The Opt Out: Cars are spying on us, and we’re letting them

You are more than a data point. The Opt Out is here to help you take your privacy back.

Americans spend a lot of time in cars. Whether you have a long commute, enjoy riding with friends as they drive around, or just like sitting in the parking lot for a bit of solo time, a car might feel like an extension of your home—an intimate space for you to sing out of tune or seek silence in the middle of your day.

Unfortunately, if you’re in a car that was manufactured within the past few years, that environment isn’t as private as you think it is. Carmakers have been adding sensors, cameras, and microphones to their vehicles to improve safety and usability, but these bits of tech are also collecting a hefty amount of data that the automotive industry and other companies are selling and sharing. And don’t think this applies only to car owners: Your privacy is also at risk if you rent a car or are simply sitting in a passenger seat.  

These newer cars know what you say, where you go, and possibly even whom you’re sleeping with and how often. It’s scary, but what’s scarier is that consumers currently have little choice but to consent. 

More than computers on wheels

Cars have been equipped with onboard computers and sensors for a while now. The tools’ applications have always been rather practical—letting you know when your fuel tank is close to empty or when your machine is due for an oil change, even allowing you to get full system diagnostics via Bluetooth. But as technology advanced, so did the role of electronics within every vehicle. Now cars can help you master parallel parking, respond to your voice commands, and even alert you to the presence of other drivers as you change lanes.

“A lot of this can be used as safety features, but [car companies] are not going to let the opportunity to collect data and make money off of that slip away. They’re not just doing it for safety,” says Jen Caltrider, program director for Privacy Not Included, a series of privacy-focused consumer product reviews, at the Mozilla Foundation. 

The same navigational tool that guides you to your destination, for example, is collecting your location data, and the sensors that show which passenger hasn’t buckled up can tell if you’re alone or not, where people are sitting, and if there’s any movement. Those capabilities alone provide hundreds, if not thousands of data points every day that go straight to the car manufacturer’s servers. It’s hard to tell if any of that information is encrypted or not, Caltrider says.

Other than what your car’s sensors and cameras track, manufacturers also learn about you from other sources. If you’re buying a car, the data harvesting starts with every visit to the dealership or the brand’s website, and it continues when you enlist the help of a bank or some other type of financial institution to pay for your car. Then, when you drive home in your new ride, manufacturers keep gathering data through the car’s app. You can choose not to use the app, but it’s likely you’ll lose access to any vehicle features that require it, such as remote ignition. And then there’s what Caltrider and her team call “connected services,” including insurance companies and navigation and entertainment apps like Here and Sirius XM, which have basically become data brokers in the vehicle data industry. The bad news is that it’s unclear exactly how the information flows, how it’s shared, and where and how it’s stored. 

Your car might know too much about you

In September, Caltrider and her research team at the Mozilla Foundation launched an in-depth analysis of the privacy policies of 25 car companies doing business in the US, including the most popular ones: Toyota, Ford, Chevrolet, and Honda. The results? The Mozilla team labeled cars the worst product category it has ever reviewed for privacy.

When you read the privacy policy for any app or device, it’s common to feel confused. Tech companies have been writing privacy policies for decades, and they generally include broad or vague terms that make you feel as if they care about your data—or at least don’t make it obvious that they don’t. Car privacy policies are different: way more explicit and entirely absurd.

“Car companies are moving into the tech company world,” Caltrider says. “But they’re so inexperienced at it and it really shows.”

One of the wildest privacy policies in the Mozilla Foundation’s report is Nissan’s, which requires users to consent to the collection of sensitive information including sexual orientation, sexual activity, health diagnosis data, and genetic information. The document also says this data can be sold or disclosed to third parties for targeted advertising. It’s not clear how exactly Nissan is collecting this data or if it’s currently capable of doing so, but the fact that you’re agreeing to all of this by simply buying a Nissan is problematic enough. 

And these requirements don’t affect only drivers and car owners, as consent is murky territory in the land of vehicle privacy policies. For one thing, cars don’t grant the same control over data collection that your phone does. Most of the time, car owners will see a request for permissions on a single screen that pops up when they first set up their new car, and they may not be able to go back to it and revoke those permissions later on. 

That also means there’s assumed consent from anybody who steps inside the vehicle. Privacy policies like that of Subaru make it clear that terms and conditions affect everyone on board, regardless of whether they’re the vehicle’s registered owner or not. This means that the company burdens Subaru owners with the responsibility of informing all their passengers about the privacy policy and assumes that people are agreeing to it just by stepping into the car. It’s a safe bet that no ride-share driver or courteous coworker has ever read you a long list of types of data collection you needed to consent to before they’d give you a ride home. 

Car manufacturers, vehicle data hubs, and other actors in the industry, like insurance companies, calm concerned drivers and passengers by promising that the data they collect and save is anonymized, meaning it cannot be traced back to specific people. While anonymizing data is a common practice that’s meant to protect individuals’ privacy, research has shown that it’s not always effective and that the owner of any anonymized data can be easily re-identified when the information is combined with other datasets. This is especially true when location data is involved, Caltrider says. 

As we’ve mentioned, targeted advertising is one of the main uses car companies and third parties have for collecting data with vehicles, but it’s not the only one. More than half of the manufacturers analyzed in the Mozilla Foundation’s report say they can “share your information with the government or law enforcement in response to a ‘request.’” This leaves a lot of room for abuse, as there are no details about whether this request can be as informal as a call or an email to the right person, or if it must be a powerful document, like a court order. 

Unlike with home security cameras, it’s hard to tell exactly how many times these companies have responded to requests from police and other law enforcement agencies. But a 2021 Forbes investigation revealed that both Customs and Border Protection (CBP) and Immigration and Customs Enforcement (ICE) had been requesting information from three companies in the vehicle data industry, including General Motors, which is the parent company of Buick, Chevrolet, Cadillac, and GMC.

Regulation is the answer

The automotive industry in the US is huge—it brought more than $156 billion to the US economy in 2022, and more than 75 percent of Americans own a car. You’d imagine that such a rich market would include several car brands privacy-savvy users can choose from, but the Mozilla Foundation report is categorical: When it comes to data protection, they’re all bad. 

This leaves people who need to buy a new car with little choice but to consent to data collection. And it leaves their passengers with even less choice. Because it’s not only luxury vehicles that come equipped with sophisticated sensors and cameras—classic sedans like the Toyota Corolla and family SUVs like the Ford Escape also have them. As much as we’d like to say there’s an individualistic DIY way to snatch back your privacy, there’s not. You’ll have to appeal to the powers that be.

“Get mad and contact your elected officials,” says Caltrider. “It’s past time the US had a strong federal privacy law.”

She also recommends not using your car’s app, but acknowledges that this is a bandage solution and might not be an option for some people. Some of the features people need, like being able to warm the car in cold weather by turning it on remotely, require the use of the software. 

Using our power as constituents and asking our elected officials for laws that protect our data is the best chance we have of taking back the intimacy we once found inside our vehicles. Car companies simply aren’t going to change on their own—just like tech companies, they have no incentives to do so.

“And it’s not like they have a long history of ethical behavior,” Caltrider says. “They have quite the opposite.”
