What does my car know about me?
Modern cars are pretty much rolling computers. With the increasing amount of sensors, control units and entertainment systems, even non-autonomous cars are running on several million lines of code. Built-in cellular connectivity allows us to find the best route in seconds, stream music and even update cars with the latest features without visiting a service station.
But what happens with the pile of data that is collected from day to day? Who has access to your mileage, GPS locations, camera videos, and your call history? What data is shared, with whom, and for what purpose?
What data is collected?
A modern vehicle is equipped with over 100 technical sensors. These can include engine sensors to measure the fuel efficiency, safety sensors like blind spot detection, and all the new features that make cars so convenient today. We can call our friends with a single voice command, open the trunk with the wave of a foot or detect driver fatigue by monitoring our posture. Without connectivity, any infotainment system would be pretty limited, so of course interacting with the navigation and entertainment apps connects to the internet. Finally, connected devices like our phones and the apps on it can interact with the car.
All these sensors and devices are generating lots of data. Any interaction with your car or just by sitting in there, creates multiple digital events that are collected, processed and eventually shared for various purposes. Additionally, manufacturers collect extra information via data brokers, car dealers and connected other sources. In total, Mozilla Foundations’ analysis identified over 160 types of data that cars are collecting about you, what you do in your car, and about the world around your car.
Why is this a problem?
When using websites and apps, we generally are aware of the data that might be collected. Website’s privacy policies are getting more common and are often mandatory. Most people have encountered consent dialogs to opt-in or opt-out of data collection. In contrast, data collection by our cars is a relatively unknown topic. Around 82% of the participants in a survey from 2020 have no idea what data their car is transmitting.
Although our cars might seem like a private space, they can and do collect much more data compared to other privacy relevant product categories such as mental health apps or smart homes. All 25 car manufacturers that were included in Mozilla Foundations’ research collect more personal data than necessary and use them for purposes other than operating your car. Due to the sensitive nature of this data, I would expect the highest privacy standards and responsible handling.
But limiting and protecting collected data seems not to be a primary concern for car manufacturers. Sharing and selling your data is a profitable business and the ecosystem around car data flows is huge. The Markup identified 37 important players in this market, including OEMs, data hubs, infotainment companies, insurances, telecom operators and telematic providers. Capgemini estimates the global revenue for vehicle data monetization by 2030 between 80 and 800 billion US dollars. No wonder that a vast majority of 84% of investigated car brands already share or sell your data.
Despite the claims for data protection by aggregation and anonymization, actual de-identification of datasets is hard to achieve. A study published in Nature 2013 suggests that for sensitive geolocation data, only four data points (consisting of a location and time) are sufficient to uniquely identify 95% of the individuals of the dataset. With much more and the increasingly accurate data that we have today it’s easily possible to re-identify the US president in this type of data.
What can I do about it?
Although things are difficult, here are some things you can do to improve your privacy:
- On rental cars, never allow access to the contacts on your phone and delete your device from the car’s bluetooth list before returning. Always do a factory reset when you are selling or giving away your vehicle.
- If you are living somewhere with stronger privacy laws (EU or US California), make use of your right of access and deletion of personal data.
- Sign Mozilla Foundations’ petition to ask car companies to stop collecting, sharing and selling your personal data.
In the world of smartphone systems, there is a lot of effort going into strengthening users’ privacy controls and economic researchers suggest the latest privacy technologies as a competitive advantage for companies. However, with cars, the trend seems to be the opposite and only very few companies are committing to improving transparency and control over vehicle data processing.
I think that there is a strong need for a clear and informed choice about how consumers personal data is collected and utilized. With an impressive amount of high-tech solutions getting implemented in modern cars, it should not be too much to ask to also adapt modern privacy standards in the automotive industry.
Thanks to Will Monge and Jessica Traynor
Sources linked in the article