An evaluation of 25 vehicle brands’ consumer privacy policies found that none of them offer adequate protection, according to Mozilla’s “*Privacy Not Included” survey. Each brand collects too much data, can share or sell data too widely and fails to grant drivers control over their data, Mozilla said in its survey released Tuesday.
The “*Privacy Not Included” survey, launched in 2017, found that all 25 car brands reviewed collect more personal data than necessary and use that information beyond operating the vehicle. Some brands even collect data about drivers’ sex lives and genetics. Automakers harvest personal information through sensors, microphones, cameras, connected phones and other devices, company websites, dealerships and vehicle telematics, Mozilla said.
“There are no good choices for consumers because pretty much all car companies are a privacy nightmare,” said Jen Caltrider, the survey’s program director. “People are not talking about this enough. It seems to be flying under the radar, and it’s time for policymakers and regulators to get involved.”
Mozilla comprises a nonprofit and a corporation owned by that nonprofit. It runs the Firefox web browser and operates a virtual private network, email software and other privacy-oriented products.
“*Privacy Not Included” has reviewed smart speakers, dating apps, robot vacuums and even sex toys. This is the first time the survey has reviewed car brands.
The paper’s authors stressed that cars were “the worst product category” ever to have been reviewed in the survey and that researchers spent 600 hours researching privacy practices — three times the normal amount for product policy review. All of the brands had more than one privacy policy and some had several — Toyota Motor Corp. had 12 — which can be hard for consumers to navigate, Mozilla said.
“Somebody discovered money was to be made here, and they went all-in without any thought about ethics or care about consumers,” said Caltrider.
Vehicles from automakers including Ford Motor Co., Volkswagen, Toyota and Tesla Inc. collect data through the vehicle, connected services, phone applications and third-party sources such as Google Maps. Most of the brands reviewed retain the right to share and sell personal data. Nearly 60 percent of the brands surveyed said they could share information with the government or law enforcement in response to a “request” — not a court order or subpoena.
Hyundai Motor Group, for example, said it would comply with “lawful requests, whether formal or informal.”
Mozilla said it was unable to confirm whether any of the brands encrypt all the collected personal information. Most did not respond to researchers, and those that did declined to fully answer specific security questions. Mercedes-Benz, for example, confirmed the encryption of some information but not all.
The survey also found that during the past three years, 17 of the 25 brands had experienced leaks, hacks and breaches. Just two of the brands gave drivers the right to have their personal data deleted.
Researchers found that Nissan Motor Co. was the worst offender for consumer privacy because it admitted to collecting reams of information about sexual activity, health diagnoses and genetics but did not explain how. The company retained the right to share and sell data about consumer preferences, “psychological trends,” “intelligence” and other metrics to data brokers, law enforcement and others.
Researchers identified Renault as the least problematic because it complied with the General Data Protection Regulation, a European law governing the use and storage of personal data. Still, researchers found that Renault collected “data related to your personal and/or professional situation (family situation, socio-professional category, etc.),” and ultimately the brand fell short in Mozilla’s evaluation.