How cars spy on you: Most shocking takeaways from Mozilla's report
We love Mozilla, and we mean it. From implementing Google’s restrictive Manifest V3 extension API in an ad blocker-friendly way to strengthening its own anti-tracking protections, the Firefox maker does a lot of good in the digital world. But arguably its biggest, and somewhat overlooked, contribution to privacy is its edutainment work. In the latest ‘Privacy Not Included’ survey, Mozilla tore into the top-of-the-range representatives of the sprawling modern vehicles family. And what it discovered under the hood was nothing short of shocking.
We have studied the report and want to share with you the most eyebrow-raising and heckle-inducing things (in our opinion) that Mozilla has uncovered. But before we dive into these, let’s take a step back and review how car companies collect user data.
Too many access points, too little control
First and foremost, manufacturers collect your data when you interact directly with the car, such as when you turn the steering wheel, use the brakes or roll down the windows. The more electronics, cameras and sensors your car is fitted with, the more information it can gobble up about you or your surroundings through them.
For example, if you want to take advantage of assisted driving technology, be prepared to be monitored by a driver-facing camera that makes sure you keep your eyes on the road and records who knows what else in the process. If you want to give your car voice commands, accept the fact that it will record your speech (and not just when you give your car directions, but also while it’s waiting for you to say a ‘wake word’). Apart from your movements and biometrics, manufacturers can collect information about you from your car’s app, connected services (GPS and the like), infotainment systems, and, by extension, from your phone. For example, infotainment system computers were previously found to harvest data from drivers’ smartphones if they connected them via Bluetooth or cable. Last but not least, car manufacturers can obtain information about you from third parties, such as data brokers, social media, and car dealers.
Given all of this, it’s perhaps no surprise that Mozilla ranked modern cars last in terms of privacy out of all the products they’ve ever reviewed, including apps.
There’s probably no other product that can collect as much information about what you do, where you go, what you say, and even how you move your body (“gestures”) as your car.
We highly recommend that you read the Mozilla study in its entirety — it is not only enlightening, but also entertaining. The researchers spent 600 hours combing through the privacy policies of 25 automakers and found that they all failed to meet the minimum privacy requirements. A big fat “F.” So if you’re a driver, we encourage you to take a look — especially if you own one of these:
Nissan, Dacia, BMW, Subaru, FIAT, Jeep, Chrysler, Dodge, Volkswagen, Toyota, Lexus, Ford, Lincoln, Audi, Mercedes-Benz, Honda, Acura, Kia, Chevrolet, Buick, General Motors, Cadillac, Hyundai, Nissan, Tesla.
You won’t believe it until you see it
For this article, we’ve picked the most outrageous, amusing, and eyebrow-raising examples from Mozilla’s report. So, here are the juiciest bits in our opinion:
Mozilla was unable to confirm, for any of the car companies it looked at, whether they encrypt all of the personal data that is stored on their cars.
By getting into a Subaru as a passenger, you agree that it may share and sell your personal information, including for the purpose of “detecting and preventing criminal activity.”
Tesla warns that if you choose to stop the collection of vehicle data or other data from your vehicle, it may result in “reduced functionality, serious damage, or inoperability.” In other words, if you opt out of Tesla’s data collection, your car will turn into a brick.
Nissan, ranked last out of all car companies reviewed by Mozilla, may collect your sexual activity, health diagnosis, and genetic information. What’s more, it can then draw inferences from the data collected about you to create a detailed profile that would reflect your “psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”
Not to be outdone by Nissan, Kia collects your “genetic information” and “sex life” data… as well as information about your “medical condition, physical or mental disability,” “racial or ethnic origin,” and “religious or philosophical beliefs.” To top that all off, the automaker also apparently can collect “the contents of certain mail, emails, and text messages.”
Hyundai collects data about “disability status,” “citizenship” as well as “medical information.” It can also collect… “olfactory information,” that is, information relating to the sense of smell. Intrigued? We are too. What’s more, the South Korean carmaker says that it will comply with “law enforcement requests, whether formal or informal”. “Hey, could you be so kind as to give me that car’s data, pretty please?” — apparently, this is enough to access your vehicle data.
And one more about Nissan: according to the car maker’s Terms of Service, as a Nissan owner you “promise to educate and inform all users and occupants of your Vehicle about the NissanConnect Services and system features and limitations, the terms of the Agreement,” including with regards to data collection. So, not only your sex data, but also that of your passengers may be collected and potentially shared or sold.
Some more stats
If you think that these are probably outliers, and that the majority of car brands are far more privacy-friendly, or at least not so openly defiant of any reasonable privacy expectations, Mozilla has bad news for you. In fact, the vast majority of car manufacturers do not seem to care about your privacy at all. Here are some of the findings from the report in support of this somber conclusion:
84% of car brands Mozilla reviewed declare they can share your personal data
76% openly say they can sell your personal data
56% are ready to share user information with government and law enforcement upon request
92% of the car brands reviewed do not give all drivers the right to delete their data (the only two brands that do allow that are available exclusively in the EU, where the strict General Data Protection Regulation is in force)
The researchers concluded that “dating apps and sex toys publish more detailed security information than cars.” And having read the whole report… well, sex toys, especially some kinky ones of shady origins, may be just as bad, but modern cars still manage to win this dubious competition by a nose.
If you’re not ready to jump right into Mozilla’s (rather lengthy) report, but want to read more about the curious case of modern cars and the pitfalls that await their drivers, we’ve got you covered.
The thing is, modern cars are not only a privacy nightmare, they are also turning into a subscription hell. Car manufacturers dream of putting as many features as possible behind a paywall and charging you for them on a monthly or yearly basis (with the option of increasing your subscription fee at any time). Sometimes this approach backfires — enter BMW’s recent decision to drop the $18 monthly subscription for heated seats (hooray!!). However, sometimes it sticks.
For our in-depth take on the subscription-based model for cars and what we fear will come out of its ongoing adoption, check out our article. For more insights into the future of the car industry, check out our other article about Ford, which (apparently) wants cars to be able to repossess themselves, that is, drive away from you and sometimes even self-liquidate if you’re behind on a loan.
To challenge car companies on their questionable privacy practices and dubious innovations, and to prevent this dystopia from becoming reality, we need to first be aware of what is happening in the car industry. Namely, we need to know what the implications are for our data, security, and freedom.
While we are already used to websites collecting information about our online personas and know how to minimize our digital footprint (sort of), data collection by cars remains largely uncharted privacy territory. Many car owners and their passengers remain in the dark about the extent to which car manufacturers collect and sell data. So the first step we need to take is to educate ourselves, as well as our friends and family, about that ugly side of the modern sensor-driven car industry. We also need to make sure our voices are heard by the automakers and the government.
If you don’t like how car companies are handling your data, consider signing Mozilla’s petition urging car manufacturers to respect customer privacy. You might say it’s a drop in the bucket, but this is a case where every drop counts.