Mozilla calls cars from 25 automakers 'data privacy nightmares on wheels'
Privacy-invading data harvesting by smartphones, wearable devices, smart doorbells, and reproductive health apps are well known, but the Mozilla Foundation has found the worst threat to your privacy may be parked in your driveway.
The foundation, the Firefox browser maker’s netizen-rights org, assessed the privacy policies and practices of 25 automakers and found all failed its consumer privacy tests and thereby earned its Privacy Not Included (PNI) warning label.
In research published Tuesday, the org warned that car manufacturers may collect and commercially exploit much more than location history, driving habits, in-car browser histories, and music preferences. Instead, some makers may handle deeply personal data, such as – depending on the privacy policy – sexual activity, immigration status, race, facial expressions, weight, health, and even genetic information, the Mozilla team found.
Cars may collect at least some of that info about drivers and passengers using sensors, microphones, cameras, phones, and other devices people connect to their cars, according to Mozilla. And they collect even more info from car apps – such as Sirius XM or Google Maps – plus dealerships, and vehicle telematics.
Some car brands may then share or sell this information to third parties. Mozilla found 21 of the 25 automakers it considered say they may share customer info with service providers, data brokers, and the like, and 19 of the 25 say they can sell personal data.
More than half (56 percent) also share consumer information with the government or law enforcement in response to a "request." This isn't necessarily a court-ordered warrant, and can also be a more
informal request.
And some – like Nissan – also use this private data to develop customer profiles that describe drivers' "preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes."
Yes, you read that correctly. According to Mozilla's privacy researchers, Nissan says it can infer how smart you are, then sell that assessment to third parties.
"Why does a car company need to make an inference about my intelligence? It gets creepy really fast," PNI program director Jen Caltrider told
The Register.
Nissan, according to the research, is "probably the worst car company we reviewed, and that says something because all car companies are really bad at privacy."
"Please people, if you care even a little about privacy, please stay as far away from Nissan's cars, apps, and connected services as you possibly can," it continues.
According to the
Nissan USA privacy notice, the automaker may collect and share a ton data for targeted marketing purposes, including:
Sensitive personal information, including driver's license number, national or state identification number, citizenship status, immigration status, race, national origin, religious or philosophical beliefs, sexual orientation, sexual activity, precise geolocation, health diagnosis data, and genetic information.
"Nissan's privacy policy stands out as one of the most amazing things I've ever read," Caltrider said. "They aren't shy about saying they could collect all of this stuff."
But Nissan isn't the only brand to collect information that seems completely irrelevant to the vehicle itself or the driver's transportation habits.
"
Kia mentions sex life," Caltrider said. "
General Motors and
Ford both mentioned race and sexual orientation.
Hyundai said that they could share data with government and law enforcement based on formal or informal requests. Car companies can collect even more information than reproductive health apps in a lot of ways."
The Mozilla Foundation also called out consent as an issue some automakers have placed in a blind spot.
"I call this out in the Subaru review, but it's not limited to Subaru: it's the idea that anybody that is a user of the services of a connected car, anybody that's in a car that uses services is considered a user, and any user is considered to have consented to the privacy policy," Caltrider said.
Opting out of data collection is another concern.
Tesla, for example, appears to give users the choice between protecting their data or protecting their car. Its privacy policy does allow users to opt out of data collection but, as Mozilla points out, Tesla warns customers: "If you choose to opt out of vehicle data collection (with the exception of in-car Data Sharing preferences), we will not be able to know or notify you of issues applicable to your vehicle in real time. This may result in your vehicle suffering from reduced functionality, serious damage, or inoperability."
While technically this does give users a choice, it also essentially says if you opt out, "your car might become inoperable and not work," Caltrider said. "Well, that's not much of a choice."