Senator Edward Markey (D-Mass.) has again obtained and about the privacy practices of private companies in a sensitive area, this time in the form of a report on the practices of automobile manufacturers.
According to the report, not only are local police departments, federal agencies, phone companies, advertising companies, and map app providers collecting customers’ location data, so are the automobile manufacturers. One might think that the automakers would stick to their core competency of making cars, but apparently, like everyone these days, many of them are eager to get into the game of data, data, data. And so far, the marketplace has not made it possible to use location services without giving up a lot of privacy. There is no reason we can’t have our cake and eat it too, here—cool services, and reasonable protection for privacy.
The main privacy-related takeaways from the report are:
- Most carmakers today are including in their vehicles “a range of navigation, telematics, infotainment, emergency assist, stolen vehicle recovery, and event data recording systems that have the ability to record driving history information.”
- At least seven manufacturers reported collecting information on drivers’ geographic location. The report does not name the manufacturers. (It does say that Honda, Porsche, and Mercedes-Benz refused to provide information in response to this question, and that Tesla, Aston Martin, and Lamborghini didn’t respond to the senator at all. I’m inclined to assume the worst of companies that refuse to cooperate with this kind of inquiry.)
- Two automobile industry associations have adopted voluntary privacy principles, but they are of little use. First of all, they’re voluntary—and it’s not clear to what extent market pressures will ensure compliance. Second, they're weak, for example allowing collection “only as needed for legitimate business purposes,” which as far as I can tell would still allow for any use of data that makes a company money. The voluntary guidelines also suggest that companies give consumers “choice” over whether some data is shared—but that choice only extends to “sensitive” data shared “for marketing purposes.” And the guidelines recommend no choice at all over whether the data is collected and stored by the car companies in the first place, which is the real privacy pain point. Among other things, data stored by a company can be demanded by government agencies.
- Only two manufacturers out of the 20 contacted said that data collection or transmission can be disabled with no loss of functionality, with four others saying it can be disabled by turning off a feature or service.
- Notice to customers of these practices, where there is any at all, typically comes in the form of fine print buried in owners’ manuals or terms and conditions (which must be accepted). Customers should never be tracked without their consent—but you can't consent to something you aren't aware of.
- The security situation with regard to wireless car services is a mess, according to the report, which found that most cars on the road are vulnerable to hackers, who in many cases could interfere with critical safety systems such as a car's steering and brakes. I’ve written about this issue before (here and here), but the report contributes valuable new information to our understanding of the scope of the security problem.
Our cars are increasingly computers on wheels, and that is opening the gates to all the privacy and security issues that other computers are susceptible to. It’s great to see at least some members of Congress making use of their powers to shine light on the lightning-fast evolution of technology and consumer privacy.