Of all product categories that Mozilla’s team of privacy researchers have ever examined, automobiles are the worst. All 25 brands it looked at earned its “Privacy Not Included” warning label for their poor treatment of consumer data.
The study found that all of the brands it looked at collected more data than necessary to run their connected services. That allows them to find out things that you might expect – where you drive, how fast you go, the songs you play – and some you might not expect, such as information about your genetics and your sex life – no kidding.
“Nissan earned its second-to-last spot for collecting some of the creepiest categories of data we have ever seen,” notes Mozilla in its report. “It’s worth reading the review in full, but you should know it includes your “sexual activity.” Not to be out done, Kia also mentions they can collect information about your “sex life” in their privacy policy. Oh, and six car companies say they can collect your “genetic information” or “genetic characteristics.” Yes, reading car privacy policies is a scary endeavor.”
Read: Self-Driving Cars Are Like Surveillance Cameras On Wheels For Police
Almost all of the brands (84 percent) share that data to third party companies such service providers, data brokers, and more. In addition, 76 percent of carmakers’ privacy agreements allow them to sell your personal data. Over half say they will share information with local governments and law enforcement agencies in response to a request, not a court order.
Mozilla found that Renault and Dacia were the only two brands that say all drivers have the right to delete their personal data. Meanwhile, others assume that if you enter their vehicle, you’ve read the privacy agreement and consent to it. Worse still, some of the brands assumed that any occupant who connects their smart device to the vehicle has consented, and some explicitly say that it is the owner’s responsibility to inform them about the privacy agreement. Even if you read the privacy agreement, you may not find everything you’d like to know.
“Even though the car brands we researched each had several long-winded privacy policies (Toyota wins with 12), we couldn’t find confirmation that any of the brands meet our Minimum Security Standards,” Mozilla wrote. “It’s so strange to us that dating apps and sex toys publish more detailed security information than cars.”
Since connected vehicles keep so much of your information, it’s alarming that their track record for cybersecurity is so bad. Mozilla claims that looking back at the last three years, 68 percent of brands earned its “bad track record” for leaks, hacks, and breaches that threatened driver’s privacy.
More: Toyota Data Leak Left Over 2 Million Owners’ Vehicle Information Exposed For A Decade
Even though almost every automaker that Mozilla looked at was a member of the Alliance for Automotive Innovation, which espouses good privacy policies such as data minimization, transparency, and consumer choice, none of the brands actually followed those principles.
The real problem with the ubiquity of the problem is that it leaves consumers with no recourse. As cars without these connected features slowly age out of the market, handing your personal data over to a company that does not treat it with care will be almost inevitable.
“All of the car brands we researched got our ‘data use’ and ‘security’ dings – and most earned dings for poor data control and bad track records too!” Mozilla wrote. “We can’t stress enough how bad and not normal this is for an entire product guide to earn warning labels.”
However, Mozilla does believe that by pressuring the automotive industry, it can be forced to do better. Keeping automakers accountable for data breaches and over-mining with things like government regulation may help even more.