Home of internet privacy

How your car data can be used against you

We’ve previously discussed how your car could be potentially spying on you, as an array of sophisticated technologies and onboard computers track things like your location, speed, and voice commands.

Most modern cars are connected to the internet, either through infotainment options such as Android Auto or Apple Carplay, or more extensive systems, such as Tesla’s vehicles for which firmware needs to be updated much like consumer devices.

[Get privacy news that affects you. Sign up for the ExpressVPN Blog Newsletter.]

This technology undoubtedly makes our lives more convenient. There’s no need to flip through radio channels; just pick your favorite songs directly. In-built maps help us reach our destination faster by providing alternative routes if there’s traffic.

But as we allow our cars greater insights into our personal lives, we open the door to tracking and privacy violations.

In some cases these are used to solve crimes.

Police in Kalamazoo County, Michigan, were able to use digital forensics data stored in a Chevy Silverado truck to solve a murder they had been trying to crack for over two years. The 2016 model had timestamped recordings of the alleged perpetrator using the hands-free system to change the music. Investigators used the voice recordings as a key clue to reconstruct the events of the day and confirm the suspect’s identity. He has since been arrested and is awaiting trial.

If the outcome of the investigation results in the rightful conviction and incarceration of the murderer, then the car’s tracking and voice recording functions have been utilized to positive effect. But things start to get murky and complicated when the government oversteps.

Data on-demand for law enforcement

Turns out U.S. police have been requesting vehicle manufacturers to hand over in-car data for at least 15 years. General Motors has complied with several requests from the cops to turn over voice recordings and location history, tracked through its OnStar telematics service. In some cases, the occupants of the vehicle hadn’t even signed up for the service and were unaware that the system was recording their movements.

Satellite radio provider SiriusXM also promptly complied with a 2014 warrant to hand over location history for a car that the feds wanted to keep tabs on. This raises the question: Are people installing infotainment services aware that they can be used for advanced tracking and location purposes? Can they opt out without losing the benefits they’ve paid for?

The installation of blackbox recorders—devices that keep data like speed, seatbelt activation, and number of vehicle occupants—has been mandatory in vehicles since September 2014. The practice dates back to 1994, and the recorders have become much more advanced since, incorporating an array of sensors and other equipment to improve tracking capabilities. For the most part, consumers are still unaware that these devices exist. And the lack of clarity only hurts our privacy.

In 2015, security researchers found gaping loopholes in Chrysler and Jeep vehicles, estimating that nearly 500,000 cars on the road could be infiltrated by hackers. The vulnerability allowed for malicious actors to overpower the firmware and remotely shut off the engine or force unwanted steering commands.

Greater public discourse on in-car security practices might have prevented such an error. When car manufacturers are aware that their actions will be scrutinized, it’s likely that they will go to greater lengths to ensure there are no loopholes. The advent of self-driving cars only accelerates the need for data privacy.

Car data regulations are needed

As it stands right now, there’s no federal regulation that determines limits on data gathering and storage practices for automobile manufacturers. That’s despite the near-certainty of cars these days being connected to the internet, with onboard systems collecting a multitude of information pertaining to our driving habits. And if you’re in the practice of connecting your phone to your car, you’re also giving the vehicle access to your call records, text messages, and more.

A 2019 experiment showcased just how much our cars know about us. In it, the car in question, a 2017 Chevrolet, beamed back data relaying precise location history, acceleration speeds, and braking style. The owner’s manual and the car’s privacy policy had vague references to data collection practices and made no effort to educate users on the circumstances when their information might be stored.

These types of invasive practices stand in stark contrast to things like cell-phone privacy, where regulations like the GDPR and the much-maligned EARN IT bill make it clear how tech companies can handle individual data. Apple’s upcoming iOS 14 is slated to boost privacy even further, by giving users the ability to opt out of detailed tracking and warning them when apps attempt to identify their behavior.

But car manufacturers, with the possible exception of Tesla, aren’t thought of in the same context as Big Tech. The public takes a rather benign view, assuming that cars, unlike our phones, don’t always have access to us. Plus the lack of egregious data violations by popular carmakers have also prevented any large-scale controversies so far, which has helped them stay under the radar.

Nonetheless, consumers should be afforded the same data protections for their vehicles as they are for their phones and devices. Abstruse and nebulous privacy policies are a disaster waiting to happen. If car companies can get away with monitoring so much of our data, what’s to prevent them from selling it to insurance companies or credit-rating bureaus?

Are our cars too smart for their own good? Let us know your thoughts in the comments.

Read more: 5 vulnerable smart devices in your home right now