What does your car know about you? Data privacy for motorists now Big Brother is riding shotgun

Most drivers are aware that today’s cars collect – and share – data about all manner of things. But there’s a general ignorance about the specifics that could be cause for alarm.

Research conducted by Uswitch last year revealed that 72 per cent of motorists were unaware of cars collecting data related to how and when they are driven; 67 per cent didn’t realise that data pertaining to their use of GPS and infotainment could be gathered; 54 per cent were in the dark that some cars amass data on speed; and 53 per cent that route history is also accessible. Even a car’s current location can be tracked and stored; something that 44 per cent of drivers are apparently not wise to.

If that little lot doesn’t concern you, also consider that when you connect your phone, all manner of data – including call records, messages, location histories and more – can migrate to the car, often in unencrypted form. Combine this with the reality that there’s a vast marketplace for this data, and even the most technically illiterate driver will appreciate that the potential for problems is vast, should it be exploited, misused or fall into the wrong hands.

What happens to the vast amount of data being generated by modern vehicles is an issue that is coming into clearer focus with each passing month, and one that a new company, Privacy4Cars, is specifically trying to address. CEO Andrea Amico’s advice for Auto Express readers is simple: “Educate yourself about your car or the car you are looking to buy. What type of sensors does it have? What type of services? Stop thinking of a car as a mechanical thing. It’s a super-powered laptop.”

A swift trawl through some recent car data-related horror stories shows exactly why this is a matter that urgently needs to be tackled. In America, for example, the US media outlet Wired reported in January how a researcher had been able to exploit the online features of his mother’s Subaru Impreza via one of the company’s web portals, gaining remote access to a number of functions on the car but also, alarmingly, to an entire year’s worth of location history.

As the Wired researcher, Sam Curry, explained on LinkedIn: “Whether somebody’s cheating on their wife or getting an abortion, or part of some political group, there are a million scenarios where you could weaponise this [data] against someone.”

Data useful for insurance companies, and others

Also in the United States, General Motors, parent company of Buick, Cadillac, Chevrolet and GMC, was banned from selling geolocation and driver behaviour data for five years by the Federal Trade Commission, after it found the OnStar connected service had been passing on details about customers’ driving habits – including braking, acceleration and trip lengths – to third-party brokers and insurers. OnStar had generally been marketed as a connected service that could help in emergencies.

The New York Times, which conducted an investigation into the scandal, reported how one consumer told a GM customer service representative that “When I signed up for this, it was so OnStar could track me. They said nothing about reporting it to a third party. Nothing. You guys are affecting our bottom line. I pay you, now you’re making me pay more to my insurance company”.

Closer to home, Privacy4Cars recently published a white paper, titled ‘Deleting Personal Data from Vehicles’, which highlighted an array of arguably more prosaic but equally chilling data breaches that can occur all too easily. How about, for example, the company car of a pharma rep which, when passed on, still stored the identity and addresses of cancer patients? Or the luxury car for sale which contained the address and phone numbers of a female celebrity? The white paper even highlighted the case of the ex-fleet vehicle of a military contractor whose smartphone data had been retained, revealing the locations of classified and sites with restricted access.   

It’s a fair assumption that most motorists would be appalled should any of the above scenarios apply to them. So what can be done to prevent these sort of breaches? According to Amico, the answer is straightforward: privacy has to start being taken seriously by everyone in the automotive ecoystem, whether that be manufacturers, dealers, fleet operators, rental firms, insurers or finance companies.

He says: “The problem is with the individuals at the companies who make decisions on how to use the data. Privacy is about choice. Companies need to explain the data a car collects, and the way they plan to use it.”

How to find out what data your car holds

While there is an argument that this sort of information is covered by companies’ privacy notices, many feel that these are too complex – and not sufficiently prominent – to be fit for purpose. If you’re curious about what info your car holds, Privacy4Cars has created a free tool at vehicleprivacyreport.com that can provide a summary if you input its registration number.

In some respects, Amico likens the current situation to the lack of transparency on car safety prior to the launch of the global NCAP organisations – what was once common practice will, in time, become unthinkable.

“I think privacy is going to become more visible and the current problems will become less acceptable,” he continues. “Companies will figure it out – it will probably not be of their own volition, but they will be pushed into it by the fact that consumers and regulators are upset.”

And that’s where Privacy4Cars is aiming to capitalise with its data-deletion service for auto businesses. As its white paper identified, under the General Data Protection Regulation (GDPR), the onus is not on the individuals running cars to be responsible for wiping them of data when their time with the vehicle ends. Instead it’s down to the Controller – whether that’s a dealer, leasing company, fleet management company or any other relevant business.

According to analysis from Aidan Eardley, King’s Counsel, failure to do so would be in breach of GDPR: “If it re-lets the vehicle without doing so, such that the next hirer can see the previous hirer’s personal data, then there will be a strongly arguable case that the hirer has processed the data in contravention of the [GDPR] Art 5 (1) principles.”

From a legal perspective, Jon Butler, a partner specialising in automotive at law firm Geldards in Derby, agrees: “This is very much a live issue, but the Controllers don’t know or much care that they have this data,” he stated. They should, though, because failure to comply could have significant consequences.

Butler explains: “When you’re talking about franchised dealers selling tens, if not hundreds of thousands of units a year, for example, then if most of those vehicles have got personal data on them, that could be a huge problem. The fines that are available to the Information Commissioner’s Officer for breaching GDPR and data protection legislation are typically the higher of four per cent of global turnover or £17.5 million. So that’s big.” The idea that “most” of these cars contain data is not fanciful – research from Privacy4Cars showed that four in five customers had found personal data in cars sold at retailers in the UK, Italy and Germany.

Butler also believes selling a car with the data of a previous user could even allow the buyer to sue the dealer, due to the vehicle not being of satisfactory quality because of a failure to comply with the regulations.

He has a blunt recommendation for motorists: “When your time with the car comes to an end, ask for confirmation from the Controller that steps have been – or will be – taken to irretrievably remove your data."

A digital friend...or an ever-present spy?

As cars become more automated, how we use them will fundamentally change, and they’re likely to become more like offices or even homes. A friendly AI-generated in-car assistant, for example, might point out that your favourite pop star is touring, because you listened to them recently on Spotify, or suggest a nearby Mexican restaurant because you ordered some refried beans on a supermarket shop via your smartphone.

On the face of it, all innocent, helpful stuff. But at the same time it’s collecting more and more data to form a comprehensive profile of you, the user, which makes it imperative that you get all this wiped on handover.

Deletion also does not address the fact that the data is being amassed in real time, and until it’s removed, it’s accessible. This was demonstrated vividly by how much information Tesla was apparently able to provide to US authorities on the Cybertruck that exploded in Las Vegas on New Year’s Day in what initially was thought to be a terrorist attack.

While few could argue that assisting an investigation of this type is a bad thing, it also highlighted just how much some manufacturers now know about what their vehicles are up to.

How car data is intensifying a new cold war

It’s not only individual motorists who have cause for concern about what ‘spying’ cars might do with the data they collect; the fear exists at state level, too.

Earlier this year, one of the last acts of the Biden administration in the US was to ban cars that feature Chinese and Russian-developed software linked to connectivity and autonomous driving. National Economic Advisor Lael Brainard said the measure was necessary to prevent the US people being exposed to “risks of misuse of their sensitive data or interference by malicious actors”. 

The software ban comes into effect for the 2027 model year, and the repercussions are very real; Polestar, for example – which is part of the Chinese-owned Geely stable – is affected, despite actually building cars in South Carolina. “We will have to find solutions,” CEO Michael Lohscheller (right) has admitted. In tandem with punitive EV tariffs, the ban is likely to stop a widespread rollout of Chinese cars in the United States.

Is modern car tech too intrusive? Let us know your thoughts in the comments section?