Want to find out what information your internet-connected car is collecting about you and your passengers, and sending back to the overseas manufacturer—and possibly to third parties?
Some carmakers make it hard to find out. In one case, understanding the data policies required reading over 40,000 words spread across five documents.
This troubling insight comes from a new study by Associated Professor Katherine Kemp of the Law and Justice Department at the University of New South Wales, Driving Blind: The Unexamined Privacy Risks of Connected Cars.
Kemp says it is another reason why Australia needs “urgent reform of privacy laws.”
Many of the reasons your car is watching your every move are benign or even positive: it might detect an accident and call emergency services or notify you if you inadvertently leave a child in the back seat.
However, all 15 cars in the study go beyond helpful uses, collecting data that can reveal a lot about the driver but is of no use to them, yet could be valuable to overseas car manufacturers and a range of third parties, including government agencies and insurance companies.
“If this data is misused,” Kemp warns, “it can result in privacy and security threats.”
Difficulties Finding Information
While data collection and storage are probably low on a buyer’s list of priorities—if they’re considered at all—the report says even tech-aware consumers would find “enormous obstacles” in finding and understanding privacy terms.
“Some brands also make inaccurate claims that certain information is not ‘personal information,’ implying the Privacy Act doesn’t apply to that data,” Kemp said.
“Some are also repurposing personal information for ‘marketing’ or ‘research,’ and sharing data with third parties.”
In addition to monitoring the car, manufacturers often require drivers to download an app to access various “connected services.”
Depending on the brand and model, these may include the ability to remotely:
- heat, cool, lock, or unlock the car
- locate the parked car using headlights and horn
- check fuel levels and tyre pressure
- use the car’s internal and external cameras to view its surroundings and interior.
Kemp says the information collected by cars can be misused in various ways.
“It could be disclosed to insurers or data brokers without [a person’s] consent,” she said.
“It could facilitate crimes, including domestic violence, stalking, and robbery.
“It also risks the driver being subject to unjustified police or government surveillance and presents national security risks.”
National Security Risks
This year, the White House issued a warning that “certain hardware and software in connected vehicles enable the capture of information about geographic areas or critical infrastructure and present opportunities for malicious actors to disrupt the operations of infrastructure or the cars themselves.”
“Commerce has determined that certain technologies used in connected vehicles from [Communist China] and Russia present particularly acute threats,” it said.
“These countries of concern could use critical technologies within our supply chains for surveillance and sabotage to undermine national security.”
When consumers try to find out what data their vehicle is collecting and where it is being sent, they are directed to an average of three documents totalling around 14,000 words per brand—if they can find them.
“Hurdles for consumers included missing privacy terms, unhelpful interfaces, and significant errors in published privacy policies,” Kemp said.
There may also be further privacy notices in the vehicle, the user manual, or the purchase contract.
Privacy Terms For Major Brands
⊗ = not available ⊕ = mixed ⊕ = available
| Brand | Full Privacy Terms Reasonably Available on Australian Website | Connected Privacy Terms: Number of Documents | Connected Privacy Document Word Count |
| Audi | ⊗ | 5 | 26,901 |
| BMW | ⊕ | 5 | 41,495 |
| BYD | ⊕ | 3 | 13,225 |
| Ford | ⊕ | 2 | 16,980 |
| GWM | ⊗ | 3 | 10,866 |
| Honda | ⊕ | 3 | 14,162 |
| Hyundai | ⊕ | 2 | 5,255 |
| Kia | ⊗ | 2 | 3,087 |
| Lexus | ⊕ | 3 | 12,625 |
| Mazda | ⊗ | 2 | 4,862 |
| Mercedes | ⊗ | 5 | 18,510 |
| MG | ⊕ | 1 | 3,524 |
| Tesla | ⊕ | 1 | 7,400 |
| Toyota | ⊕ | 3 | 16,808 |
| Volvo | ⊕ | 4 | 13,716 |
(Courtesy of Katharine Kemp/UNSW)
Kemp says several major brands fail to recognise the full scope of personal information protected by the Privacy Act.
“They claim that certain information ‘does not, on its own, personally identify’ the consumer, and they can use this for ‘any purpose,'” she explained.
“But this can, in fact, be personal information about a reasonably identifiable individual.”
Data Matching Allows Identification
For example, a map of a person’s precise location may not identify them on its own, but when combined with their home and work addresses or location history on their mobile phone, it can be linked to an individual. This data could then reveal:
- Children’s schools
- Occupation
- Family and relationship status
- Political opinions or religious affiliations
- Use of legal, medical, rehabilitation, and family planning services
- Involvement in sex work and other services
If the data includes audio or video from inside the car, it could identify:
- Specific individuals in the car and their interactions
- Planned activities
- Political and religious views
- Racial or ethnic origin
- Whether the driver is alone
Although not all cars on the Australian market offer connectivity, it is expected to change rapidly.
The introduction of the technology in Australia has lagged behind other countries, notably the European Union and the United States. However, Austroads predicts that 93 percent of new car sales in Australia will be connected cars by 2031.
In 2023, the Mozilla Foundation analysed connected car privacy terms in the United States—where 63.4 percent of licensed drivers have connected cars and 91 percent of all new car sales include the feature—and concluded it was a “privacy nightmare on wheels.”
Friends Read Free
Copy
Facebook
Tweet
