Toyota

Attention : *Confidentialité non incluse avec ce produit

Toyota

Toyota
Wi-Fi Bluetooth

Passé en revue le : 15 août 2023

|
Mozilla a effectué 24 heures de recherches
|

L’avis de Mozilla :

|
Vote du public : Super flippant

Japanese car maker Toyota is the global leader in car sales around the world. Toyota's brands include regular cars like the Corolla and Camry, trucks like the Tacoma and Tundra, minivans like the Sienna, SUVs like the 4Runner, Highlander, and Rav4, and of course their popular electric Prius. While Toyota might not be known as the coolest car brand, they sure are reliable, dependable, and popular.

The Toyota app lets you start and stop, lock and unlock, set predetermined privileges for guest drivers, find your car in a parking lot, and even monitor how you drive to tell you if you're a terrible driver (or to help you become more efficient, we suppose). The app works for users of most Toyotas 2018 and newer and some older vehicles as well. So, how does Toyota do at protecting your privacy? Let's just say this privacy researcher is pretty happy she drives a old 2002 Toyota with none of the sensors and connected features. Toyotas are reliable, yes. Private, maybe not so much.

Que pourrait-il se passer en cas de problème ?

Oof....Toyota. As the most popular car brand in the world, we really hoped you would have better privacy practices and track records for respecting and protecting the huge amounts of personal information you say you can collect. Unfortunately, that is not what we found in our research. We're afraid Toyota's "Let's Go Places" slogan means they really want to tag along and learn all they can about you on the way.

Where to start with our concerns about Toyota's privacy practices? Maybe with the fact that Toyota promotes itself as very privacy friendly while doing too many things that are anything but. For example, on Toyota's Privacy Hub, they mention right off the top that they "play a key role in the development and adoption of the Automotive Consumer Privacy Protection Principles." This sounds great, right? Well, it does until you look at it more closely. Those privacy principles were created by the automakers themselves back in 2014 to show they were taking privacy seriously.

However, if you look closely, you'll see that Toyota, and nearly all the automakers we reviewed, don't actually follow their own principles for privacy. Those include things like "Data Minimization" (the idea they collected only what data is needed), "Data Security" (securing the data they do collect), "Transparency" (providing users clear, meaningful privacy information), and "Choice" (offering users choice in how their data use and collecting, and "Respect for Context" (using and sharing information only for what it was collected). Our research shows that Toyota (and pretty much every other car maker we reviewed who signed onto these principles) absolutely do not follow these promises at all. Toyota collects a ton of data -- way more than is likely necessary, they admit to sharing and even selling some of it with third parties for their own marketing purposes, they've had security lapses that put their users' personal information at risk, and they continue to expand their data collect to make more money off of the treasure trove of data they collect. Toyota isn't alone in this, but they are the ones bragging about playing a key role in setting up automotive privacy principles that they themselves don't seem to follow.

That being said, we do give Toyota a thumbs up for granting all people in the US, not just those covered by California's strong CCPA privacy law, the same rights to do things like have their data deleted or opt out of having some of their data sold. These are good rights that we feel should absolutely be granted to everyone, regardless of whether they live under stronger privacy laws like California's CCPA or the EU's GDPR. We can't confirm if Toyota grants everyone, everywhere the same rights to access, delete, and control their data though, which is not good. We would love to see them step up and clearly say they will do this.

We also give Toyota some bonus points for having a North American Privacy Hub where consumers can more easily track down some of the many privacy policies Toyota has that covers their cars, apps, connected services, and more. But this outlines another gripe we have with Toyota. There are so many privacy policies, notices, statements, etc for all of their cars, connected services, apps, on-board cameras, and more. Tracking them down was quite the task. We even learned that Toyota's app for managing their connected car service works with all their car brands -- except the Toyota Supra. Which has its own Toyota Supra Connect app that, interestingly, links to BMW's privacy policy. It's quite the complicated privacy scavenger hunt to track down all of Toyota's privacy documentation and make sense of it. We did our best, but it made our heads spins. Don't worry though, we found another Toyota slogan that applies here! "Imagine a world without limits"...on the number of privacy notices we expect people to read. Shoot, Toyota even admits in their EU privacy policy that their privacy policy landscape is quite complicated, "This Policy contains general rules and explanations. It is complemented with separate specific privacy notices relating to particular services, tools, applications, websites, portals, (online) sales promotions, marketing actions, sponsored social media platforms, etc. provided or operated by or on behalf of Toyota." Your head is probably spinning now too.

Toyota says they can collect a whole heap of personal information on you through your car, the Toyota app, and their connected services. This includes everything from personally identifying information such as name, address, phone number, email, online identifier, social media ID, and demographic information such as your age, to driving behavior such as acceleration and speed, steering, and breaking functionality, and travel direction, to lots of information about your car including VIN (Vehicle Identification Number), interior and exterior image data from cameras and sensors in your car, facial geometric features. They even can collect sensitive personal information such as precise geolocation data, biometric information. On top of all this, they say they can collect lots of information about you from other sources such as social media, public sources, data brokers, data providers, your friends, and more. Toyota is collecting a whole lot of information on you. Oh, and if you use any of those mobile services like SiriusXM radio, wi-fi connectivity, navigation, or even let your insurance track your usage, well, those places can all collect your personal information too.

So, what does Toyota say they can do with this treasure trove of information? Well, some of it they seem to treat responsibly. Like the facial geometric features they get when they scan your face to identify your for your driver profile they say will only be processed and stored on your car. That is good. Unfortunately, Toyota says they can do lots more with so much of all that other information they collect on you. For one, they say they can share or sell your personal information to third parties for targeted advertising purposes. Even worse, they don't 100% commit to not processing, or potentially even sharing, your sensitive personal information -- things like your precise geolocation data, biometric information for the purpose of uniquely identifying an individual, and financial information. In fact, they qualify the use of that sensitive information in ways that leave us uncomfortable. They say, "Where required by law, we will obtain your consent before processing your sensitive Personal Information. We will also generally use your sensitive Personal Information for limited purposes..." This vague, qualifying language about how they say they can handle and share your sensitive personal information does not leave us feeling good about Toyota's overall privacy practices.

Toyota's ecosystem of parent companies and affiliates, dealers and distributors is also vast. These include things like Toyota Financial Services and your local "dealer advertising associations." These are all places Toyota says they can share your personal information. We also found Toyota Connected Europe, which seems to be a Toyota-affiliated data business that uses all the vast amounts of data cars, car apps, and car mobile services can collect to develop better connected cars, understand driver behavior better, make cars safer (yay!), help drivers develop more energy efficient driving behavior, and more. Some of these things are very useful and beneficial to society. Some of them might not be. And remember, Toyota is in the business of selling more cars, and thus, collecting more data to sell more cars. Toyota Connected Europe describe data as follows: "It’s the lifeblood of our business and powers everything we do." We share this as a reminder that for car companies like Toyota, data is a huge and growing business as cars become ever more connected (Toyota Connected Europe describe themselves on their web page as a "young business".) Guess what, we've got another Toyota slogan that applies here! "You are what drives us." Another way of saying your data is what drives our business (to be fair, data is what drives most businesses these days…unfortunately for privacy it's the way the world now works).

Toyota does love their slogans. They say, Peace of mind comes standard. Well, maybe not so much when it comes to their track record of protecting and respecting all that personal information they collect. They have a couple of serious security lapses over the past few years that raise eyebrows. In May, 2023 Toyota admitted that it had left the location data of over 2 million Toyota and Lexus users exposed and unsecured for ten years. A couple weeks later, Toyota again admitted it left the data of another 260,000 car owners exposed in a different security incident. And back in 2020, security researchers found flaws in the encryption for the car keys that let drivers start their cars in Toyota vehicles. Hyundai and Kia car keys were also found to have the same flaws. These security and privacy oopsies on Toyota's part don't exactly give us a lot of peace of mind that they truly understand what it takes to protect all that information they are collecting on us as we drive their cars. In fact, they themselves warn in their Connected Services privacy policy, "Please note, however, that we cannot completely ensure or warrant the security of any information transmitted to us by you or your vehicle. Your use of your vehicle’s Connected Services and App Suite is at your own risk." Is that what Toyota was going for with their slogan. "The power of choice is yours"? Probably not, but it works!

What's the worst that could happen in your Toyota car with Toyota's app and Connected Services and on-board cameras sharing data with their parent companies, business affiliate, car dealers, third party advertisers, and more? Well, Toyota could know everywhere you drive (they probably do) and know where you like to shop and when and then you could have "relevant to your location" ads follow you all around targeting you to buy more stuff. That could be OK. It also could suck if you're trying to drink less alcohol and every time you drive near a liquor store you get an ad for beer. OK, maybe that's not the worst things that could happen. We can actually think of many worse things. But this is something that could way too easily happen and it is bad enough. Hey Toyota, maybe we can ask you to be "Inspired by what's possible" and collect way less personal information on your car owners and give people more of an ability to protect their privacy when driving your cars. Now that would be privacy "Built for how you live." Unfortunately we have a slogan of our own for Toyota: *Privacy Not Included.

Conseils pour vous protéger

  • Do not give consent to tailored advertisement.
  • Opt out from selling of your personal information, as well as from Cross-context Behavioral Advertising.
  • Always do a factory reset on your car before selling or trading it away to wipe your data clean and disconnect the app.
  • Before reselling your car, make sure to notify the company
  • When buying a used car, always make the previous owner removed their connected account and performed a factory reset.
  • Always use strong passwords and set up two-factor authentication for apps and services that connect to your car
  • Only give access to your data to trusted third-parties
  • When connecting a mobile app to the car, make sure to minimize the amount of data collected through this app. You can use iOS or Android settings to limit the data collected through your phone.
  • Opt out from your mobile device's location sharing.
  • Do not use Amazon Alexa in your car if you are concerned about Amazon collecting that voice request information, IP address, and geolocation information and using it to target you with advertising.
  • mobile

Ce produit peut-il m’espionner ? informations

Caméra

Appareil : Oui

Application : Oui

Microphone

Appareil : Oui

Application : Oui

Piste la géolocalisation

Appareil : Oui

Application : Oui

Que peut-on utiliser pour s’inscrire ?

Quelles données l’entreprise collecte-t-elle ?

Comment l’entreprise utilise-t-elle les données ?

We ding this product as it is selling or sharing your personal information with third parties

Toyota Privacy Statement

"We may sell your Personal Information to third parties or share your Personal Information with third parties for targeted advertising. However, we do not knowingly sell, share, use for targeted advertising, or disclose the Personal Information of minors under the age of 16."

Toyota says the following categories of information maybe have been sold and/or shared with third parties for their own marketing purposes.
Contact information including name, email address, phone, physical address, and demographic information; Consumer product and service data; Consumer interaction data, which may be considered "audio, visual or other similar information; Consumer online activity; Vehicle originated data, which may be considered "inferences," such as data collected as part of vehicle remote services or driving behavior data; Marketing; Research data.

"Where required by law, we will obtain your consent before processing your sensitive Personal Information. We will also generally use your sensitive Personal Information for limited purposes, such as to provide the goods or services you requested; to prevent, detect, and investigate security incidents; to resist malicious, deceptive, fraudulent or illegal actions; to ensure physical safety; and to verify or maintain the quality or safety of our products, services or devices."

In the last 12 months, Toyota sold the following data to third parties who offer their own services to you and for their own marketing purposes:
- Contact information: attributes that identify a natural person, which may be considered an "identifier" or information covered under the California Customer Records Act. Examples include name, address, phone number, email, owner account information, online identifier, user ID, social media ID, and site visitor details (names, addresses, etc.) and demographic information (such as ZIP code, age).
- Consumer product and service data, which may be considered "commercial information," such as consumer vehicle ownership records associated with the consumer's current and/or prior owned vehicles. Examples include vehicle ownership transactions, Retail Delivery Report (RDR) records, recall records, warranty records, repair order records, part order records, Toyota Insurance Management Solutions insurance product records, and incentive offers accepted by a consumer.
- Consumer interaction data, which may be considered "audio, visual or other similar information," such as consumer's interaction with Toyota via telephone, email, chat, text and/or postal mail. Examples include call center records and screen, audio and/or video recordings.
- Consumer online activity, which may be considered "identifiers" and "internet or other electronic network activity information," such as consumer's online interactions with Toyota. Examples include online accounts, browsing history, cookies, IP addresses, social media information.
- Vehicle originated data, which may be considered "inferences," such as data collected as part of vehicle remote services or driving behavior data. Examples include use of connected services and vehicle application suite services; driving behavior such as acceleration and speed, steering, and breaking functionality, and travel direction.
- Marketing, which may be considered "identifiers," "inferences," or information covered under the California Customer Records Act. This includes information under the pre- and post-sale marketing interactions with a consumer. Examples include information collected at events, vehicle purchase negotiation information, vehicle service marketing information, direct marketing information, and retention marketing information.
- Research data, which may be considered "identifiers," "inferences," or information covered under the California Customer Records Act. This includes information collected by Toyota related to consumer and product research. Examples include survey information, syndicated product and/or service studies, predictive behavioral studies, focus-group information.

"Under United States privacy laws, certain types of Personal Information are considered “sensitive” Personal Information or data and require additional data privacy rights and obligations. We collect precise geolocation data, biometric information for the purpose of uniquely identifying an individual, account login information, and financial information, which may be considered “sensitive” Personal Information under privacy laws. Where required by law, we will obtain your consent before processing your sensitive Personal Information. We will also generally use your sensitive Personal Information for limited purposes, such as to provide the goods or services you requested; to prevent, detect, and investigate security incidents; to resist malicious, deceptive, fraudulent or illegal actions; to ensure physical safety; and to verify or maintain the quality or safety of our products, services or devices."

Toyota uses the information they collect on you to:
- Provide advertisements to you, including via electronic and physical means, and tailor any content, opportunities or other offers we serve you, including by providing more relevant content, advertisements, and offers over time and across multiple devices;
- Offer other products and services to you that you may be interested in;
- Internal research, design, marketing analysis, and analytics purposes, including to improve customer satisfaction and the Platforms, our vehicles and other products, and our services;
- Carry out B2B functions

"You may share your location with us and we may use it for the purpose of providing you with offers and other information relevant to your location."

"We also share Personal Information with companies affiliated with Toyota and our authorized dealers and their holding companies, dealer advertising associations and distributors for their own use."

"We, Web publishers, and other Web sites on which we advertise may target advertisements for products and services in which you might be interested based on your visits to both the Platforms and other Web sites."

Toyota Connected Services Privacy Notice for the US

"Where applicable, we use Location Data, Driving Data, Vehicle Health Data, data derived from Safety Connect (which includes automatic collision notification, roadside, emergency and stolen vehicle assistance), navigation, Remote Connect, Service Connect, and Wi-Fi connectivity for the following purposes:
Improve Safety.
Develop New Vehicles and Features.
Confirm Quality.
Analyze Data (e.g., Vehicle Trends).
Prevent Fraud or Misuse.
As Required by Law or Legal Process."

"We contractually bind our service providers to handle your Account Information in accordance with this Privacy Notice. For example, Toyota Connected North America, Inc. provides customer support and the other services that are part of your Connected Services, and apps, such as Amazon will store and use the information you provide to them in order to verify your account and provide you with their services. "

Comment pouvez-vous contrôler vos données ?

We ding this product as we cannot confirm that all users regardless of location can get their data deleted.

"Please note that these rights might be limited under the applicable national data protection law and that we do not intend to identify you and may not be able to identify you. "

"When the California Consumer Privacy Act took effect in 2020, we provided the privacy rights it affords to all U.S. consumers, not just those residing in California. "

"Your Privacy Rights. We provide you with choices with respect to your personal information that we have collected about you. You may exercise your privacy rights by visiting the Toyota Motor North America Privacy Hub at https://privacy.toyota.com or by contacting us.

- Right to Delete. You may have the right to request us to delete the personal information we have collected about you.

"Driving Data. We will store Driving Data in an identifiable format for a period of time not to exceed 15 years from the date of creation. "

"We will store Location Data in an identifiable format for a period of time not to exceed 10 years from the date of creation ."

"If you do not notify us of a sale or transfer of your vehicle, we may continue to send reports and data about the vehicle or Connected Services account to the subscriber’s Account Information currently on file with us. In such case, we are not responsible for any privacy related damages you may suffer. "

Quel est l’historique de l’entreprise en matière de protection des données des utilisateurs et utilisatrices ?

Mauvais

Toyota leaked data of 2.15 million users over 10 years between 2013 and 2023. The information exposed in the misconfigured database includes:
- the in-vehicle GPS navigation terminal ID number,
- the chassis number, and
- vehicle location information with time data.

Another possible leak that affected 300,000 users was revealed by Toyota in 2022. Toyota discovered that a portion of the T-Connect site source code was mistakenly published on GitHub and contained an access key to the data server that stored customer email addresses and management numbers.

In 2020, a major vulnerability has been revealed that affected the encryption systems used by Toyota, Hyundai, and Kia.

Informations liées à la vie privée des enfants

The Platforms are not directed to children under 13. We do not knowingly collect, use or disclose personally identifiable information from anyone under 13 years of age. If we determine upon collection that a user is under this age, we will not use or maintain his/her Personal Information without the parent/guardian's consent. If we become aware that we have unknowingly collected personally identifiable information from a child under the age of 13, we will make reasonable efforts to delete such information from our records.

Ce produit peut-il être utilisé hors connexion ?

Oui

Informations relatives à la vie privée accessibles et compréhensibles ?

Non

Toyota has a vast number of privacy policies, notices, statements, and the like for their vehicles, onboard cameras, apps, and seperate Toyota Supra app made by BMW that leaves a user searching and sorting through multiple privacy documents and various company privacy policies.

Liens vers les informations concernant la vie privée

Ce produit respecte-t-il nos critères élémentaires de sécurité ? informations

Inconnu

Chiffrement

Impossible à déterminer

Toyota says it "employs layers of defense to drive strong safeguarding practices, such as, where appropriate, code and design reviews, security testing, firewalls, intrusion detection systems, signing and encryption." However, we cannot determine if all data sitting on the car, including telematic data the car collects as well as data shared when you connect your phone sits encrypted, and if all collected data is encrypted in transit. We reached out to the company to attempt to determine this multiple times and received no response.

Mot de passe robuste

Ne s’applique pas

Mises à jour de sécurité

Oui

Gestion des vulnérabilités

Oui

Toyota runs a bug bounty program on HackerOne.

Politique de confidentialité

Oui

Le produit utilise-t-il une IA ? informations

Oui

Toyota Safety Sense™ uses radars and cameras to offer Pre-Collision System with Pedestrian Detection, Lane Tracing Assist, Road Sign Assist, etc. These features are enabled by numerous cameras, sensors and radars on the car.

Cette IA est-elle non digne de confiance ?

Impossible à déterminer

Quel genre de décisions l’IA prend-elle à votre sujet ou pour vous ?

L’entreprise est-elle transparente sur le fonctionnement de l’IA ?

Impossible à déterminer

Les fonctionnalités de l’IA peuvent-elles être contrôlées par l’utilisateur ou l’utilisatrice ?

Impossible à déterminer

*Confidentialité non incluse

Pour aller plus loin

  • Privacy Concerns Aren't Keeping Automakers From Selling Massive Amounts of Your Data
    Newsweek Le lien s’ouvre dans un nouvel onglet
  • From Ferrari to Ford, Cybersecurity Bugs Plague Automotive Safety
    Dark Reading Le lien s’ouvre dans un nouvel onglet
  • Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More
    Sam Curry Le lien s’ouvre dans un nouvel onglet
  • Critical flaws found in Ferrari, Mercedes, BMW, Porsche, and other carmakers
    Security Affairs Le lien s’ouvre dans un nouvel onglet
  • Toyota Reveals Data Leak of 300,000 Customers
    Infosecurity Magazine Le lien s’ouvre dans un nouvel onglet
  • Toyota: Car location data of 2 million customers exposed for ten years
    Bleeping Computer Le lien s’ouvre dans un nouvel onglet
  • More than 2 million Toyota users face risk of vehicle data leak in Japan
    Reuters Le lien s’ouvre dans un nouvel onglet
  • Toyota confirms another years-long data leak, this time exposing at least 260,000 car owners
    TechCrunch Le lien s’ouvre dans un nouvel onglet
  • Toyota Discloses Decade-Long Data Leak Exposing 2.15M Customers' Data
    Dark Reading Le lien s’ouvre dans un nouvel onglet
  • SiriusXM Software Flaw Let Researchers Unlock And Start Cars Remotely
    Motor 1 Le lien s’ouvre dans un nouvel onglet
  • Hackers Can Clone Millions of Toyota, Hyundai, and Kia Keys
    Wired Le lien s’ouvre dans un nouvel onglet

Commentaires

Vous avez un commentaire ? Dites-nous tout.