Man
Professional
- Messages
- 3,077
- Reaction score
- 614
- Points
- 113
A modern car is not just a means of transportation, but rather a computer on wheels. About half of its cost is electronics and software: sensors, controllers, computer components and control software.
Unfortunately, following the manufacturers of televisions and other household appliances, automakers have also discovered a new source of income - collecting data about their users (i.e. car owners). Such conclusions can be drawn from the recent report "Privacy Not Enabled" by Mozilla. According to the document, a modern car is a real combine harvester for collecting personal data.
Mozilla tested cars from 25 major brands and found none of them safe. All of them collect and use excessive amounts of user data and suffer from vulnerabilities, violating the security criteria set for this test.
84% of brands admit that they may share drivers’ personal data with service providers, data brokers, and other companies. Nineteen (76%) claim that they may sell drivers’ personal data to third parties. Tellingly, current legislation does not oblige a company to report to whom exactly it has provided or sold personal data (which is not even considered “personal” in anonymized form) and for what purpose.
17 out of 25 car brands received an additional minus in the “track record” column for leaks, hacks, and violations that threaten drivers’ privacy.
Surprisingly, only 56% of automakers claim that they may hand over data to the government or law enforcement agencies in response to a “request.” Mozilla emphasizes that this is not a legal request, but an informal, non-official request that could be made via email or phone.
Usually, in such a dire privacy situation, Mozilla recommends avoiding dangerous products and choosing those that can be trusted. But with cars, the situation is different, because absolutely all of them violate the rules for collecting confidential data. In this situation, there are some steps you can take that will partially limit the collection of personal data, including:
For specific advice for each car brand, see here.
But compared to the data collection that drivers have no control over, these steps seem like a drop in the bucket: “Navigating the vast and confusing ecosystem of privacy policies for cars, in-car apps, connected services, and more is something most people don’t have the time or expertise to do,” Mozilla writes.
In some cases, taking any precautions at all is pointless. For example, Subaru’s privacy policy states that by getting in, all occupants of a car consent to the use and possibly sale of their personal information simply by being in the car. So when a car company says it only collects data with “opt-in,” it often means consent by default. If you refuse to collect data, companies can threaten to “severely damage” your car:
Some car companies manipulate the driver’s consent by requiring him to “inform all users and passengers of the car about the services, features and limitations of the system, the terms of the Agreement, including the terms regarding the collection and use of data and privacy, as well as the privacy policy.”
Since the collected data is anonymous, it is not considered personal, and the collection and sale of such data does not violate the current legislation of many countries.
At the same time, it is known that specialized data brokers purchase information and de-anonymize profiles for customers, combining dozens of databases of "anonymous" sources. For example, anonymous databases from mobile operators with the coordinates of the movement of "anonymized" users are combined with anonymous databases from car manufacturers with the same coordinates, and then with databases of retail chains about transactions on bank cards and discount programs, profiles from social networks.
As a result, a detailed profile of a supposedly "anonymous" person is compiled, with full information about his personality, including address, place of work, age, gender, phone number, marital status, political interests and personal preferences in life.
Formally, this profile remains anonymous, although the marketing agency knows much more about a person than his relatives. In particular, it can partially predict his behavior and model actions in various scenarios.
According to some experts, such profiling of a large number of citizens allows even group models to be created for large groups, including the population of entire countries. In other words, it is possible to predict or model in advance the popularity of a new product on the market or the rating of a politician with certain characteristics. Some experts express the opinion that these modeling technologies have already been used in the real world to promote specific products on the market.
Source
Unfortunately, following the manufacturers of televisions and other household appliances, automakers have also discovered a new source of income - collecting data about their users (i.e. car owners). Such conclusions can be drawn from the recent report "Privacy Not Enabled" by Mozilla. According to the document, a modern car is a real combine harvester for collecting personal data.
Mozilla tested cars from 25 major brands and found none of them safe. All of them collect and use excessive amounts of user data and suffer from vulnerabilities, violating the security criteria set for this test.
84% of brands admit that they may share drivers’ personal data with service providers, data brokers, and other companies. Nineteen (76%) claim that they may sell drivers’ personal data to third parties. Tellingly, current legislation does not oblige a company to report to whom exactly it has provided or sold personal data (which is not even considered “personal” in anonymized form) and for what purpose.
17 out of 25 car brands received an additional minus in the “track record” column for leaks, hacks, and violations that threaten drivers’ privacy.
Surprisingly, only 56% of automakers claim that they may hand over data to the government or law enforcement agencies in response to a “request.” Mozilla emphasizes that this is not a legal request, but an informal, non-official request that could be made via email or phone.
Some interesting facts
- The personal data collection agreement specifies the types of information that will be recorded and transmitted to a remote server for further profiling and use, including by third parties. One manufacturer lists the car owner's "sexual activity." Another manufacturer also mentions "sexual life." The documents do not specify how this information is collected.
- Six more car companies said they could collect "genetic information" or "genetic characteristics" of the driver.
- Almost all of the car brands on the list have signed the Consumer Protection Principles, compiled by the American automobile group ALLIANCE FOR AUTOMOTIVE INNOVATION, INC. This list includes such important privacy principles as “minimization of collected data,” “transparency,” and “choice.” But in fact, none of the brands follow the signed declaration.
Usually, in such a dire privacy situation, Mozilla recommends avoiding dangerous products and choosing those that can be trusted. But with cars, the situation is different, because absolutely all of them violate the rules for collecting confidential data. In this situation, there are some steps you can take that will partially limit the collection of personal data, including:
- Do not use the car app or restrict its permissions on your phone using iOS or Android settings
- Do not consent to personalized advertising
- Opt out of the sale of your personal data, as well as cross-context behavioral advertising
- Always perform a factory reset before selling or trading your vehicle to clear data and disable the app.
- Before reselling the car, be sure to notify the company about it.
- When purchasing a used vehicle, ensure that the previous owner has deleted their connected account and performed a factory reset
- Use strong passwords and two-factor authentication for apps and services connected to the car
- Provide access to your data only to trusted people
- Opt out of sharing mobile device location data
- Do not use Amazon Alexa in your car because Amazon may collect information about your voice queries, IP address, and geolocation, and use this information to send you advertising.
For specific advice for each car brand, see here.
But compared to the data collection that drivers have no control over, these steps seem like a drop in the bucket: “Navigating the vast and confusing ecosystem of privacy policies for cars, in-car apps, connected services, and more is something most people don’t have the time or expertise to do,” Mozilla writes.
In some cases, taking any precautions at all is pointless. For example, Subaru’s privacy policy states that by getting in, all occupants of a car consent to the use and possibly sale of their personal information simply by being in the car. So when a car company says it only collects data with “opt-in,” it often means consent by default. If you refuse to collect data, companies can threaten to “severely damage” your car:
Some car companies manipulate the driver’s consent by requiring him to “inform all users and passengers of the car about the services, features and limitations of the system, the terms of the Agreement, including the terms regarding the collection and use of data and privacy, as well as the privacy policy.”
Personality profiling and behavior model
Since the collected data is anonymous, it is not considered personal, and the collection and sale of such data does not violate the current legislation of many countries.
At the same time, it is known that specialized data brokers purchase information and de-anonymize profiles for customers, combining dozens of databases of "anonymous" sources. For example, anonymous databases from mobile operators with the coordinates of the movement of "anonymized" users are combined with anonymous databases from car manufacturers with the same coordinates, and then with databases of retail chains about transactions on bank cards and discount programs, profiles from social networks.
As a result, a detailed profile of a supposedly "anonymous" person is compiled, with full information about his personality, including address, place of work, age, gender, phone number, marital status, political interests and personal preferences in life.
Formally, this profile remains anonymous, although the marketing agency knows much more about a person than his relatives. In particular, it can partially predict his behavior and model actions in various scenarios.
According to some experts, such profiling of a large number of citizens allows even group models to be created for large groups, including the population of entire countries. In other words, it is possible to predict or model in advance the popularity of a new product on the market or the rating of a politician with certain characteristics. Some experts express the opinion that these modeling technologies have already been used in the real world to promote specific products on the market.
Source
