Internet-Connected Cars Fail Privacy and Security Tests Conducted By Mozilla (gizmodo.com) 26
According to Mozilla's *Privacy Not Included project, every major car brand fails to adhere to the most basic privacy and security standards in new internet-connected models, and all 25 of the brands Mozilla examined flunked the organization's test. Gizmodo reports: Mozilla found brands including BMW, Ford, Toyota, Tesla, and Subaru collect data about drivers including race, facial expressions, weight, health information, and where you drive. Some of the cars tested collected data you wouldn't expect your car to know about, including details about sexual activity, race, and immigration status, according to Mozilla. [...] The worst offender was Nissan, Mozilla said. The carmaker's privacy policy suggests the manufacturer collects information including sexual activity, health diagnosis data, and genetic data, though there are no details about how exactly that data is gathered. Nissan reserves the right to share and sell "preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes" to data brokers, law enforcement, and other third parties.
Other brands didn't fare much better. Volkswagen, for example, collects your driving behaviors such as your seatbelt and braking habits and pairs that with details such as age and gender for targeted advertising. Kia's privacy policy reserves the right to monitor your "sex life," and Mercedes-Benz ships cars with TikTok pre-installed on the infotainment system, an app that has its own thicket of privacy problems. The privacy and security problems extend beyond the nature of the data car companies siphon off about you. Mozilla said it was unable to determine whether the brands encrypt any of the data they collect, and only Mercedes-Benz responded to the organization's questions.
Mozilla also found that many car brands engage in "privacy washing," or presenting consumers with information that suggests they don't have to worry about privacy issues when the exact opposite is true. Many leading manufacturers are signatories to the Alliance for Automotive Innovation's "Consumer Privacy Protection Principles (PDF)." According to Mozilla, these are a non-binding set of vague promises organized by the car manufacturers themselves. Questions around consent are essentially a joke as well. Subaru, for example, says that by being a passenger in the car, you are considered a "user" who has given the company consent to harvest information about you. Mozilla said a number of car brands say it's the driver's responsibility to let passengers know about their car's privacy policies -- as if the privacy policies are comprehensible to drivers in the first place. Toyota, for example, has a constellation of 12 different privacy policies for your reading pleasure.
once you drive it off the lot (Score:5, Insightful)
The auto company doesn't care, they got your money. Unless there is something about the car that is going to cause death or injury, they aren't going to proactively deal with the issues. Anyone who has bought a BMW with the window trim falling off or other miscellaneous bullshit knows how important it is to get in line for warranty covered service. Good luck getting a warranty in this day and age that would recognize something as vague as internet security flaws.
To quote Gomer Pyle (Score:2)
Surprise! Surprise! Surprise! [youtube.com]
No phone or GPS connected (Score:3)
yeah probably (Score:4, Interesting)
Wait for your first e-mail from the dealer that magically has an up-to-date mileage number in it.
You know that scene from Total Recall where Arnold rips the tracker out of his nose? That's pretty much what you have to do. To get it out of a Subaru you have to pry the trim off, unbolt the head unit, pull it out, unplug the tattler (and ideally remove it entirely and trash it), insert a bypass plug (because a lot of stuff goes through it and won't work unless you patch it back together), then put everything back together again. Fun!
Re: (Score:2)
Thanks, I hadn't heard all of that yet. My solution: keep older cars, and yes, I do all my own repairs. If I ever make enough $ to justify a new car, and I'm not too sure what I'd buy anyway, I'd have to find the "tattler" and disable it as you suggest.
However, what happens when you take it in for dealer warranty / regular service? Aren't they going to know the tattler is disabled / missing and fix it?
Re: (Score:2)
However, what happens when you take it in for dealer warranty / regular service? Aren't they going to know the tattler is disabled / missing and fix it?
No, but they might well refuse to fix something else that's connected to it. The warranty doesn't cover your modifications.
Once again (Score:4, Insightful)
This type of behaviour should be grounds for murder, because I'm pretty sure anything less won't stop the constant march towards turning the 99.9% into property without rights.
And while I'd be happy enough seeing the CEO down to upper management hanged in front of their headquarters, I would also be OK with that treatment going all the way down to the coders behind the system as well.
YOU ARE HUMAN BEINGS. Stop accepting being treated like property to be exploited by the ultra-wealthy.
IOT is a massive threat to national security... (Score:5, Insightful)
Being able to turn your air conditioner on before you get into the car is not worth ANY increased risk of car accidents or cyber-stalking. But that's really all they're offering us.
Re: (Score:1)
well sure there's a downside, but look on the bright side (dadum dadum deedum dadum;-) here's a modest proposal:
all ECUs control the fuel/air mixture in realtime, so when the air contains unburned hydrocarbons, the ecu knows, as does anyone who has been coal-rolled https://en.wikipedia.org/wiki/... [wikipedia.org] or when followed an un-smogged muscle car or more frequently a chipped performance car...smell ya L8r-\ and don't forget _all_ cars spewed u.h.c. when we boomers were growing up:-( the rust-belt heavy-metal child
Methodology? (Score:4, Interesting)
So ... it looks like they read online privacy policies of each brand and then said "creepy"?
And they explain Acura uses the Honda privacy policy but Acura is scored much higher?
What is going on here? I was hoping for something like Consumer Reports used to do.
Mozilla and cars (Score:2)
Re: (Score:2)
My Nissan is stupid (Score:2)
But I am thinking of putting a Chinese Android stereo in it. The display on my stock one is a mess. Then it can spy on me.
Sexual activity monitoring... (Score:3)
The carmaker's privacy policy suggests the manufacturer collects information including sexual activity, health diagnosis data, and genetic data, though there are no details about how exactly that data is gathered
Well, depends on what you are doing on the back seat. Car is stationary but suspension system still detects impulses...
Anyway, on my Seat I was able to see all the info about the telematics box using an OBD reader. I could just disable the eSIM altogether, but I preferred to just disable the incoming GPS signal. VAG group can collect my mileage and whether the car doors are locked, but not where I've driven my car. (They posit that this could be used for finding your car if you forget where you parked it. No thanks, I'll find it on my own).
I also tested that if I disable the uplink, the telematics module apparently caches *some* of the data, but not more than a few iterations. I guess it's for cases where you are outside of the mobile network.
Have to say, since I live in the EU and have to click through the cookie-consent stuff at every website, some being very detailed in what they collect and what you can toggle, why cannot the legislators draw up something similar for cars. When you first buy a car or factory reset the computer when you resell it, you would go through the data collection screen and opt-in. "Mileage and door locked status, sure. Location, not. Driving patterns, not".
Re: (Score:2)
Have to say, since I live in the EU and have to click through the cookie-consent stuff at every website, some being very detailed in what they collect and what you can toggle, why cannot the legislators draw up something similar for cars. When you first buy a car or factory reset the computer when you resell it, you would go through the data collection screen and opt-in. "Mileage and door locked status, sure. Location, not. Driving patterns, not".
Why not a universal GDPR for any hardware, including vehicles, phones, microwave, washing machine, etc?
Basically an explanation must be provided for every type of data collected and how it helps with the equipment working as designed. And with options to disable some types of data / all data from anything you buy. So you get to decide if you want to enable the GPS, but disable the sex monitoring stuff, for example.
Cheese (Score:2)
In other news, French Cheese Fails Taste Tests Conducted By Oracle.
Seriously, since when are Mozilla experts in things that aren't Web-related?
Re: (Score:2)
Because... they suck at the web browser development business, so they thought they would take some of the HUGE pile of money they have collected and spend it on things no one asked for. It falls under the heading of social activism, so it must be a good thing. And it gets their name in the headlines, so it is a valid advertising expense.
Don't worry. Amateur porn is "niche"... (Score:2)
This means not many people will be interested anyways. Personally, I like my porn performed and filmed by people that have some level of a clue how to give a good show.
Re: (Score:2)
That's the rub. Er...
Seriously though, what is it with all this amateur porn that looks like the people who made it have never seen porn before? Can't figure out either how to hold a camera OR where to point it.
Re: (Score:2)
No idea. Apparently some people have a fetish for that. The making of it, I mean, probably not so much the viewing of it.
Re disconnecting the antenna (Score:2)
Re: (Score:2)
Certain data, such as seat belt status, is known by the ABS module.
You can get data out of the SRS module in operation but it probably doesn't store much. The standard is to store 30 seconds before and after an airbag is deployed.
The infotainment, on the other hand, could be storing effectively any amount of logging data.