Nissan apparently collects “Sensitive personal information, including driver’s license number, national or state identification number, citizenship status, immigration status, race, national origin, religious or philosophical beliefs, sexual orientation, sexual activity, precise geolocation, health diagnosis data, and genetic information.”
I guess Subaru don’t need telemetry to guess your sexual orientation.
If a car is advertised as smart or connected, there’s a good chance it collects too much personal information.
That’s too bad because most new cars are, and it may cause some people to keep their old polluting but privacy-friendly car longer.
All new cars - Bruce Schneier wrote in Crypto-Gram that he tried to buy a new car without a permanent internet connection to the manufacturer and it wasn’t possible.
I’m probably never buying a car newer than the one I have. Everything is so ridiculous now. Though if I can just physically disable the WAN communication it uses I guess that’s fine too, though it would likely be expensive to get working again for resale.
It bothers me enough that my car is even capable of doing any kind of steering input I didn’t give it myself, brakes are by wire too, but fully depressing the pedal still connects you to the hydraulics directly so kind of a non-issue, it allows for AEB which is a good safety feature though I’ll likely never trip it.
My current car I think can do some kind of connection but I disabled it in the firmware when I flashed the BCM. Not missed, did nothing of benefit to me afaik.
Physically disabling WAN can be a workaround, assuming it can be done and reversed without damage. But it’s not a good solution.
Manufacturers have ways to degrade experience/features when the owner physically disables WAN: deny features and security updates (by doing OTA updates only), drag their feet or void warranty if WAN is disabled, design some features to be unnecessarily dependent on some cloud/online services (e.g. navigation, media features, …).
They cannot void your warranty over that, maybe for the computer you modified but the Magnuson-Moss Warranty Act means they have to honor the warranty unless they can prove your modifications caused the damage.
Also, who cares if it gets updates? It will continue to work as it did from the factory indefinitely. Security updates aren’t necessary if the car isn’t connected to the internet and those updates can’t change how the immobilizer/keys work anyways.
Things can suddenly or progressively break after a while if a system gets too far behind regarding updates.
A few plausible examples:
- The navigation system can send you to a non-existing road if it doesn’t know about recent major roadworks. Or give you an old/bad speed limit and cause you to get a ticket.
- The GPS receiver may fail to obtain a location if satellite orbit or other parameters shifted too much since the last update (happened to me once after several years).
- A bug may manifest itself only after a while or a given date (similar to Y2K) and break some features.
- A vulnerability may be discovered, which makes cars that aren’t updated easy to steal as knowledge of the vulnerability spreads.
- …
Tangentially related: I have a 2022 Subaru, I used to have a 2021 Subaru. Subaru has a mobile app where I can start the car, locate it, unlock the doors, etc. When I traded in the 2021, it never removed it from my app. I’m able to see where the car is parked, and presumably start it, open the doors, whatever.
I tried contacting Subaru, I looked for a bug reporting or bug bounty but couldn’t find one anywhere. All I could find was instructions to remove the car off of my app. I view this as a huge privacy breach, it shouldn’t be my responsibility to remove the previous owner’s info from the app.
I skimmed the article. Some manufacturers are not listed. Mazda for one.
Edit: I am unclear. Should I presume Mazda and others that are not listed are doing a good job?
I skimmed through their privacy policy and I’m not confident Mozilla would approve. They can share the telemetry that comes from your car, including its physical location.
Should I presume Mazda and others that are not listed are doing a good job?
Doubtful. Absence from a list like this usually just means that the people investigating had limited resources, and therefore chose a representative sample instead of doing an exhaustive survey.
If this report gets much attention, it would be a good opportunity for any car makers that do well on privacy (if they exist) to start boldly advertising it.
I wonder if this is part of the reason Chevy dropped Android Auto and Carplay. Can’t lose out on data collection.
It is, I think it’s been discussed to hell and back that it was the reason.
Make sure to sign the petition at the bottom of the Mozilla report.
Done
As expected, Tesla has the worst privacy rating
Second worst were these ones:
Nissan earned its second-to-last spot for collecting some of the creepiest categories of data we have ever seen. It’s worth reading the review in full, but you should know it includes your “sexual activity.” Not to be outdone, Kia also mentions they can collect information about your “sex life” in their privacy policy. Oh, and six car companies say they can collect your “genetic information” or “genetic characteristics.” Yes, reading car privacy policies is a scary endeavor.
While they’re all bad, Nissan is a no for me. Also between this, the dangerous recalls, and the theft issue, Kia is falling even further down my list.





