Automotive Data

The US Federal Trade Commission recently published a blog post warning car companies about sharing automobile-collected data.  Who thought your car would be gathering information about you?  Personal data is being collected every second, even in your vehicle.

“Some say a person's car can say a lot about them.  As cars get ‘connected,’ this turns out to be truer than many might have realized.  While connectivity can let drivers do things like play their favorite internet radio stations or unlock their cars with an app, connected cars can also collect a lot of data about people.  This data could be sensitive, such as biometric information or location, and its collection, use, and disclosure can threaten consumers’ privacy and financial welfare.[1]

“Connected cars have been on the FTC’s radar for years.  The FTC highlighted concerns related to connected cars as part of an “Internet of Things” workshop held in 2013, followed by a 2015 report.  In 2018, the FTC hosted a connected cars workshop highlighting issues ranging from unexpected secondary uses of data to security risks.  The agency has also published guidance reminding consumers to wipe the data on their cars before selling them much as anyone would when trying to resell a computer or smartphone.

“Over the years, privacy advocates have raised concerns about the vast amount of data that could be collected from cars, such as biometric, telematic, geolocation, video, and other personal information.  News reports have also suggested that data from connected cars could be used to stalk people or affect their insurance rates. Many have noted that when any company collects a large amount of sensitive data, it can pose national security issues if shared with foreign actors.

“Car manufacturers and all businesses should take note that the FTC will take action to protect consumers against the illegal collection, use, and disclosure of their data.  Recent enforcement actions illustrate this point:

“Geolocation data is sensitive and subject to enhanced protections under the FTC Act.  Cars are much like mobile phones for revealing consumers’ persistent, precise location.  In a series of seminal cases in recent years, the Commission has established that collecting, using, and disclosing location can be an unfair practice.  In X-Mode, the FTC alleged that the data could be used to track people’s visits to sensitive locations like medical or reproductive health clinics, places of worship, or domestic abuse shelters.  Similarly, in InMarket, the Commission alleged that the company’s internal use of sensitive data to group consumers into highly sensitive categories for advertising purposes was unlawful.  The orders resolving these matters prohibit these companies from selling sensitive location information.

“Surreptitious disclosure of sensitive information can be an unfair practice. Companies with legitimate access to consumers’ sensitive information must ensure that the data is used only for the reasons they collected it.  For example, the Commission recently alleged that BetterHelp, which offers online counseling services, including those marketed to specific groups like Christians, teens, and the LGBTQ+ community, revealed consumers’ email addresses and health questionnaire information to third parties for advertising purposes.  Similarly, the Commission took action against mental telehealth provider Cerebral for, among other things, the company’s unfair privacy and security practices.  The FTC obtained settlements requiring BetterHelp and Cerebral to pay millions of dollars so that affected consumers could receive partial refunds, and the Cerebral settlement bans the company from using or disclosing consumers’ personal information for advertising purposes.

“Using sensitive data for automated decisions can also be unlawful.  Companies that feed consumer data into algorithms may be liable for harmful computerized decisions.  The FTC recently took action against Rite Aid, saying in a complaint that the company enrolled people into a facial recognition program that alerted employees when suspected matches entered their stores.  The complaint includes allegations that Rite Aid failed to take reasonable steps to prevent low-quality images from being used with the program, increasing the likelihood of false-positive match alerts.  In some cases, false alerts came with recommended actions, such as removing people from the store or calling the police, and employees followed through on those recommendations.  As a result of the FTC’s action, Rite Aid agreed to a 5-year ban on using facial recognition technology.

“These cases underscore the significant potential liability associated with collecting, using, and disclosing sensitive data, such as biometrics and location data.  As the FTC has stated, firms do not have the free license to monetize people’s information beyond purposes needed to provide their requested product or service, and firms shouldn’t let business model incentives outweigh the need for meaningful privacy safeguards.

“The most straightforward way that companies can avoid harming consumers by collecting, using, and sharing sensitive information is by simply not collecting it in the first place. When motivated, all businesses, including auto manufacturers, can build products with safeguards that protect consumers.”

Why Your Car Collects and Shares Data - A car (and its app, if you installed one on your phone) can collect all sorts of data in the background with and without you realizing it.  This, in turn, may be shared for various purposes, including advertising and risk assessment for insurance companies.  The data collection list is long and depends on the car’s make, model, and trim.[2]  But if you look through any car maker’s privacy policy, you'll see some trends:

  • Diagnostics data, sometimes called “vehicle health data,” may be used internally for quality assurance, research, recall tracking, service issues, and similar unsurprising car-related purposes.  This data type may also be shared with dealers or repair companies for service.
  • Location information may be collected for emergency services, mapping, and cataloging other environmental details on where a car is operated.  Some cars may give you access to the vehicle’s location in the app.
  • Some usage data may be shared or used internally for advertising. Your daily driving or car maintenance habits, alongside location data, are valuable assets to the targeted advertising ecosystem. 
  • All of this data could be shared with law enforcement.
  • Information about your driving habits, sometimes called “Driving data” or “Driver behavior information,” may be shared with insurance companies and used to alter your premiums.  This can range from odometer readings to braking and acceleration statistics and even data about your driving time. 

 

Surprise insurance sharing is the thrust of The New York Times article, but it is certainly not the only problem with car data.  As written about previously, insurance companies offer discounts for customers who opt into a usage-based insurance program.  Every state except California currently allows the use of telematics data for insurance rating, but privacy protections for this data vary widely across states.

When you sign up directly through an insurer, these opt-in insurance programs have a pretty clear tradeoff and sign-up process. They'll likely send you a physical device that you plug into your car's OBD port, which collects and transmits data back to the insurer.

However, some cars have their own internal systems for sharing information with insurance companies that can piggyback off an app you may have installed or the car’s own internet connection. Many of these programs operate behind dense legalese.  You may have accidentally “agreed” to such sharing without realizing it while buying a new car, likely in exhaustion and excitement after finally completing a gauntlet of finance and legal forms.

This gets more confusing: car-makers use different terms for their insurance-sharing programs.  Some, like Toyota's “Insure Connect,” are obviously named. However, others, like Honda, tuck information about sharing with a data broker (that then shares with insurance companies) inside a privacy policy after you enable its “Driver Feedback” feature.  Others might include the insurance sharing opt-in alongside broader services you might associate more with safety or theft, like G.M.’s OnStar, Subaru’s Starlink, and Volkswagen’s Car-Net.

The amount of data shared also differs by company. Some car makers might share only small amounts of data, like an odometer reading, while others might share specific details about driving habits.

That's just the insurance data sharing.  There's little doubt that many cars sell other data for behavioral advertising, and like the rest of that industry, it's nearly impossible to track exactly where your data goes and how it's used.

See What Data Your Car Has (and Stop the Sharing) - This is a general guide to see what your car collects and who it shares it with. It does not include information about specific scenarios—like intimate partner violence—that may raise distinctive driver privacy issues.

See How Your Car Handles (Data) - Start by seeing what your car is equipped to collect using Privacy4Cars’ Vehicle Privacy Report.  Once you enter your car’s VIN, the site provides a rough idea of what data your car collects.  It's also worth reading about your car manufacturer’s general practices on Mozilla's Privacy Not Included site.

Check the Privacy Options in Your Car’s Apps and Infotainment System - If you use an app for your car, head into the app’s settings and look for any data-sharing options.  Look for settings like “Data Privacy” or “Data Usage.” Opt out of sharing any data with third parties or for behavioral advertising when possible.  As annoying as it may be, it’s important to read carefully here so you don’t accidentally disable something you want, like a car’s SOS feature.  Be mindful that, at least according to Mozilla’s report on Tesla, opting out of certain data sharing might someday make the car undrivable.  Now’s also a good time to disable ad tracking on your phone.

Regarding sharing with insurance companies, you’re looking for an option that may be obvious, like Toyota’s “Insure Connect,” or less obvious, like Kia’s “Driving Score.”  If your car’s app has any driver scoring or feedback option—some other names include GM’s “Smart Driver,” Honda’s “Driver Feedback,” or Mitsubishi’s “Driving Score”—there’s a chance it’s sharing that data with an insurance company.  Check for these options in the app and the car’s infotainment system.

If you accidentally signed up to share data with insurance companies, you may want to call your insurance company to see how doing so may affect your premiums. Depending on your driving habits, your premiums might go up or down, and in either case, you don’t want a surprise bill.

File a Privacy Request with the Car Maker - Next, file a privacy request with the car manufacturer to see exactly what data the company has collected about you. Some car makers will provide this to anyone who asks.  Others might only respond to requests from residents of states with a consumer data privacy law that requires their response.  The International Association of Privacy Professionals has published this list of states with such laws.

In these states, you have a “right to know” or “right to access” your data, which requires the company to send you a copy of the personal information it collected about you.  Some states also guarantee “data portability,” meaning the right to access your data in a machine-readable format.  File one of these requests, and you should receive a copy of your data.  In some states, you can also request that the car maker not sell or share your information, or that it delete it. While the carmaker might not be legally required to respond to your request if you're not from a state with these privacy rights, it doesn’t hurt to ask anyway.

Every company tends to word these requests differently, but you’re looking for options to get a copy of your data and ask them to stop sharing it.  This typically requires filling out a separate request form for each type of request.

Here are the privacy request pages for the major car brands (click on the hyperlink):

  • BMW (BMW, Mini, Rolls-Royce)
  • Ford (Ford, Lincoln)
  • GM (Cadillac, GMC, Chevrolet, Buick)
  • Honda (Honda, Acura)
  • Hyundai
  • Jaguar (Jaguar, Land Rover)
  • Kia
  • Mazda
  • Mercedes-Benz
  • Mitsubishi
  • Nissan
  • Rivian
  • Stellantis (Fiat, Chrysler, Jeep, Dodge)
  • Subaru
  • Tesla
  • Toyota (Toyota, Lexus)
  • Volkswagen (VW, Audi)
  • Volvo

Sometimes, you must confirm the request via email, so be sure to check your inbox.

Check for Data On Popular Data Brokers Known to Share with Insurers - Finally, request your data from data brokers known to hand car data to insurers.  For example, do so with the two companies mentioned in The New York Times article: 

LexisNexis 

Verisk 

Now, you wait.  In most states, within 45 to 90 days, you should receive an email from the car maker and another from the data brokers, often including a link to your data.  You will typically get a CSV file, though it may also be a PDF, XLS, or even a folder with a whole webpage and an HTML file.  If you don't have any spreadsheet software on your computer, you might struggle to open it up, but most of the files you get can be opened in free programs, like Google Sheets or LibreOffice.

Without a national law that puts privacy first, there is little that most people can do to stop this sort of data sharing.  Moreover, the steps above clearly require far too much effort for most people.  That’s why we need much more than these consumer rights to know, delete, and opt out of disclosure: we also need laws that automatically require corporations to minimize the data they process about us and get our opt-in consent before processing our data.  As to car insurers, we've outlined exactly what sort of guardrails we'd like to see here.

As The New York Times' reporting revealed, many people were surprised to learn how their data is collected, disclosed, and used, even if there was an opt-in consent screen.  This is a clear indication that carmakers need to do better. 

 

This article is shared at no charge and is for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization and thinks highly of Recorded Future.  Red Sky agrees with providing as much intelligence to an analyst as possible and believes our data sets and services can help augment what RF provides.  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com    

REDSHORTS - Weekly Cyber Intelligence Briefings

https://register.gotowebinar.com/register/5378972949933166424

 

[1] https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2024/05/cars-consumer-data-unlawful-collection-use

[2] https://www.eff.org/deeplinks/2024/03/how-figure-out-what-your-car-knows-about-you-and-opt-out-sharing-when-you-can
