Bad news: your car is a spy. If your vehicle was made in the last few years, you’re probably driving around in a data-harvesting machine that may collect personal information as sensitive as your race, weight, and sexual activity. Volkswagen’s cars reportedly know if you’re fastening your seatbelt and how hard you hit the brakes.

That’s according to new findings from Mozilla’s *Privacy Not Included project. The nonprofit found that every major car brand fails to adhere to the most basic privacy and security standards in new internet-connected models, and all 25 of the brands Mozilla examined flunked the organization’s test. Mozilla found brands including BMW, Ford, Toyota, Tesla, and Subaru collect data about drivers including race, facial expressions, weight, health information, and where you drive. Some of the cars tested collected data you wouldn’t expect your car to know about, including details about sexual activity, race, and immigration status, according to Mozilla.

“Many people think of their car as a private space — somewhere to call your doctor, have a personal conversation with your kid on the way to school, cry your eyes out over a break-up, or drive places you might not want the world to know about,” said Jen Caltrider, program director of the *Privacy Not Included project, in a press release. “But that perception no longer matches reality. All new cars today are privacy nightmares on wheels that collect huge amounts of personal information.”

Modern cars use a variety of data harvesting tools including microphones, cameras, and the phones drivers connect to their cars. Manufacturers also collect data through their apps and websites, and can then sell or share that data with third parties.

The worst offender was Nissan, Mozilla said. The carmaker’s privacy policy suggests the manufacturer collects information including sexual activity, health diagnosis data, and genetic data, though there are no details about how exactly that data is gathered. Nissan reserves the right to share and sell “preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes” to data brokers, law enforcement, and other third parties.

“When we do collect or share personal data, we comply with all applicable laws and provide the utmost transparency,” said Lloryn Love-Carter, a Nissan spokesperson. “Nissan’s Privacy Policy incorporates a broad definition of Personal Information and Sensitive Personal Information, as expressly listed in the growing patchwork of evolving state privacy laws, and is inclusive of types of data it may receive through incidental means.”

Other brands didn’t fare much better. Volkswagen, for example, collects your driving behaviors such as your seatbelt and braking habits and pairs that with details such as age and gender for targeted advertising. Kia’s privacy policy reserves the right to monitor your “sex life,” and Mercedes-Benz ships cars with TikTok pre-installed on the infotainment system, an app that has its own thicket of privacy problems.

“BMW NA provides our customers with comprehensive data privacy notices regarding the collection of their personal information. For individual control, BMW NA allows vehicle drivers to make granular choices regarding the collection and processing of their personal information,” said Phil DiIanni, a BMW spokesperson. DiIanni said BMW hasn’t reviewed the study, but said “BMW NA does not sell our customer’s in-vehicle personal information,” and the company takes “comprehensive measures to protect our customers’ data.”

Mercedes-Benz spokesperson Andrea Berg declined to comment, as the company hasn’t reviewed the study, but Berg said the MercedesMe Connect app gives users privacy settings and the ability to opt-out of certain services. Gizmodo contacted the other manufacturers named in this story, but none immediately provided comments.

The privacy and security problems extend beyond the nature of the data car companies siphon off about you. Mozilla said it was unable to determine whether the brands encrypt any of the data they collect, and only Mercedes-Benz responded to the organization’s questions.

Mozilla also found that many car brands engage in “privacy washing,” or presenting consumers with information that suggests they don’t have to worry about privacy issues when the exact opposite is true. Many leading manufacturers are signatories to the Alliance for Automotive Innovation’s “Consumer Privacy Protection Principles.” According to Mozilla, these are a non-binding set of vague promises organized by the car manufacturers themselves.

Brian Weiss, a spokesperson for the Alliance for Automotive Innovation, shared a link to a letter the organization wrote to Congress about its Privacy Principles. These principles “are in effect today and enforceable by the Federal Trade Commission,” Weiss said.

Questions around consent are essentially a joke as well. Subaru, for example, says that by being a passenger in the car, you are considered a “user” who has given the company consent to harvest information about you. Mozilla said a number of car brands say it’s the driver’s responsibility to let passengers know about their car’s privacy policies—as if the privacy policies are comprehensible to drivers in the first place. Toyota, for example, has a constellation of 12 different privacy policies for your reading pleasure.

Update, Sept. 7th, 2023, 9:54 a.m. EST: This story has been updated with a comment from Nissan.
