11.2 C
New York
Wednesday, April 24, 2024

How Your New Car Tracks You

Your car knows a lot about you. Over the past decade, vehicles have become increasingly connected and their ability to record data about us has shot up. Cars can track where you’re traveling to and from, record every press on the accelerator as well as your seatbelt settings, and gather biometric information about you. Some of this data is sold by the murky data-broker industry.

In May, US-based automotive firm Privacy4Cars released a new tool, dubbed the Vehicle Privacy Report, that reveals how much information on your car can be hoovered up. Much like Apple and Google’s privacy labels for apps—which show how Facebook might use your camera, or how Uber might use your location data—the tool indicates what vehicle manufacturers can know.

Using industry sales data, WIRED ran 10 of the most popular cars in the US through the privacy tool to see just how much information they can collect. Spoiler: It’s a lot. The analysis follows previous reporting on the amount of data modern cars can collect and share—with estimates saying cars can produce 25 gigabytes of data per hour.

Andrea Amico, the founder of Privacy4Cars, says people understand very little about what data their cars can collect as there is little education and “the level of detail and transparency varies” across manufacturers. His tool ranks most modern vehicles as “smartphones on wheels,” as they’re able to collect heaps of data and wirelessly send that information to manufacturers.

The Vehicle Privacy Report creates privacy labels under two broad categories: what a manufacturer collects (including identifiers, biometrics, location, data from synced phones, and user profiles) and whom a manufacturer sells or shares data with (affiliates, service providers, insurance firms, government, and data brokers). For the vast majority of cars and trucks released in the past few years, it’s likely that most types of data are collected.

The tool works by using your car’s Vehicle Identification Number, or VIN, and also analyzes each manufacturer’s public policy documents. We gathered publicly available VINs for a selection of vehicles produced in 2022—from Toyota, Honda, Ford, Chevrolet, Ram, and Jeep—and ran them through the tool, also comparing the results with the original documents. The results only apply to the US, as different laws apply in other countries.

Most PopularBusinessThe End of Airbnb in New York

Amanda Hoover

BusinessThis Is the True Scale of New York’s Airbnb Apocalypse

Amanda Hoover

CultureStarfield Will Be the Meme Game for Decades to Come

Will Bedingfield

GearThe 15 Best Electric Bikes for Every Kind of Ride

Adrienne So

The documents can include privacy statements, terms of service, and connected vehicle policies. Recent models from a manufacturer often gather the same data as other cars in the manufacturer's lineup, as they are governed by the same policies. Generally, all manufacturers will provide data to the government or law enforcement when it has a legal request to do so.

These lengthy documents are often technical legal files, which can be difficult to understand, but also can contain nuances. They also explain why data is collected; some may be gathered for research or product development, while other information could be used for personalizing marketing. For instance, you need to provide your location data for mapping and satellite navigation services to work. And not all data a privacy policy says is collected may be gathered by default—certain settings may need to be turned on by the driver, for instance—and in some cases, it is possible to opt out of information being collected.

Toyota (Tacoma, Camry, RAV4, Highlander)

Four Toyota models were in our pick of the most popular US vehicles in recent years: the Toyota Tacoma, Toyota Camry, Toyota RAV4, and Toyota Highlander. As with all of the vehicles in this article, the privacy documentation analyzed by the Vehicle Privacy Tool is the same for each 2022 model—some older cars may collect less data.

Broadly, all manufacturers are likely to collect personal information that can be classed as an identifier. These include your name, address, driving license number, phone number, email, and other information. Toyota is no different. The Privacy4Cars tool analyzed four publicly available documents from Toyota, which total around 31,000 words. One key document is the company’s connected services privacy notice, which details what information your car may collect.

As well as information about who you are, Toyota can also collect your “driving behavior.” This includes information such as your “acceleration and speed, steering, and braking functionality, and travel direction.” It may also gather your in-vehicle preferences, favorite locations saved on its systems, and images gathered by external cameras or sensors.

Some models of Toyota can also scan your face for face recognition when you enter one of its vehicles. Corey Proffitt, a senior manager for connected communications at Toyota, says this can verify a driver’s identity and the profile that is stored on a vehicle. “This data is not readable by humans, and any facial features are only stored on the vehicle and not transmitted to Toyota,” Proffitt says.

The Vehicle Privacy Tool says Toyota’s documents are “silent” on whether the company collects data from people’s phones that are synced with its vehicles. Proffitt says it doesn’t collect this data, except for “using an identifier for the sole purpose of connecting a user’s profile on the Toyota/Lexus app with a vehicle” if a profile has been set up. “Any synchronization of contact info and call history for Bluetooth purposes remains on the vehicle and is not sent to Toyota,” Proffitt says.

They say people can “turn off all data transmission on their vehicle.” To do this, you can decline consent for connected services on its privacy hub or contact Toyota customer service.

Honda (CR-V and Civic)

As with other manufacturers, Honda collects personally identifying information, such as contact information, Social Security numbers, driving license details, and your location. This all broadly falls into a category that Honda calls “covered information”—essentially information that’s gathered about you.

Chris Martin, regulatory, legal, and new technology communications manager at Honda, says it is difficult to distill how data is collected and used by Honda into a few sentences because of various different laws that apply and different reasons why some data may be collected. Martin points to Honda’s Vehicle Data Privacy Practices document for the full picture and descriptions of how data is being used.

Most PopularBusinessThe End of Airbnb in New York

Amanda Hoover

BusinessThis Is the True Scale of New York’s Airbnb Apocalypse

Amanda Hoover

CultureStarfield Will Be the Meme Game for Decades to Come

Will Bedingfield

GearThe 15 Best Electric Bikes for Every Kind of Ride

Adrienne So

Using the Privacy4Cars tool, we looked at Honda CR-V and Civic models. Honda can collect information about your vehicle (such as fuel levels, tire pressure, and battery charge status); trip log information (such as when you start and end a journey); and airbag system status. There is also information about how you use the connected elements of your vehicle—such as search content, call history information, and voice commands (which could include audio recording). Driver behavior information can include pedal position, engine speed, and steering angle, among other things.

There’s also “on-board data,” which is information that is generated by your car but “generally” not sent to Honda. This is information that’s stored in your car and could be accessed by someone plugging in external data extraction tools, such as a technician. Honda’s documentation says this could include information about how your car is used, driver behavior information, or contacts and messages sent using the systems.

Privacy4Cars results say it is unclear how Honda uses biometric data, which is information about your body. Honda’s Martin says no Acura or Honda models in the US have systems that transfer biometrics to the company. The airbag system within the car may collect weight and body position information, Martin says, but this is stored on the onboard computer and is only accessible by a physical connection, with state and federal laws outlining who can access it.

Honda’s connected product privacy notice says it is possible to opt out of many forms of data collection, pointing to its apps and owners manuals.

Ford (F150)

Only one Ford model, the F150 truck, appears in recent lists of best-sellers, but it's often the most popular across all categories. Like most manufacturers, Ford collects information about who owns the vehicle, including names, location details, and driving license data. Privacy4Cars analyzed four Ford documents, which run to around 50,000 words, when looking at the data the company can collect.

Alan Hall, director of technology communications at Ford, says its Connected Vehicle Privacy Notice provides people with the most information about what its cars collect. This includes vehicle data, such as tire pressure, information about how parts are performing, and vehicle charging information if a vehicle is electric.

The company also can collect driving data and characteristics, such as your speed, how you push the pedals, and seat-belt-related data. Information about your travel direction, precise location, speed, and local weather can be gathered from the vehicle.

Voice recognition systems in some of its vehicles can gather information when they are listening. Its “media analytics” involves capturing information about what you listen to in your car, including “radio presets, volume, channels, media sources, title, artist, and genre.”

The section of Ford’s privacy policy that is specific to California, which has stricter data laws than across the US, also provides extra data about what can be collected. “We utilize connected vehicle data to improve quality, minimize environmental impact, and make our vehicles safer and more enjoyable to drive and own,” Hall says.

Chevrolet (Silverado)

Chevrolet, which is owned by General Motors, collects both information about you and what you do with your vehicle, as all manufacturers we analyzed do. A company spokesperson says its privacy statement is the fullest documentation of what the company collects. This document also links to its specific privacy document for connected services, including its cars. We ran the Chevrolet Silverado through the privacy tool.

As a starter, GM collects people’s identifiers, such as names, postal addresses, and email addresses. Chevrolet’s documents say it can collect information about your vehicle, such as its battery, ignition, and window data, gear status, and diagnostic information. It can also collect, among other things, your location, route history, your speed, and “braking and swerving/cornering events.”

Most PopularBusinessThe End of Airbnb in New York

Amanda Hoover

BusinessThis Is the True Scale of New York’s Airbnb Apocalypse

Amanda Hoover

CultureStarfield Will Be the Meme Game for Decades to Come

Will Bedingfield

GearThe 15 Best Electric Bikes for Every Kind of Ride

Adrienne So

The documents also say data “from camera images and sensor data, voice command information, stability control or anti-lock events, security/theft alerts, and infotainment (including radio and rear-seat infotainment) system and Wi-Fi data usage” can be collected. The company can also receive “information about your home energy usage,” which relates to the charging and discharging of electric vehicles.

Jeep and Ram (Grand Cherokee and Ram Pickups)

The Jeep Grand Cherokee and the Ram Pickup are two of the most popular vehicles in the US. Both the Jeep and Ram brands are owned by Stellantis, a firm that was created when Fiat Chrysler Automobiles and the Peugeot group merged in 2021. As a result, they largely use the same connected services privacy policy and terms of service, which can also cover Chrysler, Dodge, and Fiat. (Ram was a line of Dodge trucks until it became its own brand starting in 2010.)

Stellantis can collect your name, address, phone number, email, Social Security number, and driving license number. The driving data the company collects, according to its documents, includes the dates and times you use it, your speed, acceleration and braking data, details of the trip (including location, weather, route taken), and, among other things, cruise control data. Like other manufacturers, it also collects data about the status of your car, including “refueling activity,” battery levels, images from cameras, and error codes that are generated. Your face and fingerprint data may be collected if you use services, such as digital keys, that need this kind of information to operate, the documents say.

Privacy4Cars tool says the company is “silent” in its documents on whether data from synched phones is collected. Mark Silk, the head of software data analytics at Stellantis, says data is not collected from synched phones in vehicles, but the company does collect data from its “branded mobile remote apps.”

Silk says that for the majority of its new vehicles, there are three ways for people to manage their personal data. “The ability to turn off and on the collection of geo-location data at any time from within the vehicle, the ability to opt-in/out and consent to specific uses of their personal data via our digital channels, and the ability to request the ‘right to be forgotten’ at any time—again this can be requested via digital channels,” Silk says, adding the company is rolling out more privacy tools in the future.

Related Articles

Latest Articles