Forget snooping smartphones and spying smartwatches. Modern, connected cars are “the official worst category of products for privacy that we have ever reviewed,” Mozilla concluded after studying two dozen brands.
Mozilla, the not-for-profit behind the open-source Firefox browser, revealed yesterday (Sep. 6) that “every car brand we looked at collects more personal data than necessary and uses that information for a reason other than to operate your vehicle and manage their relationship with you.” And 84% of the cars sold or shared the personal data they collected, Mozilla said.
None of the 25 hackable computers-on-wheels evaluated met Mozilla’s Minimum Security Standards, because the nonprofit couldn’t determine if any of them displayed a basic security facet: encrypting all the personal information that sits in the car’s system.
Mozilla, a free software community founded in 1998 by members of the computer services company Netscape, reviews a wide array of products for their data privacy. Cars fared poorly even in comparison to mental health apps, a category of products that fails privacy parameters miserably. Mozilla raised privacy alarms for only two-thirds of the apps it reviewed.
Cars are collecting all sorts of data from everywhere
Cars are not just collecting car-related data like mileage and geolocation—they’re collecting, storing, and sharing information about passengers, pedestrians in the vicinity, and more. They also have access to information from several sources, including connected devices (read: phones) and apps like Google Maps.
A handful of cars, including GM’s Cadillac, GMC, Buick, and Chevrolet, as well as Kia and Nissan, gather genetic information. Some companies use data to infer more information. Nissan and Kia, for instance, creepily claim they can gauge details about a person’s “sexual activity” and “sex life” respectively.
By the digits: Mozilla’s privacy report card for smart cars
84%: The proportion of car brands that say they can share personal data with service providers, data brokers, and other businesses
76%: The proportion of privacy policies stating that they can sell personal data
56%: The proportion of surveyed car brands that say they can share personal information with the government or law enforcement agencies in response to a “request”—not even a legitimate court order. Hyundai explicitly says it will comply with “lawful requests, whether formal or informal.”
92%: The proportion of car brands that don’t award all drivers the right to have their personal data deleted. Only two—Renault and Dacia, owned by the same parent company—accorded drivers that right.
12: The number of long-winded privacy policies issued by Toyota, the maximum among all the brands that Mozilla studied
6: The number of car companies that claim to be able to collect “genetic information” or “genetic characteristics”
600 hours: The time Mozilla spent studying the car brands’ privacy practices—three times as much time per product as its researchers typically need
Company of interest: Tesla
Even in a sea of privacy violators, the most valuable car maker was also the blackest of sheep. Tesla failed across all criteria of assessment—data use, data control, track record, security, and AI. It was the only carmaker that got an “untrustworthy AI” label from Mozilla. Given that its AI-powered autopilot has been involved in a number of crashes and even deaths and drawn harsh regulatory scrutiny the world over, the label seems fair.
Tesla is only the second product ever that checked all of Mozilla’s “poor-privacy.” The first was an AI chatbot that Mozilla reviewed in April.
There’s one lone bright spot, though. Tesla very clearly states in its privacy documentation that it will not sell or rent people’s personal information to third parties.
Tesla could also have helped by letting drivers “opt out” and deactivate connectivity. But that is a moot point: Tesla also says its cars will essentially be rendered useless without connectivity, losing functionality for over-the-air updates, remote services, interactivity with mobile applications, and in-car features such as location search and Internet radio. Tesla “will not be able to know or notify you of issues applicable to your vehicle in real time,” the company claims.
Quotable: Privacy ranks low on car buyers’ list
“People don’t comparison-shop for cars based on privacy. And they shouldn’t be expected to. That’s because there are so many other limiting factors for car buyers. Like cost, fuel efficiency, availability, reliability, and the features you need. Even if you did have the funds and the resources to comparison shop for your car based on privacy, you wouldn’t find much of a difference. Because according to our research, they are all bad!”
—The Mozilla Foundation, which is putting the onus on car companies to stop their “huge data collection” programs