Report: Connected Cars Already Know Everything About You

Matt Posky
by Matt Posky

Vehicular privacy is one of those things we never thought we’d have to gripe about but, as automotive connectivity becomes the norm, it’s become one of the most nagging issues in the industry.

Taking a cue from tech giants like Google, Facebook, and pretty much every other website you’ve ever connected to, automakers have begun leveraging customer data on a massive scale. Always-on internet connections exacerbated this problem (feature?), but it’s extremely difficult to tell exactly what kind of information is being shot up into the cloud before ending up at a manufacturer’s data center.

While we’ve seen cars hacked for the purpose of assessing how they’d stand up to malicious entities bent on wreaking havoc, few have attempted to decode the surplus of information emitted by your vehicle. We know this because people would probably be pretty upset to learn of the pathetic level of anonymity currently afforded to them. Despite spending tens of thousands of dollars on a new vehicle, privacy is rarely considered standard equipment.

Borrowing some techniques from crime scene investigators, The Washington Post recently attempted to figure out what kind of information automakers are most interested in. It contacted Jim Mason, an ARCCA engineer that helps reconstruct vehicle accidents, and chose a 2017 Chevrolet Volt.

General Motors has a substantial lead in data acquisition, and it’s been pretty open about its interest in vehicular connectivity. (We’ve covered the evolution of OnStar, the rise of Marketplace, and GM’s research into customer behavior before.) And that background is why The Post went with a Chevy for its tests.

Mason gave the outlet a rundown on how modern vehicles utilize multiple computers and often have an array of sensors (thanks to advanced driving aids) that can store information on internal hard drives in order to be transmitted back to base when convenient. Getting that data as the manufacturer is easy. However, doing so at home requires loads of expertise, time, special equipment, and enough sweat to disassemble part of the car.

From The Washington Post:

It was worth the trouble when Mason showed me my data. There on a map was the precise location where I’d driven to take apart the Chevy. There were my other destinations, like the hardware store I’d stopped at to buy some tape.

Among the trove of data points were unique identifiers for my and [the Volt’s owner] Doug’s phones, and a detailed log of phone calls from the previous week. There was a long list of contacts, right down to people’s address, emails and even photos.

For a broader view, Mason also extracted the data from a Chevrolet infotainment computer that I bought used on eBay for $375. It contained enough data to reconstruct the Upstate New York travels and relationships of a total stranger. We know he or she frequently called someone listed as “Sweetie,” whose photo we also have. We could see the exact Gulf station where they bought gas, the restaurant where they ate (called Taste China) and the unique identifiers for their Samsung Galaxy Note phones.

Mason said he’s also hacked into Fords that recorded positional data every few minutes, regardless of whether you’re using the navigation system, and German models with 300 gigabyte hard drives exclusively used for data storage. He also referenced Tesla Model 3s that collected video clips from the cameras used for Autopilot. Creepily, Mason added that, in most instances, he’s really only able to get a fraction of the data these cars collect.

The vehicle’s owner, Doug, contacted GM to see what kind of data was being transmitted from his vehicle and was simply directed to examine the company’s privacy policy. Following up with dual written request to see his data under California’s “Shine the Light” law (passed in 2003), he was reportedly met with silence.

GM spokesman David Caldwell declined to offer specifics on Doug’s Chevy but said the data GM collects generally falls into three categories: vehicle location, vehicle performance and driver behavior. “Much of this data is highly technical, not linkable to individuals and doesn’t leave the vehicle itself,” he said.

The company, he said, collects real-time data to monitor vehicle performance to improve safety and to help design future products and services.

While we absolutely believe the latter claim, the former borders on a bald-faced lie. “Not linkable to individuals?” Get real. Not only does this hacking experiment prove that the data GM is shifting is personal data (names, addresses, emails, locations, etc.), its corporate privacy policy explicitly says it can do this. The OnStar privacy statement claims GM can store and share your information “for as long as necessary.”

But there were clues to what more GM knows on its website and app. It offers a Smart Driver score — a measure of good driving — based on how hard you brake and turn and how often you drive late at night. They’ll share that with insurance companies, if you want. With paid OnStar service, I could, on demand, locate the car’s exact location. It also offers in-vehicle WiFi and remote key access for Amazon package deliveries. An OnStar Marketplace connects the vehicle directly with third-party apps for Domino’s, IHOP, Shell and others.

This would feel a lot less ominous if automakers kept their promises. In 2014, twenty of the world’s largest automotive manufacturers collectively agreed to meet or exceed commitments contained in the Automotive Consumer Privacy Protection Principles and protect personal information collected through in-car technologies. Unfortunately, it hasn’t amounted to much. Carmakers are collecting more data than ever and feverishly attempting to find ways to monazite it in the coming years.

Many automakers, including General Motors, claim they’ve found a way to protect customers by using “anonymized data.” But it’s practically meaningless when all the information being collected is building a user profile as distinct as a fingerprint — which is then shared with third parties GM can’t tell you about.

The Washington Post article goes into additional detail about how these changes are impacting right-to-repair laws, government surveillance concerns, targeted advertising, unsavory insurance programs, and a bunch of other stuff we’ve already complained about. It wants you to be weary of data acquisition and address the need for more transparency within the industry. Right now, we’ve basically given automakers the ability to access the same information phone carriers and social media firms do with less protection.

Mason recommended those interested in maintaining their privacy simply drive an older vehicle assembled before connectivity was a concern. More realistically, one could purchase a lighter adaptor to charge their phone — as simply connecting it to a USB port would be enough for most vehicles to sweep up every scrap of data you had on it. He also suggested telling the dealer you want to become an expert on turning off connected services. However, this would only stop automakers from collecting certain kinds of data (usually location) and isn’t a feature most newer models possess.

[Images: General Motors]

Matt Posky
Matt Posky

A staunch consumer advocate tracking industry trends and regulation. Before joining TTAC, Matt spent a decade working for marketing and research firms based in NYC. Clients included several of the world’s largest automakers, global tire brands, and aftermarket part suppliers. Dissatisfied with the corporate world and resentful of having to wear suits everyday, he pivoted to writing about cars. Since then, that man has become an ardent supporter of the right-to-repair movement, been interviewed on the auto industry by national radio broadcasts, driven more rental cars than anyone ever should, participated in amateur rallying events, and received the requisite minimum training as sanctioned by the SCCA. Handy with a wrench, Matt grew up surrounded by Detroit auto workers and managed to get a pizza delivery job before he was legally eligible. He later found himself driving box trucks through Manhattan, guaranteeing future sympathy for actual truckers. He continues to conduct research pertaining to the automotive sector as an independent contractor and has since moved back to his native Michigan, closer to where the cars are born. A contrarian, Matt claims to prefer understeer — stating that front and all-wheel drive vehicles cater best to his driving style.

More by Matt Posky

Join the conversation
5 of 51 comments
  • TomLU86 TomLU86 on Dec 19, 2019

    On any given day, there are thousands of cars built between 1965 and 1995 that are relatively rust-free and in good shape, or serviceable. As others mentioned, that is your best bet if closing this gaping loophole to your privacy is imoportant to you. If you live in a salt-free area, you can get another 20-40 years out of it, if parts remain available (and the more people who have old cars, the more likely this is). If not, if you have the means and garage space, get two. The Air Force is still flying B-52s and KC-135s that predate the Ford Mustang. Of course, their resources are greater, but keeping an aircraft going is very challenging. We lived in a 'golden era', in North America, from 1945 till now. Especially 1945-1973, the golden summer, which I missed out on, as I was not an adult, with an Indian summer of sort from 1983-2001 Times change, and people's increasing wants, driven by personal attitudes and more importantly, the demographics of aging, at the same time as the economy/society's ability to provide for them is declining is not a happy combination. Technology has helped mitigate the gap, but with side effects. Now, technology will be explicitly hailed as the 'savior' of our world, if only we accept it (and the big entities than usually control it), and adopt certain changes. Data tracking is one way to 'optimize', or 'control' depending on one's perspective. "Traffic calming" is another the name of 'pedestrian' and 'bicyclist' 'road access', let's strangle the traffic. In the USA, a suburban society, where much of the country has snow and cold 3-5 months a year, this is pretty stupid, but is is happening. Even in Michigan! Even our money is being used to keep things going! We are drowning in debt, yet things are going well. Some countries have negative interest rates, we have near zero in the US. It's all good! Or is it? As a side note, it's interesting to observe that of the major carmakers, GM is at the forefront of the drive to gather your personal data, monetize it, get you into an electric car, and ultimately into an autonomous vehicle.

    • See 2 previous
    • Arthur Dailey Arthur Dailey on Dec 19, 2019

      @boxcar: The US government sold off all their shares in GM just over 6 years ago. During the Obama administration. The Chinese government probably has more input into GM's practices now than the American government. Ask @Deadweight.

  • -Nate -Nate on Dec 20, 2019

    Good thing I keep the ear flaps on my tin foil hat well adjusted =8-) . "This is exactly why national legislation is necessary." So then, more big gub'mint is the solution ? . The GM bailout was begun by President Bush, not that uppity guy you're still afraid of.... I'm glad I don't live in the rust belt, "thousands of serviceable vehicles" isn't going to help the millions of Americans who apparently need data free transportation . -Nate

  • Varezhka The biggest underlying issue of Mitsubishi Motors was that for most of its history the commercial vehicles division was where all the profit was being made, subsidizing the passenger vehicle division losses. Just like Isuzu.And because it was a runt of a giant conglomerate who mainly operated B2G and B2B, it never got the attention it needed to really succeed. So when Daimler came in early 2000s and took away the money making Mitsubishi-Fuso commercial division, it was screwed.Right now it's living off of its legacy user base in SE Asia, while its new parent Nissan is sucking away at its remaining engineering expertise in EV and kei cars. I'd love to see the upcoming US market Delica, so crossing fingers they will last that long.
  • ToolGuy A deep-dive of the TTAC Podcast Archives gleans some valuable insight here.
  • Tassos I heard the same clueless, bigoted BULLSHEET about the Chinese brands, 40 years ago about the Japanese Brands, and more recently about the Koreans.If the Japanese and the Koreans have succeeded in the US market, at the expense of losers such as Fiat, Alfa, Peugeot, and the Domestics,there is ZERO DOUBT in my mind, that if the Chinese want to succeed here, THEY WILL. No matter what one or two bigots do about it.PS try to distinguish between the hard working CHINESE PEOPLE and their GOVERNMENT once in your miserable lives.
  • 28-Cars-Later I guess Santa showed up with bales of cash for Mitsu this past Christmas.
  • Lou_BC I was looking at an extended warranty for my truck. The F&I guy was trying to sell me on the idea by telling me how his wife's Cadillac had 2 infotainment failures costing $4,600 dollars each and how it was very common in all of their products. These idiots can't build a reliable vehicle and they want me to trust them with the vehicle "taking over" for me.