#82 The modern car is a lemon (for privacy)

ARJ
Welcome to This Week in Digital Trust, elevenM’s regular conversation about all things tech policy, privacy and cyber security. I’m Arj, joining you today from Awabakal country.
JORDAN
And I’m Jordan, joining you from Wurundjeri country.
And we’re gonna talk about cars. Today, Arch couple weeks ago we talked about the road map. So we’ve got our map. We’re gonna hit the road in our cars, which are watching us.
ARJ
Yeah. Yeah, slightly. Different twist like cars and and privacy but. What was your? First car, that’s what I wanna know.
JORDAN
My first car was a. Volvo that I shared with my older brother that. It’s like a 85 Volvo. Very, very old and squeaky. But, like, basically a tank. No, nothing computerised whatsoever in that thing. So.
ARJ
Yeah, I was gonna say that didn’t even have a CD. Player did.
JORDAN
No, it had a it had a tape player that didn’t work good times. How? About you my.
ARJ
Mum’s Nissan pulsar. It was never really my car. It was just that, you know, that was my first the. First one I. Got to drive when I had my licence, but yeah. Nissan. Pulsar hatchback. GL or something? Something. Same story like no bells or whistles. Air conditioning didn’t work. Tape deck, tape, deck work. So there were a lot of mix tapes in the glove box, but yeah, that was probably the.
JORDAN
Nice. Nice. The good old days when we.
ARJ
Highlight of the car, but yeah, yeah.
JORDAN
Didn’t drive around in computers.
ARJ
Yes, but it makes cars a relevant topic for our podcast, so that’s a that’s a positive of of the development of cars because yeah, like I said, they’re basically operating systems on wheels, and now that means there’s lots of.
JORDAN
That’s true. That’s true.
ARJ
Data involved and and there’s this awesome report that’s coming out of the Mozilla Foundation that we’re going to talk about today. Basically, they did a study and this is Mozilla who make you know, Firefox and they did a study that found that 25 car brands that they investigated had glaring privacy concerns. And they looked at all the kind of major cars you can think of, you know, Ford, Toyota, Volkswagen, BMW, Tesla and Nissan 25 brands, as I said. And yeah, all fell a foul.
JORDAN
Every single one of them got like their worst possible review, which was really quite funny. Before we dive into it, I just want to talk briefly, like introduce Mozilla’s privacy not included product review series. If you’re not familiar with it, and I wasn’t actually until I stumbled across this report and I’m devastated that I wasn’t cause it’s such a fantastic resource.
They do a Whole bunch of product reviews about like a really wide range of apps and tech products. So like, you know, like mental health messaging, fertility tracking apps, gaming consoles, smart home devices like speakers, thermostats, smart. Tales a whole bunch of devices, Kindles, iPads, iPhones, bunch of Bluetooth headphones, smart watches, all of these kinds of tech, data driven devices. They trawl through the privacy statements, product descriptions, they send questions to the manufacturers and assess them on 4 main areas. How much data do they collect and who do they share? With whether they let users delete their data, whether they’ve had any recent data breaches, whether they meet some pretty basic security standards like encrypting data at rest and in transit, things like that. Like really basic baseline security stuff. And you know, if you do badly on two or more of those, you get there. Coveted privacy not included. Well, they look at few other things like how bad like badly things might go if they get hacked and things like that. But but overall, they look at these kind of four. Main areas and just give you an assessment of how creepy, how comfortable they are with the product. It’s. A really good. Just like high level privacy related product review, if you if you’re picking between a Garmin and a Fitbit and an Apple Watch, you know like checking out the the reviews on this website. Is a super super useful place to go. They’re really easy to read too, so I love it. I love the website.
ARJ
I wasn’t familiar with it either, and it’s amazing to see that they’ve they’ve done that and they’ve been doing it for such a broad range of product categories and. To cut to the chase on, you know the the, the, the study into cars, I mean they basically get right to the heart of it with the headline of the report, which is it’s official. Cars are the worst product category we have ever reviewed for privacy. Which you know, and that’s on the basis. That all 20. Five of the book Barbarians that they researched earned their privacy not included warning label, which makes them the worst category. Which I think. Is amazing. I think it’s stunning considering that list you just read out of the sorts of things they review. You know, fertility apps. Smart. Home devices, iPhones. These are things that we always hear about and talk about as being, you know, terrible for privacy and the tracking that they. Do and you know that they are to be feared and for cars to come out. As you know, the the unequivocal worst category, that’s really something.
JORDAN
Yeah, it it’s really something. And it’s interesting to just kind of consider why right cause I think one of the reasons they point to this in some of their writing on the topic from the Mozilla Foundation. And I think one of the reasons why is people. Don’t buy cars at all on privacy, right? It’s at least on some consumers minds when they’re buying connected devices. If you’re putting a camera in your home, it’s not unusual for people to consider privacy right? But a car manufacturer? There are so many other things. First of all, people. Did mobility a lot of people don’t have a choice? About like having a car. And there’s not a lot of differentiation clearly between products, right? All of them suck, but also nobody is going to read the privacy policy of their car or, like, have that as a meaningful differentiation criteria above like safety fuel economy. The type of car. All of this. Kind of thing, right?
ARJ
Yeah, there’s like, there’s a couple of things at play. One is people are conscious of safety and we often talk about privacy in the context of safety, as in kind of online safety. But it’s not the kind of safety you’re thinking about. How when you buy a car like you are. Thinking about I need this thing to. Be safe, but you’re thinking about airbags. You’re thinking about brake systems. You think about physical safety so that it’s just it’s not really front of mine. And I think, you know, I guess maybe to some extent the idea of technology, you know, in the car has always felt like. And we talked about it with the tape deck and the CD conversation with our first cars. It’s kind of like the bells and whistles. There’s sort of the. Extras and this pivot now where car technology and these platforms are actually very much central to the way the cars work. In some cases like like Teslas, they effectively are just computers with wheels. There’s no kind of, you know, there’s no like combustion engine in there and people haven’t necessarily reoriented. They’re thinking that, well, what I’m actually doing is getting into. Way into a piece of computing, you know, which happens to have wheels on it, and therefore I should think about it in the way I think of other computing, which is like, what does the data you know collection look like?
JORDAN
And what’s it planning to do? Yeah, exactly right. They are really computers on wheels. And that gets too kind of some of the findings. Right, the. Because when you think about a car as essentially a computer on wheels. You start thinking about the kinds of interactions that would get logged. A car has, you know, the computer operating a car, whether it’s a petrol one or an electronic one, has an idea of how quickly you’re going physically, where you are, whether you wind it with wind down the windows or not. Often these cars have modern. Cars have, like driver fatigue, measuring systems. You got a camera or some sort pointed at your face, measuring whether your eyes are on the road. They can measure your heart rate through your skin with these cameras. They can, you know, get in a sense of whether you’re paying attention. The car knows what music you’re playing. If there are passengers in the car, maybe you connected the car to your phone. The car might have access to your contact details, the phone calls you’re making while you’re on the car. There’s this huge list of data. That modern. Tech driven car has access to.
ARJ
I mean, this is where it started to get comical with some of the reporting and and certainly some of the reporting focused on this, but the stuff about your. Sex life like? Was. Yeah, some of the things that Mozilla found when they looked at privacy policies of these car makers was that they were saying, look, we we might collect information about you that relates to your your sex life, your medical information, your genetic information. And that all goes to, I think, which you’re. Speaking to which is. The sorts of data that are now involved in, you know, kind of in a, in a car, in, in operating a car so broad that they’ve gotta put these caveats in there like we might, we might learn something in in relation to these very sensitive areas of. Your life, if you. Do things in the car which we are tracking through your phones, through our biometric detection systems or whatever it else.
JORDAN
Yeah, for sure and. I mean, it speaks to the kind of. Approach to drafting privacy policies when you don’t really think customers are reading or paying attention right is that it gets driven by the legal department and there’s, you know, maybe at some point we might collect something like this. And so, yeah, stick it in the privacy policy. You don’t know whether or not. They actually do. Maybe they do. Who knows? But they’re they’re using their privacy policy to mark the territory to say, well, we might. And that’s that’s what’s being called out. So the first finding of this Mozilla report was that every single one of the. The car brands that they reviewed, the 25 car brands, every single one they looked at, collects more personal data than necessary in order to, you know, drive the car and uses that information for a reason other than to operate your vehicle and manage their relationship with you, like every single one carves out those permissions to say we’re going to collect. Much more data maybe about your sex life. Maybe your photos. Maybe your genetic information, and we’re going to use that for other purposes beyond operating the vehicle, which is just wild.
ARJ
Yeah. And I like I I I. Like that little summary in the Mozilla report, because it kind of something when you read about these policies, privacy policies, that state we’re collecting such broad categories of information, you can kind of assume, OK, well, I don’t understand the business well enough. Maybe they need it for in some way to give me the service that they. You need to give me. Or, you know from a customer relationship perspective, but this makes it very clear from this analysis that. That they’re all collecting information that goes above that need to operate the vehicle and they need to manage the relationship where it gets scarier is I think then when you get to the second finding, which is OK. So they collect this broad sets of information, fine, well, not fine, but the second category is that most 84% share. Or sell your data. So having collected. At all. They also will use this information for their own research, marketing or other business purposes, which is not particularly well spelled.
JORDAN
Answer or?
ARJ
Out or whatever that means. To share or sell it to data brokers and other businesses. So 84% said they would. You know, they would share it, 76% said they could unsell it and then 56% said that they could share the information with government or law enforcement in response to a quote request, which is. You know a a threshold that’s not as high as a court order or anything like that, just some something quite informal.
JORDAN
That 84% number saying they, you know, sharer on sell the data brokers is just wild right like most the 21 out of 25 car companies. Say in their privacy policies that they collect a whole bunch of information about all those ridiculous categories and that they will, and that they reserve the right to on sell it for their own benefit. Nothing to do with you sell it to a data broker that’s you know building. Data set for marketing or for you know, understanding a population demographic or how people drive or selling products or whatever it is. It’s just, yeah, that’s just wild.
ARJ
It it reminded me a little bit of our conversation about location data and location apps, which is that you know we when when we talked about this in in that. In an earlier episode of our Location data, we talked about these kind of apps that collect location information as a sort of part of delivering the service that they deliver. But what we actually discovered was that some of these. Apps large, larger portions of their revenue come from selling that location information on to data brokers that that the commercialization of that data is actually the first kind of order of business. And you know it’s almost like the you know the location based app that they provide is just a way to get you in and share that information. That made me think a little bit like that. It’s a little bit like. They’ve kind of discovered this business model where they have found that, you know, data relating to car usage, whichever of those many categories it is from, you know, where you’re going to, what you’re doing in the car, whatever it is, it’s valuable. There’s a Politico report from 2022 which says car location data is among the most valuable that automakers. And gather and data brokers who obtain this information claim it’s far more accurate and voluminous than phone data, so it’s almost like. Pardon the pun, like they’re reverse engineering the use case for the car, which is that like if we can do something to gather this kind. Of data and. Then you know provide some sort of service in the car that encourages people to provide it. We’ve got this lucrative, incredibly lucrative revenue stream that to you. Know that at our fingertips.
JORDAN
Yeah, that’s so interesting. It’s like they’ve. Kind of looked at all of these digital business models where you.
Google search you provide a search, you can provide A use. Full functionality for free in order to gather the data about the people using it, and that’s your main revenue stream and you know you produce the service in order to collect the data. It seems feels like all these car manufacturers have looked at that. And thought hang on. We already have the service, we have the. In the to people’s lives, people aren’t particularly privacy sensitive. As we discussed before. Out their purchase decisions for cars so we can pivot that as that you know, we have this central location in people’s lives. We can use this to gather data and that’s a fantastic new revenue stream for us.
ARJ
Yeah. And you’re literally, like, you’re a captive audience of people in, you know, locked into a car just focused on getting from A to B. But the whole time spinning off this data. And I think that’s quite telling. Cause I think we often think of that. As the sale and. The sharing of the data is just in like an excess. It’s something that they. Haven’t particularly put. You know, safeguard, you know, guard rails around this core business, but it in in many cases it it I think it’s so lucrative that it could be the core businesses that you know let’s let’s tap into that revenue stream.
JORDAN
There’s just a fun tidbit in these reports. That’s just the absurdity of expecting people to have read the privacy policy, for starters. But then, you know, even the owner of the car, right? Like I’ve I’ve got. A car I have. Not read the privacy policy for my car, but a lot of these privacy policies assert that even by. Travelling in the car cause they’ve got, you know, the sensors and whatnot, and even by travelling in the car, you agree to the privacy policy of the particular car manufacturer and my favourite, the most ambitious it was was nice. And who? Who says, as an owner, you promise to educate and inform all users and occupants of your vehicle about the services and systems features and dot dot dot the privacy policy. So so like by but if you have if you drive a Nissan you have committed to before you let anyone in your car. Sitting them down and giving them a briefing on the Nissan privacy policy, which is just fantastic, yeah.
ARJ
Yeah, you could just imagine it basically going fine, but I get to. Pick the music, you.
JORDAN
Yeah, yeah.
ARJ
Know like nice. We talk about kind of notice and consent and the absurdity of privacy policies all the time, and this felt like it too. Get to a. A whole new level, and that’s reflected even in the exercise that Mozilla went through to produce this report. Like they talk about how arduous it was to try to even write this report. And they said, like, you know, they say researching cars and privacy is one of the hardest undertakings for we as privacy researchers sorting through the large and. Confusing ecosystem of privacy policies for cars, car apps, connected services is something most people don’t have the time. And experience to do and they talk about spending over 600 hours trying to work their way.
JORDAN
Through this? Yeah, which is wild across across only 25 brands, right? Like, that is so much. And yeah, yeah, they, they these people do this for a living and yeah. Yeah. And like, that was an interesting comparator as well. That, like, the cars were way more difficult to. Get through more connected services, each brand having like heaps like like 12 different privacy policies. Various other terms of services to wade through and stuff the complexity of the ecosystem and the disclosures was significantly greater than in other industries, which was interesting.
ARJ
The the other aspect around. Control was just about, you know, the ability to delete your data and only two of the car makers that they looked into gave that option for, for, for people. To be able.
Speaker
To delete their data.
ARJ
And well, one of the interesting things was that it was those two car makers were European car. Makers and you know Mozilla sort of says in their report that they’d probably think that’s no coincidence. You know, that big, those European car makers which. Probably governed by GDPR thinking about. That I really like.
JORDAN
That as a metric actually that like you know, you have a right to deletion in in the EU and one of the things they look at is do they extend that right to deletion to customers who are not in the EU. You know off the like. If you’re an Australian that does not have a legal right to deletion, will they? Do it for you and. Right. And literally none of the car companies, a lot of other companies do that, but none of the car companies, the only car companies that offered deletion to all of their customers were the ones that only sell cars in the.
ARJ
EU gives a different hue to, you know, the idea of kind of European. Cars. Because when we when we bought. Our our car. We had like family members insisting like you can make sure you get a European one. And like, they’re obviously thinking. More about like German engineering than.
JORDAN
The German doctor protection, yeah.
ARJ
Law making in Brussels.
Speaker
Yeah, yeah.
JORDAN
Yeah, well, maybe. Now we’re gonna be like, you know, make sure and make sure you get a European car because they yeah, because of the data protection. The last topic was just that they look. At minimum, security standards for all of these car companies, and usually they can’t they they describe this kind of process, they dig through any publicly available data, privacy policies, disclosure statements, whatever, see what they can find about security statements and then. Send information requests to the companies you know introduce themselves and ask some basic security questions. Do you encrypt? Do you require strong passwords? Do you provide security updates? Do you have the vulnerability management programme where people can report vulnerabilities? Kind of really basic security, things like that, and across those minimum standards, even after asking the questions explicitly, they were unable to confirm that any of the car companies met those pretty basic minimum standards. Which again is like extremely worrying for, especially for like, you know life impacting product. You know like like. Security in a computerised car is kind of a big deal, yeah.
ARJ
Like, I mean, they’ve been, you know, stories going back, you know, the last few years about various kind of hackers remotely, you know, accessing and controlling jeeps on the highway. And, you know, Tesla kind of cars being hacked and cameras being disabled. Yeah. But those are like a little bit more sophisticated attacks, I guess, like, these are hackers who know what they’re doing. And saying, look, we’ve done this and you know going to security conferences and talking it up. This stuff that Mozilla’s you know they’ve labelled at minimum security standards like they’re not gonna setting a particularly high bar here. And you know, none of their car makers are kind of able to meet the mark. So forget about, you know, protecting against sophisticated hackers. They’re not even meeting the minimum bar here. Yeah.
JORDAN
Exactly. And that’s demonstrated some 68% that of companies that they looked at had a recent data breach that threatened drivers privacy in some way, right. So they’re they’re hoovering up all of this data, making a business out of it, but they. Have not yet worked out how to do safety. You know, there’s there’s such a safety record, right? You were saying this before? There’s such a safety record around like cars themselves. But yeah, no safety around the data.
Speaker
Yeah, yeah. You know.
ARJ
Yeah. And then the in the write up of about Nissan in particular, they call out that Nissan actually had a data breach last year through a third party service provider. So you know they they disclosed that in January this. Here and so it’s not just, you know, being able to secure it themselves. They’re also kind of passing it on to these third parties. Yeah. And, you know, not doing enough due diligence. It would seem around how that data is. Secured so there’s. You know, this isn’t hypothetical like there have. Been data breaches of. You know people’s information through these car makers.
JORDAN
Yeah, look, it’s all it’s all a bit depressing. So what are the takeaways for me? I really value this report as just pointing out that trend we were talking about before, right? Of, like, cars are increasingly computerised, they are increasingly being used to. Introduce tracking cameras, microphones into connectivity into your phone, through the entertainment system. And historically, we haven’t really thought about the need to think about privacy in relation to cars and this this report. Really demonstrates that this is an area where we we should start thinking about privacy and especially. The with the kind of promised coming of more autonomous cars, yeah. You know like. A lot of modern cars don’t just have cameras on the inside, right? They’ve got cameras on the outside looking for lane markings or how far adaptive speed can cruise control. Looking at how far the car ahead of you. These things are just like stacked with senses, and they’re ubiquitous in our built world. Yeah, we. We really need. To start thinking seriously about privacy for those things.
ARJ
Yeah, I had the same takeaway and I came across there was actually a 2017 parliamentary inquiry into social issues relating to driverless vehicles specifically. And it exactly makes that point. And there’s this quote from one of the academics who submitted into the inquiry called Dez Butler. It’s from the Queensland University of Technology, who talks about this whole issue around data collection, data production by cars. It’s a sleeper issue because the focus on these vehicles in the public eye is on safety. On the privacy or data production of these vehicles and you know, so I see. Yeah, I think it’s like you say it’s something we need to kind of have a bit more of a sharp focus on also because I think maybe we underestimate how much time we spend in cars and also how much more we do in them like now that we sort of get in there. And the first thing you do often, if you’ve got a car that enables it is plug your smartphone. And and you’re basically enabling that world through the car. There was a yeah study I saw that said, you know, people spend just commuting in Australia up to like 6 full time weeks working weeks in a car and in Sydney that goes up to 9.4 because of traffic. But that’s just commuting. I mean we spend lots and lots of times in car. We do lots and lots of things in our cars. And if cars have got this. On a data first. Commercialization of data first kind of mentality that there’s kind of thinking about.
JORDAN
Yeah. Yeah, I I think absolutely. The other response I think is through privacy law reform. So I think this business model of having a useful service. And using that to pivot to data collection or. To leverage a useful service into data collection is something I think we see almost everywhere. We see it very much online services. You know you’re free, online services, Facebook, Google, and various other things. But you’re also starting to see it in the context of like healthcare or. In the context of retailer relationships, loyalty programmes, you know we give you a little and we we take a lot in terms of surveillance, loyalty programmes actually are probably a bad example because they actually are explicitly giving you a value in exchange for the data rather than like just trying to build surveillance onto a service that already exists. But it’s it’s in this increasingly common business model to monetize data in this way and we really need, I think, law reform through the Privacy Act review to tamp down on that and the the mechanism for that in the Privacy Act review is this proposal for fair and reasonable? I think that’s the main one that. Any use or disclosure of your information has to be fair and reasonable in the circumstances, and I think it would be a very easy argument to say I bought my car. There’s features in it for safety and to manage their relationship with me. But to operate the vehicle. Well, it is not fair or reasonable to use that data for any other purpose other than to make the cargo and to keep. It safe right? Like. Collecting photos of my face or my heart rate or my location data and selling that for marketing purposes as an additional revenue stream is not fair and reasonable, right? And so, yeah, I’m really optimistic, probably too optimistic that that if we. Get that core requirement fundamental requirement in. The act. And we we shovel a little little bit of money to the privacy Commissioner to go around and yeah, knock some heads. It we we might have a meaningful pushback on on this kind of practise.
Speaker
You’re just just.
ARJ
As you’re talking, I’m reminded of when we bought our car. For some reason, the car salesman, the first thing you decided to show us was like you opened this compartment and said, look, there’s an umbrella in there, OK? And it’s like, so, you know, the expectation of like what, you know what, what, what, what most people expect out of their car.
JORDAN
Yeah, right.
ARJ
And they’re very different. Yeah, different expectation. I was like, well, OK, great. But what’s the size of the engine and the? Televisions. But one last thing for me is if you’re interested is a bit of a plug. If you’re interested in kind of this issue around privacy and security risk around cars, particularly driverless cars, couple of guys Jayden and Daniel from 11 and wrote a blog The last couple of weeks. Posts on this, we’ll put it in the show notes, but good breakdown of the privacy and security risks. Relating to self driving cars.
JORDAN
Yeah, definitely worth checking out on that plug. Let’s. Leave there.