We're the Researchers who looked into the privacy of 25 of the top car brands. All of them failed our review. AMA!

Which manufacturer is the least bad and why?

Misha, *Privacy Not Included: The least bad among the 25 reviewed are Renault and Dacia (also part of Renault Group). Renault grants GDPR rights to its users, which means that you may request to access & delete your data. Renault also has a relatively decent track record of securing customers’ data in the last 3 years. Finally, Renault has a vulnerability disclosure policy. Nevertheless, we had to give Renault a ding for other privacy & security issues.

Any brands to consider for those of us in the US that don't have all the protections Europeans enjoy?

Zoë, *Privacy Not Included:

Hmm.. Unfortunately, all of the cars we looked at that serve the US earned our *Privacy Not Included warning label. Usually in that case we’d suggest you avoid buying those products. But with cars, so many people don’t have the choice not to buy a car or even to choose their car based on something like its privacy settings.
The best thing you can do if you want more and better options is get mad! And fight for a federal privacy law in the US that would take these predatory data collection/sharing/selling practices off the table. Join us and learn more about what we’re planning on that front here → https://foundation.mozilla.org/en/privacynotincluded/articles/is-this-even-legal-our-top-cars-and-privacy-question-answered/

Thanks for doing this work.

Were Google and Apple integrations the major culprits here, or were OEMs just as brazen with their own systems?

Jen Caltrider, *Privacy Not Included:

Great question!
Our *Privacy Not Included research looked into the privacy policies and practices of the car companies. And they are terrible. They seem to us even more brazen, if that is possible, than Google and Apple. Their privacy policies seem to have been written without any sort of idea for consumer privacy in mind. When you see car companies say they can collect things like “sexual activity” “sex life”, “genetic information”, olfactory information, and so much more our eyebrows got pretty raised and stay there. I’ll let Andrea from Privacy4Cars say more about how Apple and Google fit in here. But know that the car companies are awful at privacy -- they sell data, collect way too much, don’t give users real opportunities to consent to data collect, or even real good ways to opt-out, and they don’t have great track records at protecting and respecting the personal information they do collect.

​

Andrea , Privacy4Cars:

Little known fact: when you connect your phone to your vehicle (bluetooth, USB, etc) even if you use a screen mirroring technology like Apple CarPlay or Android Auto, two things happen: (1) your car sucks out a lot of data from your phone (e.g. your text message database, identifiers, and much more) and (2) your phone has access to vehicle data that is sent out via the phone. Android Auto is well known to be able to send over 120 datapoints per second (mileage, speed, direction, etc. etc.). Google also has something called Automotive Android, which sounds the same- but is not. It’s an operating system and that gives Google even more access to data if automakers (OEMs) use it in their infotainment systems.

Wow, thanks.

Are there any ways to disable these "features?"

Like by pulling out a fuse, or removing some components? Or is this all too built in to the infotainment system?

Andrea, Privacy4Cars:
Some car manufacturers do permit owners to disable these features in the infotainment system but often require them to do this every time or even have to continuously disable it throughout their entire drive as a pop-up. This may make the driver lose focus from driving in order to opt-out, which would have serious safety implications…

Like by pulling out a fuse, or removing some components? Or is this all too built in to the infotainment system?

Andrea, Privacy4Cars:
we advise against tampering with the electronics. Yes, you can pull a fuse or remove an antenna, but this will for sure void the warranty (now you have reduced the value of your car by thousands of dollars) and possibly you are disabling safety features (which also has personal liability implications in litigious countries like the USA).
We are running a free pilot program at Privacy4Cars where we act as your agent and try to minimize your data footprint. Give us a try:

https://privacy4cars.com/personal-use/assert-your-data-rights/

Can you explain more about how the data is actually transmitted out of the car that doesn't have its own internet connection? If someone drives a simple car (like a new Miata with a factory stereo), not using any car-specific apps, but they do plug their phone in to use Android Auto or Carplay, can data still make its way to Mazda?

Is the data stored by the vehicle and available to law enforcement?

Andrea, Privacy4Cars:

Here is a cheat sheet we created at Privacy4Cars to explain different levels of connectivity technologies and how data makes it out of the car: https://privacy4cars.com/data-in-cars/p4cs-five-levels-of-vehicle-connectivity/
Of course data can also be taken out locally in a variety of ways. Not-so-fun-fact: data in cars, including sensitive personal information, is often stored unencrypted and does you car has a password? Nope, the key is the only (poor) “factor of authentication”: if you have the key, you have full access.

You may want to look into the work of nonprofit S.T.O.P. https://www.stopspying.org/ who published a detailed report on how government entities worldwide use car data.

Jen Caltrider, *Privacy Not Included:
Most modern cars -- cars built in the last 3 or so years -- have ways to transmit data over cellular or wifi. You might not ever see this or know about this. You car data can also be collected when you take it to the dealer and they can gather if from your car there and potentially share it. Car dealers have their own privacy policies too (which we didn’t read). And yes, lots of your perosnal information is stored on the cars. And we could not confirm in our research if any of the car companies fully encrypt all the personal information that sits on their cars.

As for sharing information with law enforcement. We say way too many companies have very very lax statements in their privacy policies saying how they can share data with law enforcement and governments. What you want to see is a company say they will never share data with law enforcement or governments without a court order and even then that they will limit the data sharing as much as possible and alert you to the court request. What we say was companies saying they could share personal information with government and law enforcements based on “formal” or even “informal” requests. That is scary!

Great work, underlining that this is just getting worse and worse. TVs, PCs, cars, your mobile phone - how can we put an end to this ongoing, invasive spying on everyone?

Zoë, *Privacy Not Included:Phew, great question and something that we ask ourselves often. At PNI, we try to give consumers the information that they need to make better, more informed decisions when shopping for products that connect to the internet. But! Sometimes (like with cars) there are really no great options out there – every single car brand we looked at failed our criteria (miserably).So what we’ve been encouraging people to do is get mad! …And speak to their local legislator to make these data collecting/sharing/selling practices illegal. Leaving it up to companies’ good conscience clearly is not working. You can read more about what we’re planning on this front (in the context of the US) - here https://foundation.mozilla.org/en/privacynotincluded/articles/is-this-even-legal-our-top-cars-and-privacy-question-answered/ Join us!

Because this is an AMA im going to ask here because i think its an important clarification, i skimmed the full report but didnt immediately see it. Where is this data collected from? Is it pulling the data when your phone connects? Would not using carplay or something similar negate the issue? It seems to me it would be difficult to know most of the information collected without access to a phone. Can permissions on a phone be changed to not give that info? I understand there isnt much you could do about information you give in person or on paper, but besides those avenues or aquiring data, the only other thing i could see them collecting is location data of the car itself and driving habbits. Can you clarify how they are getting sexual and genetic info?

Andrea, Privacy4Cars:

Data comes from two sources: the sensors in the vehicle and - you are right - your smartphone when you connect. Not connecting your phone will not eliminate data collection. Also, we are suckers for safety, and there are serveral studies showing that if you plan to use a phone, handsfree is much safer (and the only legal way to do so in many states).
I should add, if you connect and say “no” to the permissions in the contacts for instance, the car will not take your contacts - but take everything else!

Jen Caltrider, *Privacy Not Included
To answer the question about how car companies can gather information about this like sexual activity and genetic info. The answer is, we just don’t know. And that’s the problem. They give themselves the right to collect that information about your when they say you consent to their privacy policy by including all that sensitive personal information in their privacy policy. How they can collect that info about you, that’s a good question. This is why we need better laws and transparency to protect our privacy!

May I ask what evidence you have of it? Not doubting you at all, I'd just like to see who's doing it, at least.

Jen Caltrider, *Privacy Not Included
Nissan’s Privacy Policy that mentions “sexual activity”:
Our review of Nissan:
https://foundation.mozilla.org/en/privacynotincluded/nissan/
https://www.nissanusa.com/privacy.html
Kia’s Privacy Policies that mention “sex life”
https://www.kia.com/us/en/privacy
https://owners.kia.com/content/owners/en/privacy-policy.html
https://www.kia.com/uk/privacy/
Our review of Kia
https://foundation.mozilla.org/en/privacynotincluded/kia/

Why was Mazda not included? Too small? They would seem to "win" in the sense that they allow an opt-out.

Jen Caltrider, *Privacy Not Included
Oh man, how I wish we had included Mazda. We’re a team of three and had to narrow down our product list to the most popular car brands in North America and the EU. Mazda was right on the cusp there and just missed the cut. As did Volvo.
The funny thing is, right in the middle of doing this research my wife’s car died and we had to buy a new car and Mazda is what we picked. Not for privacy reasons though -- because we’re like most people, we had to look at things like price, features, and reliability first when buying a car. Being a privacy nerd though, I did take a quick look into Mazada’s privacy policies. And while they aren’t the worst car brand out there, they still, like all the others, are pretty dang terrible. They do say they can sell your information (although they say they don’t sell sensitive personal information of people under 16, so, yay I suppose /s). And when I went to their website to ask them to delete any data they had collect on my, when I told them I live in Vermont (a state without a strong privacy law like Caifornia), they basically laughed in my face and said, yeah, we’ll keep your data as long as we want.
So, yeah, Mazda is bad like all the rest, unfortunately.
Mazda’s privacy policies:
https://www.mazdausa.com/site/privacy
https://privacy.mazdausa.com/us/california
https://www.mazdausa.com/site/privacy-connectedservices

Andrea, Privacy4Cars:

We have Mazda vehicles at https://vehicleprivacyreport.com. We currently cover ~300 million vehicles between the US and Canada. EU + UK are coming later this year. We will soon release version 2.0 which will go beyond the manufacturer and cover some service providers, mobile apps, etc.

Your website appears to be about getting the word out. As an electrical engineer working in reverse engineering, I want to know how engineers out in the world can contribute to rectifying the situation. After reading your website, I'm no more equipped to reduce my car's dependency on the privacy-violating software and hardware than before.

This may be an example of a hammer seeing a problem as a nail, but shouldn't we be fixing the problem? What are the fixes? Implementing changes to the law, sure, and your public service announcements help with that, but where you see Right to Repair implemented, you see it weakened and exceptions carved out. Economics aren't going to fix it until a massive reorganization of China make the present design of cars infeasible and we fall back onto dumber models for lack of semiconductors. Even the global chip shortage just stalled production and didn't percolate into redesign.

It seems to me that the fix is to fight with tools. Locate all the micros/cpus, firmware dump them, reverse the software, strip the malicious code out, and recompile.

I have access to equipment and a 5th gen Toyota RAV4, and a willingness to get my hands dirty.

Jen Caltrider, *Privacy Not Included:
Wonderful! I think it will take all of us to fix this problem. As an engineer, you have technical skills that most of us don’t have. But research into your own vehicles and then publishing results could help drive this conversation as well. We also recognize that so many people don’t have the technical ability to tackle data collection from their cars and will need to rely on better regulations and policies to protect them.
Andrea, Privacy4Cars: we advise against tampering with the electronics. Yes, you can pull a fuse or remove an antenna, but this will for sure void the warranty (now you have reduced the value of your car by thousands of dollars) and possibly you are disabling safety features (which also has personal liability implications in litigious countries like the USA). We have done ethical disclosures before to tens of manufacturers and other companies, but that is where the line should be drawn with hacking cars.
We are running a free pilot program at Privacy4Cars where we act as your agent and try to minimize your data footprint. Give us a try: https://privacy4cars.com/personal-use/assert-your-data-rights/

How does a car collect information about my sex life?

Jen Caltrider, *Privacy Not Included
Great question! And we’re not sure, to be honest. All we know is that two car companies said they could. Nissan’s privacy policy says they can collect information about “sexual activity” through “Direct contact with users and Nissan employees” to do things like “facilitate more targeted marketing.” And Kia says they can collect information about your “sex life.” How they do this, or even if they actually do do this, is not something we can tell. We just know they say they can and you know what Maya Angalou says, “When someone tells you who they are, believe them the first time.” Kia has been telling journalists they don’t collect information on “sex life.” But then, why would they say in their privacy policy they can?
Nissan Privacy Policy: https://www.nissanusa.com/privacy.html
Kia Privacy Policy: https://owners.kia.com/content/owners/en/privacy-policy.html

Since publishing, have you been contacted by any of the subjects of your report to explain things from their perspective or to provide assurances that they are open to change? And have you been contacted by anyone in a position of authority to investigate things further, such as a politician or government department?

In other words, I’d anything substantial regarding purchaser privacy happening because of your report that you are aware of?

Great question! We have not heard much from the car companies, no. Which isn’t a huge surprise to us as when we were doing our research, they didn’t seem interested in answering our privacy and security questions either. I think they really hoped that this issue would keep flying under the radar and they would continue to get away with their pretty awful privacy practices.
The good news is, we have absolutely heard from policymakers about our research. Staffers from a key Congressional committee reached out to us almost immediately to discuss what could be done to help reign some of the issues in the short term. We’ve also talked with experts and people who work on these issues in the EU about ways to put pressure on car companies over there to do better.
Hopefully this is all just the beginning. We’re also still getting a number of requests from people in the media to keep talking about this issue and they are even looking into using their resources to dig deeper, which is great. We’re a non-profit, so our resources are limited. But the more people who get aware, get mad, and take some action, whether it be big or small, will be what helps drive change.
One last thing. A reminder that car companies don’t exactly have a long history of ethical behavior (hello, Ford Pinto). The things that push them to change are people -- us -- geting loud and demanding that. This is step one and I think we’re on our way! Thank you.

If I don't connect my phone to my vehicle, can the vehicle send out info by itself? Or is it just the phone that's really the problem with this situation?

Misha, *Privacy Not Included:

The problem is not just the phone. The car itself collects tons of data, including precise location, data from the camera & microphones, etc. And the car often sends this data to be stored & processed at the data center. Later, this data may be shared & sold with third parties, such as data brokers, advertisers, etc. Connecting your phone to the vehicle increased data collection and data sharing, for sure.

Andrea, Privacy4Cars:

Privacy4Cars: you can check you your car has its own native cellular connection at https://vehicleprivacyreport.com - if it says your car is like “a smartphone on wheels”, you have telematics (and they may be sending data out even if you are not subscribing to the connectivity service)

Thanks for your research, great article.
I was wondering what is up with Chinese manufacturers, like NIO, Polestar, etc. They gain a lot of interest and market share in Europe recently (leading to discussions about restricting their sales in Europe). I was wondering if there's a reason I couldn't find them in the report. Or are they included in some of the other tested brands as a sub-brand?

Misha, *Privacy Not Included: Unfortunately, we have not looked at the Chinese manufacturers you are listing, since they were still relatively small in US & Europe by market share. We will make sure to include some when we do the revision of the guide, to include the rising EV-manufacturers from China. We are especially interested in the AI trustworthiness and self-driving cars regulations in China. Tune in!

Andrea, Privacy4Cars:

When we will launch https://vehicleprivacyreport.com in Europe in the next month or two we will cover the main Chinese brands. One thing that personally concerns me is that some Chinese manufacturers of telecom equipment (e.g. Huawei) are banned from selling equipment in the US because of alleged spying and other national security reasons... but they continue to be a major provider of the telecom equipment that goes in vehicles (“telematics”). Why it is bad for somebody to put an electronic board and software in a cell tower but it is totally cool to put it inside a 2-ton moving piece of metal? I honestly don't get it nor I get why the Federal Communication Commission is not overseeing vehicles since they have become telecom equipment.

How can this possibly be compliant with GDPR in Europe?

Andrea, Privacy4Cars: oh, automobiles are regulated both under GDPR and ePrivacy laws and unfortunately we can name many issues. GDPR requires privacy-by-design… not sure how that has been implemented. We know that it is clearly mandatory https://edpb.europa.eu/sites/default/files/consultation/edpb\_guidelines\_202001\_connectedvehicles.pdf to make sure personal data captured by vehicles is deleted so it is not exposed to unauthorized parties e.g. after every rental or when a vehicle is traded in/returned at the end of a lease. We are not aware of any company (dealership, fleet, rental car company, etc.) who complies with that. GDPR requires that data subjects are clearly notified of data collection, purposes, and collection needs to be commensurate, but a recent EU study shows that consumers almost never get any information - or the correct information - at dealerships about what vehicle’s data practices are (https://op.europa.eu/en/publication-detail/-/publication/d241ad9e-a699-11ed-b508-01aa75ed71a1/language-en/format-PDF) … shall we go on?
Misha, *Privacy Not Included: While we love GDPR, it is unfortunately poorly enforced. Let’s imagine you see a GDPR violation: you do not get your requested data copy within 30 days, or you see that some data is collected without your consent.. What are you going to do about it is the question. Without proper training and loads of energy, you can barely go after the Volkswagens and Teslas of the world. Large collective action works at times. That is why we support privacy advocate non-profits and consumer protection groups that have legal powers to push authorities to push companies to do better. European bureaucracy is rather slow, though. And from our experience, they are too busy going after the bigger fish - the Big Tech - to look at the car manufacturers. Finally, automotive manufacturing is the key industry in Europe itself, so perhaps data protection authorities are rather reluctant to punish them. In any case, a user is the one who loses from the poor enforcement of GDPR.

Can I suggest changing that graphic? Is it better to be on the top or bottom? Are the X's good or bad? Use manufacturer names, too. There's a few logos I don't even recognize.

Jen Caltrider, *Privacy Not Included
You can also click on our Cars category page and read our reviews of each car brand from there if it is easier for you. Here’s the link! https://foundation.mozilla.org/privacynotincluded/categories/cars/

Did your research stumble upon many additional privacy issues that didn't make your final reporting and if so, might any of them find their way into follow up work?

Zoë, *Privacy Not Included
Omg, the self-repossessing technology patent. I read a lot of things over the course of our research that made me laugh/cry but I think this one takes the cake.
Earlier this year, Ford filed a patent for “self-repossessing” technology – which is exactly what it sounds like! Basically, if you don’t make your car payments your car could drive itself to an impound lot – or, even worse, to a junkyard – if the value of your car isn’t worth recouping. Before your car drives itself off into the sunset, it would inflict little terrors on you to, I guess, encourage you to make those payments quickly. Those “punishments” include turning off some of your car’s features (like air conditioning) or making an annoying sound that will not stop whenever you’re in your car.
What really got me is that this patent gave us a little peek behind the curtain, of what car-makers might be planning to do with all this data/connectivity. And honestly – their imagination is way better than mine at dreaming up privacy nightmares.
You can read the full patent here → https://image-ppubs.uspto.gov/dirsearch-public/print/downloadPdf/20230055958
You can also read about this and more of our privacy nightmares here →
https://foundation.mozilla.org/en/privacynotincluded/articles/after-researching-cars-and-privacy-heres-what-keeps-us-up-at-night/

Jen Caltrider, *Privacy Not Included
Oh absolutely, yes. There is so much more to this issue that we could research in a few months. We didn’t look into the data collection and sharing of some of the big connected services like SiriusXM and Waze and the like. We didn’t read car dealers’ privacy policies, they all have their own. Insurance companies and financial services are another huge area of data collection and sharing floating around the car industry. We’re starting to see car companies make moves into becoming their own data brokers with things called Vehicle Data Hubs. And all of this still feels like the tip of the iceberg.
When cars have sensors that can detect how much you weigh or possibly even things like your heart rate, when they have microphones, cameras facing in, cameras facing out, and more, they can learn a whole lot about you and maybe even your emotional state. And as data collection gets more vast when companies collecting tons of data can go and buy even more to make inferences about things like your intelligence and abilities, yeah, there’s lots to dig into here. Oh, and then there is the growing use of AI in cars…that’s something we barely touched on but is growing rapidly. We’re really hoping our research starts the conversation and that the conversation grows from here. Andrea from Privacy4Cars has also been doing an excellent job pushing this conversation into the mainstream and we really appreciate that.
And if you really get frightened, read what my colleague Zoe has to say here about self-re-possesing car technology. It’s creepy as hell!

First off, thank you for doing all this work and compiling it into an easy to digest format! I have a question about the sexual activity part though, do you know what (if any) mechanisms exist to collect that information? Obviously you can get some insight using GPS information but sexual activity tracking can go a lot farther than that. Do you think that surveillance is happening right now, or is this the automakers just asking for everything they can ask for now and sorting out what they can actually procure later?

Andrea, Privacy4Cars:
Not very clear here. Inferences from GPS make sense… and then there is also this: https://www.theguardian.com/technology/2023/apr/07/tesla-intimate-car-camera-images-shared
Misha, *Privacy Not Included:
We are also puzzled by this question. First of all, we do not entirely understand what is meant by ‘sexual activity’ or ‘sex life’ data. We can imagine that there are technical means to collect some of such data, given the presence of microphones, cameras and sensors in modern cars. We would love to get more information from the manufacturer, and we encourage all drivers of Nissans and KIAs to ask the manufacturer. We are very concerned about the very possibility of such data collection.
On the second part of the question, I believe that the truth is the combination of both. They definitely list all possible data in the policies, to have hands free to do it in the future. And they might already start doing their ‘magic’ to figure out how to collect it.

Can I turn off the data collection?

Misha, *Privacy Not Included:

Not really. You can try to opt out from selling your data (if you are based in California) or from usage of your data for behavioural advertising, but you can not opt out from data collection fully. You can minimize the data collection though if you chose a vintage car that is not connected to the Internet, has no built-in telematic devices or apps connected to it.

Andrea, Privacy4Cars:

Your privacy mileage may vary depending on your vehicle. As Misha points out, there are things you can do, and it is often painful for consumers to navigate what is often a maze of forms, documents, etc. You can check what your current vehicle can do at https://vehicleprivacyreport.com for free, don;t forget to ask your dealer to delete your data (in front of you or to send you a written proof, we often see promises not being consistently delivered), and you can enroll for free in our pilot program to help consumer minimize their data footprint. https://privacy4cars.com/personal-use/

Hey guys.

The Mozilla leadership has suggested steps to be taken to “silence or permanently remove bad actors” on platforms in this post by Mozilla’s Mitchell Baker:

https://blog.mozilla.org/en/mozilla/we-need-more-than-deplatforming/

This obviously is a privacy concern as that requires extensive data collection, and can clearly be used maliciously against someone.

It is clear that cars will become advanced enough to maliciously use data to possibly disable functions of the car against the customer’s will.

What steps can car companies take to prevent such malicious use of data collection that Mozilla has recommended to use on platforms?

Jen Caltrider, *Privacy Not Included
What we would love to see in the US is for a strong consumer-focused federal privacy law to pass that would protect all consumers from outrageous data collect and grant everyone the rights to things like being able to delete their data, making consent clear and explicit when data is collected, and making as much data collection opt-in rather than opt-out.
https://blog.mozilla.org/netpolicy/2022/08/24/its-time-to-pass-u-s-federal-privacy-legislation/

Playing devils advocate here, im 100% against data collection, however could "sexual activity/sex life" be covering their ass legally in a situation with a self driving car where someone needs to be at the hospital NOW like going into labor and put a priority on getting there and allerting 911? Or could it be that because it integrates with your phone, it needs similar permissions to use the apps on the car interface? A period tracking app would fall directly into that category.

Misha, *Privacy Not Included:

On the devil’s advocate side, we acknowledge the existence of the conflict between safety features and privacy. For example, a built-in microphone that allows calling 911 in the car may be justified. We would however appreciate much clearer argumentation and discussion around where the line lies.
In case of sex life data, it seems unfortunately as bad as it sounds. Both Nissan and Kia say they may be selling collected data, or sharing it for personalized advertisement. We believe that everyone has to make sure that sex life data does not leave the car, and under no condition gets in the hands of data brokers/marketers. Same applies to gender, race, immigration status, genetic (?!) data and other categories that too many manufacturers list in their policies. Therefore, we can no stress more the importance of louder discussion and the implementation of Federal Privacy Law ASAP.
Finally, be aware that deleting data that’s already collected is notoriously difficult if possible at all. Oops.

Hey guys, what (if any) long-term impacts do you think these findings will have? Will car companies voluntarily correct these issues? Will Congress beef up data privacy regulations? Etc.

Zoë, *Privacy Not Included:
First of all, we are so happy that so many people are interested in our research and are just as appalled as we are about car companies’ frankly terrible privacy and security practices as we are. We were curious about modern cars, because of their increasing sophistication and connectivity, but we really didn’t expect them to be this bad.
As far as car companies voluntarily correcting these issues… We don’t have too much hope for that. I think they’ll continue to do whatever makes them the most money as long as the law permits it. If they actually cared about consumers’ right to privacy, they wouldn’t be doing these things in the first place.
It’s worth mentioning that none of the car companies reached out to us after we published our research – which is also not normal. Usually, if companies are sincere in their desire to improve their privacy and security, they’ll engage us in conversation and be willing to hear us out. And in those cases we’re happy to help!
But we’re not holding our breath for car companies to come around, especially since they don’t have the best track records for doing the right thing. What we really hope, with so many people now paying attention, is that enough people will be mad enough to inspire stronger, more privacy-preserving legislation.
To sum up: 1. That we’ll increase the awareness of concerning privacy/security practices. 2. Probably not. 3. Hopefully!

Andrea, Privacy4Cars:
Fortunately we were able to convince hundreds of auto finance companies, fleets, and dealerships to start taking steps to create some sensible protections for consumers. Here is a list of companies who are starting to set safety nets for consumers: https://privacy4cars.com/privacy-stars-wholesalers/ and you can also find dealers near you who will delete data from your car prior to reselling it by going to https://vehicleprivacyreport.com Is there a LOT more to be done? Yes, yes there is, but we are hopeful that the more companies see that consumers care about their data, and more they will care about making privacy not just something their lawyers tell them to do but something they want to tell consumers about to show they should be earning their trust and business. So the best thing you can do is tell your dealer, call your manufacturer, or email your auto finance and tell them you care about your personal data being respected and protected - including in your car.
In the meantime regulators are not sitting idle: California’s Privacy PRotection Agency just announced their first investigation, and it’s about cars! https://cppa.ca.gov/announcements/2023/20230731.html
Illinois also just passed the first law in the United States (IL-SB 800) that makes it mandatory to delete the data of consumers from vehicles if they are repossessed, recognizing that cars collect more and more data, and that leaving it behind (which sadly is the norm) can put consumers at risk in a variety of ways.
We expect more and more actions.
Misha, *Privacy Not Included:
We are indeed aiming for the regulators to step in. We are advocating the Federal Privacy Regulation in the US, and more enforcement of GDPR and ePrivacy Act in Europe. Specific regulation for connected and self-driving cars would also help a ton.
We also want inform consumers about the data-related risks, so that they push for more transparency. This said, we are skeptical that the Big Car industry will reform itself.

Andrea,Privacy4Cars:
We just answered a similar question, but in short: (a) a lot of progress is needed, so your involvement is crucial, (b) more and more regulators are looking into this, (c) there are some good actors in the broader auto ecosystem (fleets, banks, dealers, etc.) who are starting to take action. The voice of the customer (you) is what ultimately will get companies to change their ways. I often tell people privacy in cars today is where safety was 30 years ago: you could not go to a dealer lot and understand which of two cars was safer, and nobody was (seriously) investing into safety… but today you have safety ratings and companies compete on who has the safest car. Hopefully it wont’ take nearly that long for that to happen with privacy as well.

Thanks for the AMA, could you guys release more information about Canadian cars or car data in Canada?

Andrea, Privacy4Cars:

Great question. There are quite a few differences between American and Canadian privacy policies, which may be reflective of their respective privacy laws. This is reflected in the documents companies publish, so the same car, north or south of the US-Canada border has very different declarations. Each car is different but by and large Canadian policies are shorter (good) but because they skip a lot more details and tables (not good).

If you enter the VIN of your car into https://vehicleprivacyreport.com and toggle the “Country of Residence” feature to select Canada you can see for yourself. :-)

What are you finding the information car companies collect is most commonly used for?

Jen Caltrider, *Privacy Not Included
There are some legitimate reasons car companies need to collect data. Things like vehicle safety and helping you make sure you get your car serviced in the right ways are the right times are good. We don’t really have a problem with data collection from car companies with the goal of getting us from point A to point B safely. Unfortunately, car companies go way way way beyond that with their data collection these days. Too much of their data collection now seems to be about making them more money off you and your personal information without your explicit consent or ability to opt-out.

Andrea, Privacy4Cars:

Agree with Jen here, and specifically I want to draw the line between collection and use, and between safety and non safety. We love safe cars, and for instance, would you want an ambulance to show up in case of an accident? Well, that requires the manufacturer to know where you are (GPS) and share this information with first responders. The issue is when you are consenting to subscribe to (sometimes premium) safety services, the same consent is also giving companies the rights to use many years of precise geolocation for a variety of other purposes. At Privacy4Cars be believe that consents for safety and consent for other purposes should always be debundled and not buried into the “fine lines”.

Taken from Kia's online privacy policy:

Biometric:

"This category may include: imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a face print, a minutiae template, or a voiceprint, can be extracted."

Vein patterns!?

Sensitive personal information:

"This category may include Social Security number, driver’s license, state identification card, or passport number; account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; precise geolocation; racial or ethnic origin, religious or philosophical beliefs; union membership; genetic data; unique biometric information; contents of certain mail, emails, and text messages; or health, sex life or sexual orientation information."

This shit is terrifying man. They literally included everything they possibly could in order to obtain all of this info. We're getting doxxed by fkn car companies now? How dystopian.

What can we do to fight back?

Zoë, *Privacy Not Included:
Ugh, Kia! Your comment is taking me back to being in the depths of our research. I completely agree that it’s all very terrifying and dystopian. If you read the Kia review, you no doubt heard about the “Kia challenge” as well and the research that revealed a vulnerability in giving others’ remote access to your car… It’s going way beyond creepy territory, into harmful.
This reminds me of something we haven’t gotten to speak too much about yet, but the car companies also do not have a good track record of securing your data. So when they’re not using it for their own “business purposes,” it’s possible that it could get into even “wronger” hands. One last thing about Kia is that they are also one of the brands that will comply with a “government request.” (I could go on!)
But on to your question! What we can do is get mad and make some noise – that these practices are unacceptable. We hope that legislators are listening.
If you’re based in the US, you can learn more about our efforts on that front here (and join us!) → https://foundation.mozilla.org/en/privacynotincluded/articles/is-this-even-legal-our-top-cars-and-privacy-question-answered/
No matter where you live, you can also sign our petition asking car companies to respect their drivers’ right to privacy → https://foundation.mozilla.org/en/privacynotincluded/articles/car-companies-stop-your-huge-data-collection-programs-en/

Andrea, Privacy4Cars: here is some advice: (1) we literally just launched this morning a new feature on https://vehicleprivacyreport.com where you can express your opinion on how much this data is worth to you, meaning how many dollars you think those companies should pay to have the rights to this data. You can also see how other responded to the poll. Right now companies think it is ok to just get this data and use it for whatever declared purpose because nobody told them otherwise; (2) since you are getting exactly $0.00 right now, you can join our pilot program to help you reduce your data footprint. https://privacy4cars.com/personal-use/assert-your-data-rights/ ; (3) call your manufacturer and tell them what you think. A new car is $50,000, that is a lot of money and companies will listen if enough consumers tell them they care about their privacy enough that they would purchase a different vehicle, and (4) call your dealer and tell them what you think, same considerations as above.