Man holding tablet with connected car image showing failure of privacy tests

Mozilla: Connected Cars Perform Dismally on Privacy Tests, Every Brand Collecting Excessive Personal Information

Calling it the “worst product category we have ever reviewed,” a team of privacy reporters with Mozilla have skewered connected cars in a new report that puts 25 brands through assorted privacy tests.

The reporters found that every connected car brand collects more personal data than it needs to, and employs it for non-essential purposes. The vast majority are sharing or selling customer data, and do not offer customers access to what is being hoarded and a right to delete or correct it.

Few connected cars offer data transparency, none are minimizing data collection

The report indicates that if you purchase any of the connected cars on the market, expect it to vacuum up more personal data than it needs for operation or maintenance of the vehicle. The privacy tests indicate every brand is peeking at something drivers would likely rather it didn’t, from their chosen song playlist to inferences about their sex life based on vehicle inputs.

84% of the connected cars are additionally selling at least some of this collected data to third parties, or sharing it for “research” or “business” purposes that are not well documented. 76% are straight up selling data, potentially to the sorts of data brokers that build incredibly detailed and invasive marketing profiles. 56% say they will share information with law enforcement on the basis of an “informal request,” not requiring any sort of court order or potentially even a demonstration that a valid investigation into a related crime is taking place.

Only two brands, or 8% of the sample of connected cars, offer customers the ability to access and delete their stored data. Both brands are only available in Europe, and owned by France-based Group Renault, so the inclusion of this feature is likely in response to the requirements of the EU’s General Data Protection Regulation (GDPR).

The privacy tests also indicate that none of the connected cars are encrypting the personal data that they collect. 17 of the 25 car brands included in the study have additionally had some sort of serious cybersecurity issue (a data leak or security breach) within the last three years.

Perhaps unsurprisingly, the Mozilla report’s harshest criticism is reserved for Tesla. The reporters find it the most invasive due to its inclusion of multiple cameras on every vehicle and the questionable track record of its AI autopilot, which has been implicated in a total of 736 known crashes with 17 deaths to date.

Tesla stands out from the other connected cars due to its use of AI, but others are collecting just as much data and sometimes doing even more concerning things with it. Nissan and Kia merit a special mention for attempting to log details about a driver’s “sex life” or “sexual activity” as they go about their daily life. Six brands have privacy policies that indicate they will try to collect genetic characteristics or information from their customers.

The privacy tests unfolded over 600 hours and included researching privacy policies, attempting to follow up with auto manufacturers on unclear points (very often met with silence), and attempting to determine where collected car data is being sent.

Privacy tests indicate that vehicle manufacturers are failing to live up to consumer protection principles, not even attempting informed consent

The report notes that nearly all of these brands (with the exception of Tesla and the Group Renault brands) have signed on to the Alliance for Automotive Innovation’s “Consumer Privacy Protection Principles” pledge. If they were followed, this set of principles would provide car owners with data rights approaching those offered by the GDPR. But as the privacy tests reveal, none of the manufacturers of connected cars are actually implementing these guidelines.

“Consent” is also basically nonexistent in the world of connected cars. Manufacturers consider purchase and use of the car to be sufficient implied consent to whatever they want to do with personal data. Opt-out options are rare, and may break functionality when exercised. For example, one can contact Tesla to have certain types of personal data collection disabled. However, this will end over-the-air updates and the ability to use voice commands and entertainment features. The Tesla privacy policy warns that opting out could make the vehicle “inoperable” or cause “serious damage.”

Privacy policies also strongly tend to be overly long, and written in a vague or confusing way. The privacy tests cite Toyota as a prime example, with a collection of 12 dense documents for vehicle owners to read to be fully apprised of what data is collected and how it might be used.

Most of the problems documented by the privacy test consist of what auto manufacturers might collect or do with all this data, and the fact that the consumer does not have sufficient insight into what is going on. But security is also a serious concern, as evidenced by a 2021 Volkswagen data breach and news from Toyota earlier this year that it was likely leaking customer information to the internet for 10 years due to a misconfigured database. Tesla employees were also recently busted passing private videos from user vehicles around the office as entertainment.