Tobias Kupek
November 17, 2023

What does my car know about me?

Modern cars are pretty much rolling computers. With the increasing number of sensors, control units and entertainment systems, even non-autonomous cars are running on several million lines of code. Built-in cellular connectivity allows us to find the best route in seconds, stream music and even update cars with the latest features without visiting a service station.

But what happens with the pile of data that is collected from day to day? Who has access to your mileage, GPS locations, camera videos, and your call history? What data is shared, with whom, and for what purpose?

Two great investigations from The Markup and the Mozilla Foundation have answers. I summarized them here, adding information from other sources and my own knowledge.

What data is collected?

A modern vehicle is equipped with over 100 technical sensors. These can include engine sensors to measure fuel efficiency, safety sensors like blind spot detection, and all the new features that make cars so convenient today. We can call our friends with a single voice command, open the trunk with the wave of a foot, or have the car detect driver fatigue by monitoring our posture. Without connectivity, any infotainment system would be pretty limited, so of course interacting with the navigation and entertainment apps connects to the internet. Finally, connected devices like our phones and the apps on them can interact with the car.

All these sensors and devices generate lots of data. Any interaction with your car, or just sitting in it, creates multiple digital events that are collected, processed and eventually shared for various purposes. Additionally, manufacturers collect extra information via data brokers, car dealers and other connected sources. In total, the Mozilla Foundation’s analysis identified over 160 types of data that cars are collecting about you, what you do in your car, and about the world around your car.

Although some of that data can obviously be useful, like the vehicle speed or the current position required for navigation, much of it seems more than unnecessary to collect. Some car manufacturers note in their privacy policy that they can collect information about how much money you make, your immigration status, race, genetic information, and sexual activity.

Why is this a problem?

When using websites and apps, we are generally aware of the data that might be collected. Website privacy policies are getting more common and are often mandatory. Most people have encountered consent dialogs to opt in to or opt out of data collection. In contrast, data collection by our cars is a relatively unknown topic. Around 82% of the participants in a survey from 2020 had no idea what data their car is transmitting.

Although our cars might seem like a private space, they can and do collect much more data compared to other privacy-relevant product categories such as mental health apps or smart homes. All 25 car manufacturers that were included in the Mozilla Foundation’s research collect more personal data than necessary and use it for purposes other than operating your car. Due to the sensitive nature of this data, I would expect the highest privacy standards and responsible handling.

But limiting and protecting collected data does not seem to be a primary concern for car manufacturers. Sharing and selling your data is a profitable business, and the ecosystem around car data flows is huge. The Markup identified 37 important players in this market, including OEMs, data hubs, infotainment companies, insurers, telecom operators and telematics providers. Capgemini estimates the global revenue for vehicle data monetization at between 80 and 800 billion US dollars by 2030. No wonder that a vast majority of 84% of investigated car brands already share or sell your data.

Claiming anonymization

Despite the claims of data protection through aggregation and anonymization, actual de-identification of datasets is hard to achieve. A study published in Nature in 2013 suggests that for sensitive geolocation data, only four data points (each consisting of a location and time) are sufficient to uniquely identify 95% of the individuals in the dataset. With the far larger volume of increasingly accurate data that we have today, it’s easily possible to re-identify the US president in this type of data.
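The measure behind the four-points result, often called unicity, can be computed on any trace dataset before it is shared. The Python sketch below is an added example, not code from the cited study or the investigations: the traces, cell IDs and coarsening parameters are constructed, and it enumerates every p-point subset instead of sampling them at random.

```python
from itertools import combinations

# Constructed sample: pseudonymous traces of (cell_id, hour_of_day) points.
# All four users share the same morning start; they differ later in the day.
TRACES = {
    "u1": {(1, 8), (2, 9), (3, 18), (4, 19)},
    "u2": {(1, 8), (2, 9), (5, 18), (6, 19)},
    "u3": {(1, 8), (7, 9), (3, 18), (8, 19)},
    "u4": {(1, 8), (2, 9), (3, 18), (9, 20)},
}


def unicity(traces, p):
    """Fraction of p-point subsets (over all traces) matching exactly one trace.

    A subset stands for what an outside observer might know about a person:
    p places and times. If only one trace contains all of them, the
    pseudonym no longer protects that person.
    """
    unique = total = 0
    for trace in traces.values():
        # Traces with fewer than p points yield no subsets and are skipped.
        for subset in combinations(sorted(trace), p):
            known = set(subset)
            matches = sum(1 for other in traces.values() if known <= other)
            total += 1
            unique += matches == 1
    return unique / total if total else 0.0


def coarsen(traces, cells_per_region=3, hours_per_bucket=12):
    """Generalize each point to a larger region and a wider time bucket.

    Assumed scheme for illustration: consecutive cell IDs form a region.
    """
    return {
        user: {((cell - 1) // cells_per_region, hour // hours_per_bucket)
               for cell, hour in trace}
        for user, trace in traces.items()
    }


if __name__ == "__main__":
    for p in range(1, 5):
        print(f"p={p}: unicity {unicity(TRACES, p):.3f}")
    print(f"coarsened, p=2: unicity {unicity(coarsen(TRACES), 2):.3f}")
```

On this sample, unicity rises with every extra known point, and coarsening lowers it without bringing it to zero.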

What can I do about it?

If car brands have another thing in common, it’s the lack of choice when it comes to data collection consent and the difficulty of opting out. Almost no car brand mentions the possibility of having your personal data deleted in its privacy policy. Objecting to data collection is sometimes hard, sometimes ignored, and sometimes manufacturers even intimidate you with the possible inoperability of your car.

Although things are difficult, here are some things you can do to improve your privacy:

  • Check the Mozilla Foundation’s “Tips to protect yourself” for your car brand. It might have some relevant insights from the privacy policy and highlight your options.
  • On rental cars, never allow access to the contacts on your phone, and delete your device from the car’s Bluetooth list before returning. Always do a factory reset when you are selling or giving away your vehicle.
  • If you are living somewhere with stronger privacy laws (the EU or California in the US), make use of your right of access to and deletion of personal data.
  • Sign the Mozilla Foundation’s petition to ask car companies to stop collecting, sharing and selling your personal data.

Conclusion

In the world of smartphone systems, there is a lot of effort going into strengthening users’ privacy controls and economic researchers suggest the latest privacy technologies as a competitive advantage for companies. However, with cars, the trend seems to be the opposite and only very few companies are committing to improving transparency and control over vehicle data processing.

I think that there is a strong need for a clear and informed choice about how consumers’ personal data is collected and utilized. With an impressive amount of high-tech solutions getting implemented in modern cars, it should not be too much to ask to also adopt modern privacy standards in the automotive industry.

Thanks to Will Monge and Jessica Traynor

Sources linked in the article

Data Curious is a public resource supported by Good Research LLC in collaboration with the Center for Digital Civil Society at University of San Diego.

To contact us, send us an email at hello@datacurious.org.
