Can carmakers be trusted with our data?

Mozilla finds that car companies are harvesting every byte of information on us that they can

Big car manufacturers have admitted to selling customer data obtained through connected cell phones and apps.
Big car manufacturers have admitted to selling customer data obtained through connected cell phones and apps.

Your car is generating about 25,000-megabytes of data. Per hour. Let’s put that in perspective. That’s enough to completely fill the memory chip of 97 mid-spec iPhones, every 60 minutes. If information is power, then your car is practically omnipotent.

According to Statista, that 25,000 megabytes includes music streaming, sat-nav data, and even online browsing. In other words, your car knows where you are and where you’re going, what you’re listening to, and what you just clicked on.

In Europe, in theory, that data is protected and must be thoroughly rinsed and anonymised before it can be used by that carmaker, or sold on to an interested third party — thanks to the GDPR laws which govern the use of personal data across the EU.

In other markets, things are not so tightly regulated and Mozilla’s Privacy Not Included project — part of the same Mozilla Foundation that designs the Firefox internet browser — has started ringing some major alarm bells about how people’s in-car data is being harvested and used by big carmakers in the US.

READ MORE

Mozilla has dug into the terms and conditions small print that everyone generally ignores and just presses the agree button so that they can get to the touchscreen menu that they want. According to the Privacy Not Included team, those terms and conditions, in some cases, go way beyond what you might expect.

Mozilla points out that General Motors brands — including Cadillac, Chevrolet, and Buick — are getting people to agree that they can collect data regarding your “genetic, physiological, behavioural, and biological characteristics”. Quite how a car can harvest that kind of information is an unanswered question, but surely it’s worrying enough that any carmaker might want to legally cover themselves for collecting it at all?

Think this is a US-specific problem? Not quite … Kia and Nissan are also mentioned by Mozilla, as companies that can, with your legal consent, collect “genetic information”.

Nissan actually goes a little further and says that once you press the absent-minded agree button, it’s also collecting data on your “intelligence” and “sexual activity”.

Other carmakers called out by the Mozilla report include Hyundai, Toyota, Volkswagen, BMW, Tesla, Ford and Mercedes

Mozilla then points out that Nissan’s US operations suffered a significant data breach in January of this year, affecting almost 18,000 of its customers. Mozilla further pointed out that: “We couldn’t confirm if any of the car brands we researched meet our Minimum Security Standards. That’s really bad and not normal. Mostly, we can’t tell if all that personal data is encrypted at rest on the car. It’s a scary thought to think the data your car collects and the data your phone shares with your car could be sitting unprotected on your car.”

Other carmakers called out by the Mozilla report include Hyundai, Toyota, Volkswagen, BMW, Tesla, Ford, and Mercedes.

It’s not just data collection and collation, nor how secure that data might be. Mozilla is also expressing concerns about the race towards ever-higher levels of vehicle connectivity. Mostly, carmakers sell this tech to use as benign, even useful — such as systems that allow you to speed-limit your car when a particular key is being used.

Or indeed, to set up alerts for when the car is driven outside of a defined geographical area when that same key is being used. As Mozilla points out, while car makers generally tout such a function as being about keeping teenage drivers safe and monitored, they could also be used by coercive or abusive partners who wish to monitor and control where and when someone can travel. “Even if you don’t share a car with anyone who might use these features to spy on or control your behaviour, you probably don’t want those drivers to be able to see your location whenever you’re driving,” said Mozilla.

Such concerns appear to be the tip of a very unpleasant data iceberg. If a patent filed by Ford is anything to go by, then the next thing might be cars that repossess themselves.

No, this doesn’t mean a car that needs to be doused with holy water and reported to some secretive agency in the Vatican. It means a car that can simply drive itself back to the dealership if you fall behind in your personal contract plan payments.

Again, this is more of an issue in the US than in Europe, where financial providers are more likely to engage with a customer who’s defaulted on payment to sort things out with a new repayment plan. In the US, things can be more aggressive when it comes to falling behind on your loans, and the Ford tech is the autonomous new tip of that spear.

There are others who report that the car industry in general is simply not taking data security seriously

The patent — titled pretty plainly “Systems and Methods to Repossess a Vehicle” — includes a few interventions before the final act. First, the on-board screens will start reminding you that you’ve missed a loan payment. Then, the vehicle will, petulantly, start disabling popular features such as your phone connection, or maybe the air conditioning, or the heated seats.

Mozilla points out that the patent also includes the potential to use the car’s features, such as the infotainment system, windows, and air conditioning, so that you “experience ‘certain’ and then ‘additional level[s] of discomfort’ that, we guess, will motivate you to make those payments. In another scenario, the car will play an annoying (’unpleasant’ — according to the patent) sound that won’t stop until the payment is made. These are especially cruel ideas in the context of the United States (where the patent was filed) since a not-insignificant number of people live in their cars.”

There are others who report that the car industry in general is simply not taking data security seriously. According to a report by the influential HackerOne website, the car industry, in total, paid out $483,809 in so-called “bug bounties”. These are payments made to “white-hat” hackers — computer experts who investigate and try to circumvent software security in order to report it and gain a reward, rather than for malicious purposes.

That was by far the lowest payout for the eight industrial sectors that HackerOne surveyed. The financial services industry, for example, paid out $3.4 million to those reporting bugs and gaps in software security. The software industry paid out more than $ 8.7 million.

What’s concerning is that this is coming at a time when carmakers are increasingly trying to portray themselves as tech giants, rather than traditional steel and plastics industries. Cars are ever-more being portrayed as “smartphones on wheels” — mostly because that’s what car company chief executives assume younger demographics want to buy.

Worse yet, we are now seeing the rise of car companies introducing their own app stores to in-car touchscreens, and increasing expectations that customers will have accounts, backed by credit card or bank payments, to pay for rolling subscriptions. If all that is to come to pass, carmakers might want to start being more generous with white-hat hackers who pass along details of gaps in the software.

We see there are lessons that can be learned. It’s critical to focus on building the right defences to prepare for and thwart attacks

—  IBM Ireland general manager Paul Farrell

The commerce and retail sectors, along with software in general, were the types of industries most attacked by hackers in the past year, according to HackerOne. Transport featured much less, rated at 21 per cent, but if your car becomes a rolling home to commerce and retail, driven by software …

“We see there are lessons that can be learned. It’s critical to focus on building the right defences to prepare for and thwart attacks,” said IBM Ireland general manager Paul Farrell. “How? By practising preparedness and experiencing attacks before they happen. Through simulation tests government entities and companies can learn how to better react under pressure and ensure they have a robust, effective and quick incident response plan in place. Also, backing up data is a vital step toward cyber resilience. Ensuring not only that that they have effective backups of critical systems but that they’re also testing these backups — this can determine the size and scale of impact that a cyberattack could have.”

It might be that many of us assume that this is a problem only for those outside the EU, where we are theoretically protected by the GDPR laws. Not so, however.

The EU is promulgating a new Data Act, but this covers specific areas, leaving others open to exploitation. For example, while the Data Act says that your location and journeys cannot be tracked and reported by the car’s sat-nav system, it does not cover data that is regarded as “self-generated”.

According to legal experts Lexology, the Data Act will not cover “data that the connected vehicle generates when the user records, transmits, displays or plays content as well as the content itself”. That could cover you streaming a film while you charge an EV, for example, but it could also be argued that “content” covers your phone conversations, or even your own image — carmakers now routinely use in-car cameras to monitor your face, while Mercedes is about to introduce a selfie camera embedded into the dashboard of the new E-Class saloon, so that the driver can — when safely parked up — make and take Zoom calls from their car.

Worse still, whatever it does and does not eventually cover, the Data Act is late. Speaking about the delays in enacting legislation covering car-generated data, the BEUC (European Consumer Organisation) said: “This delay in proposing a sector-specific regulation is particularly detrimental to consumers: they see their car sharing a growing amount of data without any control over it and they are being locked in communication systems without any possibility to make alternative, informed choices. Further delay in taking legislative action will only open the door to further abuses by carmakers or tech companies.

Everything that will happen inside and outside the car — entertainment, payment services, navigation system, but also connection with the consumer’s smartphone and home-connected devices — will be controlled by Amazon, in what looks like a data dystopian scenario

“Indeed, carmakers do not simply act as gatekeepers for the access and use of consumers’ data. The emergence of application platforms and the growing involvement of technology giants pose serious concerns to how this data will be used. Recently, Stellantis (Citroën, Opel, Peugeot, Fiat ... ) concluded an agreement with Amazon to equip its vehicles with software-defined platforms and use Amazon cloud services to store data. Everything that will happen inside and outside the car — entertainment, payment services, navigation system, but also connection with the consumer’s smartphone and home-connected devices — will be controlled by Amazon, in what looks like a data dystopian scenario. This is bad for consumers’ privacy, this is also bad for the competitive structure of not only in car market, but also other related markets such as transport and logistics, as Amazon could use the data harvested to reinforce its market power across numerous markets it is active on.”

In the meantime, Mozilla is asking people to sign its online petition, with which it hopes to force carmakers to reduce the amount of data that they collect. “The situation with cars and privacy is not good. Cars are so far the worst category of products we have ever reviewed at Privacy Not Included, with every single car brand we looked at earning our warning label. We’re worried about the amount and the sensitivity of the information car companies collect about you. Based on their track records alone, we don’t trust them to keep it safe. And we don’t think a lot of the ways that your information is being shared or sold benefits drivers or anyone besides the businesses who exist to make money off of your data,” said the Mozilla team.

Neil Briscoe

Neil Briscoe

Neil Briscoe, a contributor to The Irish Times, specialises in motoring