BMW racing to patch 14 security vulnerabilities found in its cars (Digital Trends)
- BMW cars found to contain more than a dozen flaws (BBC)
- Car buyers balk at monthly fees for add-on features (Axios)