“Modern cars are a privacy nightmare,” says the Mozilla Foundation.
The Firefox browser developer’s deep dive into privacy and security issues among connected vehicles provides some valuable insights into how car brands treat their drivers’ data.
Here’s an overview of the research and a closer look at some issues with specific car brands.
Mozilla tests consumer goods for privacy and security across five main areas:
- Data use
- Data control
- Track record (the brand’s history of privacy and security issues)
- Security
- AI
Brands that fail Mozilla’s tests earn the non-prestigious *Privacy Not Included label.
For this research, Mozilla tested 25 connected cars—and all 25 brands failed to meet the organization’s privacy and security standards.
Mozilla’s research produced some significant findings:
- 76% of the car brands sell personal data.
- 84% of brands share personal data.
- 56% of brands will share data with government authorities following a “request” (Mozilla distinguishes a “request” from a court order).
- 100% of brands used complex or confusing language in their privacy notices.
All car brands failed in at least two of Mozilla’s categories, and one brand (Tesla) failed in all five.
Now, we’ll explore what Mozilla had to say about a few of these car brands – but bear in mind that these are merely summaries of Mozilla’s research.
First, let’s look at the two brands that came off least badly in Mozilla’s research.
Remember, these brands still earned Mozilla’s *Privacy Not Included badge but were deemed by Mozilla to be the least problematic.
Renault and Dacia (both owned by Renault Group) failed on only two fronts: “Data use” and “security”. Mozilla noted that only these two brands allowed drivers to delete the data collected by their cars.
What distinguishes Renault and Dacia from the other 23 car brands Mozilla tested? These models were only available in Europe.
The General Data Protection Regulation (GDPR), which applies across most of Europe, appears to have spared drivers the worst connected car-related privacy issues.
For example, here’s what Mozilla had to say about Dacia’s location-tracking capabilities:
“They do say that they will ask for your consent when your geolocation is collected. Great! But that’s something Renault Group must do to comply with Europe’s General Data Protection Regulation (GDPR). It’s the law.”
Mozilla did find some privacy issues even with these two brands, mainly relating to ambiguities around how they process data.
“Our biggest concern with Renault is that we couldn’t confirm if all the data the car collects is encrypted as it sits on the car. It could well be, we just couldn’t confirm that and multiple emails to the privacy contact at Renault went unanswered, so we just don’t know.”
Nonetheless, Renault and Dacia—while still failing Mozilla’s tests—appear to be doing some things right when it comes to privacy in their connected vehicles.
Now let’s look at one of the more problematic brands tested: Volkswagen, which received “dings” across four of the five areas of Mozilla’s research.
Mozilla criticized Volkswagen (VW) in particular for how the company collected and used drivers’ data.
“VW says they can share… personal information in lots of places, including throughout their large Volkswagen Group of companies. And VW freely admits in their privacy policies they share this information for lots of targeted advertising and marketing purposes…”
What types of data might Volkswagen use for these purposes? According to Mozilla, many types of data—including “fuel level, when you lock and unlock your car, whether or not you use your seatbelt, how fast you drive, where you drive (location data), your voice commands.”
It’s not clear how information about seatbelt use could be useful for targeted advertising purposes, but advertisers do target consumers based on all sorts of data points.
Finally, let’s look at the car brand that earned bad marks across all five of Mozilla’s categories: Tesla.
Note that despite poor results in each category, Mozilla did not deem Tesla to be the worst car brand for privacy.
“Here’s the good news with Tesla when it comes to privacy — they very clearly state in their privacy documentation that they don’t sell or rent your personal information to third parties.”
Mozilla also criticized some of the language in Tesla’s privacy notice, which states that turning off data sharing “may result in your vehicle suffering from reduced functionality, serious damage, or inoperability.”
Tesla was the only brand to earn a “ding” in the area of AI. Mozilla cited news reports regarding Tesla’s self-driving capabilities, which appeared to require that drivers “forfeit some privacy protections around location sharing and in-car recordings that they previously had.”
Transparency and data sharing
One issue with many of Mozilla’s findings is that they rely on a dearth of information—privacy notices that do not fully explain how each brand uses drivers’ data or language that suggests that sharing data is mandatory to make the car work.
But connected cars do require the collection, and sometimes sharing, of data about the driver for some purposes. When properly explained and with privacy protections in place, data sharing is not inherently bad.
While unnecessary data collection is always problematic (and illegal under the GDPR’s “data minimization” principle), people will often agree to the use of their personal data if they can trust the company collecting it.