How Much Privacy Do You Really Have In Modern Vehicles?

Matt Posky
by Matt Posky

how much privacy do you really have in modern vehicles

Whenever the issue of vehicular privacy comes up, the discussion almost immediately pivots to individuals either defending or condemning the status quo. But this often happens without either side of the argument having a firm understanding of how much information is actually being obtained inside today’s automobiles.

While we’ve covered the topic frequently, articles have typically focused on specific issues rather than overall scope. But things are different this time, with the Mozilla Foundation recently issuing a study trying to assess just how far-reaching the automotive industry’s quest for data has become.

Based upon the data provided in the Mozilla report, and some additional data furnished by Axios, things look pretty bad. Older vehicles equipped with any amount of connectivity amassed loads of information regarding control inputs, positional data, music preferences, and just about everything that went through a car’s ECU. But newer models are equipped with sensor arrays, exterior camera systems, interior microphones, and maybe even an in-cabin camera that keeps tabs on the driver in real-time.

McKinsey & Company claims that’s sufficient for the average vehicle to compile and then transmit roughly 25 gigabytes of data per hour. For the sake of comparison, streaming a 2-hour video at 1080p HD and 60 frames per second is only about 6 gigabytes. That’s a truly staggering amount of information and that estimate comes from several years ago — presumably meaning newer vehicles are even better equipped to harvest data.

For those taking solace in the fact that over a dozen major automotive brands signed a voluntary set of automotive privacy principles in 2014, Mozilla claims that not one of them has actually adhered to them. It looked into 25 popular brands representing a majority of the vehicles people tend to buy and determined that none of them are seriously interested in protecting your privacy.

Though they weren’t all equal. Despite literally every brand investigated yielding serious privacy concerns Mozilla considered totally unacceptable, a few brands took data harvesting to legitimately scary places. For example, Nissan has a privacy notice that says the company can share "sensitive personal information, including driver's license number, national or state identification number, citizenship status, immigration status, race, national origin, religious or philosophical beliefs, sexual orientation, sexual activity, precise geolocation, health diagnosis data, and genetic information."

Genetic information? Religious or philosophical beliefs? Sexual activity?! Never mind how creepy that is. How in the world would a company even manage to access that kind of information?

Still, Nissan products ended up receiving the same negative score as the vehicles being offered up by Volkswagen, General Motors, Ford, Mercedes-Benz, Toyota, Honda, and Hyundai and all of its subsidiaries.

Stellantis brands (e.g. Jeep and Dodge), BMW, and Subaru performed marginally better. However, Mozilla still made it crystal clear that they too were engaged in unsavory data shenanigans — adding that the issue was so vast and murky that it likely had only scratched the surface.

This wasn’t due entirely to how much data was being collected. It also stemmed from the fact that it wasn’t clear whether the data collected was even being encrypted or anonymized. Ultimately, the report determined that no automaker was doing a good job protecting user data and all of them were sucking it up as fast as possible.

From the Mozilla Foundation report:

It’s so strange to us that dating apps and sex toys publish more detailed security information than cars. Even though the car brands we researched each had several long-winded privacy policies (Toyota wins with 12), we couldn’t find confirmation that any of the brands meet our Minimum Security Standards.
Our main concern is that we can’t tell whether any of the cars encrypt all of the personal information that sits on the car. And that’s the bare minimum! We don’t call them our state-of-the-art security standards, after all. We reached out (as we always do) by email to ask for clarity but most of the car companies completely ignored us. Those who at least responded (Mercedes-Benz, Honda, and technically Ford) still didn’t completely answer our basic security questions.
A failure to properly address cybersecurity might explain their frankly embarrassing security and privacy track records. We only looked at the last three years, but still found plenty to go on with 17 [or 68 percent] of the car brands earning the “bad track record” ding for leaks, hacks, and breaches that threatened their drivers’ privacy.

“We spent over 600 hours researching the car brands’ privacy practices,” explained the report. “That’s three times as much time per product than we normally do. Even still, we were left with so many questions. None of the privacy policies promise a full picture of how your data is used and shared. If three privacy researchers can barely get to the bottom of what’s going on with cars, how does the average time-pressed person stand a chance?”

Here’s what we do know.

Roughly 84 percent of the companies investigated share or sell the personal data they accrue and 56 will share data with law enforcement in response to an informal request. That latter issue means the company will hand over information about you to the government sans any kind of official warrant or legal backing. Additionally, the average driver spends about 300 hours per year driving and literally every second of that involves some kind of data capture that’s then beamed back to the company that sold you the vehicle.

There also seems to be a general consensus that Tesla is among the worst offenders (if not the worst) in terms of data harvesting and customer privacy. Axios noted this in 2019 and Mozilla backed it in its recent report.

However, chalking it up to companies wanting to spy on you is a massive oversimplification. Data sales is already a multi-billion-dollar industry and McKinsey has estimated that the automotive component will be worth between $450-750 billion by 2030. Still, minimizing the harm this could cause feels unwise and is already tragically commonplace.

One of the preferred ways of downplaying invasions of privacy is to suggest that one’s privacy has already been violated. People will make remarks about how their credit card company, phone, internet service provider, and other businesses are already spying on them — suggesting that another entity taking a peek into your personal doings is of little consequence.

This is a less-than-serious argument made by people who lack standards for themselves and those who have been so badly abused that subsequent abuse no longer registers as harm. One doesn’t suddenly stop being injured once their assailant has thrown a dozen punches and the issue is no different in terms of enduring privacy violations.

Your data is extremely valuable. Every company in the world wouldn’t be bending over backward to procure it otherwise. Social media companies' entire business model revolves around commodifying user data and other industries are quickly following suit. While customers do sometimes get something out of the arrangement (e.g. a deluge of analytics helping to yield a better product), that’s hardly a guarantee and it’s more common to see data being harvested just for the sake of having it on hand for later.

This could be resolved by limiting data harvesting to specific tasks. For example, something like Ford Pro offers scads of analytics to fleet operators with the Blue Oval raking in data that can be further used to improve its products. Regardless of how lopsided the deal is, the customer is still getting something in return.

But this reciprocation becomes less evident when we move to private vehicle ownership. Drivers may benefit from over-the-air updates (though they often seem like an excuse to dodge more complicated and costly repairs) and future products. However, it’s ultimately the company that benefits monetarily with the customer having no real way of opting out.

Similar to how various data-hungry websites offer lengthy terms and conditions nobody has time to read that come into effect the second you log in, automakers are making it extremely difficult to opt out of so-called vehicle data agreements.

“Many people have lifestyles that require driving. So unlike a smart faucet or voice assistant, you don’t have the same freedom to opt out of the whole thing and not drive a car,” stated Mozilla. “We’ve talked before about the murky ways that companies can manipulate your consent. And car companies are no exception. Often, they ignore your consent. Sometimes, they assume it. Car companies do that by assuming that you have read and agreed to their policies before you step foot in their cars. Subaru’s privacy policy says that even passengers of a car that uses connected services have ‘consented’ to allow them to use — and maybe even sell — their personal information just by being inside.”

While there are a few countries and states that have enacted privacy legislation designed to protect against all the above, they’re in the minority and it rarely prevents companies from ending data procurement in its entirety. There also doesn’t seem to be any automaker that’s going against the grain by electing not to harvest your personal information. This not only blurs the line in terms of who actually owns the vehicle you’ve spent so much money on, it also sets an ugly precedent for future privacy violations.

There are a few solutions. Customers can attempt to disable the connectivity features on their vehicles. However, this would nullify any features tied to those services and almost assuredly void aspects of your warranty. One could also exclusively buy older vehicles that lack connectivity features. But that’s not convenient for everyone and there will come a day when those models are difficult to come by in decent condition.

That basically just leaves customers finally coming together to tell the industry they’ve had enough of this. However, that could be easier said than done. Data procurement has spent the last two decades being normalized in a slew of industries and the government seems ill-equipped to even understand the concept of mass data harvesting, let alone how best to regulate such things.

Mozilla offered a petition asking car companies to “respect drivers’ privacy and to stop collecting, sharing and selling our very personal information.” But your author is inclined to believe that it’s going to take a lot more than that to undo what’s now the status quo.

The industry has already said it cannot comply with right-to-repair laws that are already on the books and they'll undoubtedly use similar arguments in regard to privacy concerns. There's little hope of automakers abandoning mass data harvesting without a fight. Raising awareness is absolutely essential in winning that battle. However, the data is simply too lucrative for companies to willingly abandon. Consumers will need to do more than simply acknowledge how unfair this is and that applies to more than just what's going on in the automotive sector.

[Image: Nissan]

Become a TTAC insider. Get the latest news, features, TTAC takes, and everything else that gets to the truth about cars first by  subscribing to our newsletter.

Join the conversation
2 of 42 comments
  • Sobhuza Trooper Sobhuza Trooper 7 days ago

    Last month we rented a 2022 Toyota Highlander for an extended trip. While passing another vehicle, my wife noted a "WOLF" name its back hatch and asked me "What is a Wolf?". Before I could suggest it was probably the name of the dealership which sold it, our car piped up, telling us that a wolf was a predator animal native to North America.

    Not a fan.

  • Sgeffe Sgeffe 7 days ago

    I'll take the privacy hit required for the telematics to be able to remote-start/lock/etc. the car from anywhere in the world. Beyond that, the lesser the better, even though if I believed that would ever happen, I'd also call myself delusional.

  • Dukeisduke I'm not convinced that the "software update" installed by Hyundai/Kia dealers on later cars without an immobilizer (like my middle daughter's 2014 Kia Forte sedan) actually does anything. I'm able to lock the car with the remote, which is supposed to disable the ignition, then reach in through an open driver's window, insert the key, and start the car. That shouldn't happen.I opened a case with Kia corporate two weeks ago and haven't gotten a response.
  • Wjtinfwb I see all three backing away quietly and slowly. Between political winds and corporate green mandates plus the previously mentioned mandates, automakers will have to thread a needle between public demand and acceptance, and the extremely loud voices of the minority screaming for fossil fuels to be abandoned by 2030, which of course won't happen. Ford jumped in early with the Lightning and Mach-E, but since has tempered their enthusiasm and probably spent less money as the Lightning shares a lot with the gas F-150. GM however has built some bespoke platforms out on the edge that will end up being a gigantic waste of money. The Hummer EV is a joke and the new Silverado EV while impressive is both expensive and less practical than an electric version of the current gas Silverado could have been. The Cadillac EVs are the dumbest move yet, especially their upcoming 400k model. Ford seems to have a leg up on GM in Hybrid which would seem like a better interim measure, I'd be surprised if a Hybrid Explorer isn't in the works and could see a Gas/Electric Expedition and Super Duty being successful as well. US energy policy and gas prices into the next administration will play a significant role in consumer demand, if prices stay high and supplies artificially constrained, demand will increase for more efficient cars and trucks. If we go back to a self-sufficient energy policy and prices drop, demand for Hybrid's and EVs will moderate even more.
  • Wjtinfwb Poor cousin to the Blazer & Bronco that dominated this segment. The 1st Gen Ramcharger was a much better and better looking truck, with the 440 available and without the AMC Pacer style real windows. The Bronco and Blazer felt and looked much more modern and cohesive than the Mopar's, and that's not saying very much. Probably attractive to the Mopar faithful but for the rest of us... No thanks at any price.
  • Not Ford will have a great reckoning with its EV production goals. Their EVs haven’t been as popular as initially anticipated and have been dealing quality issues (persistent recalls on Mach E) or disappointing performance (cold weather and towing greatly diminishing range on Lightning).Their top selling vehicle remains the ICE powered F-series. Consumers will only tolerate so much price increase as Ford tries to subsidize the massive losses it incurs with EV production. Being forced to eat profit off of 2-3 ICE F-series to offset losses from a single Lightning will quickly prove to be unsustainable business. This is the very same company that abandoned cars entirely to focus on more profitable trucks.
  • LYNN DELANEY Mine is a 2001 Pure White Miata. I bought it at Concord Mazda. I love it but Imay be about to get rid of it I guess. It's been in my garage for quite awhile. Why? 1. I don't have a lot of money (I'm a retired teacher) And I've had issues with it that require financing. For example when you insert the key and turn it nothing happens. Why? I got it at Concord Mazda and somehow. it came to my condo shared garage to die and has remained such to this day. If you want to experience it you put the key in the keyhole and turn it but silence ensues and you wonder why but you know it's because the key was "programmed and it worked when you brought it home but not since.I'm told it requires a new battery but I've not had the financial energy to deal with it. I love my Miata but will I keep it? I'm unsure. Next step? Install a new battery...When it came home from Concord Mazda it was perfect for a quick minute. I tested it. I drove it around my block in Oakland, California just one time. That was the end of it. Since them I'm told it needs a new battery. It's a 2001. Shall I go ahead and splurge?