Whether to offer driving assistance systems or new entertainment possibilities, modern cars process more and more data. The Mozilla Foundation therefore wanted to take an interest in the precautions taken by 25 manufacturers in their processing as part of its Privacy Not Included research project, as it does for other products. And the results are very bad to say the least. Mozilla even describes cars as “officially the worst product category for privacy”.
In detail, all the manufacturers studied collect more personal data than is necessary to ensure the functions of their vehicles. In addition, they can collect data from very broad sources: “They may collect personal information from how you interact with your car, the connected services you use, the car’s app (which provides a gateway to your phone’s information), and may collect further more information about you from third-party sources such as Sirius XM or Google Maps”alarms Mozilla.
Only Renault and Dacia allow you to request the complete deletion of your personal data, as required by the right to be forgotten under the GDPR in the European Union. The two brands of the Renault group rank as the least bad performers studied by Mozilla, but they are far from having convinced the foundation.
Builders have their own notion of consent
The control given to drivers over their personal data is therefore very weak. The notion of consent certainly exists among car manufacturers, but they each see it in their own way. For Subaru, for example, the simple fact of taking a seat in one of its cars equipped with connected services as a driver or passenger consents to the collection and processing of personal data. Tesla, which according to Mozilla’s ranking is the manufacturer whose data processing policy is the most problematic, certainly offers its customers to deactivate collection on request, but specifies that the operation “may result in reduced functionality of your vehicle, serious damage, or inability to operate”. Just that !
This can be all the more frightening since the general conditions of the 25 manufacturers analyzed specify for 84% of them that personal data can be shared with third parties. 76% even allow themselves to sell them and 56% specify that they communicate them to the authorities upon simple request.
The surprises don’t stop there. Thus, by focusing on the security practices put in place to protect users’ personal data, Mozilla managed to determine that they were not encrypted for any of the cars studied. And yet, Mozilla researchers scrutinized the confidentiality conditions of the 25 selected manufacturers for more than 600 hours, or three times more time per product than usual. Cars are therefore a product category where manufacturers make the least effort towards transparency.
A petition to put an end to this “nightmare on wheels”
Faced with this observation, the Mozilla Foundation launched a petition to ask car manufacturers to stop collecting, sharing and selling our personal data.