Modern cars are surveillance devices on wheels with major privacy risks – new report

New research reveals serious privacy flaws in the data practices of new internet connected cars in Australia. It’s yet another reason why we need urgent reform of privacy laws.

Modern cars are increasingly equipped with internet-enabled features. Your “connected car” might automatically detect an accident and call emergency services, or send a notification if a child is left in the back seat.

But connected cars are also sophisticated surveillance devices. The data they collect can create a highly revealing picture of each driver. If this data is misused, it can result in privacy and security threats.

A report published today analysed the privacy terms from 15 of the most popular new car brands that sell connected cars in Australia.

This analysis uncovered concerning practices. There are enormous obstacles for consumers who want to find and understand the privacy terms. Some brands also make inaccurate claims that certain information is not “personal information”, implying the Privacy Act doesn’t apply to that data.

Some companies are also repurposing personal information for “marketing” or “research”, and sharing data with third parties.

What is a connected car? How does it transmit data?

Connected cars sold in Australia can transmit data about the car, its driver and passengers in real time via the internet. The data can go to the overseas vehicle manufacturer and other businesses.

Manufacturers often require the owner or driver to download and use an app to make use of various “connected services”.

Depending on the brand and model, these may include the ability to remotely:

  • heat, cool, lock or unlock the car
  • locate the parked car, including through remote use of headlights and horn
  • check fuel level and tyre pressure, or
  • use the car’s internal and external cameras to view its surroundings and interior.

How connected cars transmit data. Katharine Kemp, based on Dept of Infrastructure, Telecommunications Legislation and Connected Vehicles Discussion Paper, 2023, Figure 2

The introduction of connected models in Australia has lagged behind the European Union and the United States. Some popular brands in Australia – for example, Subaru and Isuzu – still offer no connected models.

However, Austroads predicts that by 2031, 93% of new car sales in Australia will be connected cars.

Why do we need data privacy?

Personal information collected by your car can be misused in various ways. It could be disclosed to insurers or data brokers without your consent. It can facilitate crimes, including domestic violence, stalking and robbery.

Such data also presents the risk of unjustified police or government surveillance, and even national security risks.

In 2023, Mozilla Foundation researchers analysed connected car privacy terms in the United States, calling it a “privacy nightmare on wheels”. This was revealing, but not directly useful for Australian consumers.

This new report analyses the privacy terms of new connected cars sold by the 15 most popular car brands in Australia. The goal was to find out how car brands approach customer privacy and potential risks, and whether consumers can make decisions about their data privacy before buying the car.

To avoid comparing apples with oranges, this analysis only included brands that currently offer connected cars in Australia. “Unconnected” cars don’t offer consumers the same features via the internet (although they may still collect data to some extent, and can still present privacy risks).

Privacy terms aren’t easy to find

There are massive obstacles to consumers who want to read and understand the relevant privacy terms.

This includes brands referring consumers to multiple, lengthy documents. Consumers are directed to an average of three documents totalling around 14,000 words per brand to discover the applicable privacy terms.

There can also be further privacy notices in the vehicle, the user manual or the purchase contract.

Other hurdles for consumers included missing privacy terms, unhelpful interfaces, and significant errors in published privacy policies.

What counts as personal information?

Several major brands fail to recognise the full scope of personal information protected by the Privacy Act.

They claim, for example, that certain information “does not, on its own, personally identify” the consumer and they can use this for “any purpose”.

But this can, in fact, be personal information about a reasonably identifiable individual.

For example, on its own, a map of your precise location throughout the day may not identify you. But once matched with your home and work address, or location history on your mobile phone, it can be linked to you.

Using data for unrelated purposes

Given the intimate and often sensitive nature of the information, car companies should not use it for unrelated purposes without consent. Any consent to use it should be active, opt-in, express, unequivocal and fully informed.

However, most of the brands in our report say they will use the information collected from connected cars for undefined “marketing” or “research” purposes. In some cases they say they will use it for making predictions about the individual’s behaviour – all without requiring express consent.

Several of the brands also have broad data sharing arrangements with digital platforms, advertising technology companies, data brokers or artificial intelligence developers.

Most of the privacy terms also make vague references to providing personal information to insurance companies, without specifying limits on these disclosures to ensure insurance companies don’t repurpose this information against consumers’ interests.

Consumers in the US are suing General Motors for passing on driving data to insurers, which then increased their insurance premiums.

Privacy law reform is overdue

The Australian Privacy Act has been under review for several years.

To improve privacy protections in connected cars, we must update definitions of “personal information” and “consent”. We also need a “fair and reasonable” test for data practices. It’s not enough for consumers to technically consent to a practice, the practice itself should be fair when its consequences are fully understood.

The government’s current “first tranche” of proposed privacy law reform does not include these amendments.

In the meantime, the data practices surrounding connected cars need immediate attention and guidance from the privacy regulator.

Customers should be able to easily find and understand the privacy terms and choices of the cars they want to buy. Businesses should recognise the full extent of personal information collected by the car and adequately protect it.