How Your Car Is Using Your Data (And Why It's So Alarming)

The increasing ubiquity of consumer-facing in-dash computers in today's cars has greatly upped the convenience factor for staying connected while driving. Still, it also poses some serious privacy concerns. These modern in-dash computer systems, complete with touchscreens, voice recognition, connected driver and road-facing cameras, and text-to-speech capabilities, gather a wealth of data about drivers and their behavior. That you're increasingly being encouraged to pass on data from your phone only amplifies the seriousness of these concerns. Your car may store everything from location data to contact lists to payment details.

The increasing user base of cars with "smart" features raises questions about how the data collected by those vehicles is handled, who has access to it, and who it might be sold to. So far, it seems like car companies may not have struck the right balance between convenience and best privacy practices, with in-depth audits slamming the poor privacy policies of auto manufacturers. With cars becoming more connected and potentially autonomous, dealing with these concerns needs to be a significant priority. With a federal appellate judge ruling on a lawsuit objecting to car companies' handling and retention of text messages and call logs from connected mobile phones, let's look at exactly what happened in that case and other privacy concerns you need to watch out for.

How and why Honda got sued

In August 2021, Stacy Ritch and Gilbert Dornay sued Honda in Washington's Thurston County Superior Court in an attempted class action that was quickly moved to federal court. The complaint alleged that since 2014, Honda cars have been copying all text messages on connected phones to the storage on the in-car infotainment system. To complicate matters, equipment capable of accessing that data was not being given to the public. Honda permitted Berla, a forensic technology company, to provide access to law enforcement.

The complaint cites a December 2020 NBC News article quoting Berla founder and CEO Ben LeMere strongly implying in an interview that the data on these in-dash computers was not being handled in a way that emphasized privacy. "People rent cars and go do things with them and don't even think about the places they are going and what the car records," he said on a podcast produced by Cellebrite, another forensic tech company. "Most of them aren't doing anything wrong, but it's pretty funny to see the hookers and blow request text messages and answers."

The plaintiffs asserted they never consented to Honda downloading all their text messages. They alleged violations of the Washington Privacy Act while seeking a declaratory judgment that Honda violated said Act and injunctive relief, both barring Honda from continuing to copy over all of a phone's text messages and ordering the car company to push an update that would make its cars delete stored texts.

Plaintiffs lost, appealed, and lost again

In May 2022, U.S. District Judge David G. Estudillo granted Honda's motion to dismiss the lawsuit. "There is no assertion that the infotainment systems are acting in any capacity on behalf of Honda after a vehicle is purchased by an end user, such as Plaintiff Stacy Ritch," he wrote. "This is because there is no assertion Honda — other than having designed or installed the infotainment system — reviews, utilizes, benefits from, or even has the ability to retrieve the cellphone data collected and stored by an infotainment system."

He added that though the Washington State Privacy Act bars "intercepting or recording any private communication transmitted by telephone," it "also requires an injury to one's business, person, or reputation." Since the infotainment itself is not acting on anyone's behalf and "because Plaintiffs have not alleged sufficient injury," Estudillo ruled that the plaintiffs "failed to state a claim upon which relief can be granted" and thus "Plaintiffs' requests for declaratory and injunctive relief are not actionable."

The plaintiffs appealed, but the two-judge federal appellate panel denied the petition and affirmed the district court's ruling, writing that, for a Washington State Privacy Act claim, "a plaintiff must allege an injury to 'his or her business, his or her person, or his or her reputation'" for it to be actionable. "Contrary to Plaintiffs' argument, a bare violation of the WPA is insufficient to satisfy the statutory injury requirement," they added.

How does Honda's privacy policy address all this, anyway?

In September 2023, the Mozilla Foundation's Privacy Not Included blog published its findings on the privacy policies of all of the major car companies, and it wasn't pretty. "It's Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy," read the headline of the overarching blog post, and the details themselves just amplified the concern, with all 25 brands "earning" Mozilla's "*Privacy Not Included" warning label.

How did Honda fare, specifically, though? Per Mozilla, Honda claims you opted into its data collection policies by buying or leasing a car with an in-dash infotainment system and using its connected services. Perhaps most curiously, Honda's policies claim that it can speculate about how smart you are or aren't. It mentions "Inferences drawn from other Personal Information or data that relate to your preferences, interests, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes."

Honda includes the usual caveats about selling your data but also says it can use your data "[f]or any other purpose for which we obtain your consent; and as otherwise permitted by law," which is distressingly vague. It doesn't help that Honda has seen a couple of security vulnerabilities, with security researchers being distressed by Honda's lack of a formal process or department to report these security flaws to so they can be dealt with promptly and securely.

What do we need to know about the other car companies, though?

Mozilla's report highlighted all sorts of issues.

Tesla allows you to opt out of data collection but states that said collection is required for "certain advanced features such as over-the-air updates, remote services, and interactivity with mobile applications and in-car features such as location search, Internet radio, voice commands, and web browser functionality." Oh, and it further adds that opting out could result in your car getting bricked.

Nissan's privacy policy, for some reason, notes that it can collect information about "religious or philosophical beliefs, sexual orientation, sexual activity, precise geolocation, health diagnosis data, and genetic information" if disclosed to Nissan employees. Kia, meanwhile, mentions "genetic data" as well as "sex life or sexual orientation information." 

Hyundai, though, raised the stakes. The South Korean company says that it can turn over your data "to comply with applicable legal or regulatory obligations, including as part of a judicial proceeding, in response to a subpoena, warrant, court order, or other legal process, or to cooperate with investigations or lawful requests, whether formal or informal, from law enforcement or government entities." Essentially, Hyundai is saying that it will happily share your data with law enforcement if simply asked, even without a subpoena, a warrant, or a court compelling it in any other way.

There are no good choices, so please be careful with your data by locking it down using your phone's security settings as much as possible.