How to Keep Your Car From Sharing Your Sensitive Data Behind Your Back
Modern cars generate a ton of data on their drivers and occupants, not all of which you’d like to share with the broader world. Yet that’s exactly the issue uncovered in a recent New York Times report: drivers found that their driving history was making its way to data brokers, who in turn sold the information to insurance companies, often resulting in higher insurance rates. Sadly, that’s just one of many examples as to why it’s more important than ever to know exactly who has access to your car’s information — and what red flags to look for when purchasing a new car or signing up for a new service.
Related: IIHS Study Says Partial Automation May Not Prevent Crashes
Lots of Data, Little Security
A modern connected car generates nearly 25 gigabytes of data per hour, per S&P Global Mobility, with that data ranging from location and driving history to even more sensitive personally identifiable information. That’s an unfathomably large amount of data to most of us given that even the flashiest, most picture-heavy PDF I can find on my hard drive is roughly 0.06% of that.
Many of the basic features you interact with in a newer car are an opportunity to collect data, including “embedded features including geolocation and navigation, companion apps, biometrics, voice recognition, on-board diagnostics and driver assistance,” notes S&P Mobility Senior Research Analyst Vivek Beriwal. “Additionally, cars can collect data in the background via cameras, microphones, sensors, and connected phones and apps.”
Some of the data collected by cars or included in connected systems’ terms of service may strike users as a bit creepy. In Honda’s vehicle data privacy notice, for example, the company says it collects precise vehicle location information at specific points in time that’s accurate to within a radius of 1,850 feet or less — precisely the kind of data that could be dangerous if the wrong person gains access to it. Modern Hondas can also store data on what you’ve searched for through the car’s infotainment system, recordings of vocal commands you’ve given the car, and call history information for any phones connected through the car’s systems (although call data and previous navigation destinations can be wiped through the infotainment system).
Cameras are particularly concerning, especially since they can show views both inside and outside the car. Tesla employees were caught sharing images captured from its cars’ cameras in chatrooms, including one video of a child being hit by a car. While some automakers including Tesla claim to anonymize these views by blurring faces and other measures, these recordings can show very personal or disturbing images, and sometimes contain enough external information or location data to reconnect them with a given car.
That’s a lot of private information to worry about, and there are good reasons to be concerned about who has access. Researchers at the Mozilla Foundation deemed cars the worst product category they’d ever reviewed in terms of data privacy and information security. All of the 25 car companies in their survey had some major privacy-related red flag, with 84% of the companies either selling or sharing data in some way.
Over half of those companies also said that they can share private information obtained with the government or law enforcement in response to a request — not a warrant or other legal order, but a simple request. Even if you’re a model citizen, the decision to allow an invasive search of your car’s data should belong to you, not your car’s manufacturer. Even legal activities like visiting a mental health professional or seeking certain forms of health care across state lines could potentially be used against you by an official abusing their power.
Car companies aren’t great about keeping the data they collect very secure, either. Seventeen of the 25 brands Mozilla looked at had a “bad track record” in the past three years for “leaks, hacks and breaches that threatened their drivers’ privacy.” Worse yet, Mozilla found that some of these were because of mistakes on the manufacturer’s end, not some talented feat of hacking. These data breaches can expose sensitive information about millions of customers at once.
Real-World Consequences
Automakers’ lackadaisical attitude toward data collection and security has had horrifying real-world consequences for owners. Worse yet, it’s hard to tell where all of your sensitive information goes when some automakers share data with third parties in ways customers may not fully understand.
Apps that track and rate driving habits, such as those offered by Honda, Kia, Hyundai and GM, came under fire in the New York Times report for logging extremely detailed data on how customers drive and precisely when — complete with noted instances of hard acceleration, hard braking, speeding and driving late at night — and then allowing data brokers like LexisNexis and Verisk that work with the insurance industry to access that data.
The terms and conditions for GM’s program, OnStar Smart Driver, were so unclear about its data-sharing policies that it even caught out the New York Times’ reporter who covers data privacy issues in the tech industry. Like the other GM customers profiled in her story, she had enrolled in the Smart Driver program without noticing any disclosures that the data would be shared with any third parties.
Customers who did not expect this information to be shared with insurance companies soon found their premiums getting raised. As with certain insurance policies that track driver behavior with apps or devices to set pricing, perfectly safe driving behavior — such as swerving to avoid an object in the road, braking hard when traffic comes to a halt or even going to a track day to learn better car control — is sent to data brokers devoid of its real-world context and labeled as “risky” behavior by default. GM has since discontinued sharing this driver behavioral information with insurance companies, and Hyundai and Kia discontinued its similar Drive Score program shortly afterward.
LexisNexis and Verisk weren’t the only data brokers automotive companies shared drivers’ information with, however. While mobility companies get anonymized data sets, they often get extremely granular information from that data. GM shared data from 10 million connected cars with now-shuttered data broker Wejo, which received not only precise location information, but other operational data down to whether or not the windshield wipers were turned on. High Mobility is another similar data broker highlighted by Mozilla, which partnered with over a third of the companies Mozilla studied and whose data set includes not just cars’ precise location, but data on driver fatigue and even heart rate.
Selling users’ personal data to data brokers is just one way that car companies can make a profit. Eighty-eight percent of the companies studied by Mozilla — which includes every one that sells cars in North America — creates inferences about customers based on other data. Consider this like building a profile, where they can assume other characteristics about you based on the locations you visit, podcasts you listen to, your job and other shared information. Nine of the 24 car companies reserved the right to sell those inferences to third parties.
Connected cars can also pose much greater threats to users’ lives, as apps connected to vehicles include sensitive data (e.g., the car’s precise location) and controls connected to the car itself. This is especially concerning when it comes to abusive relationships where both partners either have access to online services or where the abusive partner is able to set up remote access to various controls and location services, sometimes without the victim’s knowledge.
Red Flags on New Cars
Automakers’ use of drivers’ data sometimes feels a bit too much like “ask forgiveness, not permission,” operating off the assumption that you’ve read and understood the broad, complicated legalese in their privacy policies. Specific items to be concerned about often change as features are introduced and discontinued. Still, there are some universal items that you should look out for when signing up for new services, purchasing a car or making adjustments to how the car you already own handles your data.
The biggest step you can take is taking the time to read the fine print you’re presented at the dealership, even if it might take a while, said Electronic Frontier Foundation Director of Cybersecurity Eva Galperin in an interview with Cars.com. “Insist on taking the time to read through them,” she added. “Don’t let the salesperson pressure you into simply signing them site unseen.”
There are certain terms you should look out for as you go through any purchase or sign-up process related to your car, which includes not just the car itself, but any third-party applications or services that might be on your car (such as a satellite radio or Wi-Fi), any mobile apps related to your car and even paperwork related to the dealership.
“Look out for words like ‘sell’ and ‘share’ to see what is happening to your data,” said Jen Caltrider, Program Director for Mozilla’s Privacy Not Included project, in an email response to Cars.com. “And then pay attention to who it’s being sold to and shared with.”
Another thing to be wary of is any service offered that doesn’t come with a mound of physical paperwork.
“Frequently…a salesperson is entering all of the information about what you are signing up for into the computer, and you can’t see what they’re typing. This can include opting the purchaser into all kinds of services that they don’t want,” said Galperin. “I think that the most important thing is that if your salesperson is entering a bunch of information into the computer, ask to see it.”
Because dealership staff aren’t always the most knowledgeable about all the ins and outs of each feature’s privacy policy, Caltrider suggests skipping any walk-through of the car’s technology when you pick a new car up from the dealership. Car salespeople often get commissions for signing up customers to connected services and other add-ons, and sometimes this is an additional opportunity to get you to opt into extra data-sharing systems. If you can review that information outside of the high-stress dealership environment, that’s a better option.
Once you take delivery of the car, review its settings as well as the settings on any connected mobile apps to make sure you aren’t opted into anything you don’t want.
“Look for settings like ‘Data Privacy’ or ‘Data Usage,’” says the EFF. “When possible, opt out of sharing any data with third-parties, or for behavioral advertising.” Be wary of opting out of anything that could disable features that you want to keep enabled, however, most cars we’ve tested are good about displaying a warning if you’re about to do that.
If you specifically want to avoid sharing with insurance companies, watch out for any app that might score your driving behavior. Chances are, if the feature is named something like “Smart Driver” or “Driving Score,” it may have an option to share with your insurance company, the EFF writes, and you’ll want to check for this option on both the car’s infotainment menus as well as in any connected phone apps.
The Mozilla Foundation suggests even skipping the use of your car’s mobile app, or at the very least, severely limiting what other information it can access on your phone. You can also avoid connecting your phone to your car if you’re worried about sharing sensitive data like contacts or texts. However, Caltrider realizes that skipping the app isn’t always an option.
“With new models, there aren’t a whole lot of ways to minimize data collection; it’s built into the experience. Some models even require the use of an app and other software,” she said.
While we’d love to tell you that avoiding data-oversharing surprises is as simple as reading through the legalese on each contract you sign, the fact that data privacy policies are buried in legalese is a significant problem in its own right. Galperin said it’s “kind of ridiculous” to expect customers to understand every word of a car’s fine print, especially when you aren’t presented with enough time to read through it all and the employees selling the car may not understand all of it, either. Less than 12% of dealerships even inform customers that their car’s data may be shared with third parties, according to Privacy4Cars research cited by CNBC.
“If you’re really concerned about your privacy, your best bet is simply buying an older model — the kind with a tape deck or CD player,” said Caltrider.
More From Cars.com:
- Study: The 10 Most Wanted Features in New Cars
- IIHS Study Says Partial Automation May Not Prevent Crashes
- Next-Gen Apple CarPlay to Integrate More Vehicle Functions
- What to Know Before Purchasing an Electric Vehicle: A Buying Guide
- Find Your Next Car
What You Can Do About Your Data
While it’s best to prevent as much of your sensitive data as possible from being shared in the first place, it’s also a good idea to see what data of yours might already be out there. LexisNexis lets you request a copy of your own Consumer Disclosure Report for free, which lets you know what kinds of data might be getting shared without your knowledge. Verisk announced in May that it stopped receiving driver data from car companies and that it would discontinue offering its Driver Behavior Data History Report to insurers; you can still see what data Verisk collected and compiled in these reports, however.
Privacy4Cars built a useful tool to help consumers learn what kinds of data car companies collect, how that information is collected, and what policies the company has when it comes to privacy and data security. The tool offers advice on how to disable the features, apps and services that share more data than you would prefer.
While Privacy4Cars offers a form to request an opt-out from sharing personal data with third parties, marketing communications and targeted advertising, policies on consumer data vary from manufacturer to manufacturer and you may want to deal with these opt-out requests separately by looking up your automaker’s privacy request form. Most of these forms are available online, and some offer alternate means of submitting your requests through the mail or via phone. Some, like Subaru, tailor their policy to the strictest state’s laws and offer the same opt-outs and data deletion options to every customer in the U.S.; others, such as Stellantis, have different policies on customer data based on where a consumer lives.
It’s Not Just You — This Is Confusing
If this all sounds difficult to navigate as a consumer, well, that’s because it is. The fact that car companies require opting in for invasive data collection policies to use desirable features on a car makes it feel like there’s little to nothing you can do to protect your own data. Even the experts we spoke with agree that owning a connected car inherently means making some compromises when it comes to data privacy.
“Without a national law that puts privacy first, there’s little that most people can do to stop this sort of data sharing,” writes the EFF. “That’s why we need much more than these consumer rights to know, to delete and to opt-out of disclosure. We also need laws that automatically require corporations to minimize the data they process about us, and to get our opt-in consent before processing our data.”
So, if you’re unhappy with the idea that private or personally identifiable data may be shared beyond your car, it’s not just you. Ninety-six percent of the drivers surveyed by insurance savings app Jerry said that they wanted to own all of the data associated with their car, while 78% of those drivers were uncomfortable with the idea of automakers collecting data from them in the first place. So, we at least have some hope that the sheer number of consumers who aren’t happy about connected cars’ deceptive sales tactics or invasive data requirements may force automakers to offer clearer, more consumer-friendly policies in the future.
Cars.com’s Editorial department is your source for automotive news and reviews. In line with Cars.com’s long-standing ethics policy, editors and reviewers don’t accept gifts or free trips from automakers. The Editorial department is independent of Cars.com’s advertising, sales and sponsored content departments.