Your connected car could be putting your privacy at risk
As the U.S. enters a new era of lawmaking, connected cars could become the new front of legal battles.
This article was originally featured on The Drive.
Most modern cars know their locations better than their owners do. As connected-car services become mainstream, both for emergency functionality (such as General Motors’ OnStar) and for owner conveniences such as remote start or parking guidance, new vehicles are overflowing with the data that always-on connectivity generates.
While most owner concerns (and popular attention) have focused on unauthorized intrusions into these systems by bad actors, there are also massive troves of automatically generated data available to anyone with the technical knowledge or the commercial relationship needed to access them, and even the “proper” use of that data is a risk to anyone who values privacy. Your home, your work, every trip you’ve taken no matter how private: all of it can be seen, completely legally, by companies, governments, and individuals you never gave permission to follow your travels.
Struggling to think of a need for privacy beyond what’s already been extensively reported and debated? One recent example: as certain states move to criminalize previously legal medical care (such as abortion, contraception, and basic trans-related medication and care), the modern connected car and its troves of data could become a government’s unintentional best friend and a driver’s worst enemy as prosecution intensifies. Even if your car’s record of your habits doesn’t affect you today, state law has been changing rapidly (families in Texas found their access to trans care restricted within a week of the governor’s directive to eliminate it), and you may unexpectedly find yourself criminalized a week from now over some other arbitrary decision.
The good news is that legislation has already been proposed to rein in the current free-for-all. The bad news is that we don’t know how long it will take to pass, if it passes at all.
GPS, Wi-Fi, and a treasure trove onboard
To understand how driving a car could incriminate someone, it’s worth examining just what kind of data the car itself collects and transmits.
In 2021, 90 percent of cars sold in the United States—and around 130 million total cars sold worldwide—contained some form of embedded connectivity. This built-in connectivity takes many forms (built-in Wi-Fi, infotainment systems with their own cellular modems, and even Bluetooth pairing with a phone), but all of them share a few things: they collect and transmit large amounts of data, they are usually physically embedded in the car and support some of its core functions, and owners rarely control where the data ends up. Collecting and transmitting this data is known as telematics, and it is a multi-billion-dollar industry with wide-reaching implications for consumers.
Most consumers have no inkling of how powerful, and how plentiful, this telematics data is. The raw volume alone is overwhelming: a Washington Post case study of a 2018 Chevrolet Volt found that the car generated up to 25 gigabytes of data per hour across every category imaginable; for context, browsing Instagram for an hour uses a mere 720 megabytes. That deluge included location data even when the driver was not using the navigation system. The reporters also bought a used Volt infotainment unit on eBay and, simply by poring through the location data it had automatically logged, reconstructed the previous owner’s daily routine down to their home, workplace, and regular gas station.
An earlier study from 2017, by a student at the University of Ontario Institute of Technology, pulled similar location data from a variety of late-model vehicles’ infotainment systems, which logged exact coordinates even when GPS navigation was not in use. In certain versions of Ford’s Sync infotainment system installed in mid-2010s Fords, the researcher found that “vehicle and system generated events also generated GPS coordinates which can further be used to prove the vehicle user’s exact location at specific times (for e.g. when the vehicle shifts gear and vehicle doors are opened/closed, GPS coordinates are generated).”
An example log in the study, pulled from a 2013 Ford F-150, shows GPS coordinates being stored each time a door is opened or closed. At that frequency and precision, retracing exactly where the truck has been, and when, is straightforward.
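To make the point concrete, here is an added example that is not code from the study, the Washington Post, or any vehicle: it reconstructs a routine from an event log of the kind described above. The log format, the coordinates, the event names and the home/work heuristics are all assumptions constructed for this illustration. Each line is a timestamp, an event name, and the coordinates the logger stamped on that event; navigation is never used.

```python
"""Reconstruct a driver's routine from event-triggered GPS fixes.

Added example, not from the 2017 study or any vehicle. The log below is
constructed to mimic an infotainment unit that stamps coordinates on door
events: one 'timestamp event lat,lon' line per event. Navigation was never
used; every fix comes from a door opening or closing.
"""
import math
from collections import Counter
from datetime import datetime

SAMPLE_LOG = """\
2022-06-06T07:41:02Z DOOR_CLOSE 30.26721,-97.74312
2022-06-06T08:09:50Z DOOR_OPEN 30.28331,-97.73287
2022-06-06T17:32:11Z DOOR_CLOSE 30.28334,-97.73290
2022-06-06T17:58:44Z DOOR_OPEN 30.26718,-97.74315
2022-06-06T23:10:05Z DOOR_OPEN 30.26725,-97.74309
2022-06-07T07:39:18Z DOOR_CLOSE 30.26719,-97.74311
2022-06-07T08:05:27Z DOOR_OPEN 30.28329,-97.73293
2022-06-07T12:14:40Z DOOR_OPEN 30.29510,-97.72100
2022-06-07T12:41:03Z DOOR_CLOSE 30.29512,-97.72098
2022-06-07T17:35:56Z DOOR_CLOSE 30.28330,-97.73288
2022-06-07T18:02:12Z DOOR_OPEN 30.26722,-97.74310
2022-06-08T07:43:31Z DOOR_CLOSE 30.26720,-97.74313
2022-06-08T08:11:09Z DOOR_OPEN 30.28332,-97.73291
2022-06-08T17:29:47Z DOOR_CLOSE 30.28331,-97.73289
2022-06-08T17:55:20Z DOOR_OPEN 30.26723,-97.74314
"""


def parse_log(text):
    """Yield (datetime, event, lat, lon) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        stamp, event, coords = parts
        lat, lon = (float(v) for v in coords.split(","))
        yield datetime.fromisoformat(stamp.replace("Z", "+00:00")), event, lat, lon


def cell(lat, lon, decimals=3):
    """Snap a fix to a ~100 m grid so GPS jitter between visits collapses."""
    return (round(lat, decimals), round(lon, decimals))


def infer_places(text):
    """Guess home and work from *when* doors open, not from any route entered.

    Heuristic (an assumption of this example): DOOR_OPEN is an arrival; a
    weekday arrival between 07:00 and 10:00 is work, an arrival after 17:00
    or before 06:00 is home. A fuller version would also weigh dwell time.
    """
    home, work, places = Counter(), Counter(), set()
    for ts, event, lat, lon in parse_log(text):
        c = cell(lat, lon)
        places.add(c)
        if event != "DOOR_OPEN":
            continue
        if ts.weekday() < 5 and 7 <= ts.hour < 10:
            work[c] += 1
        elif ts.hour >= 17 or ts.hour < 6:
            home[c] += 1
    return {
        "home": home.most_common(1)[0][0] if home else None,
        "work": work.most_common(1)[0][0] if work else None,
        "places": sorted(places),
    }


def distance_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres (haversine)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6_371_000 * math.asin(math.sqrt(a))


def fixes_near(text, lat, lon, radius_m=100):
    """Every logged event within radius_m of a point of interest, with its time.

    This is the investigator's query: was this vehicle ever at this address?
    """
    return [(ts.isoformat(), event)
            for ts, event, plat, plon in parse_log(text)
            if distance_m(plat, plon, lat, lon) <= radius_m]


if __name__ == "__main__":
    print(infer_places(SAMPLE_LOG))
    print(fixes_near(SAMPLE_LOG, 30.2951, -97.7210, 50))  # the Tuesday lunch stop
```

Nothing here touches the navigation system: home and work fall out of when and where the doors open, which is why event-stamped coordinates are a bigger exposure than any destination the driver deliberately entered. `fixes_near` is the question an investigator actually asks of such a log, and a single door event inside the radius answers it.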
Casting a wide net
But the data sitting in your infotainment system is only part of the concern. All of the data discussed above, the GPS coordinates of every gear change and the location of every ECU boot, is not just stored onboard the car but is frequently sent back to the automaker for storage and analysis.
This dataset has legitimate, relatively benign uses for a host of businesses, the automakers and drivers included. Telematics can help professional drivers spot and avoid traffic by analyzing previous patterns; urban planners can use similar data to identify roads prone to jams and design more efficient streets; insurance companies can use it to spot fraud or dangerous driving habits; and manufacturers or fleet owners can identify potential malfunctions to repair (if engines report misfires or check-engine lights after driving at high altitude, for example).
All of this is possible because OEMs share these troves of telematics data with other companies, which then provide their own analyses. One such company is Otonomo, which, according to internal presentations shown to investors, is partnered with nearly a dozen automakers including Kia, BMW, Ford, Toyota, Stellantis, GM, and even heavy-equipment manufacturer Bobcat. Otonomo offers an array of services, all underpinned by its large collection of vehicle data, to a variety of customers, including tech behemoths Amazon and Microsoft, smart-city planners such as BeMobile, and parts manufacturers such as Hella and Continental.
Yet this billion-dollar business carries massive privacy implications. Even in datasets containing the movements of millions of theoretically anonymous people, singling out one individual is simple unless data privacy was a strict design goal. In a 2019 feature story, The New York Times examined how hard it is to anonymize phone location data and identified individuals with ease in supposedly anonymous datasets of timestamped cell-phone locations. Connected cars share the same problem, because a location trace is inherently hard to anonymize, especially when the device that records it travels with one person between home and work.
How hard could it really be to anonymize this data? A 2013 study by de Montjoye and colleagues, published in Nature’s Scientific Reports, showed that in a dataset of 1.5 million mobile-phone users, recorded at hourly resolution and at the precision of the serving antenna, “four spatio-temporal points are enough to uniquely identify 95 percent of the individuals.” That is, even in a dataset of millions of unnamed traces, knowing four timestamped locations for one person (a home address, a workplace, a photo with a timestamp) is enough to pick that person’s entire trace out of the crowd. The only mitigation the researchers found was to coarsen both location and time: log positions to a larger grid cell and timestamps to a wider window. Even that helped only gradually, since uniqueness fell off slowly as resolution was reduced, and the coarsening, of course, reduces the usefulness of the data.
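The following added example, which is not the study’s code, measures unicity the way the 2013 study defines it: a driver is unique if the first k points of their trace match no one else’s in the set. It then shows what coarsening does, by re-running the same query on a grid of roughly 1 km instead of 100 m and on four-hour rather than one-hour buckets. The six-driver population, the coordinates, the cell sizes and the bucket widths are all assumptions constructed for the illustration; a real population is millions of traces, and the fractions below are only meant to show the mechanism.

```python
"""Unicity of location traces, and what coarsening does to it.

Added example, not from the 2013 study or any vendor. The population is
constructed by hand: six drivers, four event-stamped fixes each, given as
(lat, lon, hour_of_day). u1 and u2 share a home cell; u3 lives a few hundred
metres from u1; u4 and u5 follow the same route an hour or two apart.
"""
MICRO = 1_000_000  # degrees -> integer micro-degrees, so cell maths is exact

A, A2 = (30.26720, -97.74310), (30.26450, -97.74080)  # two homes ~400 m apart
B, C, D = (30.28330, -97.73290), (30.29510, -97.72100), (30.25040, -97.75560)
E, F, G, H = ((30.31230, -97.70120), (30.30080, -97.69870),
              (30.32440, -97.68530), (30.24010, -97.77220))

TRACES = {
    "u1": [(*A, 7), (*B, 8), (*C, 12), (*A, 18)],
    "u2": [(*A, 7), (*B, 8), (*D, 12), (*A, 18)],
    "u3": [(*A2, 7), (*B, 8), (*C, 12), (*A2, 18)],
    "u4": [(*E, 7), (*F, 9), (*G, 13), (*E, 18)],
    "u5": [(*E, 7), (*F, 10), (*G, 14), (*E, 19)],
    "u6": [(*H, 7), (*B, 8), (*C, 12), (*H, 18)],
}


def to_cell(lat, lon, hour, cell_deg, bucket_hours):
    """Quantise a fix to (lat_cell, lon_cell, time_bucket).

    Integer micro-degrees and floor division keep this exact, so a coarse grid
    whose size is a multiple of the fine one is a pure function of the fine
    cell: coarsening can only merge traces, never split them.
    """
    size = int(round(cell_deg * MICRO))
    return (int(round(lat * MICRO)) // size,
            int(round(lon * MICRO)) // size,
            hour // bucket_hours)


def candidates(traces, observations, cell_deg=0.001, bucket_hours=1):
    """Drivers whose trace contains every observed (lat, lon, hour) point.

    This is the re-identification query: the observations are the few points
    an outsider already knows about one person, and the result is who in the
    'anonymous' set they must be.
    """
    known = {to_cell(*o, cell_deg, bucket_hours) for o in observations}
    return [u for u, pts in traces.items()
            if known <= {to_cell(*p, cell_deg, bucket_hours) for p in pts}]


def unicity(traces, k, cell_deg=0.001, bucket_hours=1):
    """Fraction of drivers singled out by the first k points of their own trace."""
    hits = sum(candidates(traces, pts[:k], cell_deg, bucket_hours) == [u]
               for u, pts in traces.items())
    return hits / len(traces)


if __name__ == "__main__":
    for label, cell_deg, hours in (("~100 m, 1 h ", 0.001, 1), ("~1 km, 4 h  ", 0.01, 4)):
        row = [f"k={k}: {unicity(TRACES, k, cell_deg, hours):.2f}" for k in (1, 2, 3, 4)]
        print(label, *row)
    # Two points known from elsewhere: seen at C around noon, parked at A that evening.
    print(candidates(TRACES, [(*C, 12), (*A, 18)]))            # fine grid
    print(candidates(TRACES, [(*C, 12), (*A, 18)], 0.01, 4))   # coarsened
```

On the fine grid every driver is unique by the third point; on the coarsened grid two-thirds of them still share a trace with someone else after all four, because u1/u3 and u4/u5 collapse together once homes a few hundred metres apart and hours a bucket apart become indistinguishable. That is exactly the trade the study describes: the blurring that buys privacy is the same blurring that removes the precision buyers pay for.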
But companies have little incentive to reduce the usefulness of location data, because its specificity is exactly what makes it valuable. McKinsey, the business strategy consultancy, estimates the car-data market will be worth a staggering $750 billion by the end of the decade. The best way to get a share of that market is with accurate data that advertisers, police states, and corporations can get the most use from.
That is not to say no company tries to protect consumer privacy; Otonomo specifically advertises what it calls “data blurring,” which is meant to protect drivers’ identities in compliance with the EU’s GDPR while still yielding useful data for its customers. Otonomo acknowledged a request for comment from The Drive about how its data blurring works but was unable to provide technical details on what steps it takes to anonymize data. Without those details, whether “blurring” means the kind of coarsening the 2013 study tested, or something else, is impossible to say.
But no U.S. law requires manufacturers to anonymize the telematics they collect, and some third-party companies sell services that explicitly offer to track specific, targeted vehicles. Not only can less-than-scrupulous buyers use this, but U.S. federal agencies have already purchased commercial location datasets, on the position that buying data lets them sift through personally identifiable records that would otherwise require a warrant.
The state of tracking
With this in mind, The Drive reached out to four auto manufacturers, Ford, Honda, Kia, and BMW, that all offer modern connected-car functionality in many of their models and whose privacy policies leave open the possibility of third-party sale of telematics. I asked, specifically, what their policies were on third-party data sale and sharing and, if they do share telematics with outside companies, how easily consumers can opt out.
Kia described the strictest approach to data protection. In a statement to The Drive, the company said that “Kia America collects geolocation data only on consumer-owned vehicles in the United States that are equipped with connected vehicle technology and have been enrolled by the owner in our Kia Connect service.” Furthermore, the automaker noted, “[Kia America] does not aggregate vehicle geolocation data, nor do we sell such data to third parties. While affiliated global Kia companies may have a working relationship with Otonomo, [Kia America]… does not share vehicle data with that company.” The company said that the only time geolocation data is shared with law enforcement is when it is presented with a valid court order or warrant, or when an owner consents to share it during an active vehicle-theft investigation.
Separately, a Genesis representative assured us in another story that the biometric data the GV70 can collect for the SUV’s fingerprint unlock and startup capabilities stays with the car itself and does not get shared with the company.
Roe vs. your car
With this level of data on hand, few legislative safeguards in place, and a scattered set of privacy policies that vary widely by manufacturer, the potential for a car to betray its owner’s privacy in a newly fraught legal landscape is clear. Some states have not just banned care but also made it legally questionable to travel to another state for it, with Texas’s anti-abortion law and anti-trans-care directive being the most obvious examples.
The state’s anti-abortion law weaponizes civil courts against anyone suspected of assisting in an abortion (including, for example, driving someone out of state to a clinic where abortion is legal). Its anti-trans-care policy, a governor’s directive rather than a statute, is structured differently, but it allows state Child Protective Services to investigate any parents suspected of affirming their child’s gender identity, which can include driving out of state to clinics where puberty blockers or trans-specific therapy are offered to minors. Idaho recently attempted to pass a bill punishing parents with up to life in prison for traveling out of state to get their children trans-related care; the bill died in the state Senate, but lawmakers indicated they would be willing to pass a more narrowly targeted bill in the future.
With the troves of data a patient’s car offers, the risk is very clear as what was once basic medical care becomes criminalized. Even assuming every other step for data privacy is taken, such as leaving a cell phone at home and avoiding digital communication while seeking care, having a car automatically log that its doors were opened at an out-of-state Planned Parenthood could be enough to prompt an investigation, a civil lawsuit, or even criminal proceedings. To make matters worse, location data of exactly this kind, singling out people who have visited clinics such as Planned Parenthood, is already for sale on the open market. Poland, for example, is strictly anti-abortion and recently created a registry to track every person who becomes pregnant and seeks care; the location of every clinic a patient has visited would be a valuable addition to such a list.
Even more worryingly, accessing this data does not always require a warrant. The techniques discussed above have already been put into practice by U.S. Customs and Border Protection, which courts have allowed to search digital devices at the border without one. And under the exception to the Fourth Amendment’s warrant requirement that applies to vehicles (the amendment that prohibits unreasonable searches and seizures), state police can download telematics data during a traffic stop if they believe they have cause to, which means a routine stop could quickly become an examination of every place a driver has been for weeks.
However, this still requires physical access to the car, which means that for such searches to be effective, state action would need to target specific, already-on-the-radar individuals such as activists and doctors (or fall on already marginalized groups, who are pulled over more often). But what if a police agency could simply browse everywhere cars have been, look for interesting patterns, and tie specific locations back to individuals?
The future of tracking
While Kia’s approach is far more likely to protect drivers’ privacy, the patchwork, manufacturer-driven state of vehicle data protection means that while a Sorento may slip under the radar, other vehicles may not. The simplest way to unify the state of driver privacy would be top-down: closing the Fourth Amendment gap that lets vehicle telematics be accessed without a warrant. Bipartisan legislation that would do just that and prohibit warrantless vehicle surveillance by U.S. authorities has been proposed, but it has not been voted on since its introduction late last year.
In the meantime, I spoke with Mary Stone Ross, chief privacy officer at the privacy-focused technology firm OSOM and a former CIA employee, about how consumers could protect themselves. Unfortunately, despite her familiarity with the issue, there was little comfort to offer.
Even then, it’s still better than living elsewhere, as “all of the laws that you’ve seen passed by [other] states are so much weaker,” Ross went on. “And then, there’s been really no movement on the federal level… The tech companies are spending so much money, and any sort of privacy regulation they see as an existential threat to their business model, whether it is or isn’t.”
When I asked if there’s anything consumers can do to protect themselves in the absence of strong federal law, she said, “I don’t even know what my advice is [to consumers], because even with the rental cars, without safeguards on consumer data at the manufacturer level, it’s a free-for-all.” Yet, in a world where privacy is likely to rapidly go from an afterthought to a central legal battle, her hope is still “that it actually puts pressure on Congress to pass federal privacy laws.”
Until legislation passes, then, consumers should be aware that their car can be a serious weak point for their personal safety and privacy. If you can, perhaps stick with the ancient beaters, whose most advanced technology is fuel injection.