Your smart car is a ticking data privacy timebomb

Connected, automated cars collect enormous amounts of data -- the price we must pay for increased road safety.
24 September 2021

Your smart vehicle might be a privacy nightmare. (Photo by ATTILA KISBENEDEK / AFP)

  • A smart car naturally needs a good connection to access a slew of autonomous features — thus increasing the amount of data the vehicle collects
  • There’s an entire industry built around monitoring, logging, analyzing, and monetizing this type of data
  • Several privacy experiments even found that automakers collect data through hundreds of sensors and an always-on Internet connection

The newer generation of road cars — from BMWs to Teslas — are in many ways like smartphones on wheels. A smart car today is WiFi-enabled, comes with CPUs, and has Bluetooth embedded throughout. In other words, they’re a far cry from the automobiles from even just 2 decades ago.

If your car knows where you go and how long you stay there — just like your GPS-enabled cellphone — that’s just the tip of the iceberg. And just like your smartphone, depending on what features have been enabled and what permissions have been granted, your smart vehicle may not be keeping that sensitive information to itself.

For some perspective, a 2019 Washington Post investigation had the writer hacking into a 2017 Chevrolet Volt to see what data the car hoovers. The Chevy was in fact collecting, amongst other data, the writer’s precise location, phone ID, and the contacts of the people he called. “It judged my acceleration and braking style, beaming back reports to its maker General Motors over an always-on Internet connection,” the writer reported in the piece.

While technology has given drivers remarkable improvements in both safety and convenience — it has also turned cars into data-gathering machines. But what info is collected by a smart car, and where it ends up, is not always clear to car owners.

To put things in perspective, there are 1.2 billion vehicles in operation globally, and people travel collectively more than 23 trillion miles every year. According to AAA, the average American spends 17,600 minutes driving annually. By those estimates, Americans will be generating 1.8 terabytes of data every year in their vehicles. 

Add additional vehicle sensors like cameras, radar, and lidar, cloud-hosted features, and suddenly Intel’s claims that autonomous vehicles will produce 4TB of data in one and a half hours of driving doesn’t sound so outlandish. McKinsey estimates that as much as US$750 billion worth of in-vehicle data could be accumulated by 2030. The sheer volumes of these two figures indicate that there exists a massive opportunity to monetize this data — and thanks to the connectivity of these vehicles, significant opportunity for cyberattackers to take advantage.

A smart car data reckoning, sooner or later

For a long time, automakers were not exposed to such a data reckoning, but China has recently been pushing for the security of data generated by connected vehicles as the proliferation of smart vehicles like Teslas fuels concerns about national security. The China move is in line with the country’s broader aim to tighten privacy policies

For the rest of the world, a smart car data reckoning is forthcoming — it’s only a matter of time. Besides China, as of Q3 2021 there are no other federal laws that regulate what carmakers can collect, or what they can do with driving data. Most carmakers are dragging their feet in taking proactive steps to protect user data, and to draw regulatory lines in the sand. Most hide what they’re collecting and sharing behind privacy policies, written in the kind of language only a lawyer could fathom.

Among the privacy policies studied, Toyota’s stood out for drawing a few clear boundaries surrounding data sharing. It says it won’t share “personal information” with data resellers, social networks, or ad networks — but still singles out the right to share what it calls “vehicle data” with business partners.

And in some rare instances, automakers share the outcomes of data collected, like in 2018 when GM ran an experiment in which it tracked the radio music tastes of 90,000 volunteer drivers to look for patterns with where they traveled. According to the Detroit Free Press, GM told marketers that the data might help them persuade a country music fan who normally stopped at Tim Horton’s to go to McDonald’s instead.

Frankly, the current state of smart vehicle data protection doesn’t bode well for an all-electric, sustainable vehicle future — since pretty much every electric car will by proxy have some form of connected computer onboard. At this juncture, it boils down to two options for consumers: either choose privacy, or an environmentally-conscious priority.

Data isn’t the enemy

Inevitably, as automakers around the world rush to ride the “smart car wave” — ostensibly in the name of going greener — more vehicles will run on the new oil, data. A smart car pundit would reckon that data isn’t the enemy, which isn’t untrue. Connected cars do contribute towards improving safety like sending service alerts — a much more helpful way than checking engine lights on the dashboard.

In fact, there’s an entire industry built around monitoring, logging, analyzing, and monetizing similar types of data. Dubbed telematics, the average consumer may know it as the technology insurance companies use to reward risk-averse drivers with discounts.

Truth be told, we’ve been down this fraught road before with smart speakers, smart TVs, smartphones, and all the other smart things we now realize are playing fast and loose with our personal lives. Once information about our lives gets shared, sold, or stolen, we lose control.

In the end, whether automakers decide to engage tech companies, acquire startups to help them gain expertise, or rely on a startup to supply their data management needs, a lot of opportunities lie ahead.