The California Privacy Protection Agency—created under a ballot initiative in 2020 and the only regulator in the nation solely dedicated to privacy issues—will examine the growing amalgamation of data collected by smart vehicles and whether the business practices of the companies collecting that data comply with state law.
“Modern vehicles are effectively connected computers on wheels. They’re able to collect a wealth of information via built in apps, sensors, and cameras, which can monitor people both inside and near the vehicle,” Ashkan Soltani, the agency’s executive director, said in a statement.
U.S. regulators’ scrutiny of the data lags behind such efforts in Europe, which has forced automakers to update software to limit the collection and protect the privacy of consumers.
Porsche provides a menu on vehicle dashboards where European drivers can give or withdraw their consent for the company to collect personal data or share it with third-party suppliers.
Regulators in Europe also have opened investigations into how the auto industry uses personal information from cars such as location data. In February, Tesla agreed to offer a software update in Europe to change camera settings in cars after the Dutch privacy regulator investigated the company.
Tesla disabled vehicles’ external security cameras by default until a driver turns on the function to record activity outside a car and changed the camera settings so they only save the last 10 minutes of footage recorded from outside the cars, compared with one hour of footage they previously had saved.
The Dutch regulator also said it was a privacy violation for the cameras to extensively record people outside of cars without their knowledge.
The Tesla update also included features to warn people inside and outside of cars that the external cameras are recording. Headlights blink if the cameras are recording and a message is displayed on a touch screen inside the cars.
Automobiles represent the latest frontier for regulators, raising fresh questions about who will control the data generated by vehicles as they move through the world.
Numerous companies are in a position to access the data—including the automakers themselves, companies that make or run in-car navigation or infotainment systems, satellite radio companies and in-vehicle security and emergency services providers.
Insurance companies have also been encouraging consumers to share information about their driving behavior, sometimes in exchange for a discount.
All the data has commercial potential. In some cases, it can be used by insurers in determining how to set rates, evaluate risk and gauge safe driving behavior.
It also can be used in urban planning and traffic studies; to help make real-estate decisions such as where to open a franchise or outlet; or be used in economic forecasting.
In some cases, data brokers make vehicle data available for sale—stripping it of personal information such as names. People’s movement patterns are often unique, however, and their real-world identities can be inferred in large-scale location data sets even when the data is stripped of personal information.
Law-enforcement agencies also can now obtain the historical location of suspects, usually with a warrant. The sensors on modern cars have raised national-security concerns as well.
China in 2021 banned certain officials from owning or driving Tesla vehicles citing concerns that data the cars gather could be a source of national-security leaks, The Wall Street Journal has reported.
California has been at the forefront of consumer-privacy issues in the U.S. In 2018, it passed the nation’s first California Consumer Privacy Act and expanded the law in 2020 by ballot initiative approved by voters. In the years since, 10 other states have passed similar laws and others are weighing whether to do so.
Violations of California privacy laws can be punished by fines. As a relatively new agency, the California Privacy Protection Agency wasn’t authorized to begin enforcement activities until July 1.
The agency has jurisdiction over technology companies that either have an annual gross revenue of over $25 million; buy, sell or share the personal information of more than 100,000 state residents, or derive more than 50% of their annual revenue from selling or sharing California residents’ data.
Carmakers Fail Privacy Test, Give Owners Little Or No Control Of Personal Data They Collect
Cars are getting an “F” in data privacy. Most major manufacturers admit they may be selling your personal information, a new study finds, with half also saying they would share it with the government or law enforcement without a court order.
The proliferation of sensors in automobiles — from telematics to fully digitized control consoles — has made them prodigious data-collection hubs.
But drivers are given little or no control over the personal data their vehicles collect, researchers for the nonprofit Mozilla Foundation said Wednesday in their latest “Privacy Not Included” survey Security standards are also vague, a big concern given automakers’ track record of susceptibility to hacking.
“Cars seem to have really flown under the privacy radar and I’m really hoping that we can help remedy that because they are truly awful,” said Jen Caltrider, the study’s research lead. “Cars have microphones and people have all kinds of sensitive conversations in them. Cars have cameras that face inward and outward.”
Unless they opt for a used, pre-digital model, car buyers “just don’t have a lot of options,” Caltrider said.
Cars scored worst for privacy among more than a dozen product categories — including fitness trackers, reproductive-health apps, smart speakers and other connected home appliances — that Mozilla has studied since 2017.
Not one of the 25 car brands whose privacy notices were reviewed — chosen for their popularity in Europe and North America — met the minimum privacy standards of Mozilla, which promotes open-source, public interest technologies and maintains the Firefox browser. By contrast, 37% of the mental health apps the non-profit reviewed this year did.
Nineteen automakers say they can sell your personal data, their notices reveal. Half will share your information with government or law enforcement in response to a “request” — as opposed to requiring a court order. Only two — Renault and Dacia, which are not sold in North America — offer drivers the option to have their data deleted.
“Increasingly, most cars are wiretaps on wheels,” said Albert Fox Cahn, a technology and human rights fellow at Harvard’s Carr Center for Human Rights Policy. “The electronics that drivers pay more and more money to install are collecting more and more data on them and their passengers.”
“There is something uniquely invasive about transforming the privacy of one’s car into a corporate surveillance space,” he added.
A trade group representing the makers of most cars and light trucks sold in the U.S., the Alliance for Automotive Innovation, took issue with that characterization. In a letter sent Tuesday to U.S. House and Senate leadership, it said it shares “the goal of protecting the privacy of consumers.”
It called for a federal privacy law, saying a “patchwork of state privacy laws creates confusion among consumers about their privacy rights and makes compliance unnecessarily difficult.”
The absence of such a law lets connected devices and smartphones amass data for tailored ad targeting and other marketing — while also raising the odds of massive information theft through cybersecurity breaches.
The Associated Press asked the Alliance, which has resisted efforts to provide car owners and independent repair shops with access to onboard data, if it supports allowing car buyers to automatically opt out of data collection — and granting them the option of having collected data deleted.
Spokesman Brian Weiss said that for safety reasons the group “has concerns” about letting customers completely opt out — but does endorse giving them greater control over how the data is used in marketing and by third parties.
In a 2020 Pew Research survey, 52% of Americans said they had opted against using a product or service because they were worried about the amount of personal information it would collect about them.
On security, Mozilla’s minimum standards include encrypting all personal information on a car. The researchers said most car brands ignored their emailed questions on the matter, those that did offering partial, unsatisfactory responses.
Japan-based Nissan astounded researchers with the level of honesty and detailed breakdowns of data collection its privacy notice provides, a stark contrast with Big Tech companies such as Facebook or Google. “Sensitive personal information” collected includes driver’s license numbers, immigration status, race, sexual orientation and health diagnoses.
Further, Nissan says it can share “inferences” drawn from the data to create profiles “reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”
It was among six car companies that said they could collect “genetic information” or “genetic characteristics,” the researchers found.
Nissan also said it collected information on “sexual activity.” It didn’t explain how.
The all-electric Tesla brand scored high on Mozilla’s “creepiness” index. If an owner opts out of data collection, Tesla’s privacy notice says the company may not be able to notify drivers “in real time” of issues that could result in “reduced functionality, serious damage, or inoperability.”
Neither Nissan nor Tesla immediately responded to questions about their practices.
Mozilla’s Caltrider credited laws like the 27-nation European Union’s General Data Protection Regulation and California’s Consumer Privacy Act for compelling carmakers to provide existing data collection information.
It’s a start, she said, by raising awareness among consumers just as occurred in the 2010s when a consumer backlash prompted TV makers to offer more alternatives to surveillance-heavy connected displays.
Car companies are collecting “too much personal data” from drivers, who have little freedom to opt out, researchers wrote in a report assessing the data privacy policies of 25 automobile brands.
All carmakers received “Privacy Not Included” warnings from the Mozilla Foundation, which developed the Firefox browser and advocates for better online privacy and internet safety.
This means that the report’s authors have determined the companies’ products to “have the most problems when it comes to protecting a [user’s] privacy.”
Cars are the worst product “we have ever reviewed for privacy,” the authors wrote, calling them a “privacy nightmare.”
The authors have reviewed at least seven additional product categories, including mental health apps, entertainment electronic devices, smart home devices, wearables and health and exercise products.
“Cars is the first category we’ve reviewed where every product earned our *Privacy Not Included warning label,” Kevin Zawacki, a Mozilla spokesman, said in an email.
All of the car brands were deemed as collecting too much personal data, while 84 percent also shared or sold data. More than half “say they can share your information” with government officials upon “informal request.”
All except two — Renault and Dacia — gave “drivers little to no control over their personal data,” such as the choice to delete personal data.
The report, published Wednesday, adds weight to concerns that as cars become increasingly connected to each other and to the internet, they are becoming tech products that provide sellers with customer data that can be easily sold and shared without the explicit consent of the product’s end users.
“The gist is: they can collect super intimate information about you — from your medical information, your genetic information, to your ‘sex life’ (seriously), to how fast you drive, where you drive, and what songs you play in your car,”the authors of the report wrote.
Modern automobiles, increasingly equipped with the latest electronic gadgets, can record data automatically. Connect to a car’s GPS navigation system, and it can collect location data and driver habits. Hook up your smartphone, and data stored there can be transmitted to carmakers.
“Vehicle data is a low-hanging fruit that offers many opportunities” for carmakers at low cost, said Uri Gal, a professor of business information systems at the University of Sydney Business School in Australia. Data privacy laws in the United States appear to be “slowly emerging,” while low public awareness about the topic makes it easier for carmakers to collect data, he said.
The Mozilla report assessed what data companies can collect under their own policies — based on companies’ disclosures to government regulators — rather than the data they do collect.
Renault and Dacia came out the best among the 25 carmakers, ranking first and second, respectively. The authors said that the two brands — whose data privacy policies “aren’t so bad” — probably were ranked highest because of Europe’s General Data Protection Regulation, which is seen as much more stringent than U.S. rules governing data privacy.
Renault Group, which oversees the two brands, said it “is strongly committed to respecting the regulations on personal data.”
Renault Group will limit data collection to what is “necessary for the provision” of “innovative services linked to connected vehicles” and will respect the user’s choices, it said in a statement.
BMW, the German luxury carmaker, was ranked as the third-best data protector by the authors, who said the company appears to “have had fewer serious security breaches and data leaks than” other automakers. But Mozilla’s researchers also expressed skepticism about BMW’s willingness to give customers the ability to delete their data.
The Rise In Car Thefts Has Car-hacking Experts Searching For Weak Spots
Criminals can exploit everything from a vehicle’s Bluetooth connection to a headlight’s wiring, but white hat hackers are trying to improve security.
In Paris, in a laboratory the size of a walk-in closet, a handful of researchers tinker with the infotainment system of a Tesla. They prod the device, a circuit board they bought on eBay for $400, for weaknesses.
To determine which components control which functions, they connect it to an oscilloscope, a machine the size of a heart monitor; various other tools help them extract and analyze data.
The fruit of their labor: the ability to send commands wirelessly to a Tesla, remotely opening the doors and the front trunk, cutting the lights and potentially turning the car off—without ever having a key, and even while the car is moving.
The researchers are so-called white hat hackers, working for a French cybersecurity company named Synacktiv that helps probe clients’ computer systems.
Tesla Inc. isn’t a client—earlier this year Synacktiv won Pwn2Own, a prominent hacking competition in Vancouver sponsored by Trend Micro Inc.’s Zero Day Initiative, by showing how the security firm could compromise Tesla’s electric vehicles.
Teslas have a reputation of being particularly hard targets for those looking to exploit automotive cybersecurity weaknesses, and are less likely to be stolen than other cars, according to the Highway Loss Data Institute, an organization that analyzes insurance data.
Synacktiv’s recent success, though, is a reminder of the constantly shifting ground between those trying to break into cars and those trying to keep them out.
After years of decline, car thefts have been on the rise. In the US, they bottomed out in 2014 and have since risen more than 45%, with total thefts surpassing 1 million in 2022 for the first time since 2007. In the UK, car thefts rose 19% in 2022 alone.
That country’s National Crime Agency said in July that one factor was a rise in “electronic compromise thefts,” a category that covers such actions as a thief removing a headlight, then attaching a device that sends commands to unlock a car’s doors and start its engine.
Criminals have also been using a range of devices to intercept signals from keyless fobs to get into cars—and block GPS trackers that would make recovery of stolen vehicles easier.
Cybersecurity experts say it’s often hard for victims to know whether such devices were involved in crimes, making the extent of the problem difficult to determine.
In the US, the nonprofit National Insurance Crime Bureau has been warning for almost a decade about the criminal use of devices that mimic the function of wireless key fobs.
In October 2022, Europol, the European Union’s law enforcement agency, announced it had arrested 31 people across France, Latvia and Spain in an auto theft scheme using devices that spoofed keyless entry systems.
In the UK, officials are considering banning the sale, purchase or possession of equipment that can be used to hack cars, according to local news reports. Some lawmakers are also trying to compel carmakers to harden their defenses.
Last year a law went into effect in the EU that requires all new vehicles to undergo a cybersecurity review and automakers to have a plan for identifying and fixing vulnerabilities before the vehicles are sold.
The increased scrutiny is a potential boon for cybersecurity companies like Synacktiv. Tiffany Rad, an independent consultant in the field since 2006, says she’s working with US officials on developing cybersecurity and privacy standards for the transportation industry, focusing on potential requirements for the design stages of automobile manufacturing.
“When I started hacking cars, the auto manufacturers didn’t have many cybersecurity concerns,” she says. “Things are very different now.”
A major wake-up call came in 2015, when two researchers had a reporter from Wired magazine drive a Jeep on a highway in St. Louis, then remotely hijacked it while he was at the wheel. (They also shared their work with FCA US LLC, the company that made the car, and it addressed the vulnerability.)
Automakers have added many cybersecurity features since then—the researchers who hacked the Jeep quickly found jobs in the industry—but cars are also adding new potential vulnerabilities as they rely more heavily on computing systems.
Cars Stolen In The US In 2022: 1 Million
Security is an issue throughout the computing industry. But automakers have a particularly tough task, because people tend to hold on to their car for far longer than, say, their smartphone, according to Ken Tindell, chief technology officer of Canis Automotive Labs Ltd., a UK-based automotive security company.
“The cars you see are like starlight: They represent the state of the industry not as it is now but many years ago,” he says.
“The spike in car thefts today comes from a few technically savvy criminals designing theft devices that are easy for street thieves to use on starlight cars with security weaknesses.”
Some problems can be fixed by requiring vehicle owners to visit dealers for software updates when carmakers discover vulnerabilities, but others are harder to stop. Tindell’s company published a report in April that documented the hack of a Toyota RAV4 stolen last year.
He worked with the vehicle’s owner, an independent cybersecurity researcher named Ian Tabor, to discover how the thieves pulled off an attack that involved removing the car’s headlight to gain access to the internal network, through which different parts of the car communicate with one another.
In the weeks leading up to the theft, Tabor had woken up twice to find extensive damage to the vehicle, with the front bumper removed and the headlights’ wiring so badly mangled that they no longer worked. He posted photos on social media, complaining about what he assumed then was mere vandalism.
After the theft, the researchers used an app that tracked the vehicle’s onboard telematics to confirm how it was stolen, and they scoured cybercriminal forums, finding hacking tools and instructions for sale that enable automotive attacks.
Specific devices targeted vehicles including BMWs, Cadillacs, Hondas, Jaguars and Maseratis.
The researchers bought one such tool, a Bluetooth speaker retrofitted with a small piece of electronics loaded with malicious code and grafted onto the speaker’s circuit board, according to the report.
They activated a special chip hidden inside by pressing the play button, sending the car’s system the message to unlock the doors. From there, they could detach the hacking tool, get inside the car and start the engine, according to the report.
Canis’ researchers determined that a similar hacking tool was used to steal Tabor’s vehicle. (A Toyota Motor Corp. spokesperson said in an email that the automaker was “continuously working on developing technical solutions to make vehicles more secure” and that such devices should not be available for sale online.)
Synacktiv’s main work consists of conducting “penetration tests” for nonautomotive clients. It decided to focus on Teslas because of the vehicles’ popularity and their reputation for being particularly resistant to cyberattacks.
Much of the published security research involving Tesla has involved flaws in cloud services used by owners, not the vehicles themselves.
In 2022 a German teen named David Colombo found a weakness in a third-party app that some Tesla owners use to collect and analyze data about their vehicles. It allowed him access to those vehicles’ location history and hijack functions the owners had enabled via the app, including remotely opening and closing the doors and honking the horn.
Synacktiv’s work has exposed serious flaws in the code of the Teslas themselves. They disclosed three vulnerabilities at the Pwn2Own competition in March that allowed them to hijack key security and safety features of the Model 3—including, most dangerously, while the car is moving. To hack the Tesla, Synacktiv’s team needed to be within range of its Bluetooth connection.
Without any physical contact with the vehicle, they could then run malicious code directly on the Tesla’s infotainment system and deeper into the vehicle, bypassing the car’s primary cybersecurity protections. (They weren’t able to control the steering wheel or acceleration, which are protected by additional layers of security.)
The company’s demonstration won it a $350,000 prize and a new Tesla Model 3. Tesla didn’t respond to requests for comment, but has been involved in the competition since 2019 and supplied the car that Synacktiv won as a prize, according to Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative.
Tesla has long invited ethical hackers to look for flaws in its technology and has had a “bug bounty” program since 2014, according to the automaker’s news releases and public statements.
Tesla has subsequently patched the flaws, according to Synacktiv. The security firm’s researchers say they will likely join next year’s Pwn2Own, but with the security improvements Tesla has made, they are setting expectations low.
“Every year it’s gotten more difficult for researchers to do useful and impactful exploits specific to Tesla,” says Vincent Dehors, one of the researchers on Synacktiv’s Tesla hacking team. “We’ll probably participate, but we don’t know if we’ll be able to do something. We think for now that it will be hard—very hard.”