From sophisticated navigation systems to entertainment, new cars come with an array of computer processors, sensors and software built in. This means that, as technology advances, our vehicles are becoming ever more intrusive.
Experts worry that members of the public broadly underestimate the risks of in-car devices and services that, in the course of doing their jobs, also harvest vast amounts of personal data. Recently, privacy concerns have been raised about manufacturers including Ford and Tesla.
In its annual Global Automotive Cybersecurity Report, the Israeli firm Upstream Security stated that 36% of cyber security incidents within the automobile industry in 2020 involved data and privacy breaches. A number of them resulted in the theft of personal information, including the telephone numbers and email addresses of car owners.
To understand what kind of data we leave behind every time we drive, where it goes and what that might mean for our privacy, I talked to cybersecurity expert Andrea Amico. Amico runs Privacy4Cars. His team consults with consumers and automotive businesses, and advises them how to manage the data that vehicles collect.
This conversation was edited for length and clarity
Coda Story: What kind of data are our cars gathering and how do they do it?
Andrea Amico: There’s anything ranging from your Twitter and Facebook handles and their activity to your calendar entries. You can see what music people were listening to, what files were recently downloaded on your phone, which photos you have taken recently. It depends on the car, but the newer the vehicle, the more information it captures.
If you take your phone and sync it over Bluetooth — say you need to do a hands-free call, which is a legal requirement in a lot of locations; if you plug your phone into the USB port because you want to listen to your tunes, or because you want to use Apple CarPlay or AndroidAuto; if you connect to the vehicle’s Wi-Fi or, simply, if you drive a car that has a GPS system — if you do any of those things, your personal data will be captured by the vehicle.
Why should we care that all this data is collected from us?
AA: I think people have a misunderstanding of two things. One is how much data is in there and how safeguarded that data is, which really breaks down into two things. Most people think: “Once I unplug my phone, all my data is gone.” That’s not true. Unless you take some really specific steps, car by car, your data will be there forever. The other thing is that now, with certain vehicles, some of this data will actually go to a number of third parties. Right now we’re tracking over 200 companies or entities that collect, use, share data collected from vehicles.
Can you give me examples of what kind of third parties — companies that are not the car manufacturer — can get hold of a vehicle owner’s data? How do they do it?
AA: The fact that we call it the manufacturer is a bit of a misnomer, because really auto manufacturers are assemblers of parts made by many third parties. You use the infotainment system, then the data goes to the manufacturer, but the company that made the infotainment system, they may also be getting a copy of certain types of data. The company that powers the maps, they are getting your geolocation. You want the weather alerts? Again, the weather company will get your geolocation. And, of course, if you know where people are, if you have detailed geo-stamps, it is not difficult to understand who these people are.
What concerns you about where our data goes? Could you give me examples?
AA: The electronic data recorder, what people call the black box, is the only box in the car that collects personal information that actually has some good, real, clear protections under the law. Everything else does not. The average car today has about 100 computers. One has good legal protection, the other 99 do not, which poses questions about who can get access to it. And the answer is just about anybody.
If you look at a modern vehicle, some cars have more than 300 million lines of code and then collect terabytes of data from consumers every year. And now, with the advent of 5G, they will be able to collect even more and much faster. We are at the very beginning of this data revolution in cars.
There’s a perception that the data vehicles collect is not personal because it doesn’t directly identify a person. What do you say to that?
A lot of research has been done on how anonymous your geolocation is. And the answer is that it really isn’t. Just recently, we came across a vehicle that had over 300 destinations stored in the navigation system. So, this is accessible to anybody who would have bought that car. They would have been able to rebuild a detailed diary of a person’s life for the previous year or so.
This stuff is personal. Would you hand your phone to a stranger? And if the answer is yes, then, by all means, don’t worry about cars. But if the answer is no, I don’t think people should treat cars any differently.
So what can car owners do to protect their privacy?
I don’t think we should be trading off privacy for safety at any point. The burden really should not be on consumers, it should be on the industry, on how we can deliver these services in a way that does not dramatically affect the privacy of people. And I think it’s about how transparent you can be about letting people know what data you’re collecting, how you’re planning to use it and how much granular control you can give to people to decide what they actually want to do.