BMW

Warning: *Privacy Not Included with this product

Wi-Fi Bluetooth

Reviewed on: August 15, 2023

Mozilla conducted 24 hours of research

Mozilla's opinion:

Public vote: Very creepy

Renowned German car manufacturer BMW made its first car way back in 1928. Nearly 100 years later, BMW cars are now known for their luxury, their expensive price tag, and increasingly, their connected features. They aren't exactly known for their fun car names though. Current BMW models include the X1, X3, X4, X5, X6, X7, 2, 3, 4, 5, 6, 7, 8, Z4, i4, i5, i7, iX, XM, and the BMW M.

The My BMW app does things like remotely lock and unlock your car, see where your vehicle is located, take pictures from the "vehicle environment", pay your car payment, navigate to where you want to go, find a parking spot, find a place to charge your electric vehicle, and more. So, how does BMW fare at privacy? Well, they aren't the worst car brand we reviewed. Unfortunately that bar is really low, so while they aren't the worst, we wouldn't exactly say they are great at privacy either.

What could happen if something goes wrong?

Here's some good-ish news in the nightmare world of cars and privacy. BMW isn't actually the worst car company we reviewed. Don't get us wrong, they are far from great. But compared to many of the other car companies' privacy and security we've reviewed, they are better than most. Yes, the bar is low. But alas, we're looking for something we can point to that isn't terrible in this bleak landscape. BMW is it.

BMW cars and their My BMW app absolutely collect huge piles of data on you and your car. Soooo much personal information, driving data, location data, app and internet usage data, and more. They don't do much, if any, better than any car company we reviewed on this front. They still know all the things like: your name, email, phone number, address, Vehicle Identification Number (VIN), location data on you and your car, your contacts' names and phone numbers (if you give them access to them, of course), vehicle images, including 3-D images around your car, environmental information like the temperature and if it is raining, sensor information which they describe as "e.g. radar, ultrasonic devices, gestures, voice, etc.", how fast you drive, where you drive.

BMW also says they can collect even more personal information about you from third parties, such as data brokers, data aggregators, social media networks, the government, publicly available databases, and more. They say that personal information could include your buying habits and interests and other publicly observed data (such as from social media) as well as demographic information such as your age, gender, ethnicity. Yikes! That's a lot of data. But they aren't done yet. BMW also says they can take all this personal information and other data they collect on you, your car, how you drive your car, what websites you click on, what you do in their app, and then use it to make inferences about you regarding your preferences and habits. Yes, that is a lot. Unfortunately, this is also pretty common among car companies. Your data is big business for them.

BMW goes on to say they can share that data with a whole bunch of places. They share it within their BMW Automotive Group family of companies, which is a pretty good-sized corporate conglomerate. They also say they can share this data with third-party dealers, service providers, and business partners (this is all pretty common sharing, but it's good to remind you that this can be a vast network of places your data lands that you have to hope protect and respect it).

Here's where we think -- emphasis on think -- that BMW might be a little better than many other car companies. While they absolutely use all that personal information and location data and inferences they draw from data they say they can gather about you from data brokers or collect from social media networks for targeted interest-based advertising, we can't quite tell if they share (or sell) all that data with other third parties for their advertising purposes as well. This might sound a bit like splitting hairs, and it is, but so many car companies flat out state they do this. They collect your personal information, build a big profile on you, and then make money giving other companies access to that personal information to target you with ads. From our reading of BMW's privacy policy, they might not do this. But we're also not 100% sure they don't -- their privacy policy left us some concerns that we haven't been able to clarify. And unfortunately, BMW didn't respond to our emailed requests to answer our privacy questions, so we just don't know. We want to believe BMW is better than others. We're just not 100% sure. But they are using all that personal information and car data to target you with interest-based advertising, so yeah, they are still not great.

One bad thing we do want to point out about BMW -- we've no idea if you can get your data deleted if you live somewhere that right isn't guaranteed by law. In fact, we're pretty sure you can't get your data deleted if you don't live somewhere that right is protected by law. Indeed, the Data Safety section of the My BMW app page in the Google Play store specifically states, "Data can’t be deleted. The developer doesn't provide a way for you to request that your data be deleted." So yeah, that's bad. It's also, unfortunately, not uncommon. We always ding companies that don't guarantee everyone the same rights to access and delete their data, no matter what privacy laws they live under, because it's just the right thing to do. We'd sure love to see BMW step up and do the right thing here.

As for their track record of protecting and respecting all that personal information and driving information they collect, BMW does seem to have had fewer serious security breaches and data leaks than some of the other car companies we've reviewed. They aren't perfect. We did find a couple of recent incidents, including one that could have exposed the sensitive personal information of BMW customers, and a few older incidents reported back in 2015 and 2018. The good news is, as far as we can tell, BMW is generally proactive and responsive when security vulnerabilities are brought to their attention. They even have a section on their website where they recognize and thank security researchers that have pointed out vulnerabilities to them, which we think is pretty cool.

However, now is a good time to remind you that BMW's own privacy policy warns, "We maintain some physical, electronic, and procedural safeguards designed to protect personal information. However, we cannot guarantee that your personal information will not be lost, accessed without authorization, disclosed, altered, or destroyed. Any information you provide to us is at your own risk." That's right folks, nothing you ever share on the internet is 100% safe, including that late night drive you took out into the middle of that remote area with that heavy weight in the trunk of your car....Oh, sorry, your privacy researcher might have watched a few too many crime dramas.

So, yay, BMW isn't the worst car company we reviewed when it comes to privacy! Still, they are far from great. So, what's the worst that could happen? Well, we must admit when reading about their Digital Key Connected Drive feature that allows BMW owners to share access to their cars with up to five friends or family members all while limiting things like speed, radio volume, and then being able to revoke that digital key at any time, our brains went crazy with worst case scenarios. Can you imagine if you shared your car with an abusive spouse who only allowed you access to drive your BMW through the Digital Key features and thus revoke your access to your car at any time, or limit the speed you could drive all while tracking your location at all times? Yikes! To be fair, this isn't only a concern with BMW connected car features. But sheesh, playing out worst case scenarios with connected cars can get scary fast. Oh yeah, there's also the fact that while BMW hasn't had any major data leaks or security breaches yet, with all that crazy amount of personal information and location information and knowing how fast you like to drive, here's hoping that never happens in the future. You might not want your insurance company to know about your lead foot....except, there's a pretty high likelihood they already do.

Tips to protect yourself

  • If you use BMW CarData, only give access to your data to trusted third-parties.
  • Do not give consent to tailored advertisement.
  • Opt out from selling of your personal information, as well as from Cross-context Behavioral Advertising.
  • Always do a factory reset on your car before selling or trading it away to wipe your data clean and disconnect the app.
  • Before reselling your car, make sure to notify the company.
  • When buying a used car, always make sure the previous owner removed their connected account and performed a factory reset.
  • Always use strong passwords and set up two-factor authentication for apps and services that connect to your car.
  • Only give access to your data to trusted third-parties.
  • When connecting a mobile app to the car, make sure to minimize the amount of data collected through this app. You can use iOS or Android settings to limit the data collected through your phone.
  • Opt out from your mobile device's location sharing.
  • Do not use Amazon Alexa in your car if you are concerned about Amazon collecting that voice request information, IP address, and geolocation information and using it to target you with advertising.

Can this product snoop on me?

Camera

Device: Yes

App: Yes

Microphone

Device: Yes

App: No

Tracks location

Device: Yes

App: Yes

What can be used to sign up?

What data does the company collect?

How does the company use this data?

We ding this product because they obtain personal data from third parties (possibly data brokers) and combine the obtained data with data collected directly from you to draw inferences about you. Based on the privacy documentation of BMW, it is unclear if they are buying data from data brokers and if they are sharing personal data with third parties for their own advertisement purposes.

BMW NA Privacy Notice

"We collect information from third parties, such as our service providers, data providers, or partners"

"We may collect personal information about you from third parties. In some instances, we may combine the personal information we collect about you from third parties with personal information we collect from you. Depending on your relationship with us, this personal information we collect from third parties may include:

Name, address, email address, and phone number;
Information on your buying habits and interests and other publicly observed data (such as from social media);
Demographic information;
Information we obtain when you connect to BMW NA through social media; or
Device identification information about your mobile phone, tablet, vehicle, or other device.

We may also use the personal information that we collect from you and about you to draw inferences, such as information regarding your preferences or habits."

"We may share your personal information for marketing purposes. This includes the sharing of your information with our BMW NA service providers, affiliates, dealers, or centers. You may opt out of the marketing emails or exercise rights under applicable laws as described below."

BMW may collect personal information about you from third parties, including data brokers. BMW may also combine the personal information they collect about you from third parties with personal information they collect from you. BMW may use the personal information they collect from you and about you to draw inferences, such as information regarding your preferences or habits. Your use of BMW's websites or apps, your vehicle, or information provided to them by their service providers can be used to draw inferences about you for advertising and marketing purposes.

The personal information they collect from third parties may include: Name, address, email address, and phone number; Information on your buying habits and interests and other publicly observed data (such as from social media); Demographic information; Information they obtain when you connect to BMW NA through social media; or Device identification information about your mobile phone, tablet, vehicle, or other device.

BMW NA says they will obtain your consent before collecting sensitive personal information where required to do so under applicable laws.

"We may use your information in a variety of ways, including to: Provide you with customized content, targeted offers, and advertising; For marketing research and other marketing and service related purposes; Evaluate advertisement interactions relating to our Services; For internal business analysis or other business purposes consistent with our mission; and Carry out other purposes that are disclosed to you and to which you consent. We may also use your information as otherwise described to you at the point of collection."

"We may also maintain aggregate data or other deidentified information about you, such as usage statistics, online traffic patterns and user feedback. In addition to using this information for the purposes discussed in this privacy policy, we may disclose this aggregated or other deidentified information to third parties without restriction."

"We may share your personal information for marketing purposes. This includes the sharing of your information with our BMW NA service providers, affiliates, dealers, or centers."

"We also share personal information with non-affiliated companies that market our products and services such as our authorized BMW dealers who are distinct entities and have their own privacy policies."

BMW shares data for marketing if you give consent. "Marketing communications and market research. Provided you have given your consent to any further use of your personal data, your personal data may be used and, to the extent necessary, passed on to third parties in accordance with the scope of the consent granted, for example, for promotional purposes (e.g. for selected products and services of the BMW Group and promotional partners) and/or market research. The details in this regard can be found on the respective consent form. Consent may be withdrawn at any time."

"We maintain some physical, electronic, and procedural safeguards designed to protect personal information. However, we cannot guarantee that your personal information will not be lost, accessed without authorization, disclosed, altered, or destroyed. Any information you provide to us is at your own risk."

BMW ConnectedDrive Privacy Policy

For performance of these services, the following information which may or may not be personal data (meaning information which is relating to an identified or identifiable natural person) and which originates from the vehicle is processed and possibly stored by BMW and commissioned service providers for such performance:
- Vehicle status information (e.g. mileage, battery voltage, door and hatch status, etc.)
- Position and movement data (e.g. time, position, speed, etc.)
- Vehicle service data (e.g. due date of next service visit, oil level, brake wear, etc.)
- Dynamic traffic information (e.g. traffic jams, obstacles, signs, parking spaces, etc.)
- Environmental information (e.g. temperature, rain, etc.)
- User profile (personal profile picture/ avatar, settings as navigation, media, communication, driver’s position, climate/light, driver assistance, etc.)
- Sensor information (e.g. radar, ultrasonic devices, gestures, voice, etc.)

Marketing communications and market research
Provided you have given your consent to any further use of your personal data, your personal data may be used and, to the extent necessary, passed on to third parties in accordance with the scope of the consent granted, for example, for promotional purposes (e.g. for selected products and services of the BMW Group and promotional partners) and/or market research. The details in this regard can be found on the respective consent form. Consent may be withdrawn at any time.

How can you control your data?

We cannot confirm that all users, regardless of location, can get their data deleted.

BMW NA Privacy Policy
You may have the following rights with respect to your personal information depending on the applicable state consumer privacy laws. Deletion. The right to request that we delete the personal information we have about you. We may not be required to delete information under particular circumstances.

"BMW NA may deidentify or aggregate your personal information in compliance with the CCPA and CPRA. In those situations, we are not obligated to provide access to or delete this information in response to a request."

BMW ConnectedDrive Privacy Policy
Under certain conditions you have the right to require us to:
- Provide you with further detail on the use we make of your information
- Provide you with a copy of your information
- Update any inaccuracies in the information we hold about you
- Delete any information about you that we no longer have a lawful ground to use
- Remove you from any direct marketing lists when you object or withdraw your consent
- Provide you with your personal data in a usable electronic format and transmit it to a third party (right to data portability)
- Restrict our use of your personal data
- Cease carrying out certain processing activities based on the legitimate interests ground unless our reasons for undertaking that processing outweigh any prejudice to your data protection rights
Your exercise of these rights is subject to certain exemptions to safeguard the public interest (e.g. the prevention or detection of crime), our interests (e.g. the maintenance of legal privilege) and the rights of third parties.

"The processed personal data is deleted automatically after 4 weeks if it is no longer needed for provision of the specific service. The ConnectedDrive Account is assigned specifically to you and is personal to you. Therefore, your driver profile (if it’s mapped with a ConnectedDrive Account) can just be activated within one vehicle."

"When a user's personal information changes (such as ZIP code) or if a user no longer is interested in our service and we are notified of such changes, we will endeavor to correct or update that user's personal information. In addition, the personal information in your online profile can be updated by you at any time on the ’My Profile’ page of the My BMW website. All personal information stored in your online My BMW profile requires a unique password and Login ID to access it (your BMW Login). With this password you can edit, delete or add to information you have shared while visiting our Sites. Additionally, the information you include in a credit application is secure while in transit to us."

"Your personal data is saved for only as long as the specific purpose it requires. If the data is processed for several purposes, the data is deleted automatically or saved in a form so that it cannot be traced back to you once the last specified purpose has been met"

"Personal data is processed by BMW and BMW AG employees, BMW dealers and by service providers who have been commissioned, with preference given to those within the EU/EEA. If data is processed in countries outside the EU/EEA, BMW AG uses EU standard agreements, including suitable technical and organizational measures, to ensure that your personal data is processed in accordance with the European level of data privacy."

What is the company's track record of protecting users' data?

Average

In April 2023, one independent dealer of BMW France suffered a data breach. Play Ransomware group has claimed responsibility for the cyber attack on BMW France. BMW stepped in and offered to help the independent dealer address the problem.

In January 2023, a security researcher discovered API flaws in BMW's that reportedly could have allowed access to BMW's customer files and revealed sensitive personal information of their customers. BMW fixed the security issue after they were made aware of it.

Child privacy information

"We do not knowingly collect or use any personal information from children (we define 'children' as minors younger than 13) on our Sites without prior, verifiable parental consent. We do not knowingly allow children to order our products, communicate with us, or use any of our online services.

If you become aware that a child has provided us with personal information, please contact us at [email protected] or write: BMW of North America, Privacy Office, PO Box 1227, Westwood NJ 07675-1227. We will take all reasonable measures to delete the information as soon as possible and to not use such information for any purpose, except where necessary to protect the safety of the child or others as required by law."

Can this product be used offline?

Yes

Is the privacy information accessible and understandable?

No

BMW had fewer links to various privacy policies than other car companies we reviewed. However, their privacy notices were still long, complicated, and full of legalese that was often difficult to follow and understand clearly.

Links to privacy information

Does this product meet our minimum security standards?

Unknown

Encryption

Can't determine

BMW says, "Collected data is transferred only in encrypted form. Sensitive data is also saved only in encrypted form." However, we cannot determine if all data sitting on the car, including telematic data the car collects as well as data shared when you connect your phone, sits encrypted, and if all collected data is encrypted in transit. We reached out to the company to attempt to determine this multiple times and received no response.

Strong password

Yes

All personal information stored in your online My BMW profile requires a unique password and Login ID to access it (your BMW Login). With this password you can edit, delete or add to information you have shared while visiting our Sites.

Security updates

Yes

"We periodically release software updates so the vehicle has the latest compatible SYNC version."

Vulnerability management

Yes

Privacy policy

Yes

BMW runs a bug bounty at HackerOne. Not only that, BMW has a section on their website recognizing and thanking security researchers who have helped them identify security issues. Not gonna lie, that's pretty good. Good work BMW.

Does the product use AI?

Yes

"Available in many models since the end of 2018, the Intelligent Personal Assistant uses AI and makes it easier for the customer to operate the vehicle. With the command "Hey BMW" the driver can activate the IPA and control many functions by voice command and without predetermined commands."

Is this AI untrustworthy?

Can't determine

What kind of decisions does the AI make about you or for you?

Is the company transparent about how the AI works?

Can't determine

Can the AI features be controlled by the user?

Can't determine

*Privacy Not Included

Dive deeper

  • Your Car Is Tracking You Just as Much as Your Smartphone Is—and Your Data Is at Risk
    The Drive
  • From Ferrari to Ford, Cybersecurity Bugs Plague Automotive Safety
    Dark Reading
  • Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More
    Sam Curry
  • Critical flaws found in Ferrari, Mercedes, BMW, Porsche, and other carmakers
    Security Affairs
  • BMW claims data breach limited to local dealer
    Cybernews
  • Toyota, Mercedes, BMW API flaws exposed owners’ personal info
    Bleeping Computer
  • BMW Potential Data Breach Puts Customers Information At Risk!
    The Cyber Express
  • The Potential Risks Of Digital Car Keys
    Slash Gear
  • Apple and BMW’s digital car key hints at the future of the iPhone
    Wired
  • BMW and the Digital Key Plus support for Pixel and Samsung
    Medium
  • Over a dozen vulnerabilities uncovered in BMW vehicles
    ZD Net
  • BMW fixes security flaw in its in-car software
    Reuters
  • BMW racing to patch 14 security vulnerabilities found in its cars
    Digital Trends
  • BMW cars found to contain more than a dozen flaws
    BBC
  • Car buyers balk at monthly fees for add-on features
    Axios
