The safety of the connected car

The Mozilla Foundation spent about 600 hours investigating the security of 25 car brands.

Here are the highlights of what they found:

Of all the products that have been investigated by the Mozilla Foundation for security and privacy, cars have emerged as the most insecure. Health apps are the next least secure category.

Subaru’s privacy policy says that even passengers of a car that uses connected services have “consented” to allow them to use — and maybe even sell — their personal information just by being inside.

Twenty-two of the 25 car brands (88%) mentioned creating inferences: assumptions about users based on other data.

84% of the car brands say they can share users’ personal data — with service providers, data brokers, and other businesses we know little or nothing about. 76% (19 brands) say they can sell this collected personal data.

Only TWO car companies, Renault and Dacia, say that users have the right to have their data erased. Both of these companies operate only in Europe, where the strict GDPR rules apply.

Of the 25 car brands, Tesla received the worst score. It was the only company that got a poor score for its Artificial Intelligence implementation. Tesla’s AI-driven Autopilot cars are now reportedly involved in 17 deaths and 736 crashes. This feature is being investigated by many governments.

Tesla’s privacy notice contains this gem:

“If you no longer wish for us to collect vehicle data or any other data from your Tesla vehicle, please contact us to deactivate connectivity. Please note, certain advanced features such as over-the-air updates, remote services, and interactivity with mobile applications and in-car features such as location search, Internet radio, voice commands, and web browser functionality rely on such connectivity. If you choose to opt out of vehicle data collection (with the exception of in-car Data Sharing preferences), we will not be able to know or notify you of issues applicable to your vehicle in real time. This may result in your vehicle suffering from reduced functionality, serious damage, or inoperability.”

What is wrong with this language is that it creates undue pressure on the user to accept this connectivity, even though millions of cars around the world have run just fine without being connected to the central servers of their makers. Cars are expected to last. That is what quality is for. This kind of manipulative language leads to a decision by the user that appears to be informed, but is actually not.

Nissan’s privacy policy makes the user “promise to educate and inform all users and occupants of your Vehicle about the Services and System features and limitations, the terms of the Agreement, including terms concerning data collection and use and privacy, and the Nissan Privacy Policy.”

In plain language, not only does Nissan expect the user to read and understand the technical Terms of Use, it also puts on the owner the burden of informing every single passenger of the car that their data is being collected. It also allows Nissan to collect the data of users who sit in the vehicle.

More information: This report by Mozilla explains data collection and sharing by car companies.

Question for you: Would you like to sit in a taxi that collects your data from your phone when you sit in it?