Mozilla Names And Shames Privacy Compromising Cars

Car manufacturers are being confronted by the failing privacy safeguards of their vehicles, after Mozilla Foundation published its latest edition of Privacy Not Included (PNI).

Mozilla’s reviewed 25 global car brand names, and for the first time in the seven year history of PNI, all 25 manufacturers received failing scores.

And some of the data that these cars collect is truly alarming. According to Mozilla research, popular global brands – including BMW, Ford, Toyota, Tesla, Kia, and Subaru – can collect deeply personal data such as sexual activity, immigration status, race, facial expressions, weight, health and genetic information, and where a person drives.

Data collection

Mozilla researchers found data is being gathered by sensors, microphones, cameras, and the phones and devices that drivers connect to their cars, as well as by car apps, company websites, dealerships, and vehicle telematics.

And to make matters even worse, certain car brands can then share or sell this data to third parties.

Car brands can also take much of this data and use it to develop inferences about a driver’s intelligence, abilities, characteristics, preferences, and more.

For the first time Mozilla’s *Privacy Not Included research found that none of the brands meet Mozilla’s Minimum Security Standards. Specifically, researchers couldn’t confirm whether any of the brands encrypt all of the personal information they store on vehicles, and only one of the brands (Mercedes) even replied to Mozilla’s questions about encryption.

Mozilla said its researchers spent 600 hours reading privacy policies, downloading apps, and corresponding with brands as part of its investigation.

“The very worst offender is Nissan,” noted Jen Caltrider at Mozilla. “The Japanese car manufacturer admits in their privacy policy to collecting a wide range of information, including sexual activity, health diagnosis data, and genetic data – but doesn’t specify how.”

“They say they can share and sell consumers’ ‘preferences, characteristics, psychological trends, predispositions, behaviour, attitudes, intelligence, abilities, and aptitudes’ to data brokers, law enforcement, and other third parties,” warned Caltrider.

Worse offenders

Other top offenders include Volkswagen, which collects demographic data (such as age and gender) and driving behaviours (like seatbelt and braking habits) for targeted marketing purposes.

Toyota meanwhile features a near-incomprehensible galaxy of 12 privacy policy documents; Kia, whose privacy policy states they can collect information about your “sex life”; and Mercedes-Benz, which manufactures certain models with TikTok (an app with its own privacy issues) pre-installed.

Analysts estimate that by 2030, car data monetization could be an industry worth $750 billion.

While all car makers had privacy failings, Mozilla researchers identified Renault as the least problematic. This could be down to the fact that Renault has to comply with General Data Protection Regulation (GDPR), said Mozilla.

“Many people think of their car as a private space – somewhere to call your doctor, have a personal conversation with your kid on the way to school, cry your eyes out over a break-up, or drive places you might not want the world to know about,” said Jen Caltrider, *PNI Program Director.

“But that perception no longer matches reality,” said Caltrider. “All new cars today are privacy nightmares on wheels that collect huge amounts of personal information.”

Mozilla also warned that car apps add a new level of complexity (and creepiness) to the mix.

Growing problem

Privacy implications for cars have been growing for a while now.

In 2021 US magazine Consumer Reports highlighted concerns about Tesla’s in-car cameras.

The in-car cameras are part of the driver monitoring system, which Tesla (and some other manufacturers) utilise to ensure the driver is paying attention to the road, and not sleeping at the wheel, as happened in Canada in September 2020.

Then in April this year privacy concerns surfaced again when it emerged that Tesla’s workforce reportedly internally shared sensitive images taken from the cameras on customer’s cars.