In the Privacy Soapbox, we give the stage to privacy professionals, guest writers, and opinionated industry members to share their unique points of view, stories, and insights about data privacy. Authors contribute to these articles in their personal capacity. The views expressed are their own and do not necessarily represent the views of Didomi.
Do you have something to share and want to take over the privacy soapbox? Get in touch at email@example.com.
Note: This article was originally published on September 11, 2023, on the Yes We Trust blog.
The automotive industry is shifting gears to an ultra-connected future, as cars rapidly become "smartphones on wheels," routinely including a broad range of advanced infotainment systems and connected services. However, this transition presents data privacy and cyber security risks for consumers.
I recently purchased a new electric car myself. The sophisticated embedded infotainment system includes a built-in Google Maps app, which can display how much car battery will be left by the time I reach my destination, or show me nearby charging stations, among other things. But the amount of data shared between my car manufacturer and Google doesn’t stop there. It also includes data, such as braking, turning, and acceleration information, or even air conditioning status.
The car is also equipped with various sensor data, including cameras, lidar, radar, and ultrasonic sensors, able to detect objects and people in the public traffic environment.
This data is collected in the name of convenience, R&D, but also safety. My connected car provides 24/7 assistance and in the unlikely event of an accident, emergency services are automatically notified without the need for describing the collision location. While some of these can be switched off from the car privacy settings, the amount of data collected by the car manufacturer raises questions about data privacy, data sharing, and potential misuse by corporations.
Let's take a look at where it all started and how we ended up driving smartphone-on-wheels.
The rise of the smart vehicle
In the past couple of decades, the automotive landscape has undergone a transformational technology shift. Cars have fully embraced the digital realm and gone from mere transportation devices to sophisticated, connected systems.
This change can be attributed to several causes and reasons:
The digital revolution: As smartphones and other devices started to become commonplace, there is a growing expectation for every aspect of our lives to become connected. Carmakers recognized this and incorporated infotainment systems, wireless connectivity, and app integrations into their vehicles.
Safety and efficiency: Connected vehicles started to increasingly provide enhanced safety features, from collision warnings and lane departure alerts, all the way to alerts on vehicular health or maintenance. Safety has been extensively used as a marketing and branding device by car manufacturers since the invention of the seatbelt in 1959.
The push for self-driving: Once a sci-fi dream, self-driving is becoming a reality made possible by sensors, cameras, and software innovation to create smarter autonomous cars that won't eventually need human drivers to actually steer the wheel. The race towards autonomous driving has led to numerous innovations that are incorporated into our vehicles today.
Consumer expectations: As technology becomes a constant in our lives, the fact that our vehicles become connected is a logical next step. Remote start, location tracking, and in-car entertainment are now default features in every new car model.
While innovation in vehicles is, for the most part, and at first glance, for the benefit of car users, it comes with very valid concerns about privacy. Our vehicles are now becoming part of the vast Internet of Things (IoT) ecosystem, and having an understanding of what that entails for our privacy rights is critical - not only for us as consumers but also for automotive companies, and policymakers.
Let's take a closer look at some of the privacy implications and challenges related to smart vehicles.
Privacy challenges of connected cars
My experience as a new owner of a connected car has been interesting. Upon first setting up my car infotainment system, I was invited to consent to various data-sharing parameters, for purposes ranging from safety to behavioral analytics.
The experience, very reminiscent of the one we help organizations implement using our Consent Management Platform (CMP) at Didomi, was not as transparent as one could expect, and led me to raise an eyebrow and to look deeper into these practices coming from car manufacturers.
Connected cars generate a trove of data: precise driving routes through GPS, driving patterns and telematics (e.g., speed and breaking patterns), music preferences, voice commands, search histories in infotainment systems... the list goes on.
Altogether, this data helps companies learn behavior and patterns to serve consumers better, but collecting it also triggers privacy compliance obligations and opens the door for threat actors to acquire sensitive information. In terms of security issues, an attacker can learn where the driver lives and, with the right technology, steal the EV without a trace. An attacker can also impair the battery capacity and speed/acceleration faculties of the vehicle, creating dangerous conditions for drivers and others on the road.
Other examples can include remote hacking incidents where security researchers gained access to digital car keys and breached third-party software used for accessing vehicle data.
Yet, despite the risks involved, information regarding who has access to this data, how it's being used, and what some of the vulnerabilities are seem to remain nebulous for consumers.
A recent Mozilla study on the topic reveals that most car brands have a not-so-stellar track record when it comes to privacy. Among 25 car brands reviewed by Mozilla’s *Privacy Not Included team, none have passed the organization privacy test, making cars the worst category of products ever reviewed on the website.
"Cars’ new bells and whistles mean the potential for more data-collecting sensors, cameras, and microphones. But unlike with apps or smart home devices, most drivers aren’t even aware this data is being collected -- let alone have the power to turn it off."
- Misha Rykov, researcher at *Privacy Not Included (Source: Mozilla Foundation)
The study paints a grim picture of car manufacturers' data privacy practices, including that they:
Collect a lot of personal data
Sell a lot of that data to third parties
Give little to no control to car users over their data
Provide artificial consent to users
These concerns are reflected in the courtroom and in news headlines around the world, where car manufacturers have been garnering more and more attention regarding their data privacy practices.
In the United States, vehicles' "black boxes" (essentially event data recorders) have been used for years to determine the course of events (and the responsibility of drivers) in case of a collision and can be leveraged to incriminate or exculpate drivers. This is also the case in France, where new cars entering circulation must since last year contain similar devices to help to provide information in the case of a road accident.
While this is generally perceived as a positive use of technology, it also has deep surveillance implications.
From artificial intelligence reporting drivers to law enforcement to license plate sharing for invasive tracking purposes, tracking in cars seems to happen everywhere. It starts from the vehicle identification number (VIN) that serves to identify a specific vehicle, all the way to the connected devices installed in the car, and through the partnerships established between manufacturers and software providers (Mercedes-Benz and Google, General Motors and Android, Amazon and Stellantis, etc).
Users have little to no say, despite being given the option to consent or refuse connectivity.
“However, if you no longer wish for us to collect vehicle data or any other data from your Tesla vehicle, please contact us to deactivate connectivity. Please note, certain advanced features such as over-the-air updates, remote services, and interactivity with mobile applications and in-car features such as location search, Internet radio, voice commands, and web browser functionality rely on such connectivity.
If you choose to opt out of vehicle data collection (with the exception of in-car Data Sharing preferences), we will not be able to know or notify you of issues applicable to your vehicle in real time. This may result in your vehicle suffering from reduced functionality, serious damage, or inoperability."
- Tesla Customer Privacy Notice (Source: Tesla)
In light of these concerning data privacy practices, what are regulators putting in place, and what can we expect for the future of data privacy for connected cars?
What is the future of data privacy for connected cars?
Car manufacturers face the daunting task of designing a comprehensive privacy compliance program amidst a patchwork of international, federal, and state laws. As 5G’s footprint expands, vehicle-to-everything (V2X) and production at the pace of innovation are rapidly becoming realities: by 2027, it’s projected to account for 23% of automotive cellular connections.
According to Juniper Research, connected vehicles are predicted to surpass 367 million globally by 2027 as 5G unlocks data-heavy use cases.
In-car data privacy harvesting is emerging as an issue in the automotive industry, with Federal Liberal Senator James Paterson claiming last February that all Chinese car brands are required by the Chinese Government to covertly assist intelligence agencies. China's industry ministry issued last May, a series of draft technical standards. Among the proposed rules, the Ministry of Industry and Information Technology plans to ban smart vehicles in China from transferring data directly abroad, pushing them instead to use domestic cloud services.
Equally, the European Automobile Manufacturers’ Association (ACEA), which represents the 15 Europe-based car, van, truck, and bus makers, has established 5 key principles of data protection that were adopted by the European industry and might signify the manufacturer's global role in shaping data privacy, including transparency, customer choice, ‘privacy by design,’ data security and the proportionate use of data.
As car makers are pivoting towards a market where the connected experience matters as much as more traditional car features, data privacy will continue to grow as a major influencing factor in the purchasing decision for consumers. Those that manage to create a comprehensive connected experience while respecting consumers' data privacy are bound to come out on top.