Your New Car Is Tracking You In Ways You Don't Even Realize - And Tesla Is The Worst
Between in-dash systems and connected mobile apps, cars have become intimately personal computing devices as much as laptops, smartphones, smartwatches, fitness trackers, and smart TVs. This means that they're collecting a lot of data for the car manufacturers, most of which are then sharing or outright selling the data to others. On Wednesday, the Mozilla Foundation's Privacy Not Included blog released a new, wide-ranging analysis of car data collection habits and privacy policies, and the news contained therein is not good. The authors dubbed current cars "the worst product category we have ever reviewed for privacy."
As a result, every single brand reviewed earned Mozilla's "Privacy Not Included" warning. The blog post stresses that every choice is less than desirable, but it comes down to degrees and which concessions owners will be least uncomfortable with. That ranges from Tesla being the second product ever reviewed by the blog (after the Replika AI chatbot) to be "dinged" in every single privacy category it tracks, to bizarre granularities like Nissan and Kia warning that they can collect information about your sex life, to very tangible problems like Hyundai admitting that it will turn over your data to law enforcement without a court order. With that in mind, let's take a deeper look at what all of this entails and the steps you can take to mitigate personal privacy issues.
Tesla isn't all bad when it comes to privacy, just mostly
On one hand, Privacy Not Included's deeper dive into Tesla notes that Elon Musk's electric car company pledges in its privacy policy that your data will never be "sold, tracked or shared without your permission or knowledge." On the other hand, Tesla's past actions have shown that the company can't entirely be trusted in that regard. Back in April, Reuters reported that photos and videos taken by Tesla vehicles' outside-facing cameras were freely shared among company employees. This included everything from a random customer approaching his car naked to a peek inside Musk's garage. The following month, a whistleblower helped break a story about customer data breaches, as well.
There are other issues, too. While Tesla gives the option to opt out of data collection, it stresses that the data collection is required for "certain advanced features such as over-the-air updates, remote services, and interactivity with mobile applications and in-car features such as location search, Internet radio, voice commands, and web browser functionality." It gets worse, though: Tesla further states that "This may result in your vehicle suffering from reduced functionality, serious damage, or inoperability" because "we will not be able to know or notify you of issues applicable to your vehicle in real time." Yes, Tesla says that opting out of data collection could brick your car.
Overall? Not great.
Nissan's and Kia's privacy policies are a unique kind of creepy
In the fifth episode of the 1998/1999 season of "Saturday Night Live," the monologue was followed by the usual commercial parody, albeit a particularly memorable one. That would be the Mercury Mistress, a car that men could literally have relations with. It's the kind of crude, but well-executed bit that the sketch show was known for in those days, and if Nissan and Kia's data collection policies are any indication, it may have inspired some future car company employees.
As noted in the Privacy Not Included assessments of Nissan and Kia, the two companies' privacy policies are startlingly specific about the kind of information they can collect about, among other things, your sex life. Nissan's privacy policy has a handy chart breaking down what data can be collected under what circumstances, and it's, in a word, weird. The chart breaks down how "[d]irect contact with users and Nissan employees" could lead to the collection of "sensitive personal information" that includes, among other things, "religious or philosophical beliefs, sexual orientation, sexual activity, precise geolocation, health diagnosis data, and genetic information."
Yes, really.
The specific reasons given don't really matter because the list ends with "and for other purposes in the ordinary course of employment or the provision of other services according to the terms that govern those programs." And they can share this with "Service Providers or affiliates." At no point is it explained why any of this would come up. Kia's privacy policy, meanwhile, includes similar language about collecting "genetic data" as well as "sex life or sexual orientation information."
Why is this happening? Who knows.
Hyundai will happily give the government your data
If law enforcement and other government access to your data is a particular concern of yours, then you'd be best off avoiding Hyundai cars going forward. Privacy Not Included's deep dive on Hyundai notes that the South Korean car company's privacy policy has a particularly worrisome note about "[l]egal compliance and lawful requests." In that section, Hyundai says that it may disclose your data "to comply with applicable legal or regulatory obligations, including as part of a judicial proceeding, in response to a subpoena, warrant, court order, or other legal process, or to cooperate with investigations or lawful requests, whether formal or informal, from law enforcement or government entities." (Emphasis ours.)
The suggestion appears to be that Hyundai would be happy to turn your personal data over to law enforcement without a warrant, subpoena, or court order. At least waiting for a formal, adjudicated request does not feel like a particularly high bar to clear, yet Hyundai just ... won't.
On top of all that? Hyundai had a major data breach in April and has been having a difficult time patching an exploit that made stealing its cars almost trivial.
What can you do to maintain your privacy?
All of the car companies reviewed by Privacy Not Included have myriad issues, so any advice can only go so far, but there are some simple steps that can be taken to make the situation less severe. Some of these are basic internet and device security steps that don't apply exclusively to cars. Don't opt into anything personalized, opt out of whatever you can, use strong passwords, utilize two-factor authentication, and do a factory reset if you're selling the car just as you would with your phone. Some are less obvious, like using Android or iOS privacy controls to restrict what your car's mobile app — or other apps that interface with your car — has access to.
This doesn't address everything, of course, since some of the aforementioned issues go way beyond what you can do on your end or even the limits of the in-car computer in general. After all, Nissan's strangely invasive privacy policy's most strangely invasive section specifically governs "[d]irect contact with users and Nissan employees." So if you want to keep overly personal data from somehow being mined, you need to make sure that you never say a word about it to anyone working for the car company. Not that you would have a reason to in the first place, but you're not the one who set the policy requiring you to consciously consider this problem.