Your modern car spies on you, and you’re the only one who can limit it

You know the liberated feeling you sometimes get when you jump into your car — that it’s your own private, personal space?

Forget it. Perhaps that once was true, but today it’s a delusion. If you own a vehicle made during the past decade, you’re being surveilled — by your car. Big Brother isn’t just some monolithic governmental entity in Washington, D.C. He’s very much embedded in the private sector.

The modern car—essentially hundreds of computers on wheels—isn’t just tracking miles driven. It’s tracking where you go, how long you stay, how hard you use the brakes, and how fast you go, along with hard cornering, forward collision alerts, lane-departure warnings, seat belt reminders, race, immigration status, even sexual activity.

And in many cases, that data collected without your knowledge or informed consent is being stored and then shared or sold to marketers, insurance companies, and law enforcement.

This should not come as a shock. Surveillance through ubiquitous security cameras and the devices you use and carry is now mainstream. For years, privacy advocates have sardonically labeled the annual National Data Privacy Day on January 28 as National Lack of Privacy Day, arguing that not only is privacy dead — it’s even more dead than it was the year before.

Dark humor notwithstanding, there’s not much humor in the reality that vehicles you think you own and control are spying on you. And so far, your elected government hasn’t done much to intervene and protect you from it. Right now, privacy protection is mostly up to users.

Exhibit A is the Federal Trade Commission (FTC), which just recently issued a warning to the auto industry. It declared in a recent blog post about connected cars that its concerns about data collection in vehicles have “been on the FTC’s radar for years,” going back at least to 2013, and that “firms do not have the free license to monetize people’s information beyond purposes needed to provide their requested product or service.”

It warns that “Car manufacturers — and all businesses — should take note that the FTC will take action to protect consumers against the illegal collection, use, and disclosure of their personal data.”

But the post doesn’t list a single action taken against the auto industry, even after more than a decade of the problem being on its “radar.” Nor does it specify what, if anything, is illegal.

Chris Clark, automotive software and security solutions architect with Synopsys, is not surprised. “The FTC has stated that it will tackle consumer data privacy but has taken little, if any, action to protect consumers up to this point,” he said, adding that “it’s highly questionable that any real change will occur under the current FTC leadership.”

Rampant privacy invasion

Which probably explains why, as mainstream news reports have documented, abuse of consumer data in the auto industry has been rampant for years. In one of the most recent, reporter Kashmir Hill wrote in The New York Times (also carried by Yahoo! News) about her and her husband’s experience buying a General Motors Chevrolet Bolt last December.

“Automakers have been selling data about the driving behavior of millions of people to the insurance industry,” she wrote. “In the case of General Motors, affected drivers weren’t informed, and the tracking led insurance companies to charge some of them more for premiums. I’m the reporter who broke the story. I recently discovered that I’m among the drivers who were spied on.”

The reason, she learned, was that she had been signed up for OnStar, the company’s connected services plan, and also enrolled in a program called Smart Driver. OnStar is frequently pitched as a safety measure — it will call 911 for you if you’re knocked out in a collision.

Hill wrote that she had no recollection of enrolling in either, but the result — which she and her husband got from a LexisNexis report, was “a breakdown of the 203 trips we had taken in the car since January, including the distance, the start and end times, and how often we hard-braked or accelerated rapidly. The Verisk report, which dated to mid-December and recounted 297 trips, had a high-level summary at the top: 1,890.89 miles driven; 4,251 driving minutes; 170 hard-brake events; 24 rapid accelerations; and, on a positive note, zero speeding events.”

Clark said those data points are “just the tip of the iceberg,” adding that “as sensors become more prevalent and capable, new methods of vehicle and driver data points will become available.”

Tip of the iceberg indeed. A review of 25 car brands published last fall by the Mozilla Foundation calling vehicles a “privacy nightmare on wheels,” reported that “popular global brands — including BMW, Ford, Toyota, Tesla, Kia, and Subaru — can collect deeply personal data such as sexual activity, immigration status, race, facial expressions, weight, health and genetic information, and where you drive.”

That data is being gathered by “sensors, microphones, cameras, and the phones and devices drivers connect to their cars, as well as by car apps, company websites, dealerships, and vehicle telematics,” Mozilla reported, adding that “brands can then share or sell this data to third parties.”

Hill wrote that she had checked in mid-January to make sure she wasn’t enrolled in Smart Driver. “The app said we weren’t, and thus we had no access to any information about how we drove. But in April, when we found out our driving had been tracked, my husband signed into a browser-based version of his account page, on GM.com, which said our car was enrolled in “OnStar Smart Driver+.” GM said this discrepancy between the app and the website was the result of ‘a bug’ that affected a ‘small population’ of customers. That group got the worst possible version of Smart Driver: We couldn’t get insights into our driving, but insurance companies could.”

No informed consent

She wasn’t alone. One car owner told her that after GM started collecting and selling her data to insurers, her premium had jumped 50%. Another, who drove his Cadillac CTS-V “around a racetrack for events, saw his insurance premium nearly double, an increase of more than $5,000 per year.”

Hill also reported that “in 10 federal lawsuits filed in the last month, drivers from across the country say they did not knowingly sign up for Smart Driver but recently learned that GM had provided their driving data to LexisNexis.”

In her case, “What I can say is that regardless of who pushed the consent button, this screen about enrolling in notifications and Smart Driver doesn’t say anything about risk-profiling or insurance companies,” she wrote. “It doesn’t even hint at the possibility that anyone but GM and the driver gets the data collected about how and where the vehicle is operated, which it says will be used to ‘improve your ownership experience’ and help with ‘driving improvement.’”

With the company caught with both hands fully in the data cookie jar, a spokesperson told Hill that it was discontinuing the Smart Driver program “based on customer feedback,” and would begin unenrolling them over the next several months.

But as her story documented in multiple ways, the company had been collecting and profiting from customers’ data without their informed consent for years.

This would seem to be an egregious violation of consumer privacy. But so far, as noted earlier, the FTC’s stance is more rhetoric than action.

Its “warning” to the auto industry is filled with qualifiers, such as that certain uses of data “can be” illegal, as in “the Commission has established that the collection, use, and disclosure of location can be an unfair practice.” It doesn’t list anything that is, without qualification, illegal or unfair.

There oughta be a law

Rebecca Herold, CEO of The Privacy Professor and a longtime privacy advocate, said the FTC is not entirely to blame for that. She noted that while there is a federal law — the Health Insurance Portability and Accountability Act — that governs the healthcare industry, “the manufacturing industry lacks a data protection regulation that is enforced by the U.S. DOT [Department of Transportation], or some other appropriate regulatory agency, which could possibly be the FTC.”

“So, it could be argued that there have not been expectations or regulatory requirements to date for vehicle manufacturers to engineer privacy and security protections into their vehicles and related products.”

In other words, an agency like the FTC could only impose sanctions on a company if it violates its own contracts or any promises it makes to its customers. If a company violates those, the FTC could then sanction it for unfair or deceptive business practices.

And that’s because Congress has failed to pass a rigorous data privacy law for vehicles that the DOT or FTC could then enforce.

Hence the qualifiers in the FTC blog post, which also refers to news reports that have “suggested” that vehicle data collection “could be” used to stalk people or to affect their insurance premiums. Hill’s story goes far beyond “suggesting” that the data collection resulted in higher insurance premiums.

Clark said insurers also use the data from vehicle surveillance “to deny claims and even cancel policies.” And he said the danger goes well beyond that. “The vehicle has insight into almost every aspect of your life — where you go, who you talk to, when, vices, and so much more. When you have this information, you can link it to other sources such as financial transactions. The potential for harm is monstrous.”

The FTC didn’t respond to several requests for comment. Which means, as noted earlier, that if vehicle owners want to protect their privacy, they’ll have to do it themselves — probably like those who filed those federal lawsuits.

It’s up to you

And on that front, the FTC does have some advice. In a post from 2018, it notes that “When you sell or donate your car, [your] personal data might be accessible to the next owner if you don’t take steps to remove it.”

That should go beyond a factory reset, available on some vehicles. “For example, your old car may still be connected to subscription services like satellite radio, mobile wi-fi hotspots, and data services. You need to cancel these services or have them transferred to your new vehicle,” according to the post.

It lists types of data that may be stored in the car’s built-in hard drive or navigation system including phone contacts; address book; mobile apps’ log-in information; data gathered and stored on mobile apps; digital content like music; location data like addresses; the routes you take to home, work, and favorite places; and garage door codes for your home or office.

The post also recommends checking to make sure you’ve cleared connections between your devices and the car.

Regarding the other data collection and use documented by Hill, Clark said even though GM’s unenrolling of customers in Smart Driver came after some bad publicity, it’s an indication that the market has some force that could move the industry in the right direction.

“At this point, the FTC has taken a lukewarm approach to addressing any of the indicated items,” he said. “It hasn’t delivered any concrete requirements. But this is an opportunity for the industry to get ahead of regulators and create a social contract with their customers and consumers.”

That can’t come soon enough, he added, given the inexorable expansion of data collection and use. “Today, data that was intended for a single audience or diagnostic is finding new ways of being correlated and valued,” he said. “Insurance companies are probably among the top 10 data consumers for automotive, but others include manufacturing, consumer trackers, and testing organizations.”

Herold agrees. “I’m thankful for my tire inflation sensors and oil change monitors, and how they communicate to me when I need to have those things serviced. However, that data should not be communicated to any others, or used for any other reasons — marketing, tire research, my car insurance company, law enforcement, etc. — without my explicit consent.”