Why Your Car Is a 'Privacy Nightmare,' and What You Can Do About It

It's so bad, it seems like it shouldn't be legal

  • All car manufacturers studied by Mozilla were found to be collecting private data.
  • Location, tire wear, driving habits, and even your sexual orientation are all fair game for collection.
  • You can reduce the data bleed but can't stop it entirely.

Even if you are healthily paranoid, when you find out how much private data your car collects, your head is going to spin.

According to the Mozilla Foundation, your car is a 'privacy nightmare.' It is constantly harvesting data from the car itself and any connected apps. And as we shall see, it also shares and sells that data. The bad news is, there's very little you can do about it. The good news is you can at least do something, but it's not simple.

"The car industry will use data collected much like big tech companies will use it, to sell more products and add-on services. This is projected to be a $400-800 billion industry by the next decade, so the race is on to put this data to use," J.D. Brooks, former Pentagon, NORAD, and Space Command engineer and adjunct professor of cybersecurity, told Lifewire via email. "Europe […] is generally ahead of us in terms of data privacy, and they are already looking at defining what car data really is and how to protect consumers."

100% Bad

Mozilla's report calls cars "the worst product category we have ever reviewed for privacy." Of the 25 manufacturers it studied, all committed privacy violations that the foundation considers unacceptable.

What kind of data are we talking about? It runs from the obvious, like your driving habits, fuel consumption, location, and tire wear (to sell you new tires), to the downright creepy. Nissan, which Mozilla considers the second-worst offender on its list, even tries to collect data about your "sex life." (Mozilla's worst manufacturer is—surprise surprise—Tesla.)

Not all of this data can come from the car itself, obviously. To really round out their portfolios of privacy violations, cars pull data from apps you connect to them. Many apps already have dodgy privacy practices, and those are the ones you should watch out for.

"[W]ith cars becoming a home on wheels, manufacturers have sought to monetize the data they could collect and sell as a way to provide an ongoing stream of revenue from this data. In nearly every vehicle purchase, the consumer is held captive as they are not in a position to return the vehicle if they disagree with a privacy policy," Dr. Chris Pierson, former CISO, general counsel and chief privacy officer, and founder and CEO of digital executive protection company BlackCloak, told Lifewire via email. "It is logical to assume that data collected from vehicle systems may be aggregated and sold to data brokers with little attention given to individual rights and explicit consent."

If it seems like open season on any and all data that a car manufacturer can mine, trawl, scrape, or otherwise glean about you, that's because it is. And so far, the law doesn't really help.

"Data privacy is one area where corporations are running circles around the federal government. They simply don't have the expertise to adequately regulate the industry, and they're also much more likely to hear from industry stakeholders than they are to hear from ordinary consumers," Ben Michael, attorney at Michael and Associates, told Lifewire via email.

Melanie Musson, vehicle expert and car insurance writer at Clearsurance, agrees. "It seems like it should be regulated, but manufacturers essentially force buyers to sign away their right to privacy. So, manufacturers can argue that the buyers released access to their data, so there's no crime in taking it."

How to Protect Yourself

There are steps you can take to mitigate this hemorrhage of data.

"Remove the antennae that transmit data back to the manufacturer (not possible with all brands)," says Brooks, and "Do not connect to the car's Bluetooth with your phone. Your phone data may be shared if you do."

Brooks also recommends checking sites like Privacy4Cars to get more detailed advice.

The Mozilla Foundation also offers advice for preventing access to your data. Much of this is the same general advice for all online services and apps. Do not consent to anything, switch off any data-sharing options, and activate any privacy settings.

You should also avoid connecting your phone to the car. At the very least, it will exfiltrate your address book to enable essential phone functions. If you do connect, use your phone's own settings to limit data transfer.

And Mozilla has a doozy at the end of its list of advice, worth quoting in full:

"Do not use Amazon Alexa in your car if you are concerned about Amazon collecting that voice request information, IP address, and geolocation information and using it to target you with advertising," it says.

Take care, and cross your fingers that the US government will take this as seriously as the EU is beginning to.
