Mozilla Calls Cars From 25 Automakers 'data Privacy Nightmares On Wheels'
Updated Privacy-invading data harvesting by smartphones, wearable devices, smart doorbells, and reproductive health apps are well known, but the Mozilla Foundation has found the worst threat to your privacy may be parked in your driveway.
The foundation, the Firefox browser maker’s netizen-rights org, assessed the privacy policies and practices of 25 automakers and found all failed its consumer privacy tests and thereby earned its Privacy Not Included (PNI) warning label.
If you care even a little about privacy, stay as far away from Nissan's cars as you possibly can
In research published Tuesday, the org warned that manufacturers may collect and commercially exploit much more than location history, driving habits, in-car browser histories, and music preferences from today's internet-connected vehicles. Instead, some makers may handle deeply personal data, such as – depending on the privacy policy – sexual activity, immigration status, race, facial expressions, weight, health, and even genetic information, the Mozilla team found.
Cars may collect at least some of that info about drivers and passengers using sensors, microphones, cameras, phones, and other devices people connect to their network-connected cars, according to Mozilla. And they collect even more info from car apps – such as Sirius XM or Google Maps – plus dealerships, and vehicle telematics.
Some car brands may then share or sell this information to third parties. Mozilla found 21 of the 25 automakers it considered say they may share customer info with service providers, data brokers, and the like, and 19 of the 25 say they can sell personal data.
More than half (56 percent) also say they share customer information with the government or law enforcement in response to a "request." This isn't necessarily a court-ordered warrant, and can also be a more informal request.
And some – like Nissan – may also use this private data to develop customer profiles that describe drivers' "preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes."
Yes, you read that correctly. According to Mozilla's privacy researchers, Nissan says it can infer how smart you are, then sell that assessment to third parties.
- Mozilla finds 18 of 25 popular reproductive health apps share your data
- Twitter says it may harvest biometric, employment data from its addicts
- Cops told: Er, no, you need a wiretap order if you want real-time Facebook snooping
- Microsoft ain't happy with Russia-led UN cybercrime treaty
"Why does a car company need to make an inference about my intelligence? It gets creepy really fast," PNI program director Jen Caltrider told The Register.
Nissan, according to the research, is "probably the worst car company we reviewed, and that says something because all car companies are really bad at privacy."
"Please people, if you care even a little about privacy, please stay as far away from Nissan's cars, apps, and connected services as you possibly can," it continues.
According to the Nissan USA privacy notice, the automaker may collect and share a ton data for targeted marketing purposes, including:
"Nissan's privacy policy stands out as one of the most amazing things I've ever read," Caltrider said. "They aren't shy about saying they could collect all of this stuff."
But Nissan isn't the only brand to collect information that seems completely irrelevant to the vehicle itself or the driver's transportation habits.
"Kia mentions sex life," Caltrider said. "General Motors and Ford both mentioned race and sexual orientation. Hyundai said that they could share data with government and law enforcement based on formal or informal requests. Car companies can collect even more information than reproductive health apps in a lot of ways."
(Some) car brands respond
A Nissan spokesperson provided the following comment to The Register: "We're just being made aware of this report so it will take a bit of time to review it and provide a response."
Caltrider said the Privacy Not Included team contacted Nissan and all of the other brands listed in the research: that's Lincoln, Mercedes-Benz, Acura, Buick, GMC, Cadillac, Fiat, Jeep, Chrysler, BMW, Subaru, Dacia, Hyundai, Dodge, Lexus, Chevrolet, Tesla, Ford, Honda, Kia, Audi, Volkswagen, Toyota and Renault.
Only three – Mercedes-Benz, Honda, and Ford – responded, we're told.
"Mercedes-Benz did answer a few of our questions, which we appreciate," Caltrider said. "Honda pointed us continually to their public privacy documentation to answer your questions, but they didn't clarify anything. And Ford said they discussed our request internally and made the decision not to participate."
This makes Mercedes' response to The Register a little puzzling. "We are committed to using data responsibly," a spokesperson told us. "We have not received or reviewed the study you are referring to yet and therefore decline to comment to this specifically."
A spokesperson for the four Fiat-Chrysler-owned brands (Fiat, Chrysler, Jeep, and Dodge) told us: "We are reviewing accordingly. Data privacy is a key consideration as we continually seek to serve our customers better."
Representatives for Kia, meanwhile, told us it doesn't harvest details of people's sex lives, though it includes it in its privacy policy as an example of what could be collected: “While we may collect certain types of personal information, including 'sensitive personal information' as defined by the California Consumer Privacy Act of 2018, not all types of personal or sensitive personal information are collected by us – as stated in our privacy policy.
"Whether certain information is collected by us depends on the context in which a consumer interacts with us. To clarify, Kia does not and has never collected 'sex life or sexual orientation' information from vehicles or consumers in the context of providing the Kia Connect Services.
"This category of information is included in our privacy policy, which tracks the CCPA, as an example of the type of information defined as 'sensitive personal information' under Section 1708.140(ae) of the CCPA.”
"The privacy of consumers is important to Kia America," the automaker's team added.
BMW told us, through a spokesperson, that the carmaker "takes data privacy and data security of our customers very seriously" and sent the following response:
The Mozilla Foundation also called out consent as an issue some automakers have placed in a blind spot.
"I call this out in the Subaru review, but it's not limited to Subaru: it's the idea that anybody that is a user of the services of a connected car, anybody that's in a car that uses services is considered a user, and any user is considered to have consented to the privacy policy," Caltrider said.
Opting out of data collection is another concern.
Tesla, for example, appears to give users the choice between protecting their data or protecting their car. Its privacy policy does allow users to opt out of data collection but, as Mozilla points out, Tesla warns customers: "If you choose to opt out of vehicle data collection (with the exception of in-car Data Sharing preferences), we will not be able to know or notify you of issues applicable to your vehicle in real time. This may result in your vehicle suffering from reduced functionality, serious damage, or inoperability."
While technically this does give users a choice, it also essentially says if you opt out, "your car might become inoperable and not work," Caltrider said. "Well, that's not much of a choice." ®
Updated to add
After publication of this article Nissan, which was excoriated by Mozilla's report, issued the following update.
"Nissan takes privacy and data protection for our consumers and employees very seriously. When we do collect or share personal data, we comply with all applicable laws and provide the utmost transparency," it told The Register.
"Nissan’s Privacy Policy incorporates a broad definition of Personal Information and Sensitive Personal Information, as expressly listed in the growing patchwork of evolving state privacy laws, and is inclusive of types of data it may receive through incidental means."
From Chip War To Cloud War: The Next Frontier In Global Tech Competition
The global chip war, characterized by intense competition among nations and corporations for supremacy in semiconductor ... Read more
The High Stakes Of Tech Regulation: Security Risks And Market Dynamics
The influence of tech giants in the global economy continues to grow, raising crucial questions about how to balance sec... Read more
The Tyranny Of Instagram Interiors: Why It's Time To Break Free From Algorithm-Driven Aesthetics
Instagram has become a dominant force in shaping interior design trends, offering a seemingly endless stream of inspirat... Read more
The Data Crunch In AI: Strategies For Sustainability
Exploring solutions to the imminent exhaustion of internet data for AI training.As the artificial intelligence (AI) indu... Read more
Google Abandons Four-Year Effort To Remove Cookies From Chrome Browser
After four years of dedicated effort, Google has decided to abandon its plan to remove third-party cookies from its Chro... Read more
LinkedIn Embraces AI And Gamification To Drive User Engagement And Revenue
In an effort to tackle slowing revenue growth and enhance user engagement, LinkedIn is turning to artificial intelligenc... Read more