Unfortunate news: Your car functions as a surveillance tool. If your vehicle was manufactured in recent years, chances are you’re driving a data-collection machine that might gather highly personal details such as your ethnicity, weight, and even intimate activities. Mozilla’s *Privacy Not Included project has revealed these findings, demonstrating that all major car brands fall short of meeting basic privacy and security standards in their new internet-connected models, with none of the 25 brands examined passing the organization’s assessment. Notably, car manufacturers like BMW, Ford, Toyota, Tesla, and Subaru are shown to accumulate data about drivers, including information about race, facial expressions, weight, health status, and travel destinations. Some vehicles even collect unexpected details, such as sexual activity, racial background, and immigration status.
Jen Caltrider, program director of the *Privacy Not Included project, said, “Many people think of their car as a private space — somewhere to call your doctor, have a personal conversation with your kid on the way to school, cry your eyes out over a break-up, or drive places you might not want the world to know about.” However, this perception no longer aligns with reality. Modern cars have transformed into privacy concerns on wheels, amassing vast amounts of personal information.
These data-gathering practices involve various tools, including microphones, cameras, and connections to drivers’ smartphones. Manufacturers also acquire data through their apps and websites, which they can then sell or share with third parties.
Nissan stands out as the most problematic in this regard, with its privacy policy suggesting the collection of data related to sexual activity, health diagnoses, and genetic information, though the specifics of data collection remain unclear. Nissan even reserves the right to share and sell this data to data brokers, law enforcement, and other third parties.
Other brands don’t fare much better. Volkswagen, for instance, tracks your driving habits, such as seatbelt usage and braking patterns, and combines this with demographic information for targeted advertising. Kia’s privacy policy permits monitoring of your “sex life,” while Mercedes-Benz ships cars with TikTok pre-installed on their infotainment systems, adding another layer of privacy concerns.
Amid these revelations, some manufacturers offered responses. BMW asserted that it provides comprehensive data privacy notices and allows vehicle drivers to make specific choices about their personal data collection. BMW also stated that it does not sell in-vehicle personal information and takes extensive measures to protect customer data. Mercedes-Benz mentioned that the MercedesMe Connect app offers users privacy settings and the ability to opt out of certain services.
However, many unanswered questions persist. Most car brands failed to disclose whether they encrypt the data they gather, with only Mercedes-Benz responding to Mozilla’s inquiries. Additionally, Mozilla found that several car brands engage in “privacy washing,” presenting consumers with misleading information that suggests there are no privacy concerns when, in fact, the opposite is true. These car manufacturers have signed onto the Alliance for Automotive Innovation’s “Consumer Privacy Protection Principles,” which Mozilla characterizes as a non-binding set of vague promises created by the car industry itself.
Consent is another concern. Subaru, for instance, treats passengers in the car as “users” who have consented to data collection, and several car brands place the responsibility on drivers to inform passengers about their car’s privacy policies, despite these policies often being complex and difficult to understand. Toyota, for example, has 12 different privacy policies, adding to the confusion.