We’ve previously discussed how your car could be potentially spying on you, as an array of sophisticated technologies and onboard computers track things like your location, speed, and voice commands.
Most modern cars are connected to the internet, either through infotainment options such as Android Auto or Apple CarPlay, or through more extensive systems, such as those in Tesla’s vehicles, whose firmware needs to be updated much like that of consumer devices.
This technology undoubtedly makes our lives more convenient. There’s no need to flip through radio channels; just pick your favorite songs directly. In-built maps help us reach our destination faster by providing alternative routes if there’s traffic.
But as we allow our cars greater insights into our personal lives, we open the door to tracking and privacy violations.
In some cases, this tracking data is used to solve crimes.
Police in Kalamazoo County, Michigan, were able to use digital forensics data stored in a Chevy Silverado truck to solve a murder they had been trying to crack for over two years. The 2016 model had timestamped recordings of the alleged perpetrator using the hands-free system to change the music. Investigators used the voice recordings as a key clue to reconstruct the events of the day and confirm the suspect’s identity. He has since been arrested and is awaiting trial.
If the outcome of the investigation results in the rightful conviction and incarceration of the murderer, then the car’s tracking and voice recording functions have been utilized to positive effect. But things start to get murky and complicated when the government oversteps.
Data on-demand for law enforcement
Turns out U.S. police have been requesting vehicle manufacturers to hand over in-car data for at least 15 years. General Motors has complied with several requests from the cops to turn over voice recordings and location history, tracked through its OnStar telematics service. In some cases, the occupants of the vehicle hadn’t even signed up for the service and were unaware that the system was recording their movements.
Satellite radio provider SiriusXM also promptly complied with a 2014 warrant to hand over location history for a car that the feds wanted to keep tabs on. This raises the question: Are people installing infotainment services aware that they can be used for advanced tracking and location purposes? Can they opt out without losing the benefits they’ve paid for?
The installation of blackbox recorders—devices that keep data like speed, seatbelt activation, and number of vehicle occupants—has been mandatory in vehicles since September 2014. The practice dates back to 1994, and the recorders have become much more advanced since, incorporating an array of sensors and other equipment to improve tracking capabilities. For the most part, consumers are still unaware that these devices exist. And the lack of clarity only hurts our privacy.
In 2015, security researchers found gaping loopholes in Chrysler and Jeep vehicles, estimating that nearly 500,000 cars on the road could be infiltrated by hackers. The vulnerability allowed for malicious actors to overpower the firmware and remotely shut off the engine or force unwanted steering commands.
Greater public discourse on in-car security practices might have prevented such an error. When car manufacturers are aware that their actions will be scrutinized, it’s likely that they will go to greater lengths to ensure there are no loopholes. The advent of self-driving cars only accelerates the need for data privacy.
Car data regulations are needed
As it stands right now, there’s no federal regulation that determines limits on data gathering and storage practices for automobile manufacturers. That’s despite the near-certainty of cars these days being connected to the internet, with onboard systems collecting a multitude of information pertaining to our driving habits. And if you’re in the practice of connecting your phone to your car, you’re also giving the vehicle access to your call records, text messages, and more.
A 2019 experiment showcased just how much our cars know about us. In it, the car in question, a 2017 Chevrolet, beamed back data relaying precise location history, acceleration speeds, and braking style. The owner’s manual and the car’s privacy policy had vague references to data collection practices and made no effort to educate users on the circumstances when their information might be stored.
These types of invasive practices stand in stark contrast to things like cell-phone privacy, where regulations like the GDPR and the much-maligned EARN IT bill make it clear how tech companies can handle individual data. Apple’s upcoming iOS 14 is slated to boost privacy even further, by giving users the ability to opt out of detailed tracking and warning them when apps attempt to identify their behavior.
But car manufacturers, with the possible exception of Tesla, aren’t thought of in the same context as Big Tech. The public takes a rather benign view, assuming that cars, unlike our phones, don’t always have access to us. Plus, the lack of egregious data violations by popular carmakers has also prevented any large-scale controversies so far, which has helped them stay under the radar.
Nonetheless, consumers should be afforded the same data protections for their vehicles as they are for their phones and devices. Abstruse and nebulous privacy policies are a disaster waiting to happen. If car companies can get away with monitoring so much of our data, what’s to prevent them from selling it to insurance companies or credit-rating bureaus?
Are our cars too smart for their own good? Let us know your thoughts in the comments.
Comments
Just saw that Ford and Google are collaborating on information systems for future vehicles. Takes Ford off my list of future purchases.
I don’t want my car connected to Express VPN. I only want it on my computer and I expect to be respected as a customer of your
Sorry to play devil’s advocate here because I do hate the shadiness of invading privacy without being informed, but if the info is used solely for law enforcement to catch criminals then I guess it ain’t too bad unless you are the criminal that is trying to get away with hideous crimes lol. Now on the other hand if it’s for Google or Apple etc. to spy on us then they can go to hell.
Because only bad guys would want privacy, right?
Thanks for telling us about our cars spying on us and also about Sirius XM.
Now tell us what we/you can do about it!!!!!
(whispering) I don’t have much time before the refrigerator knows I’m gone. I just wanted to say, great job, and— Oh no! The dishwasher ratted me out. Gotta go, keep it up!
As an aside, I just rented a car with Android Auto which would not connect until I excluded that app from ExpressVPN. I’m not entirely clear why a Bluetooth app cannot cope with a VPN but I am happy that ExpressVPN made it simple to do so without having me turn off the VPN wholesale.
With a dead transmission and critters got into the wiring, I doubt my car is currently spying on anyone! But seriously, this and the phones that we carry everywhere with us…I believe we have met the enemy, and they are us.
Very well written and thought-provoking. Thank you, and keep them coming.
Thanks, Tim! Appreciate your comments.
Scary stuff. But what is the solution as far as our cars spying on us?
Unfortunately, it seems we give away our rights to privacy all too frequently! Most of the time we are not even aware of how this data can or will be used. I think most people, if aware of the extent of the information being collected by your car, think that they do nothing wrong so what is the harm. For many, the convenience outweighs the intrusion. Time for legislation.
How to start and see something?
Your car is spying on you—it is not speculative. The problem with this issue (as with most data issues) is the lack of knowledge of the general public. Most new cars are coming with GPS devices installed automatically without the consumer’s consent with no clear way to remove the device.
Law enforcement activity in this area is almost certainly illegal as well. There is no current Fourth Amendment jurisprudence that I am aware of that allows law enforcement to direct a probable cause warrant at a third-party (e.g., Sirius XM Radio) to search another person’s property. The activity does not qualify under the third-party doctrine because the data is not in the other party’s possession—they asked Sirius to “turn on” the GPS, which is the equivalent of an FBI agent forcing your friend to search your house because they happen to have a key. The person should have challenged the warrant. As usual, law enforcement breaks the law in relationship to technology because they think they are above the law.
I think that this is so wrong that they do this without people knowing and invading their private space, totally wrong.