Thursday, September 7, 2023

Mozilla Report on Auto Privacy

Mozilla (via Dan Gillmor, Hacker News):

Car makers have been bragging about their cars being “computers on wheels” for years to promote their advanced features. However, the conversation about what driving a computer means for its occupants’ privacy hasn’t really caught up. While we worried that our doorbells and watches that connect to the internet might be spying on us, car brands quietly entered the data business by turning their vehicles into powerful data-gobbling machines. Machines that, because of their all those brag-worthy bells and whistles, have an unmatched power to watch, listen, and collect information about what you do and where you go in your car.

All 25 car brands we researched earned our *Privacy Not Included warning label -- making cars the official worst category of products for privacy that we have ever reviewed.


That’s right: every car brand we looked at collects more personal data than necessary and uses that information for a reason other than to operate your vehicle and manage their relationship with you.


The ways that car companies collect and share your data are so vast and complicated that we wrote an entire piece on how that works. The gist is: they can collect super intimate information about you -- from your medical information, your genetic information, to your “sex life” (seriously), to how fast you drive, where you drive, and what songs you play in your car -- in huge quantities. They then use it to invent more data about you through “inferences” about things like your intelligence, abilities, and interests.

I didn’t see where it says how the data gets back to the car companies. Do vehicles have cellular connections to phone home, even when there are no user-facing features that can use this connection? Does it get transferred via a direct connection when you take the car to a dealer?

Surely, using CarPlay is better than using the built-in software. But I’m seeing conflicting reports about whether CarPlay data stays on the phone or needs to be manually deleted when you sell a car or return a rental.

Thomas Germain (Hacker News):

Mozilla said it was unable to determine whether the brands encrypt any of the data they collect, and only Mercedes-Benz responded to the organization’s questions.

Mozilla also found that many car brands engage in “privacy washing,” or presenting consumers with information that suggests they don’t have to worry about privacy issues when the exact opposite is true. Many leading manufacturers are signatories to the Alliance for Automotive Innovation’s “Consumer Privacy Protection Principles.” According to Mozilla, these are a non-binding set of vague promises organized by the car manufacturers themselves.


Questions around consent are essentially a joke as well. Subaru, for example, says that by being a passenger in the car, you are considered a “user” who has given the company consent to harvest information about you.

Nick Heer:

It is entirely possible these privacy policies reflect an overly broad approach, that cars do not actually collect vast amounts of personal information, and that the data brokers who have partnered with automakers are marketing themselves more ambitiously than they are able to deliver. But is that better? Automakers either collect vast amounts of private information which they share with data brokers and use for targeted advertising efforts, or they are lying and only wish they were collecting and sharing vast amounts of private information.


Update (2023-09-14): See also: Bruce Schneier and Rob Beschizza.

8 Comments RSS · Twitter · Mastodon

The quick answer to your question is yes: the majority of new cars have cellular connectivity built in, and send back telemetry data. In the US, apparently, 91% of all new cars have this.


I was slightly terrified to see that the default privacy setting for my car is to always allow google to know my location through the cellular connection in the car (as opposed to only when using the maps app). The optimist is that this is for traffic reasons, but let's be honest, it's google. I also don't know if having the map displayed in my dashboard counts as using the app. It's terribly frightening given all the apps preinstalled on the car.

I don’t think you have to worry about CarPlay. Checked you link and it matched my guess… as long as you don’t sync contacts to the unit (outside of CarPlay, via Bluetooth), you should be fine.

She quotes VW’s Spokesman Mark Gillies, “For every paired Bluetooth phone, the car stores the phone ID and pairing information. The phonebook data and calling lists are transferred to the car. When you disconnect the phone, the call information is removed from the car’s memory and updated on a following reconnect. The phonebook data persists in the car in order to be available immediately after a next connect.”

@Ruffin I’ll have to check, but I thought my car was showing some call information on its gauges display even though I didn’t opt into Bluetooth syncing. Certainly, it has access to the audio from both sides of the call…

Just wait until insurance companies demand access to telemetry in order to get a "discount" that just happens to lower rates closer to what you pay today vs. a lot more.
I'm kind of shocked they haven't tried it already. It's why I'll hopefully be buried in my late 90's cars. Can't give them access to something I don't have. Ugh.


Unfortunately, this article did not answer an important question.

When is the embedded cellular modem actually activated on the cellular network?

Is it only activated if I subscribe to (for example) an OnStar service? (or take advantage of the included trial with a new vehicle?)

I find it hard to believe that GM would pay AT&T to keep active the cellular modems of non-subscribers.

@Mike Richardson There are deeply discounted low speed data plans that run at "best effort"; basically excess cellular capacity. If a car company buys in bulk the data rates are indeed miniscule. Well worth the telemetry data alone. They aren't paying anywhere near consumer data plan rates.

@Ian If only Michael could have asked that question in the headline ;)

Leave a Comment