Earlier this month, the Mozilla Foundation released a comprehensive report with an eye-opening overview of current data tracking practices within the automotive industry. Mozilla found that auto manufacturers are sucking up huge quantities of extremely sensitive data about motorists and their passengers, and doing just about whatever they want with that information. For years, privacy advocates have warned about how government agencies can track the location data from our vehicles. But according to Mozilla’s research, things have gotten worse—much worse—since we last blogged about a man who was arrested after police accessed data stored by his automaker.
In recent years, cars have become computers on wheels. No longer mere means to get motorists from A to B, modern cars act as entertainment hubs, makeshift offices, and dining spaces, integrating and linking personal gadgets with advanced on-board computers that collect all manner of data, including precise location information and even audio and video recordings of interiors and exteriors. According to market data, 91 percent of new passenger vehicles sold in 2021 featured in-vehicle internet connectivity. Soon that number will be 100 percent.
From a data mining perspective, connected cars are a goldmine. Outside of a handful of large metro areas, Americans are forced to rely on personal vehicles to get to work, school, and social engagements. The average US resident spends nearly an hour in the car every day. That means drivers are a captive demographic for aggressive data mining and surveillance.
Today, auto manufacturers and the data mining industry can divine wide-ranging details about motorists from on-board telemetrics and connected technologies. These personal data range from the somewhat banal, like preferred music stations or driving speed, to more intimate and potentially revealing data points like location histories, sexual activities, and health-related information. Yes, really: According to Mozilla’s review of company policies, Nissan collects “sexual activity” information, Kia collects information about “sex life,” and six other car companies may collect “genetic information” or “genetic characteristics.”
All of this information is available not just for use by first-party data collectors. According to Mozilla’s report, the companies give themselves permission to sell and share the data widely, and most of them do. This commercialization of sensitive motorist information puts all drivers and passengers at risk.
Some low-lights from the Mozilla report:
- Rampant Data Collection: Many car brands have an insatiable appetite for personal data, harvesting information from various sources, including vehicle interactions and connected services. This data can reveal intimate aspects of an individual’s preferences and habits.
- Unauthorized Data Disclosure: 84% of car brands distribute or sell users’ data to entities such as data brokers and other businesses. Shockingly, over half are prepared to share this data with government or law enforcement agencies absent a court order.
- Users Lack Control Over Their Data: 92% of car brands deny users meaningful control over their data, with only Renault and Dacia offering customers an opportunity to request that their data be deleted, presumably due to the European General Data Protection Regulation (GDPR).
- Dubious Security Protocols: The researchers tried to apply Mozilla’s Minimum Security Standards to company policies and practices, but were largely unable to do so, leaving them uncertain about the seriousness of industry practices pertaining to encryption and the safety of stored personal data.
- Vague Privacy Policies: Car companies tend to craft long-winded and ambiguous privacy policies, making it an uphill battle for the average user to grasp the extent and implications of data collection and sharing schemes.
- Manipulative Consent Procedures: Car firms often bypass or manipulate user consent, claiming that by using their vehicles consumers have agreed to their policies.
Obviously, consumers do not consent to the abuse and misuse of their personal information, particularly when they are paying record-high prices to automakers. Thankfully, here in Massachusetts lawmakers are debating consumer privacy legislation that would stop the worst of these practices.
The Massachusetts Data Privacy Protection Act
The Massachusetts Data Privacy Protection Act (“MDPPA”), filed by Representatives Rogers and Vargas in the House and Senator Creem in the Senate, would provide one of the country’s most privacy-protective statutory frameworks for data protection and digital consumer rights.
Drafted following the latest standards in data privacy, it would prevent practices like the ones unearthed by Mozilla in the following ways:
- DATA MINIMIZATION: Pursuant to its data minimization principles, the MDPPA limits data collection, processing, and transfer to when it is “reasonably necessary and proportionate” to carry out one of the purposes established in the bill. These data minimization requirements in state law will end the practices of companies collecting and hoarding as much data as possible under the guise of “service improvements.”
- PROTECTING SENSITIVE DATA: According to Mozilla, auto companies collect information about our “sexual activity,” “sex life,” and “genetic information.” The MDPPA would outlaw these practices by prohibiting companies from collecting and processing sensitive data unless it’s “strictly necessary” to deliver a specific product or service the user has requested. Additionally, leveraging sensitive data for targeted advertising is strictly off-limits, and any transfer of this data to third parties is heavily restricted and subject to specific criteria.
- BANNING DARK PATTERNS: Under the MDPPA, consent cannot be presumed from an individual’s inaction or mere use of a service or product. It also prohibits entities from deploying deceptive or manipulative tactics to obtain consent.
- MAKING CONSENT REAL:
  - Under the MDPPA, consent requests are tightly regulated. Companies must clearly explain what information will be collected, why it will be collected, and how it will be used. Additionally, the refusal option must be as prominent as the acceptance option and not entail more steps.
  - The MDPPA also gives users control over their data by establishing traditional and advanced privacy rights that prevent companies from disclosing and profiting from our data. The bill grants individuals the right to access, correct, and delete their information and also the right to opt out of data transfers to third parties and targeted advertising.
- HUMAN-READABLE POLICIES: The MDPPA doesn’t allow vague or impossible-to-decipher privacy policies. Covered entities and service providers must publicly release a clear, detailed, and understandable privacy policy. Privacy policies should outline data handling practices and provide detailed information, including contact details, data categories collected or processed, transfer details, data retention periods, individuals’ rights, data security measures, and the policy’s effective date. Large data holders like auto companies must preserve previous policy versions for at least ten years. In addition to the comprehensive privacy policy, these entities must offer a concise, 500-word notice summarizing their primary data practices.
- EFFECTIVE ENFORCEMENT: Laws are only meaningful when they can be robustly enforced. To ensure companies follow the law, the MDPPA creates a private right of action allowing consumers to enforce their own rights.
Mozilla’s revelations are shocking, illustrating that industries cannot be trusted to self-regulate when our privacy is on the line. Ordinary people can’t live in the modern world without engaging with technology providers that profit from our sensitive information. Individuals acting alone cannot fix these problems. We need governments to step in and regulate.
Fortunately, here in Massachusetts, lawmakers have filed strong consumer privacy legislation that would stop the worst abuses and empower ordinary people to take their privacy back. Stay tuned to the ACLU of Massachusetts’ social media channels to learn more about our work to advance privacy and for opportunities to get involved.
This blog post was authored by Emiliano Falcon-Morano, Policy Counsel for the Technology for Liberty Program