Senator Edward Markey (D-Mass.) has again obtained and released information about the privacy practices of private companies in a sensitive area, this time in the form of a report on the practices of automobile manufacturers.
According to the report, not only are local police departments, federal agencies, phone companies, advertising companies, and map app providers collecting customers’ location data, so are the automobile manufacturers. One might think that the automakers would stick to their core competency of making cars, but apparently, like everyone these days, many of them are eager to get into the game of data, data, data. And so far, the marketplace has not made it possible to use location services without giving up a lot of privacy. There is no reason we can’t have our cake and eat it too, here—cool services, and reasonable protection for privacy.
The main privacy-related takeaways from the report are:
- Most carmakers today are including in their vehicles “a range of navigation, telematics, infotainment, emergency assist, stolen vehicle recovery, and event data recording systems that have the ability to record driving history information.”
- At least seven manufacturers reported collecting information on drivers’ geographic location. The report does not name the manufacturers. (It does say that Honda, Porsche, and Mercedes-Benz refused to provide information in response to this question, and that Tesla, Aston Martin, and Lamborghini didn’t respond to the senator at all. I’m inclined to assume the worst of companies that refuse to cooperate with this kind of inquiry.)
- Two automobile industry associations have adopted voluntary privacy principles, but they are of little use. First of all, they’re voluntary—and it’s not clear to what extent market pressures will ensure compliance. Second, they're weak, for example allowing collection “only as needed for legitimate business purposes,” which as far as I can tell would still allow for any use of data that makes a company money. The voluntary guidelines also suggest that companies give consumers “choice” over whether some data is shared—but that choice only extends to “sensitive” data shared “for marketing purposes.” And the guidelines recommend no choice at all over whether the data is collected and stored by the car companies in the first place, which is the real privacy pain point. Among other things, data stored by a company can be demanded by government agencies.
- Only two manufacturers out of the 20 contacted said that data collection or transmission can be disabled with no loss of functionality, with four others saying it can be disabled by turning off a feature or service.
- Notice to customers of these practices, where there is any at all, typically comes in the form of fine print buried in owners’ manuals or terms and conditions (which must be accepted). Customers should never be tracked without their consent—but you can't consent to something you aren't aware of.
- The security situation with regards to wireless car services is a mess, according to the report, which found that most cars on the road are vulnerable to hackers, who in many cases could interfere with critical safety systems such as a car's steering and brakes. I’ve written about this issue before (here and here), but the report contributes valuable new information to our understanding of the scope of the security problem.
Our cars are increasingly computers on wheels, and that is opening the gates to all the privacy and security issues that other computers are susceptible to. It’s great to see at least some members of Congress making use of their powers to shine light on the lightning-fast evolution of technology and consumer privacy.