Mozilla recently reported that of the car brands it reviewed, all 25 failed its privacy tests. While all, in Mozilla’s estimation, overreached in their policies around data collection and use, some even included caveats about obtaining highly invasive types of information, like your sexual history and genetic information. As it turns out, this isn’t just hypothetical: The technology in today’s cars has the ability to collect these kinds of personal information, and the fine print of user agreements describes how manufacturers get you to consent every time you put the keys in the ignition.
“These privacy policies are written in a way to ensure that whatever is happening in the car, if there’s an inference that can be made, they are still ensuring that there is protection, and that they are compliant with different state laws,” Adonne Washington, policy council at the Future of Privacy Forum, said. The policies also account for technological advances that could happen while you own the car. Tools to do one thing could eventually do more, so manufacturers have to be mindful of that, according to Washington.
Beyond covering all imaginable legal bases, there simply isn’t any way to know why these companies would want deeply personal information on their drivers, or what they’d do with it. And even if it’s not what you would consider a “smart” car, any vehicle equipped with USB, Bluetooth or recording capabilities can capture a lot of data about the driver. And in much the same way a “dumb” tv is considerably harder to find these days, most consumers would be hard pressed to find a new vehicle option that doesn’t include some level of onboard tech with the capacity to record their data. A study commissioned by Senator Ed Markey nearly a decade ago found all modern cars had some form of wireless technology included. Even the ranks of internet listicles claiming to contain low-tech cars for “technophobes” are riddled with dashboard touchscreens and infotainment systems.
“How it works in practice we don’t have as much insight into, as car companies, data companies, and advertising companies tend to hold those secrets more close to the vest,” Jen Caltrider, a researcher behind Mozilla’s car study, said. “We did our research by combing through privacy policies and public documentation where car companies talked about what they *can* do. It is much harder to tell what they are actually doing as they aren’t required to be as public about that.”
The unavailability of disconnected cars combined with the lack of transparency around driver data use means consumers have essentially no choice to trust their information is being used responsibly, or that at least some of the classes of data — like Nissan’s decision to include “genetic information” — listed in these worrying privacy policies are purely related to hypothetical liability. The options are essentially: read every one of these policies and find the least draconian, buy a very old, likely fuel-inefficient car with no smart features whatsoever or simply do without a car, period. To that last point, only about eight percent of American households are carless, often not because they live in a walkable city with robust public transit, but because they cannot afford one.
This gets even more complicated when you think about how cars are shared. Rental cars change drivers all the time, or a minor in your household might borrow your car to learn how to drive. Unlike a cell phone, which is typically a single user device, cars don’t work like and vehicle manufacturers struggle to address that in their policies. And cars have the ability to collect information not just on drivers but their passengers.
The burden of these agreements doesn’t end with their presumptive data collection, or the onus to relay them to every person riding in or borrowing your car. The data held in-vehicle and manufacturer’s servers becomes yet another hurdle for drivers should they opt to sell the thing down the line. According to Privacy4Cars founder Andrea Amico, be sure to get it in writing from the dealer how they plan to delete your data from the vehicle before reselling it. “There’s a lot of things that consumers can do to actually start to protect themselves, and it’s not going to be perfect, but it’s going to make a meaningful difference in their lives,” Amico said.
Consumers are effectively hamstrung by the state of legal contract interpretation, and manufacturers are incentivized to mitigate risk by continuing to bloat these (often unread) agreements with increasingly invasive classes of data. Many researchers will tell you the only real solution here is federal regulation. There have been some cases of state privacy law being leveraged for consumers’ benefit, as in California and Massachusetts, but on the main it’s something drivers aren’t even aware they should be outraged about, and even if they are, they have no choice but to own a car anyway.