Today, the Mozilla Foundation published its analysis of how well automakers handle the privacy of data collected by their connected cars, and the results will be unlikely to surprise any regular reader of Ars Technica. The researchers were horrified by their findings, stating that “cars are the worst product category we have ever reviewed for privacy.”
Mozilla looked at 25 car brands and found that all of them collected too much personal data, and from multiple sources—monitoring not just which buttons you push or what you do in any of the infotainment system’s apps but also data from other sources like satellite radio or third-party maps. Or even when you connect your phone—remember that prompt asking you if you wanted to share all your contacts and notes with your car when you connected it via Bluetooth?
While some gathered data seems innocuous or even helpful—feedback to improve cabin ergonomics and UIs, for example—some data is decidedly not.
(Although more sophisticated driver-monitoring systems that claim to detect emotional states have been demonstrated at shows like CES, we’re unaware of any that are in production.)
Mozilla found plenty more to worry about. Eighty-four percent of the brands they analyzed said they can share your data, and 76 percent said they can sell it. And more than half say they’ll share data with the government and law enforcement by request.
Users have very little control over what those brands do with their data. Only two of the 25 brands (Renault and Dacia) tell users they have the right to have their data deleted, and neither sell cars in the United States.
The poor state of digital security in the auto industry should also come as no surprise; in January, we reported on widespread vulnerabilities at multiple OEMs that would allow nefarious hackers to access personal information from servers or even remotely start a car’s engine. Mozilla was similarly unimpressed, saying:
Our main concern is that we can’t tell whether any of the cars encrypt all of the personal information that sits on the car. And that’s the bare minimum! We don’t call them our state-of-the-art security standards, after all.
Of the car brands Mozilla looked at, Tesla fared worst of all; it was only the second product to receive all of Mozilla’s “privacy dings” (an AI chatbot was the first), apparently. Nissan took the dubious honor of second-worst—the quoted section above should give a good idea of why.
What’s the solution?
Sadly there aren’t many practical steps that Mozilla (or Ars) can provide to ameliorate this situation. As the Mozilla report notes, there’s virtually no choice out there—I’m not sure of a single new car on sale in 2023 in the US that doesn’t contain an embedded modem, and such equipment is now mandated by law in the European Union for emergency services.
Californians might be able to look forward to some data protections; that state passed a consumer privacy law in 2018, and in August, the California Privacy Protection Agency said it would review the data privacy practices of connected vehicles and their manufacturers.
At the national level, some hope that the National Institutes of Standards and Technology and the Federal Trade Commission could include connected cars in their new labeling scheme for IoT security standards, but there’s no sign of that happening yet.
Meanwhile, Mozilla suggests that increasing awareness is the solution, and it is collecting signatures for a petition.