A comprehensive data privacy assessment of 25 major automakers’ vehicle tech deems cars “the official worst category of products for privacy” that the Mozilla Foundation has ever reviewed. For a bit of context here, every car company analyzed by Mozilla’s security experts failed crucial benchmark safeguards, compared to 63 percent of mental health apps they reviewed this year (which often come with their own serious security risks).
“While we worried that our doorbells and watches that connect to the internet might be spying on us, car brands quietly entered the data business by turning their vehicles into powerful data-gobbling machines,” Mozilla’s researchers explained in their findings announcement earlier this week. Because of this, they warn, vehicles’ “brag-worthy bells and whistles” now possess “an unmatched power to watch, listen, and collect information about what you do and where you go in your car.”
The companies boasting abysmal ratings include pretty much any automaker you can imagine—including Ford, Subaru, Jeep, BMW, Honda, Acura, Chevy, and Nissan, among others—with Tesla ranked dead last on the list. According to the experts, nearly 85 percent of surveyed automakers “share” car owners’ data to data brokers and other businesses. In total,19 of the 25 companies actually sell your personal data to third-parties, while over 55 percent of the carmakers’ Privacy Policies allow them to share your information to government and law enforcement authorities. Such data deliveries can be facilitated via a simple “request” instead of a legal warrant or court order.
[Related: Mental wellness apps are basically the Wild West of therapy.]
If all that weren’t enough, an additional creepy layer further worsens matters. According to Mozilla, at least two companies—Nissan and Kia—include Privacy Policy data categories explicitly labeled “sexual activity” and “sex life.” Exactly what kind of data this entails isn’t clear, but new cars often come equipped with microphones and cameras. Even if this data is somehow anonymized and aggregated, chances are those in the market for a new vehicle might want to take a closer look.
In an email provided to PopSci, a Kia spokesperson explains, “The privacy of consumers is important to Kia… Whether certain information is collected by us depends on the context in which a consumer interacts with us,” before clarifying that, “Kia does not and has never collected ‘sex life or sexual orientation’ information from vehicles or consumers in the context of providing the Kia Connect Services.”
Per Kia’s privacy policy page, “sex and gender information,” as well as “health, sex life or sexual orientation information” may be collected.
A spokesperson for Nissan tells PopSci the company complies “with all applicable laws and provide[s] the utmost transparency,” while stating “Nissan does not knowingly collect or disclose consumer information on sexual activity or sexual orientation.”
“Our privacy policy is written as broadly as possible to comply with federal and state laws, as well as to provide consumers and employees a full picture of data privacy at Nissan,” the spokesperson continues. “Some state laws require us to account for inadvertent data collection or information that could be inferred from other data, such as geolocation. For employees, some voluntarily disclose information such as sexual orientation, but it is not required and we do not disclose it without consent.”
What’s particularly infuriating these findings is that, as Mozilla explains, there simply isn’t much everyday car owners can do about it. Each individualized review of the 25 carmakers includes a section entitled “Tips to protect yourself,” which includes suggestions such as to avoid using a car’s app and limiting its permissions on your phone.
“But compared to all the data collection you can’t control, these steps feel like tiny drops in a massive bucket,” concedes Mozilla researchers. In response, the Mozilla Foundation has launched a petition asking companies to overhaul their massive, apparently unparalleled data collection programs.
Update 9/07/23 1:26 PM: This article now includes statements from both Kia and Nissan.