Modern cars pose problems for data protection

Jan Tissler

Modern cars collect a lot of data with their numerous sensors. As an analysis by the non-profit Mozilla Foundation revealed, manufacturers see this as a potential source of revenue. None of the 25 brands studied prioritise customer privacy.

Many everyday devices are now "smart": they have sensors of all kinds and a connection to the internet. On the one hand, this enables practical functions, but at the same time has implications for data security and privacy.

Many everyday devices are now "smart": they have all kinds of sensors and can connect to the internet. On the one hand, this enables practical functions, but at the same time has implications for data security and privacy. This applies not least to modern cars: they respond to voice commands, monitor the driver's attention and keep an eye on the surroundings. Sensors measure data such as acceleration and the on-board computer can directly access the driver's smartphone – including location data, notifications and contacts. Such functions are becoming more and more commonplace: the management consultancy firm McKinsey, for example, expects 95 percent of all new cars to be connected to the internetby 2030.
This ultimately leads to enormous amounts of data that can reveal many personal details about the occupants of the car. So, this means you need to trust the car manufacturers to handle it wisely. However, this does not seem to be the case. On the contrary, it would seem that manufacturers even view this information as a potential source of revenue and are willing to sell it on. At least that's what a study by the non-profit  Mozilla Foundation suggests. It analysed the privacy agreements of 25 car manufacturers.

A comprehensive data set

The range of data collected is enormous and includes a lot of very personal information. First and foremost, the obvious details such as the name, address, date of birth and contact details of the vehicle owners. It is more serious if the vehicles seamlessly record the behaviour of their users: from the driving style and routes taken to conversations and interactions in the car.

After all, there are enough cameras and microphones. Location data reveals where you have been and when you were on the road. The sensor system also tracks the driver's head movement and gaze direction. The music system stores which radio stations and playlists you like.

For the companies, all this is extremely valuable for creating customer profiles and predicting their behaviour and interests, even beyond the mere use of the car. The information collected can also be combined and compared with other data. The result is a very intimate insight. Many seemingly harmless individual pieces of information, once combined and analysed, give an almost complete picture. The data protection regulations of certain manufacturers who want to collect information on the sex life or intelligence of the occupants, for example, seem somewhat bizarre. All this applies not only to the owner or driver of the car: depending on the manufacturer, passengers too automatically agree that their data will also be processed. The driver is supposed to point out the privacy implications before getting in – a very unrealistic idea.

The information piques interest

Moreover, car manufacturers use this data not just for themselves, but reserve the right to pass it on to third parties. Data traders and advertisers, for example, may be interested. On the whole, however, it is usually unclear what exactly happens with the information. The data protection regulations are often vague and leave many backdoors open. For drivers, it is practically impossible to understand who has access to which information and what it is used for.  But even if the car manufacturers simply collect the data without selling it on to third parties, the mere existence of the data set piques the interest of cybercriminals. At the same time, manufacturers have repeatedly shown in the past that they do not protect this information adequately. More than half of the companies investigated had been affected by hacks or data leaks in recent years. Millions of customers' data had been lost or ended up in the wrong hands. Moreover, Mozilla could not confirm that basic security standards such as encryption were used by any of the 25 brands analysed. When asked, the companies either said nothing or gave an evasive response.

Petition for a rethink among manufacturers

In these circumstances, Mozilla would normally recommend switching to privacy-friendly alternatives. However, there don't seem to be any in the case of cars: All 25 manufacturers fail when it comes to privacy. Ultimately, only public pressure can help to promote a rethink. Mozilla has started a petition for this. Car customers in the EU and Switzerland may feel slightly reassured because of stricter data protection laws. Some restrictions and regulations from DSGVO and Co. are certainly helpful. However, as a buyer, you automatically accept the data protection regulations. And they can still be far-reaching. With Tesla, for example, you can definitely object to the data collection. However, this can impair the function of the car, the company warns, potentially causing the vehicle to stop working entirely.