Worried About Cellphone Privacy? Pffft… Check Your Car Computers
Et Tu Detroit?
Two automobile industry associations have adopted voluntary privacy principles, but they are of little use. First of all, they’re voluntary—and it’s not clear to what extent market pressures will ensure compliance. Second, they’re weak, for example allowing collection “only as needed for legitimate business purposes,” which as far as I can tell would still allow for any use of data that makes a company money. The voluntary guidelines also suggest that companies give consumers “choice” over whether some data is shared—but that choice only extends to “sensitive” data shared “for marketing purposes.” And the guidelines recommend no choice at all over whether the data is collected and stored by the car companies in the first place, which is the real privacy pain point. Among other things, data stored by a company can be demanded by government agencies.
Only two manufacturers out of the 20 contacted said that data collection or transmission can be disabled with no loss of functionality, with four others saying it can be disabled by turning off a feature or service.
Notice to customers of these practices, where there is any at all, typically comes in the form of fine print buried in owners’ manuals or terms and conditions (which must be accepted). Customers should never be tracked without their consent—but you can’t consent to something you aren’t aware of.
The security situation with regards to wireless car services is a mess, according to the report, which found that most cars on the road are vulnerable to hackers, who in many cases could interfere with critical safety systems such as a car’s steering and brakes. I’ve written about this issue before (here and here), but the report contributes valuable new information to our understanding of the scope of the security problem.
More: Et Tu, Detroit?