The Secret Life of Cars

The Secret Life of Cars

Today’s vehicles have more and more electronics for safety and ease of use, but that convenience comes at a price. Using a new car’s features often requires connecting your phone to the vehicle and allowing the vehicle to access the information on your phone. Car companies are able to obtain more and more data on drivers, passengers, and even pedestrians, all without their knowledge or consent. At the very least, any consent provided is unknowing since the privacy policies are notoriously difficult to understand and are exceedingly long.

Consider all of the ways you interact with your vehicle without even thinking about it. When you sit down, the vehicle can detect your weight. When you close the door and drive off, the vehicle can detect whether you have a passenger and how many. Vehicle companies can gather personal data through sensors, microphones, cameras, GPS tracking, touch sensors, buttons, and screens and other ways you interact with your car that produce data collection points. Some of the car companies even try to collect private information not connected to your vehicle like medical information, genetic information, and even information about your sex life.

The Mozilla Foundation, the creators of the Firefox browser, spent more than 600 hours reviewing the privacy policies of 25 car manufacturers and found some disturbing news. These popular global brands, including BMW, Ford, Toyota, Tesla, Volkswagen, and Subaru, can collect deeply personal data such as:

your name

email address

postal address

phone number

age range

nationality

gender

immigration status

race

facial expressions

weight

where you drive

weather conditions

road surface conditions

traffic signs

demographic data

sensor data

where you work

where you live

places you go.

Sensors can also gather information about how the vehicle is operated and used, such as speed, use of the accelerator, brakes, steering, and seat belt usage, as well as current location, travel direction, speed, and even information about the usage of vehicle features, services, and what you listen to while driving.

If that information is not enough, vehicle systems also gather vehicle- and driving-related data: information about the vehicle, its components and parts, including status and performance, and diagnostics of vehicle systems, VIN, hardware model and part numbers, odometer, tire pressure, fuel and fluid levels, battery and lock status, trouble codes, warning indicators, alerts, and other information about how the vehicle is performing.

In the United States, there are no legal requirements about what information can be collected or what is done with it. Car manufacturers can share or sell this data to third parties, such as service providers, data brokers, and other businesses we know little or nothing about. They can even share your data with law enforcement or government agencies with little more than an informal request, not even a subpoena.

Car companies can use the data they collect to make debtors pay or the car can repossess itself. Ford even applied for a patent in August 2021 for a system that allows them to turn off features like air conditioning, restrict where and when the vehicle drives, or lock the vehicle completely when a borrower misses payments (Patent Application No. 17/408,004).

Did I mention that researchers also found that car companies do little to protect your private information? That leaves all of this data exposed to hackers. According to Axios, 233.9 million people were affected by 2,116 data breaches as of September 2023, an increase from 1,802 in 2022.

While you have no right to delete data, there are some things that you can do. Start by avoiding the use of your car’s app or limiting its permissions on your phone. Doing so may mean that certain features like over-the-air updates, remote services, and interactivity with mobile applications and in-car features such as location search, Internet radio, voice commands, and web browser functionality that rely on such connectivity will be limited.

When you get rid of your vehicle, always do a factory reset to wipe your data clean and disconnect the app. Use strong passwords and set up two-factor authentication for apps and services that connect to your car. When giving access to your data, make sure that you limit that access to trusted third-parties. When connecting a mobile app to the car, minimize the amount of data collected through this app.

Wherever your vehicle ends up, your data goes with it, so be cautious about how you interact with your car and what information you allow it to access. Be cautious about connecting your phone to rented vehicles as well. When I rented a vehicle recently, I connected my phone to it but declined to allow it access to the data on the phone. When I returned the vehicle, I noticed a list of phones that had once been connected to that car. Since mine was on that list, I pressed the button to forget the phone, but did it really forget my phone?

While worrying that our doorbells and watches that connect to the internet might be spying on us, we didn’t consider that our cars might in fact be bigger spies.

If you have questions about this article or about privacy issues in general, please contact Mitchell Goldstein (mgoldstein@setlifflaw.com) at (804) 377-1269, or Steve Setliff (ssetliff@setlifflaw.com) at (804) 377-1261.