Is Your Car Sharing and Selling Your Personal Data through Spyware?
In a new report focusing on Australia’s top 15 car brands, extensive privacy concerns have been revealed, including unauthorized sharing with third parties.
Curious about the data your internet-connected car is collecting about you and your passengers, and where it’s being sent? Some car manufacturers make it challenging to get this information, with one instance requiring reading over 40,000 words spread across five documents to understand data policies.
This concerning discovery stems from a study conducted by Katharine Kemp at the University of New South Wales’ Law and Justice Department. In the report, titled “Driving Blind: The Unexamined Privacy Risks of Connected Cars,” Kemp emphasizes the need for urgent reform of privacy laws in Australia.
While many of the monitoring features in cars serve useful purposes like detecting accidents or notifying about a child left in the back seat, all 15 cars in the study were found to collect data that is unnecessary for the driver but could be valuable to overseas manufacturers and various third parties, including government agencies and insurance companies.
“If this data is misused,” Kemp cautions, “it can result in privacy and security threats.”
Challenges in Finding Information
Data collection and storage are unlikely to be a top priority for buyers, but the report notes that even tech-savvy consumers would encounter significant obstacles in accessing and comprehending privacy terms.
“Some brands make inaccurate claims that certain information is not ‘personal information,’ suggesting that the Privacy Act does not apply to that data,” Kemp points out. “Some also repurpose personal information for ‘marketing’ or ‘research’ purposes and share data with third parties.”
In addition to monitoring the car itself, manufacturers often require drivers to download an app to access various “connected services.”
These services, depending on the brand and model, might include the ability to remotely:
- heat, cool, lock, or unlock the car
- find the parked car using headlights and horn
- check fuel levels and tire pressure
- use the car’s internal and external cameras for viewing its surroundings and interior
Kemp highlights that the information collected by cars can be misused in various ways, from being disclosed to insurers or data brokers without consent to facilitating crimes like domestic violence, stalking, and robbery. It also opens the driver up to potential unjustified police or government surveillance and national security risks.
National Security Concerns
Earlier this year, the White House issued a warning about certain hardware and software in connected vehicles from specific countries that could capture information about critical infrastructure or geographic areas, presenting opportunities for malicious actors to disrupt operations.
As consumers attempt to understand what data their vehicle is gathering and where it’s being sent, they are directed to an average of three documents totaling around 14,000 words per brand, provided they can locate this information.
“Consumers face barriers such as missing privacy terms, unhelpful interfaces, and significant errors in published privacy policies,” Kemp explains.
Further privacy notices might also be found in the vehicle, user manual, or the purchase contract.
Privacy Terms for Major Brands
⊗ = not available ⊕ = mixed ⊕ = available
Brand | Full Privacy Terms Reasonably Available on Australian Website | Connected Privacy Terms: Number of Documents | Connected Privacy Document Word Count |
Audi | ⊗ | 5 | 26,901 |
BMW | ⊕ | 5 | 41,495 |
BYD | ⊕ | 3 | 13,225 |
Ford | ⊕ | 2 | 16,980 |
GWM | ⊗ | 3 | 10,866 |
Honda | ⊕ | 3 | 14,162 |
Hyundai | ⊕ | 2 | 5,255 |
Kia | ⊗ | 2 | 3,087 |
Lexus | ⊕ | 3 | 12,625 |
Mazda | ⊗ | 2 | 4,862 |
Mercedes | ⊗ | 5 | 18,510 |
MG | ⊕ | 1 | 3,524 |
Tesla | ⊕ | 1 | 7,400 |
Toyota | ⊕ | 3 | 16,808 |
Volvo | ⊕ | 4 | 13,716 |
(Source: Katharine Kemp/UNSW)
Kemp points out that several major brands fail to acknowledge the full extent of personal information safeguarded by the Privacy Act. “They assert that certain information does not, on its own, personally identify the consumer and that it can be used for any purpose,” she elaborates. “However, this information can actually pertain to a reasonably identifiable individual.”
Data Matching Enables Identification
For instance, while a map pinpointing a person’s exact location may not identify them independently, when linked with their home and work addresses or location history on their mobile phone, it can be attributed to an individual. This combined data might reveal information such as children’s schools, occupation, family status, political beliefs, or use of specific services.
If the data includes audio or video recordings from inside the car, it could unveil details like individuals in the car, their activities, political or religious affiliations, racial origin, or whether the driver is alone.
Although not all cars available in Australia are currently connected, this landscape is projected to evolve rapidly. Despite lagging behind other regions like the European Union and the United States in introducing this technology, Austroads forecasts that 93 percent of new car sales in Australia will involve connected cars by 2031.
In a 2023 analysis of connected car privacy terms in the United States, where a significant portion of drivers have connected cars, the Mozilla Foundation concluded it was a “privacy nightmare on wheels.”