Modern cars collect more personal data than necessary, the Mozilla Foundation said in a report on Wednesday, describing automobiles as “powerful data-gobbling machines” designed to harvest sensitive information like your race, genetic information, facial expression, and even sexual activity.
After reviewing 25 top car brands, Mozilla found that none of them meet its requirements for privacy.
“That’s right: every car brand we looked at collects more personal data than necessary and uses that information for a reason other than to operate your vehicle and manage their relationship with you,” the report said.
All 25 carmakers earned the “Privacy Not Included” warning label, “making cars the worst category of products for privacy that we have ever reviewed,” Mozilla said.
Mozilla couldn’t even confirm whether the carmakers meet basic security standards like encryption, because the carmakers didn’t share this information.
“A failure to properly address cybersecurity might explain their frankly embarrassing security and privacy track records,” the report said.
Meanwhile, according to McKinsey, 95% of cars sold globally will be “connected” by 2030 as cars that run on fossil fuel are expected to be phased out by many countries to combat global climate change and reduce air pollution.
Cars Harvest Tons of Personal Data
Modern connected cars have sensors, cameras, microphones, GPS, and more. While these features enhance convenience, they also record every interaction a driver has with the vehicle, the routes they travel, the apps they access on their phones, the conversations they have, and so much more.
Not only do carmakers use this data for marketing and research, but 84% of them say they can share users’ personal data with “service providers, data brokers, and other businesses…”
Meanwhile, 76% of automobile companies said they may sell this data, and 56% said they may share it with law enforcement or the government when requested — even if it’s an “informal request.”
Only two of the 25 carmakers reviewed — Renault and Dacia — assert that drivers can ask for their data to be deleted. According to Mozilla, this is possibly because these cars are only available in Europe, where personal data is highly guarded by the General Data Protection Regulation.
“In other words: car brands often do whatever they can legally get away with to your personal data,” Mozilla noted.
A Failure to Address Cybersecurity
Not only do carmakers fail at privacy, but they also fail to implement proper cybersecurity safeguards, Mozilla said, noting that 68% of the car brands have a history of “leaks, hacks, and breaches that threatened their drivers’ privacy.”
Mozilla’s Minimum Security Standards include adequate encryption, software security updates and vulnerability management, strong passwords, and a strong privacy policy. According to the Foundation, none of the carmakers satisfy these requirements.
On the subject of security, Mozilla offered examples of carmakers’ “bad track record” over the years. For instance, in 2021, Volkswagen and its subsidiary Audi experienced a data breach affecting 3.3 million users. Toyota suffered a prolonged leak over a decade, compromising the data of 2.15 million users between 2013 and 2023. The Japanese carmaking giant also suffered other high-profile incidents, such as a cyberattack that forced it to temporarily shut down all its manufacturing plants in Japan in 2022.
Meanwhile, Mercedes-Benz disclosed a data leak in June 2022, perpetrated by a third-party vendor, which exposed the personal information of up to 1.6 million potential and existing customers.
These incidents exposed sensitive user data like names, street addresses, email addresses, and phone numbers.
‘Consent Is an Illusion’
According to the Mozilla Foundation, carmakers often compel drivers to agree to their privacy policies. The report highlighted two examples of this manipulative approach to user consent. For instance, Subaru’s policy assumes that passengers in their cars have automatically “consented” to data collection and potential resale of their personal information by merely being inside the vehicle.
Meanwhile, Tesla offers an opt-out for data collection but warns that this could compromise the vehicle’s functionality or even lead to “serious damage, or inoperability.”
Some other carmakers, like Nissan, go a step further by placing the onus on car owners to inform passengers about privacy policies, making the owner complicit in securing “consent” from others.
“Consumers have very little control. While consumers can choose to not use a car app or try not to use connected services, that might mean their car doesn’t work properly — or at all. Consumers have almost zero control and options in regard to privacy, other than simply buying an older model. Regulators and policy makers are behind on this front,” Jen Caltrider, Director of Mozilla’s *Privacy Not Included guide, told VPNOverview.
With access to so much data, carmakers can infer other information about drivers. For example, giving up access to the “title,” “artist,” or “genre” of the music you listen to in your car may seem innocuous. However, when combined with other information like your employment and route history, these musical preferences could reveal more about you than you might think, potentially filling in blanks about your personal “preferences.”
How to Protect Your Data From Carmakers
Generally, Mozilla advises either not using car apps or limiting the permissions these apps ask for on your device.
The Mozilla Foundation is calling on drivers to sign a petition that will “ask car companies to respect drivers’ privacy and to stop collecting, sharing and selling our very personal information.”
We recommend checking your car system’s menus for security or privacy settings, then reviewing and adjusting them to increase your privacy and safety. Read our guide to staying safe online for more security tips.
As with any tech product, we urge drivers to scrutinize carmakers’ data collection policies. Consult the Mozilla Foundation’s buyer’s guide for tips on protecting your data from different carmakers.
