
25 Major Car Brands Get Failing Marks From Mozilla for Security and Privacy 

Mozilla has analyzed the privacy and security of 25 major car brands and found that they collect a lot of data and can share it or sell it to third parties. 

Mozilla has analyzed 25 major car brands and given all of them failing marks for privacy and security. They collect significant amounts of personal data and they can share it with others, often without the customer’s explicit permission.

As part of its ‘Privacy Not Included’ project, Mozilla has analyzed privacy policies and apps provided by car manufacturers. Targeted brands include BMW, Renault, Subaru, Fiat, Jeep, Chrysler, Volkswagen, Toyota, Lexus, Ford, Audi, Mercedes-Benz, Honda, Lincoln, Acura, Kia, GMC, Chevrolet, Hyundai, Nissan, and Tesla.

The research showed that privacy policy documents provided by these companies inform customers about a wide range of data being collected, including health and genetic information, race, immigration status, weight, facial expressions, location, driving speed, multimedia content, and even sexual activity.

The data is collected through mobile apps, dealerships, company websites, vehicle telematics, sensors, cameras, microphones, and phones connected to the vehicle.

Mozilla has ranked companies based on data use, data control, track record, and security. The best are Renault and its subsidiary Dacia, which are European companies required to comply with the EU’s General Data Protection Regulation (GDPR).

At the other end of the chart are Nissan and Tesla. The former stands out for harvesting ‘creepy’ data about the user’s sexual activity, while the latter is the worst because — in addition to failing every privacy and security check — it uses what Mozilla describes as ‘untrustworthy AI’. 

Major car manufacturers often disclose data breaches impacting their customers’ personal data. In addition, privacy policies for more than half of the brands reveal that they can share collected information with law enforcement and other government agencies. Furthermore, 84% say they can share personal data with service providers, data brokers and others, while 76% state that they can sell the harvested personal data.  

In the case of many products with a cyber component, the consumer needs to specifically accept a privacy policy before using that product. In the case of cars, however, consent is often presumed simply because a person is a passenger.

“For example, Subaru states that by being a passenger, you are considered a user — and by being a user, you have consented to their privacy policy. Several car brands also note that it is a driver’s responsibility to tell passengers about the vehicle’s privacy policies,” Mozilla said.

The organization also noted, “While consumers can choose to not use a car app or try not to use connected services, that might mean their car doesn’t work properly — or at all. Consumers have almost zero control and options in regard to privacy, other than simply buying an older model. Regulators and policy makers are behind on this front.”

Mozilla researchers attempted to reach out to each of the analyzed brands for clarifications on their privacy policies, but only Mercedes responded with a vague statement. 

Mozilla concluded that of all the types of products covered by its Privacy Not Included project, cars are the worst. 

“We’re worried about the amount and the sensitivity of the information car companies collect about you. Based on their track records alone, we don’t trust them to keep it safe. And we don’t think a lot of the ways that your information is being shared or sold benefits drivers or anyone besides the businesses who exist to make money off of your data,” Mozilla said.

“We’re also worried that this is just the beginning. We’re worried that new sensor technology could help car companies create, collect, combine, and sell even more information about you,” it added.


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
