The Chaos of Automotive Data Privacy

Regulators and other privacy advocates believe vehicle-related data collection and brokering is in overdrive. One expert believes the day of reckoning is coming.

Many vehicle owners are willing to trade a certain amount of data security for the safety and convenience features made possible with increasingly sophisticated vehicle connectivity, such as with GM’s groundbreaking OnStar telematics. (GM)

Surveillance of vehicles and the people in them has been happening virtually since the time there was more than a handful of automobiles on the road. But in today’s vehicles that are increasingly software-based, with seamless connections to Apple CarPlay, Android Auto and all manner of convenience apps simply a screen away, the information that can be gathered about vehicle occupants ranges into the “terror-bytes.”

Occupant-monitoring systems are vital to derive the most from ADAS technology, but some privacy advocates are concerned about constant camera surveillance of the vehicle cabin. (Bosch)

In the fight for privacy, smart vehicles are a significant battleground that deserves more consideration. A headline from the Mozilla Foundation’s *Privacy Not Included research initiative ( https://foundation.mozilla.org/en/privacynotincluded/  ) flatly said, “It’s Official: Cars are the Worst Product Category We Have Ever Reviewed for Privacy.”

Modern vehicles are tracking our data and are connected in ways that share driver location and behaviors, with no way for the vehicle occupants to know how the collected data is being used or how – or if it’s even possible – to turn it off. This is why a new agency in California designed to protect people’s privacy just announced it is opening a probe.

A group called Privacy4Cars launched an online tool to allow consumers to view key privacy facts about a vehicle by looking up its VIN. The tool is available for free at vehicleprivacyreport.com  .

Over-the-air (OTA) updates and automakers’ desire to offer more revenue-generating content are the latest vectors to consumer data. The 2022 Jeep Grand Cherokee offered streaming of Amazon Fire TV. (Stellantis)

Current laws allow third parties, including law enforcement and insurance companies, to monitor travel and driving behaviors whenever they see fit. Unfortunately for drivers, onboard cameras have been routinely accessed by third parties  .

Arguments about who owns that data – automakers or Apple and Microsoft and the myriad of app suppliers – will continue long after midnight. But, be warned: they are collecting immense amounts of data about you and your driving habits and using that data to make money. Lots of money.

“Companies have an extreme desire to collect as much data as they can,” Janet Haven, executive director of the think tank Data and Society, said. “This is the business model – to collect data and build products around that data, or to sell that data to data brokers.”

SAE Media recently spoke with John Gilmore, Head of Research, at DeleteMe, the first service of its specific kind: a one-stop-shop, consumer data broker opt-out service. Gilmore said DeleteMe  is a company that “makes it quick, easy and safe to remove your personal data online”.

Gilmore has a 20-year background in business-intelligence research, having started at Datamonitor with DeleteMe founder Rob Shavell. Gilmore joined DeleteMe five years ago as the company expanded and has been closely involved in its development of a B2B service providing privacy services to institutions.

SAEM: Auto data – how it’s collected, who owns it – is big news these days.
John Gilmore, DeleteMe head of research. (DeleteMe)

Gilmore: Yes. The Mozilla Foundation published a report about car data privacy. And it's gotten a lot of media attention. For instance, the California Attorney General's Office is initiating an investigation of how cars handle consumer data and is it compliant with state privacy law as it stands.

Mozilla created the Firefox browser. They're really the only independent browser company in the world. So Mozilla has always had a strong focus on how to improve online privacy data for users. Recently, Mozilla released three reports focusing on automotive privacy. They ranked several auto companies on how they protect their car owners’ privacy. Not one company passed the test about what data is being tracked and to whom that data is sold.

SAEM: How is that possible?

GILMORE: As of 2018, there were no real auto consumer data protection laws. Essentially, we lived in the Wild West, and any company providing an app for a mobile phone, or anybody providing services to drivers could pretty much track any data they wanted, without asking permission.

SAEM: Where are we today?

Gilmore: Since 2018, several things have happened; Europe passed the GDPR (General Data Protection Requirement), which has completely bifurcated Europe and the U.S. over data privacy, because their rules are way different than our rules. The Feds have not yet passed any federal consumer privacy legislation. As a consequence, several states began passing their own versions of GDPR between 2019 and 2023. And these rules, in theory, apply to any services provided by automotive in our cars.

A lot of services – Apple CarPlay, Android Auto, Sirius radio, other apps – may be in violation of the law, because they do not ask permission. And they also don't provide notice of what they do with the data that is being collected. All of that needs to be disclosed today in ways that it did not need to be disclosed last year.

SAEM: What can vehicle buyers do?

Gilmore: I’m paraphrasing Mozilla here. Consumers have very little control. They can choose to not use a car app or try not to use connected services, but that might mean their car doesn’t work properly – or at all. Consumers have almost zero control and options in regard to privacy other than simply buying an older model.

Regulators and policymakers are behind on this front. But momentum for protection is rapidly growing on the consumer side, and within the next 12 months we could have a series of lawsuits against car companies.

SAEM: What is DeleteMe doing in this area?

Gilmore: As a privacy company, we have nothing to do with protecting car data. We talk about this issue, because we are very up-to-date on the current regulatory regimes and the trends they're taking. For consumers, we can remove their data from location brokers.

Ride-hail and rideshare vehicles are a potentially rich source for user data-mining. This driverless vehicle is part of a Los Angeles pilot program between Lyft and AV developer Motional. (Lyft)
SAEM: From the Mozilla report, a selection of what some auto companies said about automotive privacy: “Data breaches are common. Serious data leaks and breaches are ordinary in the industry.”
  • “Some brands have more than five different privacy-policy documents, an unreasonable number for consumers to engage with.”
  • Companies can share data with law enforcement and governments based on “formal or informal” requests.”
  • “They can share and sell consumers’ “preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes” to data brokers, law enforcement, and other third parties.”
  • “By being a passenger, you are considered a user — and by being a user, you have consented to their privacy policy. Several car brands also note that it is a driver’s responsibility to tell passengers about the vehicle's privacy policies.”
SAEM: How do you see the auto industry responding?

Gilmore: When I said most automakers are probably in violation of U.S. state laws at the moment, which is true, they are definitely in violation of GDPR. And the Europeans eventually are going to come after them in Europe. The big tectonic shift in how cars have changed over the last decade is that it used to be the owner of a vehicle could access how the car functions and improve or disable things as needed. Today, because all of the computer systems are integrated in a vehicle, you can't actually change anything without needing to update the entire car's operating system. So if you replaced a part with a non-compliant part, it could affect all of your car's systems. You wouldn't be breaking the law if you altered the software that controls your vehicle, but you would be in violation of the user agreement that the car companies have given you.

SAEM: That sounds rather one-sided.

Gilmore: Yes. It's changed the nature of the relationship between the individual and vehicle so that the owner does not have control over the basic functions of the car. And even where those controls exist, they don't necessarily tell you, as the user of that vehicle, how to disable or enable certain features; all of the features are enabled by default. And no one at any point ever asks your permission. So for instance, from day one of owning a modern car, your telemetry, meaning how the car functions, how many miles it does, how fast it's driven – all of that telemetry is being gathered.

SAEM: Has Tesla played a large role in how automotive technology has evolved?

Gilmore: Yes, car companies are becoming like Tesla: technology companies. They collect a lot of data and sell a lot of data. And they're doing a lot of data processing. But unlike technology companies, they move really slowly.

But the data-privacy issue went from being nothing five years ago to being worldwide, both Europe and the United States rapidly changing the rules. Very few people are as conscious of this as we are because we're a privacy company. The tech industry is very conscious of it, because they're getting sued left and right. Currently, the car industry is not conscious. They're not there yet.

For the last five years, they've kind of looked at this and said, customers don't care. And they would have been right. They would have been right three years ago. But they are not right in 2023. This is rapidly becoming an area where consumers are paying a lot of attention. Surveys done this year say when people are told their location data is being tracked, 75 percent said they would turn it off if they could.

SAEM: How do you see this issue being resolved?

Gilmore: When you bought a car, you made an implicit agreement that you will allow the car company to collect whatever data they want from your vehicle. And no one asked your permission. But that does not meet notice and consent requirements under many existing laws. And as soon as Attorneys General have figured this out, they're gonna go after the car companies because they like big targets – and there are few bigger targets than big tech and big car companies.