Monday, December 9, 2024

Modern cars collect and share your data !!!

These car brands are collecting and sharing your data with third parties
By James Purtill
9 Oct, 2024

In short:

An investigation by consumer advocacy group Choice found most of Australia's popular car brands collect and share "driver data", ranging from braking patterns to video footage.

Kia and Hyundai collect voice recognition data from inside their cars and sell it to an artificial intelligence software training company.


What's next?

Privacy and consumer rights advocates are pushing for law reform to limit data collection to what is "fair and reasonable".

Popular car brands are collecting and sharing driver data from braking patterns and odometer readings to vehicle location and voice recognition information, consumer advocacy group Choice has found.

Choice sifted through the privacy policies of the 10 most popular car brands in Australia to identify which tracked their drivers and passengers.

As car makers add microphones, sensors and other internet-connected features, cars are fast becoming all-seeing data-harvesting machines dubbed "smartphones on wheels".

But many car makers are not being up-front about data collection and often keep the fine print in their privacy policies vaguely worded, Choice investigative reporter Jarni Blakkarly said.

"We found that seven out of 10 of those car brands contain concerning privacy policies that allow them to track driver data, driving habits, and sell that data to third parties.

"We found Hyundai, Kia and Tesla to be the most concerning."

What data are they collecting?

Kia and Hyundai, which have the same parent company, collect voice recognition data from inside their cars and sell this to the artificial intelligence (AI) software training company Credence, the Choice investigation found.

"We think that the average Hyundai driver, the average Kia driver, when they purchase their car, have no idea that this is happening," Mr Blakkarly said.

"They haven't really properly consented to their voice being used to train AI models."

Tesla collects short images and videos from cameras inside and outside their cars. Tesla workers have been caught sharing among themselves highly invasive camera recordings of Tesla customers in the nude, as well as images of crashes and road-rage incidents.

The videos and images Tesla collects may be shared with third parties, Mr Blakkarly said.

"The way their privacy policy is written is incredibly vague and gives them space to potentially share that data."

In general, privacy policies were vaguely worded, he added. Mazda, for instance, collects and shares "voice consumption" data but the privacy policy does not explain what this means.

"I think, in many cases, privacy policies are written in a way that's deliberately confusing and it's not clear for consumers," Mr Blakkarly said.

The Choice list isn't definitive, and generally serves to highlight the lack of transparency around data collection and sharing among connected cars.

But having a car that isn't connected doesn't mean your data isn't collected, either.

Car makers that don't yet sell connected cars in Australia may still be collecting and sharing customer data gathered in other ways, Katharine Kemp, a privacy law expert at the University of New South Wales, said.

"There are many vehicles without connected services available in Australia, and manufacturers who don't offer connected services can still engage in concerning practices with customer data."

The findings of the Choice investigation are similar to those of the US-based Mozilla Foundation, which last year found 25 car brands collected customer data ranging from facial expressions to sexual activity and where and how people drive.

Cars were a "privacy nightmare on wheels" and "the official worst category of products for privacy" the foundation said it had ever reviewed.

How long has this been going on for?

The rate of car-data collection is accelerating as high-end internet-connected features make their way into more affordable models.

The tipping point happened about two years ago, Mr Blakkarly said.

"But it's ubiquitous now. It's across the range. It's in all the vehicles that are coming out."

Choice investigated car-data privacy after an "avalanche" of responses to a story published earlier this year about a Queensland man who backed out of purchasing a Toyota ute after learning about the company's data collection practices.

Toyota collects and shares vehicle location and driver behaviour data, including scoring a driver's acceleration, braking and cornering behaviour during each trip.

Many privacy policies gave car brands the option of sharing data with insurers, Mr Blakkarly said.

"We don't have evidence of insurers in Australia purchasing this information.

"I'm not sure it's been happening here, but it's certainly something we could be seeing in the not-too-distant future."

How do I disable my car's data collection?

If you use an app for your car, head into the app's settings, and look for any sort of data sharing options, usually named "data privacy" or "data usage".

Where possible, opt out of sharing any data with third parties, and see if you can disable GPS location tracking when not in use for navigation.

Be cautious about connecting your phone to your car's infotainment system. Limit the permissions you grant the car's system.

The process for deleting any data collected is unique to most car models and types.

The free online resource Privacy4Cars amassed step-by-step delete instructions for tens of thousands of vehicles, whose settings often differ by model, make, year and optional extras.

The website covers the US, Canada, UK and the EU, so some Australian models may not be on it, site founder Andrea Amico said.

"You guys have a thing called Holden which I'd never heard of before," he said.

"[Privacy4Cars] is not a perfect tool, but it's a hell of a lot better than what you have otherwise, which is trying to figure it out by yourself or asking your dealer."

Are governments and car buyers concerned about this?

Awareness of how much data cars collect is growing sharply.

Last month the US moved to ban a huge array of Chinese-made cars over fears the Chinese government could spy on their drivers.

Mr Amico said the "underlying data" gathered by Chinese-made cars was the same as other car brands, but there was a higher potential for misuse.

"Commercial surveillance is one thing, but the shadow gets much darker when you have government surveillance."

The Privacy4Cars page has seen a big uptick in traffic in the past two to three months, he said.

About three in four Australians disagree or strongly disagree with video or audio recordings from inside a car being collected by car companies, according to a nationally representative Choice survey conducted in June 2024.

Domestic violence support services are also increasingly concerned.

For years, the Women's Service Network has been aware of perpetrators using connected cars to track those who are trying to escape them, but was reluctant to speak publicly on the topic until now, CEO Karen Bentley said.

"We have to balance between educating people who might be experiencing abuse versus educating people who might choose to use [surveillance technology] to abuse.

"But there's been nearly a dozen articles about connected cars in 2024. The horse has bolted now."

She said a woman who fled an abusive relationship with three children and few belongings found her perpetrator easily tracked her down to each high-security refuge she visited. Staff eventually realised the man was using anti-theft technology inside the woman's car.

"We'll certainly be starting to do some training around [connected car data privacy] for frontline workers and shelters and refuges," Ms Bentley said.

"Perhaps we need to be thinking of cars as like phones, like GPS devices."

California recently introduced legislation requiring car makers selling internet-connected cars to do more to protect domestic abuse survivors, including enabling drivers to easily turn off location access from inside the vehicle.

Last year, a woman unsuccessfully sued Tesla, alleging the company failed to act after she repeatedly complained that her husband was stalking and harassing her using the car maker's technology, despite a restraining order.

"Cars that we let into Australia have got to meet basic safety standards," Ms Bentley said.

"Data privacy needs to be included in those standards."

Is this data collection legal?

Yes. Australian privacy law is based on the "notice and consent" model, where consumers make individual privacy decisions about their personal information.

Car makers are generally free to use your data as long as they give notice in their privacy policies.

The Privacy Act was drafted in 1988, long before internet-connected devices.

"The deficiencies in a 'notice and consent' approach to data privacy regulation are quite evident when it comes to connected vehicles," Dr Kemp, from UNSW, said.

"Privacy notices can be lacking in key information or definitions. And 'consent' can be quite fictional when defaults are set to less privacy and there is limited ability to opt out."

A review of Australian privacy law by the Attorney-General's Department released last year recommended the Act be amended to include an objective test to determine whether the collection and sharing of data was "reasonable in the circumstances".

The federal government introduced long-awaited privacy law reforms last month, but did not include the proposed "fair and reasonable" test.

Dr Kemp said this was a mistake.

"A 'fair and reasonable' test for data practices may be better able to address the information and power imbalances that exist between car manufacturers and consumers."

Choice's Mr Blakkarly also backed a "fair and reasonable" test.

"[It would mean] companies can't go and just write the rules themselves and say, 'Well, it's written somewhere online in a 10,000-word privacy policy, so we can do whatever we want.'

"Privacy law reform is really what's needed here, but in the meantime do your own research and opt-out where you can."

Motor vehicle industry peak body the Federal Chamber of Automotive Industries (FCAI) represents most of the car brands named in the Choice report.

A spokesperson told the ABC its members collected and shared data legally.

"FCAI members are committed to maintaining high standards with respect to consumer data protection and privacy, in line with relevant laws," the spokesperson said.

"The utilisation of data in vehicles, including through connected and autonomous vehicles, provide consumers with benefits through improvements in safety, performance and navigation as well as supporting general user experience and servicing improvements.

"The FCAI and its members will continue to engage proactively with government and other stakeholders regarding [the privacy law reforms]."

No comments:

Post a Comment