Mozilla calls cars from 25 automakers 'data privacy nightmares on wheels'
Does your vehicle really need to know about your bedroom antics?
Updated Privacy-invading data harvesting by smartphones, wearable devices, smart doorbells, and reproductive health apps are well known, but the Mozilla Foundation has found the worst threat to your privacy may be parked in your driveway.
The foundation, the Firefox browser maker’s netizen-rights org, assessed the privacy policies and practices of 25 automakers and found all failed its consumer privacy tests and thereby earned its Privacy Not Included (PNI) warning label.
If you care even a little about privacy, stay as far away from Nissan's cars as you possibly can
In research published Tuesday, the org warned that manufacturers may collect and commercially exploit much more than location history, driving habits, in-car browser histories, and music preferences from today's internet-connected vehicles. Instead, some makers may handle deeply personal data, such as – depending on the privacy policy – sexual activity, immigration status, race, facial expressions, weight, health, and even genetic information, the Mozilla team found.
Cars may collect at least some of that info about drivers and passengers using sensors, microphones, cameras, phones, and other devices people connect to their network-connected cars, according to Mozilla. And they collect even more info from car apps – such as Sirius XM or Google Maps – plus dealerships, and vehicle telematics.
Some car brands may then share or sell this information to third parties. Mozilla found 21 of the 25 automakers it considered say they may share customer info with service providers, data brokers, and the like, and 19 of the 25 say they can sell personal data.
More than half (56 percent) also say they share customer information with the government or law enforcement in response to a "request." This isn't necessarily a court-ordered warrant, and can also be a more informal request.
And some – like Nissan – may also use this private data to develop customer profiles that describe drivers' "preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes."
Yes, you read that correctly. According to Mozilla's privacy researchers, Nissan says it can infer how smart you are, then sell that assessment to third parties.
- Mozilla finds 18 of 25 popular reproductive health apps share your data
- Twitter says it may harvest biometric, employment data from its addicts
- Cops told: Er, no, you need a wiretap order if you want real-time Facebook snooping
- Microsoft ain't happy with Russia-led UN cybercrime treaty
"Why does a car company need to make an inference about my intelligence? It gets creepy really fast," PNI program director Jen Caltrider told The Register.
Nissan, according to the research, is "probably the worst car company we reviewed, and that says something because all car companies are really bad at privacy."
"Please people, if you care even a little about privacy, please stay as far away from Nissan's cars, apps, and connected services as you possibly can," it continues.
According to the Nissan USA privacy notice, the automaker may collect and share a ton data for targeted marketing purposes, including:
Sensitive personal information, including driver's license number, national or state identification number, citizenship status, immigration status, race, national origin, religious or philosophical beliefs, sexual orientation, sexual activity, precise geolocation, health diagnosis data, and genetic information.
"Nissan's privacy policy stands out as one of the most amazing things I've ever read," Caltrider said. "They aren't shy about saying they could collect all of this stuff."
But Nissan isn't the only brand to collect information that seems completely irrelevant to the vehicle itself or the driver's transportation habits.
"Kia mentions sex life," Caltrider said. "General Motors and Ford both mentioned race and sexual orientation. Hyundai said that they could share data with government and law enforcement based on formal or informal requests. Car companies can collect even more information than reproductive health apps in a lot of ways."
(Some) car brands respond
A Nissan spokesperson provided the following comment to The Register: "We're just being made aware of this report so it will take a bit of time to review it and provide a response."
Caltrider said the Privacy Not Included team contacted Nissan and all of the other brands listed in the research: that's Lincoln, Mercedes-Benz, Acura, Buick, GMC, Cadillac, Fiat, Jeep, Chrysler, BMW, Subaru, Dacia, Hyundai, Dodge, Lexus, Chevrolet, Tesla, Ford, Honda, Kia, Audi, Volkswagen, Toyota and Renault.
Only three – Mercedes-Benz, Honda, and Ford – responded, we're told.
"Mercedes-Benz did answer a few of our questions, which we appreciate," Caltrider said. "Honda pointed us continually to their public privacy documentation to answer your questions, but they didn't clarify anything. And Ford said they discussed our request internally and made the decision not to participate."
This makes Mercedes' response to The Register a little puzzling. "We are committed to using data responsibly," a spokesperson told us. "We have not received or reviewed the study you are referring to yet and therefore decline to comment to this specifically."
A spokesperson for the four Fiat-Chrysler-owned brands (Fiat, Chrysler, Jeep, and Dodge) told us: "We are reviewing accordingly. Data privacy is a key consideration as we continually seek to serve our customers better."
Representatives for Kia, meanwhile, told us it doesn't harvest details of people's sex lives, though it includes it in its privacy policy as an example of what could be collected: “While we may collect certain types of personal information, including 'sensitive personal information' as defined by the California Consumer Privacy Act of 2018, not all types of personal or sensitive personal information are collected by us – as stated in our privacy policy.
"Whether certain information is collected by us depends on the context in which a consumer interacts with us. To clarify, Kia does not and has never collected 'sex life or sexual orientation' information from vehicles or consumers in the context of providing the Kia Connect Services.
"This category of information is included in our privacy policy, which tracks the CCPA, as an example of the type of information defined as 'sensitive personal information' under Section 1708.140(ae) of the CCPA.”
"The privacy of consumers is important to Kia America," the automaker's team added.
BMW told us, through a spokesperson, that the carmaker "takes data privacy and data security of our customers very seriously" and sent the following response:
For transparency, BMW NA provides our customers with comprehensive data privacy notices regarding the collection of their personal information. For individual control, BMW NA allows vehicle drivers to make granular choices regarding the collection and processing of their personal information. We voluntarily comply with a customer's data privacy requests (for example, request for access, deletion, correction) even in states where we are not required to do so. Further, we allow our customers to delete their data whether on their apps, vehicles or online.
BMW NA does not sell our customer's in-vehicle personal information.
BMW NA provides our customers the opportunity to opt out of BMW targeted behavioral advertising on the internet. With respect to data security, we take comprehensive measures to protect our customers' data. Please understand we cannot comment further without having seen the survey or its results.
The Mozilla Foundation also called out consent as an issue some automakers have placed in a blind spot.
"I call this out in the Subaru review, but it's not limited to Subaru: it's the idea that anybody that is a user of the services of a connected car, anybody that's in a car that uses services is considered a user, and any user is considered to have consented to the privacy policy," Caltrider said.
Opting out of data collection is another concern.
Tesla, for example, appears to give users the choice between protecting their data or protecting their car. Its privacy policy does allow users to opt out of data collection but, as Mozilla points out, Tesla warns customers: "If you choose to opt out of vehicle data collection (with the exception of in-car Data Sharing preferences), we will not be able to know or notify you of issues applicable to your vehicle in real time. This may result in your vehicle suffering from reduced functionality, serious damage, or inoperability."
While technically this does give users a choice, it also essentially says if you opt out, "your car might become inoperable and not work," Caltrider said. "Well, that's not much of a choice." ®
Updated to add
After publication of this article Nissan, which was excoriated by Mozilla's report, issued the following update.
"Nissan takes privacy and data protection for our consumers and employees very seriously. When we do collect or share personal data, we comply with all applicable laws and provide the utmost transparency," it told The Register.
"Nissan’s Privacy Policy incorporates a broad definition of Personal Information and Sensitive Personal Information, as expressly listed in the growing patchwork of evolving state privacy laws, and is inclusive of types of data it may receive through incidental means."
Biting the hand that feeds IT
