EFFecting Digital Freedom
Privacy Shouldn't Be This Hard: Car Makers Need to Do Better
by Thorin Klosowski
For many people, cars are a window into their personal lives in a way that other devices are not. They take us to work, school, and home. They take us to protests, doctor offices, and fast food restaurants.
In doing so, they collect more data than just about any other device out there. It's increasingly clear that car makers desperately want to be tech companies, but they've learned all the wrong lessons from that industry about how to handle data sharing and collection.
The privacy practices of these cars and their connected apps don't reflect the sensitivity one would expect from a machine that takes us everywhere we need to go, and car makers' privacy policies often detail overzealous collection of personal data alongside inferences about everything you can think of, ranging from gender to religious affiliation.
There's no standard or requirement for turning any of this data collection off. On any modern smartphone, you'll find a privacy and security section in the settings where you can review what data the phone has access to, what gets shared with other apps, and what details the phone's manufacturer collects.
But on most modern cars, you're lucky to find barebones privacy options, and often you'll find nothing at all in the car itself. Instead, you're forced to download an app to search for settings there. Even then, you still might end up empty-handed. It's a mess. But it doesn't have to be this way.
Most cars produced in the last five years - if not older - have more sensors, cameras, and wireless transmitters than smartphones or laptops. Any time you interact with your car in any way - opening a door, parking, putting air in a tire, slamming on the brakes - there's probably a record of it. Years ago, this data was only stored locally, mostly for diagnostic purposes to help with repairs, but now it's often uploaded by your car and stored on a server somewhere. This shift to expansive data collection has not been going well.
A car's data sharing and collection gets very confusing, and what a car is capable of often depends on the year, make, model, and even the trim level. This makes it hard to figure out what your car is even capable of, let alone what it's actually doing. But if you plot out all these potential data flows, you'll find it's going to a variety of places with different risks:
- Driving data that's shared with insurance companies (often through intermediaries and data brokers).
- Analytics or diagnostics data that's shared with the car company.
- Personal data that's used or shared by the car company for advertising or marketing purposes.
- Data that is shared with law enforcement and data that is gathered by law enforcement.
- Data that's inadvertently shared with a partner, ex-partner, parent, etc. for non-consensual tracking.
- Data you're inadvertently sharing through your smartphone.
- Data shared through breaches, or misused by a rogue employee.
We're only just learning of novel methods the government uses to track an automobile, such as picking up the seemingly innocuous little wireless chirps a car's tire pressure sensors send to its central computer to report whether each tire is inflated, and using those transmissions to follow a car's movements.
Combined with other tools law enforcement has, like Automated License Plate Readers (ALPRs) and real-time location tracking, it's increasingly easy for them to access all sorts of driver data - many times without a warrant. That is something we are fighting to change.
Then there's information about your driving habits, sometimes referred to as "driving data" or "driver behavior information," which might include everything from braking statistics to the time of day you tend to drive. If this sort of information gets shared with insurance companies, it can alter your premiums.
But it's not just abuse by companies for profit and law enforcement for surveillance that we have to worry about. There's also the fact that many cars feature connected services that make them rolling surveillance devices for controlling partners or family members. Many cars connect to an app that can track where you go or where you park. Some apps even have geofencing features to send an alert if the car leaves a specific area, or the ability to limit the speed and stereo volume of another driver. This tracking is often unclear to the person driving the car.
But there are some small things you can do right now to take control. If you have a car with a connected app, open that app and make sure you're not accidentally sharing information with insurance companies. Car makers tend to name these "features" things like "Driver Score" or "Driver Feedback." If you're lucky enough to actually find a "Privacy" page in that app or in the car's infotainment system, then go through and opt out of any surveillance you can.
If you share a car with a partner or family and you haven't ever looked at the app yourself, then it's also time to research what background information might be shared without your knowledge, like real-time location or parking location.
Finally, if you're in a state with a data privacy law, file a request with the car maker to opt out of data sharing and sale. This should at least stop the sale of your data for marketing purposes, and may also cut off some of what's shared with data brokers that ends up with insurance companies.
It's not difficult to envision a very bad future if these car makers continue on this path. Perhaps cars will someday be able to repossess themselves, automatically turn into rolling ALPRs during "emergencies," or remotely turn off and lock you inside if you're suspected of a crime.
None of us should need to go through dozens of steps just to protect very basic private information from getting into the hands of greedy companies and law enforcement. But without a national law that puts privacy first, there is little we can do to stop this sort of data sharing. We need much more than these consumer rights to know, to delete, and to opt out of disclosure: we also need laws that automatically require corporations to minimize the data they process about us, only use data for the purposes described to us, get our opt-in consent before processing our data, and allow us to enforce those rights.