Buying a new car means your privacy might as well be left up on blocks, according to a study released Wednesday by the Mozilla Foundation.
“Modern cars are a privacy nightmare,” researchers Jen Caltrider, Misha Rykov, and Zoë MacDonald write (emphasis in the original) in their introduction to that report, published under the equally scathing headline "It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy."
The report, based on what the authors say was “over 600 hours researching the car brands’ privacy practices,” concludes that the 25 carmakers profiled might as well have been asleep at the wheel for the last 10 years of data breaches: They collect too much data from the sensors stuffed into their increasingly connected vehicles, share or sell too much of that, and grant drivers too little control over this collection and sharing.
Tesla fared worst of them all in Mozilla’s evaluation, with demerits in all five categories (data use, data control, track record, security, and AI), notwithstanding the upfront statement in Tesla’s privacy policy that it “never sells or rents your data to third-party companies.”
The researchers instead objected to the volume of data that Tesla vehicles collect, the history of it being misused (such as April’s report that employees shared video from Tesla car cameras), language that suggests Tesla won’t insist on a court order before handing over data to law-enforcement investigators, and what they regarded as opaque and untrustworthy “Autopilot” and “Full Self-Driving” systems.
Sixteen brands from eight companies—Ford and its Lincoln brand; Honda and its Acura subsidiary; Hyundai and Kia; GM’s Cadillac, Chevrolet, Buick, and GMC; Mercedes-Benz; Nissan; Toyota and Lexus; and Volkswagen Group’s Audi and VW—received a failing grade on the first four of those categories.
Nissan drew extra scorn from the researchers in an all-caps verdict that suggests this company, not Tesla, should have been at the far end of the junkyard: “THEY STINK AT PRIVACY!”
A key factor in that harsh judgment was a facepalm-inducing privacy policy that says Nissan may collect data points up to and including “sexual activity” (per the policy, if they somehow come up in conversations between customers and Nissan employees) and build a marketing profile that covers your “psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”
Another six makes from three firms (BMW; Stellantis brands Chrysler, Dodge, Fiat, and Jeep; and Subaru) only got dinged in the data use, data control and security categories. Two other makes, Renault and its subsidiary Dacia, escaped with failing marks in data use and security–but since neither sells in the United States, that’s of little benefit to US customers.
(It’s unclear why Mozilla included those last two brands in a report with so many references to US law enforcement instead of, say, Mini, Rivian or Volvo.)
The report, the latest chapter in the “Privacy Not Included” series that the nonprofit behind the Firefox browser began publishing in 2017, says Mozilla contacted all of these companies with requests for comment. But it received vague-to-useless replies from only Ford, Honda, and Mercedes.
It further notes that all of these companies besides Renault and Tesla have signed the Consumer Privacy Protection Principles document (PDF) first released in 2014 by the Alliance For Automotive Innovation but contends that none follow those terms. For example, that document says carmakers should require a warrant or court order before handing over location and other sensitive information to law enforcement, but Hyundai’s privacy notice suggests that “informal” requests from police may suffice.
That Washington-based trade group wrote those principles after an outcry over remarks at CES in January 2014 by Ford executive Jim Farley in which he seemed to brag about how much data the company collected from its cars. Apparently, nearly a decade hasn’t been enough time for this industry to learn about the virtues of data minimization and writing privacy policies that expressly limit their action instead of maximizing their future flexibility.
Mozilla’s report doesn’t offer much actionable advice to drivers beyond opting out of whatever categories of data collection are available and ensuring you factory-reset a car’s software before selling or trading it.
It does not, however, advise voting for candidates who will enact stronger privacy regulations–something that’s happened in Europe with the General Data Protection Regulation and in California with the California Consumer Privacy Act, as noted by the report’s nod to that 2018 law, but which has eluded the grasp of Congress to date.