Every car brand Mozilla examined in 2023 failed the organization's privacy and security standards. Cars, the Firefox maker concluded, were "the worst product category we have ever reviewed for privacy."
The data collection starts the moment you sit down. Modern vehicles harvest precise location data about everywhere you go, who's in the car with you, what's playing on the radio, whether you buckle your seatbelt, and how aggressively you accelerate or brake. Some gather weight, age, race, and facial expressions through interior cameras pointed at the driver's seat. Most ship this data off continuously via built-in internet connections.
Your data, once collected, becomes a revenue stream. Mozilla found 19 of 25 car companies said they might sell your data. General Motors allegedly sold driver location information to LexisNexis, a data broker. One driver who obtained his LexisNexis file found 130 pages detailing every trip he and his wife took over six months. His insurance costs jumped 21%; an agent told him the data was a factor. The US Federal Trade Commission barred GM from selling vehicle data for five years, but the company can resume afterward with express consent. LexisNexis and other brokers continue selling vehicle data from other manufacturers and driving apps.
Who buys this data and what they do with it remains largely opaque. Car companies do not have to disclose purchasers. Law enforcement can buy car data when they cannot obtain a search warrant. Companies may use it for marketing, hiring decisions, or building psychological and political profiles.
Jen Caltrider, the Mozilla privacy analyst who led the car research:
"They're taking all the information they collect on you, which is a lot, and using it to make inferences about who you are, how intelligent you are, what your psychological profile is, what your political beliefs are. That's the stuff people don't necessarily think about."
Consent, where it exists, is buried. Car companies obtain permission through infotainment system setup forms and privacy policies that appear when you connect apps or sometimes every time you start the engine. Most drivers do not read them. The United States has no national privacy law; state protections are piecemeal. Europe and the UK offer stronger rights to access, delete, and opt out of data sales, but enforcement remains inconsistent.
A federal mandate will soon expand collection further. US law requires automakers to install "advanced impaired-driving prevention technology" using infrared biometric cameras and other systems to detect drunk or tired drivers through body language and eye tracking. The law includes no provisions governing what happens to the health and behavioral data these systems generate.
Caltrider:
"We need to keep drunk drivers off the road, and it would be great if there was a guarantee that the data won't be used for other purposes, but that's not what's happening. So many of the data collecting advances we see in cars are done under the guise of safety."
Some limits are possible. Do not enroll in insurance telematics programs if privacy concerns outweigh potential discounts. Maryland state analysis found only 31% of telematics participants saw rate decreases; 24% saw increases and 45% saw no change. In the UK, EU, and some US states, you can request your data, opt out of sales, and demand deletion. Some infotainment systems and companion apps offer privacy settings that may limit collection. These steps help, but they place the burden on you to stop companies from extracting value from your daily movements.
McKinsey found 50% of cars on US roads in 2021 had internet connections and predicts 95% by 2030. The question is not whether your vehicle collects data, but whether you can determine where it goes and who profits from it. Source: bbc