Car makers have been bragging about their cars being “computers on wheels” for years to promote their advanced features. However, the conversation about what driving a computer means for its occupants’ privacy hasn’t really caught up. While we worried that our doorbells and watches that connect to the internet might be spying on us, car brands quietly entered the data business by turning their vehicles into powerful data-gobbling machines. Machines that, because of all those brag-worthy bells and whistles, have an unmatched power to watch, listen, and collect information about what you do and where you go in your car.
All 25 car brands we researched earned our *Privacy Not Included warning label — making cars the official worst category of products for privacy that we have ever reviewed.
These findings fall into the category of “I had no idea, but I guess I’m not surprised.” Mozilla concluded that car companies are terrible about privacy because they collect too much personal data, share or sell collected data, give drivers little to no control over their data, and don’t publish useful security details, such as whether all that data is encrypted at rest. Nor are they good at protecting what they collect—Honda, Mercedes-Benz, Nissan, Toyota, and Volkswagen have suffered breaches affecting millions of drivers.
Sensitive personal information, including driver’s license number, national or state identification number, citizenship status, immigration status, race, national origin, religious or philosophical beliefs, sexual orientation, sexual activity, precise geolocation, health diagnosis data, and genetic information.
At least the source of those particular data types is “Direct contact with users”—your Nissan Leaf isn’t detecting backseat nookie. But between today’s sensor- and camera-laden vehicles and their accompanying apps, carmakers can hoover up a vast amount of information about how you drive. Along with geolocation data, Hyundai says it may collect:
driving data about the operation of a Vehicle, such as speed, acceleration and braking data; direction of travel; trip data (mileage, date, length, conditions); ignition events; steering events; cruise control data; seatbelt status; information about Vehicle incidents or events; other information about how you drive a Vehicle; as well as associated date/time stamps for such information.
What remains unknown is just how real the privacy risks are. Just because carmakers craft their privacy policies to say they can collect data about your tooth enamel doesn’t mean they’re doing it or sharing the details with fly-by-night dentists. However, even if nothing is actually happening now, it’s still troubling that carmakers are giving themselves legal cover for whatever they decide to do in the future.
Mozilla’s reports on each carmaker offer suggestions for reducing the impact of this data collection, but there’s not much you can do and little difference between manufacturers. Perhaps signing Mozilla’s petition and helping to spread the word can embarrass some of these companies into doing better.