An ongoing US Senate investigation indicated that connected car makers violate consumer privacy by sharing and selling drivers’ data, including their location, on a vast scale, and that the same car makers often obtain consumer consent through deception.
Based on this investigation, senators have urged the Federal Trade Commission (FTC) to investigate automakers’ disclosure of millions of Americans’ driving data to data brokers, and to share new-found details about the practice.
And they don’t stop there:
“If the FTC determines that these companies violated the law, we urge you to hold the companies and their senior executives responsible.”
At Malwarebytes, we reported on how Mozilla's "Privacy Not Included" team, which has reviewed the privacy and data collection policies of various product categories for several years, found cars to be the worst product category it had ever reviewed for privacy.
A modern car has not been just a means of transportation for a long time. With their multiple digital systems, cars are increasingly plugged into web applications and digital processes, and those applications and processes are vulnerable to security flaws.
But at least those vulnerabilities are not intentional. Some other privacy issues are.
In November 2023, a judge ruled that car makers may intercept drivers' text messages, because the practice does not meet the threshold for an illegal privacy violation under state law.
The senators found some worrying aspects of modern car data collection practices, which included the use of dark patterns to obtain consent in ways that did not qualify as “informed” consent. Dark patterns, also known as deceptive design patterns, occur when a user interface has been carefully crafted to nudge or trick users into doing things they didn’t set out to do.
Another problem lies in the fact that data was found to be sold on to data brokers. These services can allow interested parties—from law enforcement agencies to marketing firms and even scammers—to access records that contain usernames, passwords (including in clear text), email addresses, IP addresses, and more.
Three car makers confirmed that they disclosed drivers' data, such as acceleration and braking data, to one data broker. One of the car makers also confirmed that it disclosed customer location data to two other companies, which it refused to name.
The named data broker sold reports based on this data to auto insurance companies and also provided automakers with some of the information, including a driving score and safe driving suggestions. According to the New York Times, car manufacturers shared driving behavior data from more than eight million cars.
The senators also worry that some car makers advertised "safe driving" programs solely as a way for drivers to lower their insurance bills, without revealing that some insurers might charge some drivers more based on their telematics data.
Some states, including Louisiana and Montana, have limited the use of telematics data to raise insurance premiums, while California only permits telematics data sharing for mileage verification.
The senators wrote:
“The FTC should hold accountable the automakers, which shared their customers’ data with data brokers without obtaining informed consent, as well as the data brokers, which resold data that had not been obtained in a lawful manner. Given the high number of consumers impacted, and the outrageous manipulation of consumers using dark patterns, the FTC should also hold senior company officials responsible for their flagrant abuse of their customers’ privacy.”
At Malwarebytes, we have repeatedly expressed our concern about the sheer number of buyers and brokers of personal data. That concern applies whether they sell data to anyone willing to pay or offer it only to those who rightfully own it, and it applies regardless of how the data were obtained, whether in a breach or by "consent."
As we all learned in economics, demand drives up the price, and the higher the price, the more attractive the data becomes as a target. And, as the mother-of-all-breaches (MOAB) incident clearly demonstrated, not everyone who collects data is as careful as they should be about keeping it from being exposed.
You can check whether your information is available online as a result of data breaches by using the Malwarebytes Digital Footprint portal. Just enter your email address (try the one your car dealership has) into our free Digital Footprint scan, and we'll give you a report. Even if your information was not part of these car data disclosures, you'll likely still find exposures from previous data breaches.