Spy on Wheels: How Automakers Collect and Resell Information

What personal information do modern cars collect about you and how can you avoid surveillance or hacking of your car?

Guess, in three tries, which of your possessions most actively collects personal information for analysis and resale.

It's a car. According to experts from the Mozilla Foundation, neither smart watches, nor smart speakers, nor surveillance cameras, nor other gadgets previously analyzed by the Privacy Not Included project can compare with it. As part of this project, experts study user agreements and privacy policies to understand how a device uses the owner's personal data.

So, for the first time in the history of the project, absolutely all (25 out of 25) checked car brands received a "red card" for unacceptably broad collection of personal information, lack of transparency in its use, poorly documented data transfer and storage practices (for example, it is unknown whether encryption is used) and the possibility of reselling the collected information, which was officially announced by 19 out of 25 brands. The icing on the cake is that car owners have almost no way to refuse the collection and transfer of this data: only two brands - Renault and Dacia - give owners the right to delete the collected personal data. However, owners still have to think of using this option themselves.

Buried deep in the license agreements that car buyers typically accept “by default,” without reading them, are some truly outrageous violations of privacy: for example, consent to sharing sexual preferences and genetic information (Nissan), disclosing information in response to informal requests from law enforcement agencies (Hyundai), and collecting data on stress levels. All this comes in addition to another 160 categories of data, named deliberately vaguely, such as “demographic information,” “images,” “payment information,” “geolocation,” and so on.

Tesla ranked worst in the rating: in addition to all the other possible penalty points, it received a special mark, “Untrustworthy artificial intelligence (AI)”.

How Cars Collect Information

A modern car is literally stuffed with sensors - from sensors in the engine and chassis, showing, for example, engine temperature, steering angle or tire pressure, to much more interesting ones, such as video cameras around the perimeter of the car and in the cabin, microphones, sensors for the presence of hands on the steering wheel...

All of them are connected to a common bus, so the car's main computer receives all this information centrally. Plus, all modern cars are equipped with GPS, a cellular module, Bluetooth and Wi-Fi. The presence of cellular communication and GPS in many countries is dictated by law (for automatically calling for help in case of an accident), but manufacturers willingly use this function for the convenience of the driver - and their own. You can plot a route on the car's screen, remotely diagnose breakdowns, start the car in advance... And, of course, the chain "sensors and cameras → car computer → cellular network" creates a constant channel for collecting information: where you are going, where and for how long you park, how sharply you turn the steering wheel and accelerate, whether you use seat belts, and so on.

Additional information is collected from the driver's smartphone when it is connected to the vehicle's on-board system to make calls, listen to music, navigate, and enjoy other conveniences. And if the smartphone has a mobile application from the car manufacturer installed to control the vehicle's functions, then data can be pulled from the smartphone even when the driver is not in the car at all.

Well, cameras and microphones, Wi-Fi hotspots and Bluetooth functions help collect information about passengers. With their help, it is easy to find out who constantly rides in the car with the driver, where and when they get in and out, what smartphone they use, and so on.

Why do car manufacturers need this information?

To make more money. In addition to analysis for “improving the quality of products and services,” data can be resold and features can be reconfigured for the manufacturer’s greater benefit.

Insurance sellers, for example, buy information about the driving style of a specific driver in order to more accurately predict the likelihood of an accident and adjust the cost of insurance. In 2020, 62% of cars were already equipped with this controversial feature right at the factory, and by 2025 this figure is predicted to increase to 91%.

Marketing firms are also eager to use such data and target advertising based on the income, marital status and social status of the car owner.

But even without the resale of personal data, there are many other unpleasant monetization scenarios - for example, turning on and off additional car functions by subscription, as BMW unsuccessfully tried to do with heated seats, or selling expensive cars on credit with forced blocking of the car if the payment is late.

What else is wrong with data collection and telematics

Even if you think that “there’s nothing wrong with advertising” and “what interesting things will they learn about me?”, consider the additional risks that you and your car are exposed to due to the technologies described above.

Data leaks. Manufacturers actively collect and store your information but do not adequately protect it. Just recently, Toyota admitted to leaking 10 years of data, all collected from owners of millions of cars with cloud capabilities. Audi leaked information on 3.3 million buyers. Other automakers have also been victims of leaks and cyberattacks. If so much personal data falls into the hands of real criminals and fraudsters, and not just marketers, there will be trouble.

Car thefts. Back in 2014, we studied the possibility of car theft using “cloud” functions. Since 2015, it has become clear that remote control of a car by intruders is not science fiction, but a harsh reality. In recent years, car thieves have more often exploited the remote relaying of signals from a legitimate key fob, but last year’s epidemic of “TikTok car thefts” of KIA and Hyundai cars was based on the smart functions of the car and required the thief to simply insert a flash drive into the USB port. At the end of this post, you can see a video example of such a hack, and the car in it is by no means a KIA.

Tracking. When the car is not yours, but a relative's or employer's, the owner can track the car's location, set the boundaries of the area where it can be used, speed limits, permitted driving time, and even the volume of the audio system! Many car brands, such as Volkswagen and BMW, offer such features. As we know from our stalkerware research and the recent AirTag tracking scandals, such features are simply bound to be abused.

How to reduce risks?

Due to the scale of the problem, there are no simple solutions, so we will offer possible options, from the most radical to the least:
  1. Walk or ride a bike.
  2. Buy an older model car. Almost all cars produced before 2012 have very limited data collection and transmission capabilities.
  3. Buy a car with a minimum set of smart sensors and/or without a communication module. Some manufacturers have basic configurations with reduced capabilities, but this requires a detailed check and reading the operating instructions. The absence of a proper communication module (GSM/3G/4G) in a car is a fairly reliable sign of its limited capabilities. Keep in mind that more and more cars have smart functions even in the basic configuration (smart TVs have already paved this road: their makers earn money by collecting and selling data).
  4. Don't install the car's mobile app on your phone. Sure, starting the car from a smartphone or warming it up remotely is quite attractive, but whether you should pay for these features with deeply personal information in addition to money is a very controversial issue.
  5. Do not activate CarPlay or Android Auto on the car and phone combination. When these functions are activated, the manufacturer of the smartphone OS pulls all conceivable information from the car, and the car pulls it from the phone.
  6. Do not connect the car to your phone via Bluetooth or Wi-Fi. You will again lose some functionality, but the car will not send information to the factory via the phone, nor will it download your phonebook or other personal data from the phone. You can take a half measure: establish a Bluetooth connection only for the "headset" and "headphones" protocols. You will be able to play music from your phone through the car speakers, but other types of data transfer (such as the phonebook) will be unavailable.
  7. A bonus tip that doesn't exclude the previous ones: Mozilla suggests signing a collective letter to car manufacturers calling on them to change their business model and stop making money by spying on customers.
