Modern Cars Have Created an Unregulated Surveillance Network
By Jackson Chen
From biometric watches to smart refrigerators, everyday items are becoming increasingly infused with technology.
Cars also have been swept into the rapid current of digitization and since have transformed into computers on wheels that can glean individual driving habits, personal relationships and frequent destinations.
“People think they’re driving a car, but they’re driving a computer,” Andrew Ferguson, a law professor at American University (AU) in Washington, told Digital Privacy News. “It’s a computer that’s tracking them — where they go, what they’re listening to and who they’re communicating with.
“More-advanced cars are literally connected to your smartphone, so you’re giving up data trails not just about your geolocation information but your preferences and your likes and dislikes.”
“People think they’re driving a car, but they’re driving a computer.”Andrew Ferguson, American University.
Besides the data-collecting capabilities of modern cars, the information gathered largely is unregulated and has become a trove of personal information waiting to be monetized or misused, according to privacy experts.
A Computer on Wheels
These days, the fleet of modern cars has several avenues to collect various types of driver data.
Andrea Amico is the founder of the Privacy4Cars app, which facilitates the deletion of personal information from vehicles. Based in Kennesaw, Ga., Amico started the app in 2018.
He said one of the first ways automobile manufacturers and cars could collect driver data was through the event-data recorder.
Often referred to as a car’s “black box,” the device was used to record information immediately related to crashes or accidents, so manufacturers could improve safety design.
The recorder, Amico told Digital Privacy News, “collects a few seconds of technical information before and after an accident — and it’s used for accident reconstructions, which was originally designed to help manufacturers design better and safer vehicles.
“But it is increasingly used by law enforcement.”
Nowadays, however, Amico explained that the infotainment systems installed on new cars were the more obvious way to collect driver data.
The sleek touchscreen interfaces built into new cars offer drivers a convenient, singular device to — among other things — take cellphone calls, control air temperatures and obtain directions.
But the convenience comes at a steep cost, as the systems vacuum up terabytes of driver data — even creating a “mini-clone” of a driver’s smartphone that’s synced to the car, Amico said.
“The infotainment system — where you can find people’s text messages, which apps they were on, all this other sensitive information — that’s not regulated,” he explained.
“There’s no clear ownership and controllership of the data in the hands of the owner of the vehicle.”
Chevy Volt Hacked
In December 2019, a columnist for The Washington Post experimented by hacking into a 2017 Chevrolet Volt, a plug-in hybrid built by General Motors Co. (GM), to see what data was stored in the car.
The report, by Geoffrey Fowler, showed that after disassembling the Volt’s infotainment system, several precise data points were found: unique identifiers for phones that were synced to the car, several stops the driver made — and a list of contacts that included addresses, emails and photos.
Fowler’s investigation showed that the Chevy did not offer any notice or consent for what the car was recording — nor any way to download or view the collected data.
“The manufacturer has this data, the company that made the infotainment system has this data — and the company that made the mapping system has this data.”Andrea Amico, Privacy4Cars.
“Many copy over personal data as soon as you plug in a smartphone,” the column said about modern cars. “But for the thousands you spend to buy a car, the data it produces doesn’t belong to you.”
GM stopped making the Volt in February 2019, citing low consumer demand.
Collecting the Data
To understand how a car can collect so much data, Amico cited the example of a driver heading to visit a friend and stopping by a favorite coffee shop.
The trip may seem mundane to the driver — but the vehicle’s infotainment system and other devices are logging the drive and preserving the personal information from that trip.
The data collected from such innocent excursions then remains on the vehicle’s computer, unless explicitly deleted by the user.
“What’s happening is that the manufacturer has this data,” Amico told Digital Privacy News, “the company that made the infotainment system has this data — and the company that made the mapping system has this data.
“You could have a stack of five, six, seven companies that track down which shops you stop by, where you stop for fuel — and all this data just because you are driving to your friend’s house.”
Advice From Regulators
With all this data stored in cars, the Federal Trade Commission recommended in 2018 blog posts that drivers factory-reset their vehicles — and before reselling them, disconnect cars from subscription services, and remove such personal data as phone contacts, location information and garage-door codes.
Despite these federal recommendations, however, Amico said that audits Privacy4Cars conducted last year showed that more than 80% of cars were resold still containing personal information of previous owners.
“At the end of last year, we sent consumers to 72 large and sophisticated dealerships in California and Massachusetts,” he told Digital Privacy News.
“They could find the personal information of the previous owners at 88% of those dealerships, just by test-driving one or two vehicles of their choice.”
Surveillance Inside and Out
Cutting-edge cars, like self-driving vehicles with their many sensors and cameras, introduce another element of surveillance to the mix, noted Lee Tien, senior staff attorney at the Electronic Frontier Foundation.
While telematics and infotainment systems largely are collecting a car’s internal data, self-driving vehicles expand these efforts externally through constantly surveying its surroundings.
“The moment you add that in, the car has become a rolling 360-degree camera as long as it drives,” Tien told Digital Privacy News. “So, every car is like a Google Street View car.”
As for the scope of data collected, a 2014 report from McKinsey & Co., the global consulting firm, said that modern cars could collect up to 25 gigabytes of data per hour.
Two years later, the firm estimated that the data gathered by auto manufacturers and their cars could be worth as much as $750 billion by 2030.
“Every car is like a Google Street View car.”Lee Tien, Electronic Frontier Foundation.
More recently, McKinsey reported that monetization from car data had grown more slowly than anticipated from its 2016 report, but that 60% to 70% of new vehicles sold in North America and Europe would reach high levels of connectivity that included personalized controls, infotainment and advertising by 2030.
“Monetization from car data has, thus, grown more slowly than we anticipated in our 2016 report on this topic, which was published at a time when the industry seemed to hold great promise,” McKinsey’s 2021 report noted.
“While (original equipment manufacturers) and other players have faced immense challenges to monetizing car data, the industry is now at an inflection point.”
Consumer Demand a Factor
Timo Möller, a McKinsey partner who leads its Center for Future Mobility, attributed the increase in collecting driver data to several factors — including consumer demand for “connected” vehicles and the inherent value of the car data itself, whether it was being monetized or used a cost-saving measure.
Möller, who coauthored the 2016 and 2021 McKinsey reports, told Digital Privacy News that the car-data monetization model could evolve from a single car owner and their data connected to one vehicle to a subscription-based vehicle or service that could monetize the data of many customers.
“The whole industry has realized we are getting away from ‘you buy a car once and then it’s done’ towards an industry where it’s all about recurring revenues and monetizing ownership of that device,” Möller said.
“There will be different kinds of ways to interact with customers to create revenue going forward.”
That could include selling personal data to marketing companies and other third parties, AU’s Ferguson said.
Newer cars can detect when they’re low on fuel and ask drivers to search for nearby gas stations. Carmakers could sell this datapoint, fuel levels, to gas companies who might want to be prioritized on such lists, he said.
Möller observed that companies from different industries also could team up to manage car data.
In February, Ford Motor Co. announced that it was partnering with Google to enhance the auto manufacturer’s connected-vehicle experience.
Under the six-year partnership, Ford and Lincoln cars built starting in 2023 will be powered by Android with built-in Google apps and services. Ford also will use Google Cloud as its “preferred cloud provider.”
Part of the reason why car data is vulnerable to exploitation is because no concrete or comprehensive regulations protect it, said Privacy4Cars’ Amico.
In December 2015, President Barack Obama signed the Fixing America’s Surface Transportation Act, which included the Driver Privacy Act.
The Driver Privacy Act said that vehicle owners or lessees owned the information recorded by a car’s black box — and the data only could be obtained by search warrants or by explicit consent.
Amico observed that car technology has evolved greatly since the Driver Privacy Act took effect and that it did not cover the infotainment systems now critical to data-collection.
As such, privacy experts noted many avenues for abuse.
“People will go and buy a vehicle, drive it home — but have no idea whatsoever that this car is tethered to their own cellphone and is beaming data back and forth to a bunch of companies,” Amico told Digital Privacy News.
“Unfortunately, there is great potential for the data being used in ways that consumers are not aware of.”
Potential for Misuse
Police and law enforcement agencies already have shown an appetite for personal vehicle data.
In June 2020, U.S. Customs and Border Protection purchased five vehicle forensics kits for extracting sensitive information from cars, according to news reports.
Other reports disclosed that the Ulysses Group, a South Carolina surveillance contractor, was selling a device that could remotely geolocate vehicles in nearly every country in the world using telematics.
“Law enforcement has realized that cars give really valuable clues about where a suspect was, what time they were there, what they were potentially doing there,” AU’s Ferguson said. “All of that is incredibly valuable information to investigate and prosecute a crime.”
“There will be different kinds of ways to interact with customers to create revenue going forward.”Timo Möller, McKinsey & Co.
EFF’s Tien said that many car owners also were incentivized to download insurance company apps onto smartphones under the guise of potentially lower rates.
These apps, Tien argued, could take advantage of a smartphone’s accelerometer or pressure sensors to extract accurate information about driving habits.
With these specifics, Ferguson predicted that accidents and how they’re settled in the future largely could be decided through these automotive digital trails.
“I assume in the future that the sort of traditional tort lawsuit, which is about who was at fault in an accident, will largely just be decided on the digital trails of the cars,” he told Digital Privacy News.
“It’s going to change litigation, torts and insurance rates — because we’re going to have much better information about what the cars were doing right before the accident.”
Jackson Chen is a Connecticut writer.
An Unclear Future for Car Data
Unlike choosing whether to buy a smart TV or a home-security system, cars often are a necessity for most people.
Similarly, many consumers use smartphones, though Apple iPhone users now receive a prompt asking if they want to be tracked by an app in the company’s iOS 14.5 firmware update that was released in April.
But only a few new-car models have similar notifications with their infotainment systems, said Andrea Amico of Privacy4Cars, with an even smaller percentage offering opt-out options.
The lack of regulation regarding car data also has left various stakeholders confused about who owns this information and how it can be used.
Regarding manufacturers, more than 20 major companies — Honda, BMW, GM among them — have signed onto car privacy-protection principles created in 2014 by the Alliance for Automotive Innovation, the Washington-based trade association and lobbying group.
These principles include providing drivers with clear explanations about what information is collected and about how consent must be obtained before sensitive information can be used for marketing or sold to third parties.
Auto manufacturers abiding by the guidelines often include them in lengthy privacy policies that many customers don’t review, experts told Digital Privacy News.
Lee Tien of the Electronic Frontier Foundation also noted that more policymakers were interested in creating privacy standards for car data, adding that the task required a delicate balance of the needs of politicians, auto manufacturers and — most importantly — drivers.
But until such a framework is in place, American University’s Andrew Ferguson told Digital Privacy News that drivers would be taken advantage of through their car data.
“We are slowly waking up to the fact that geolocation information in our apps and our phones is privacy-revealing,” the law professor said. “Because it’s unregulated, it means that it will likely be abused.
“We’re going to see that again when cars become the next data gold rush to monetize and figure out.”
— Jackson Chen
- The Washington Post: What does your car know about you? We hacked a Chevy to find out.
- Ford Motor Co.: Ford and Google to Accelerate Auto Innovation, Reinvent Connected Vehicle Experience
- Federal Trade Commission: Selling your car? Clear your personal data first
- McKinsey: What’s driving the connected car
- McKinsey: Monetizing car data
- McKinsey: Unlocking the full life-cycle value from connected-car data
- Congress: H.R.22 – FAST Act
- The Intercept: Your Car Is Spying on You, and a CBP Contract Shows the Risks
- Vice: Cars Have Your Location. This Spy Firm Wants to Sell It to the U.S. Military
- Alliance for Automotive Innovation: Automakers’ Commitment