25 Major Car Brands Get Failing Marks From Mozilla for Security and Privacy 

Mozilla has analyzed the privacy and security of 25 major car brands and found that they collect a lot of data and can share it or sell it to third parties. 

Mozilla has analyzed 25 major car brands and given all of them failing marks for privacy and security. The brands collect significant amounts of personal data and can share it with others, often without the customer’s explicit permission.

As part of its ‘Privacy Not Included’ project, Mozilla has analyzed privacy policies and apps provided by car manufacturers. Targeted brands include BMW, Renault, Subaru, Fiat, Jeep, Chrysler, Volkswagen, Toyota, Lexus, Ford, Audi, Mercedes-Benz, Honda, Lincoln, Acura, Kia, GMC, Chevrolet, Hyundai, Nissan, and Tesla.

The research showed that privacy policy documents provided by these companies inform customers about a wide range of data being collected, including health and genetic information, race, immigration status, weight, facial expressions, location, driving speed, multimedia content, and even sexual activity.

The data is collected through mobile apps, dealerships, company websites, vehicle telematics, sensors, cameras, microphones, and phones connected to the vehicle.

Mozilla has ranked companies based on data use, data control, track record, and security. The best are Renault and its subsidiary Dacia, which are European companies required to comply with the EU’s General Data Protection Regulation (GDPR).

At the other end of the chart are Nissan and Tesla. The former stands out for harvesting ‘creepy’ data about the user’s sexual activity, while the latter is the worst because — in addition to failing every privacy and security check — it uses what Mozilla describes as ‘untrustworthy AI’. 

Major car manufacturers often disclose data breaches impacting their customers’ personal data. In addition, privacy policies for more than half of the brands reveal that they can share collected information with law enforcement and other government agencies. Furthermore, 84% say they can share personal data with service providers, data brokers and others, while 76% state that they can sell the harvested personal data.  

With many products that have a cyber component, the consumer must specifically accept a privacy policy before using the product. With cars, however, consent is often presumed simply because someone is a passenger.

“For example, Subaru states that by being a passenger, you are considered a user — and by being a user, you have consented to their privacy policy. Several car brands also note that it is a driver’s responsibility to tell passengers about the vehicle’s privacy policies,” Mozilla said.

The organization also noted, “While consumers can choose to not use a car app or try not to use connected services, that might mean their car doesn’t work properly — or at all. Consumers have almost zero control and options in regard to privacy, other than simply buying an older model. Regulators and policy makers are behind on this front.”

Mozilla researchers attempted to reach out to each of the analyzed brands for clarifications on their privacy policies, but only Mercedes responded with a vague statement. 

Mozilla concluded that of all the types of products covered by its Privacy Not Included project, cars are the worst. 

“We’re worried about the amount and the sensitivity of the information car companies collect about you. Based on their track records alone, we don’t trust them to keep it safe. And we don’t think a lot of the ways that your information is being shared or sold benefits drivers or anyone besides the businesses who exist to make money off of your data,” Mozilla said.

“We’re also worried that this is just the beginning. We’re worried that new sensor technology could help car companies create, collect, combine, and sell even more information about you,” it added.

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
