Watching you: Connected cars can tell when you’re speeding, braking hard—even having sex
Car companies collect a wide range of driver and passenger data—and now are under scrutiny by privacy advocates, the media, and the feds.
These days we’re connected to the world 24/7, primarily through our smartphones, but also by other devices that can track our whereabouts and capture personal data such as sleep patterns, heart rate, and more, while surveillance cameras mounted everywhere from house doors to corporate buildings monitor our every move.
Although your car might seem like a last refuge, cars are also becoming increasingly connected, thanks to cameras and sensors that are monitoring and recording everything from eye movements to moods. Connected car data has been used to alert insurance companies if drivers are accelerating too fast and braking too hard, and to supply law enforcement with information on crashes and more. Some automakers have even hinted that they know if you’re having sex in the cabin. And at least right now, there’s very little you can do about it.
Headlines, Headaches, and Hackles
Within the last year, the issue of connected car privacy has made headlines, caused headaches for some vehicle owners, and raised the hackles of federal officials. In September 2023, the Mozilla Foundation’s *Privacy Not Included project outlined that connected cars stood out as overly aggressive collectors of personal data compared to other technologies it examines, according to its report “It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed.”
“Every one of the 25 car brands across 15 car companies earned our *Privacy Not Included warning label, which is a first,” said Jen Caltrider, Mozilla’s lead researcher for the project.
Recent events have borne out Mozilla’s conclusions. In March, The New York Times published an exposé on how automakers work with data brokers that, in turn, sell driver data to insurance companies. The story detailed how several owners of General Motors vehicles saw their insurance premiums spike even though they didn’t know they signed up for the automaker’s OnStar Smart Driver service. GM described the feature within its connected car apps as using “driving insights to become a smarter, safer driver.” GM did mention—albeit in fine print—that the feature shared what that automaker called “select insights,” such as rapid acceleration, hard braking, and driving over 80 mph, with data brokers LexisNexis and Verisk. But not that the two data brokers would sell the data to insurance companies.
A GM spokesperson told The New York Times that Smart Driver is turned on “at the time of purchase or through their vehicle mobile app.” A GM spokesperson told MotorTrend, “OnStar Smart Driver service is optional to customers, who give their consent three times before limited data is shared with an insurance carrier through a third party.” But The Times also reported that drivers were unknowingly signed up for the service at dealerships and that “salespeople can receive bonuses for successful enrollment of customers in OnStar services, including Smart Driver, according to a company manual.” After the article was published, GM issued a press release that said it would discontinue the Smart Driver service and terminate its relationship with LexisNexis and Verisk.
Connected Cars Catch the Attention of the Feds
Connected car data privacy has also caught the attention of Sen. Edward Markey, D-Mass., a frequent critic of the auto industry’s tech practices. In December 2023, Markey sent letters to 14 car manufacturers “urging them to implement and enforce stronger privacy protections in their vehicles,” and in May he called on the Federal Trade Commission (FTC) to investigate the car industry’s data privacy practices.
In a recent blog post, the federal agency warned auto manufacturers they “should take note that the FTC will take action to protect consumers against the illegal collection, use, and disclosure of their personal data,” and it cited several enforcement actions to “underscore the significant potential liability” automakers face. Andrea Amico, CEO of Privacy4Cars and an expert on vehicle privacy and cybersecurity, called the blog post a “shot across the bow from the FTC to the broad auto industry—not just the manufacturers—on the need to dramatically step up their privacy practices.”
It can be argued that cars are simply joining other connected devices that constantly collect and share personal data, but there are significant differences between the two, Amico said. When posting pics and info on social media, he said most people understand they’re trading personal data like location, search, and buying habits for services. “When I sign up for Facebook, I know in exchange for seeing cat videos and photos of friends, I'm paying with my eyeballs,” Amico added. “Consumers are aware it's happening. The adage in Silicon Valley is, if you're not paying for something, you are the product.”
But a new car is a product—one that costs tens of thousands of dollars—and Mozilla’s Caltrider noted vehicle data privacy is more difficult to navigate and less transparent than the free and paid services that most tech companies offer. As an example, she pointed to the privacy policy of Apple and its app developers, which she cites as straightforward in its approach. “If I'm looking for a recipe app, I go to the App Store and there's a link to the privacy policy,” she said. Once an app is on your iPhone, it asks for certain permissions. “And if you get creeped out by the app, you can delete it,” she added.
As Caltrider notes, the experience in the car is very different, and to date there aren’t any user-friendly opt-in and opt-out choices, compared to other technologies. “If you decide you don't want an app or service in your car, you can't just delete it,” she said. “And say you start your car and have to get somewhere, and a screen pops up asking, Do you agree to these things? And you click OK. How do you navigate back to that?”
Compounding the problem, as more vehicles include in-car cameras and other monitoring systems, it’s not just the driver whose personal data is potentially being captured. It’s the passengers’, as well. In this scenario, it would theoretically be on the driver to let the passengers know the details of an in-cabin monitoring system’s privacy policy. “Nobody picks up their buddy to go to a movie and says, ‘Hold on, I got to read you the privacy policy,’” Caltrider said. “It's a ridiculous situation.”
Flying Under the Data Privacy Radar
Connected cars “flew under the radar” as aggressive collectors of personal data, Caltrider said, and represent a completely new and difficult category for privacy researchers. “It took us about a month to even wrap our brains around how to research the privacy of cars,” she said. They’re also the first product category in which all the examples evaluated failed the Mozilla Foundation privacy tests. “And it's not just the car companies, but it feels like the entire auto industry slipped into collecting a lot of data.”
Connected cars are also far more complicated than other tech products. “The car company has a privacy policy; the connected services have a privacy policy; the financial services have privacy policies,” Caltrider said. “This is what we do for a living, and our heads were spinning. There's no way a consumer could even begin to navigate the privacy landscape.”
Another big difference Caltrider cites is that the privacy policies of auto companies are written much more broadly than those of most tech companies. “Their mentality is to collect all this data and sort it all out later,” she said. “With tech companies, there was pushback on data collection, and they had to reel it in and think through privacy protections.”
Auto Industry Consumer Privacy Protection Principles
The trade groups the Alliance of Automobile Manufacturers and the Association of Global Automakers, which at one time represented most major automakers, released a set of voluntary privacy principles back in 2014. The two groups merged into the Alliance for Automotive Innovation in 2019, and the principles were later updated in 2022.
“The auto industry Privacy Principles includes things like data minimization and transparency, which they didn't even come close to complying with,” Caltrider said. “It’s like someone said, ‘Here’s good things to do for privacy.’ But then they ignored that.” Amico added that the privacy principles “are very squishy. You’ll find language that says with consent they will use data for business purposes. What consent means is, somewhere in the lease or loan agreement signed at the dealership, the buyer signed a giant list of documents. It’s a big transparency problem.”
When we reached out to the Alliance for Automotive Innovation for comment, a spokesperson referred us to a privacy memo the organization published in December 2023 that largely frames the collection of data as a safety benefit for drivers and passengers. The memo ends with: “Yes, your vehicle is generating and transmitting safety data. That’s by design. No, your car isn’t spying on you.”
“Safety cannot be used to get data from consumers for other purposes,” Amico said. “When subscribing to those services, the pitch is in case of an accident, an adviser will dispatch emergency services. But what happens when you sign up, where you are second by second is collected and used for purposes that have nothing to do with safety.”
Collecting Information on Sexual Activity
Of all the data that car companies can potentially capture, one of the most eye-opening from the Mozilla report was people having sex in vehicles. “One of the things that everybody latched onto was Nissan and Kia saying they could collect information on your sex life or your sexual activity,” Caltrider said. “That really freaked people out.” While the researchers couldn’t determine exactly how the automakers would gather data on sexual activity in cars, the educated guess is it wouldn’t be that hard for cameras and sensors to gather the information.
After the Mozilla Foundation report was released, Kia Connect Services (a suite of services Kia extends to its vehicle owners) and Nissan USA removed wording about collecting information on sexual activity from their online privacy policies, Caltrider said. She sent us a PDF of the original wording on the Nissan site, and under Types of Personal Data collected, it read: “Sensitive personal information, including … sexual orientation, sexual activity, precise geolocation, health diagnosis data, and genetic information.” On Kia’s broader corporate privacy page under Sensitive Personal Information as of press time, it still read, “This category may include … sex life or sexual orientation information.”
Caltrider is also concerned about the information car companies share with law enforcement. “We saw companies that said they could share data with law enforcement based on something as simple as an informal request—and that’s a very low bar,” she said. Caltrider said she would like the companies to stipulate, “'We’ll never share data with law enforcement without a court order.' And if they have a court order, we will ask for the most limited amount of data possible. I'm still scratching my head what an informal request is. There's just so much potential for abuse. You don't want law enforcement peeking into what you feel like is your private personal space.”
Automotive News recently reported that Toyota, Subaru, Mazda, Nissan, Kia, BMW, Mercedes-Benz, and Volkswagen informed Congress they would give away driver data if challenged with only a subpoena, not a court order. A subpoena is a request for information by a court clerk or an attorney, while a court order requires a judge’s decision. “Automakers have not only kept consumers in the dark regarding their actual practices, but multiple companies misled consumers for over a decade by failing to honor the industry’s own voluntary privacy principles,” Sens. Markey and Ron Wyden, D-Ore., wrote to the FTC following the automakers’ admission.
Top Consumer Data Privacy Concerns
Much as consumers are concerned about information being handed over to law enforcement, they are more concerned about data going to insurance companies, Amico said. “We asked consumers what they cared about, and that was number one,” he said. Which explains why GM dropped its Smart Driver program in the wake of The New York Times story.
The story detailed how Kenn Dahl—who lives near Seattle, leases a Chevy Bolt, classifies himself as a careful driver, and has never been at fault in an accident—was surprised when his car insurance premium increased 21 percent in 2022. An insurance agent told him a LexisNexis report tied to data from his Bolt was the cause. “It felt like a betrayal,” Dahl told The Times. “They’re taking information that I didn’t realize was going to be shared and screwing with our insurance.”
Romeo Chicco of Palm Beach County, Florida, the owner of a Cadillac, has filed a class-action lawsuit against GM and LexisNexis because he was denied auto insurance by seven companies after LexisNexis shared his data with insurers. Like Dahl, Chicco said he didn’t sign up for GM’s Smart Driver and didn’t realize his info was being shared. Other automakers, including Honda, Kia, and Hyundai, offer similar optional features that rate people’s driving.
How to Protect Your Data
Caltrider said there’s not a lot consumers can do at present to protect their data in modern connected vehicles. “You can do things like don't download a car’s app or try to opt out of things, but you might get opted back in,” she said. “I think that the best thing consumers can do is to push for a strong, consumer-focused federal privacy law. We don't have one, but Europe does.” The Alliance for Automotive Innovation spokesperson told us the organization also advocates for a comprehensive federal consumer privacy law.
Amico created Privacy4cars.com as a potential solution. “We built a tool called the Vehicle Privacy Report,” he said. “It's free for consumers. You can punch in a VIN, and we'll tell you what data your car collects and where it's going.” Privacy4Cars also created a smartphone app that allows consumers to delete data in a car, and its Assert Your Data Rights service allows Privacy4Cars to act as an authorized agent to submit requests for access to personal information collected by a car, to delete the information, and to request that personal information not be sold as defined by respective state laws.
Because people are keeping cars much longer and connectivity has become so pervasive in new vehicles, most consumers might not realize how much of their personal data is being collected. “If you haven't bought a new car in a while, you might not know that almost every one you buy today comes with connected services, microphones, cameras, and all these points of data collection,” Caltrider said.
Despite the warnings and increasingly intrusive collection practices, data privacy still appears to be way down the list of car buyers' concerns. “Most people think about cost, reliability, safety, availability, things like that,” Caltrider said. “A car means freedom and independence for many people, and the tracking of data and the monitoring is hidden. You don't see the cameras. You don't know about the sensors. You don't see the data coming and going. It really creeps people out.”