With car privacy concerns rising, automakers may be on road to regulation
This is the third and final part in a series on automobile privacy.
Faye Francy decided to buy a used car from a dealer a few hours from her house. After writing a check and signing the paperwork, she synced her phone to the infotainment center so she could get step-by-step directions and find her way back.
Francy, who runs the industry-driven vehicle cybersecurity organization Automotive Information Sharing and Analysis Center, was excited to try out her new car’s navigation feature.
She was very surprised by how things turned out.
“I hit home and I started following the directions — and it took me to the previous owner’s home,” Francy recalled in an interview discussing the 2017 incident.
Francy said she started combing through the infotainment center and found a credit card number and other personal information belonging to the previous owner.
“Erase your data,” Francy said.
The problem is many consumers don’t know they should erase their data — largely because manufacturers typically bury densely written privacy policies deep in their terms and conditions. Sometimes those policies’ terms are vague and do not indicate the full scope of what data is taken and how it is used.
Even if consumers don’t sync their phones to the infotainment system, the myriad sensors and geolocation capabilities in connected vehicles reveal a great deal, including to police who can extract it sometimes without a warrant. And there’s a lot that can’t be erased even when consumers do wipe their cars’ data because it has already been sold to data brokers.
Given these facts, regulators are starting to take notice. In July, the California Privacy Protection Agency’s (CPPA) enforcement division announced it is reviewing connected vehicle manufacturers’ and suppliers’ privacy practices, a probe that could have a big impact because a car maker penalized for being out of compliance with California’s relatively strict state privacy law would put the rest of the industry on notice.
Without comprehensive federal privacy legislation, which is currently stalled in Congress and not seen as likely to become law any time soon, experts see two chances for real change: action from California or from the Federal Trade Commission, with the latter the most far-reaching.
FTC action
In 2009, a Sears settlement with the FTC set an important precedent that could be used to frame a connected cars action today, former agency officials and privacy advocates said.
That complaint focused on a program the retailer billed as “My SHC Community,” which the agency said inadequately disclosed what was in fact a vast surveillance apparatus. Under the program, consumers were paid $10 if they downloaded “research” software that would track their “online browsing.”
Sears gathered participants’ online bank statements, drug prescription records, histories of library and video borrowing, and significant information derived from web-based emails, the agency said.
To resolve the FTC complaint, Sears ultimately agreed to destroy the information it had collected and more prominently disclose the types of data it was collecting in the future.
The fact that the company’s disclosure of the scope of the surveillance was insufficient was a key factor in the FTC’s decision to pursue the Sears case, former senior FTC official Mary Engle, who worked on the case, said in an interview.
The agency decided that even though the retailer shared what it would gather in the terms and conditions, the surveillance was so extreme and beyond what a consumer would reasonably expect that pro forma disclosures were not enough.
“Disclosing this in the terms and conditions was not adequate, that was not clear and conspicuous,” said Engle, who is now executive vice president for policy at BBB National Programs, a nonprofit overseeing industry self-regulation programs for privacy and advertising. “I can see that kind of framework also being used in the connected car space.”
A similar theory could underpin an FTC settlement with a single automaker or many of them. Either would have a chilling effect on the level of data extraction and third-party sharing that is now going on, experts and former FTC officials said.
If the infotainment center is being used to “listen in on your conversations or pull down data about preferences and so forth, the FTC could argue that that's an unfair and deceptive act in practice,” David Vladeck, who served as the FTC’s director of the Bureau of Consumer Protection during the Obama administration, said in an interview. “The question is would a reasonable person understand that the car manufacturer is harvesting personal data?”
Vladeck said the best way for the agency to assess the privacy risks of connected cars would be to launch a so-called 6(b) investigation, named for the section of the FTC Act allowing it, and require several major manufacturers to disclose their practices.
If the agency were to find car companies are “acquiring personal data without giving consumers, car buyers, people in cars clear notice of that,” Vladeck said, “the FTC could bring an enforcement action.”
For the FTC, it will be a question of degree — how clear is the disclosure, how extreme is the data extraction, how much of it is shared with third parties and for what purpose?
“Every little fact is a variable that you're going to weigh in terms of the fairness or unfairness,” said Lee Tien, senior staff attorney at the Electronic Frontier Foundation, a nonprofit digital rights group.
A spokesperson for the FTC declined to comment for this story.
On the agency’s radar for years
Connected cars have long been under scrutiny by the FTC. In 2016, the agency told consumers to wipe data after renting a car.
At a connected car workshop the agency held in 2017, then-Commissioner Maureen Ohlhausen warned industry that the FTC had its eye on connected cars and potential privacy violations.
“Where necessary and appropriate, we will use our civil law enforcement authority under Section Five of the FTC Act to take action against manufacturers of connected devices, including connected cars, and potentially service providers,” she said.
Section Five prohibits “unfair or deceptive acts or practices in or affecting commerce.”
By 2018 the FTC had issued a staff report on connected cars which noted that vehicles collect data as sensitive as fingerprints and iris patterns, along with real-time locations. It also flagged that vehicle infotainment systems allow manufacturers to discover drivers’ browsing habits or app usage and sell them for ad targeting.
The agency identified a possible solution: “segregating” safety functions from other “functions controlled through the networks.” In other words, make it possible for hands-free navigation, a safety boon, to not necessarily require drivers sign off on the exfiltration and long-term retention of their mobile phones’ text messages, emails and call logs.
As it stands, consumers are told to “agree to everything or they get nothing,” Andrea Amico, the founder of Privacy4Cars, a company which helps consumers navigate car privacy, said via email. “This is often a false choice.”
The FTC has not taken any enforcement actions against connected car manufacturers to date.
What is disclosed?
Many car manufacturers are silent or unclear about whether they, for example, harvest data from synced phones.
Among the nearly two dozen auto manufacturers that fall in this category are Chrysler, BMW, Dodge, Mazda, Ford and Lincoln, according to research conducted by Privacy4Cars.
What some automakers do disclose makes clear what’s possible. Take Nissan, whose policy until recently bluntly stated it can collect and share consumers’ sexual activity, health diagnosis data, genetic information and more for targeted marketing, according to the Mozilla Foundation, a privacy watchdog. The references to sexual activity, genes and health diagnoses were apparently deleted after the Mozilla report was published.
Politicians have begun asking questions.
Earlier this month Sen. Ed Markey (D-MA) sent a letter to 14 major auto manufacturers, condemning their privacy practices and declaring that consumers should not be trapped in a “massive data collection apparatus, with any disclosures hidden in pages-long privacy policies filled with legalese.”
Markey pointed out that Bluetooth’s emergence has broadened car surveillance by letting companies extract data that “has nothing to do with a vehicle’s operation, such as data from smartphones that are wirelessly connected to the vehicle.”
The senator demanded the car makers answer specific questions about their data practices and submit them to his office by last week.
Given the opaqueness of what the industry is actually doing, many consumers and regulators are in the dark — likely an impetus for the California privacy agency’s investigation.
“There’s a lot that we don’t know,” Tien said.
The car data ecosystem
Part of the difficulty in challenging car data privacy norms stems from how many sectors, including state, local and even the federal government, benefit from it, Tien said.
Local governments use car data to better control traffic and place enforcement cameras, for example.
However, carmakers often use improved driver safety as a “rationale for consumers to agree to giving away their data,” Amico said.
Insurers, a huge lobby, also have a vested interest in preserving their access to car data, Tien said.
Law enforcement sees an advantage in extracting the data — which it can potentially do without a warrant, concerning advocates particularly post-Dobbs, since many women use their cars to seek abortions.
The Department of Motor Vehicles even sells car data to generate revenue, Tien said.
“It’s like a swamp,” he said. “There is a giant both federal and state and local infrastructure of government entities in the transportation area and in law enforcement … that has tremendous incentives, who collect this data.”
The fact that car companies may be sharing data with insurers could be of particular interest to regulators, according to Maneesha Mithal, who ran the FTC’s Division of Privacy and Identity Protection for over a decade.
Connected cars’ ability to gather not only locations, but data showing how somebody drives a car could be a key focus, she said.
“A big concern that regulators have, that was one of the focuses of the FTC workshop in 2017, is the extent to which car companies may be sharing data with insurance companies,” said Mithal, who is now a partner at law firm Wilson Sonsini. “I think that's the major consumer concern.”
The car industry has made a public commitment to privacy protection but it is not binding. Most major car companies have signed off on seven fundamental privacy protection principles drafted by the Alliance for Automotive Innovation Inc., the predominant car industry association.
The principles were originally published in 2014 and reviewed in 2022 and include a commitment not to release geolocation data to law enforcement without a warrant or court order, for example.
But former regulators pointed out that some of the language included in the principles leaves plenty of wiggle room for troublesome car data privacy practices.
For example, the principles’ data minimization, de-identification and retention section notes that automaker signatories “commit to collecting covered information only as needed for legitimate business purposes.”
“Who knows what a legitimate business purpose is?” Engle asked. “That's not defined.”
The issue continues to pick up steam as public attention mounts — often a trigger for regulators. A bombshell report by the Mozilla Foundation released in September drew headlines and inspired Markey’s blistering letter to manufacturers.
The foundation is highly regarded for its consumer privacy work and called the auto sector “the worst product category we have ever reviewed for privacy.” All 25 car brands it researched failed its privacy test.
For many Americans, concerns about their cars matter more than they would for an average consumer good.
“Your car is almost an extension of your house,” renowned car hacker and longtime cybersecurity guru Marc Rogers said. “People do very private things inside their cars.”
Editor's Note, January 2, 2024: Corrects name of Electronic Frontier Foundation and Automotive Information Sharing and Analysis Center.
Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.