While syncing a smart phone to an infotainment system may sound appealing on the surface, we must ask ourselves what we — as a society — are willing to sacrifice for the conveniences of technology.
You jump into a rental vehicle. The car asks if you want to pair your device and sync your contacts. You think nothing of it.
Some time later you realize – that you’ve compromised your data and personal privacy. Stored (not-so) securely in an airport rental lot. Your stomach wrenches. It seemed like an easy route to make hands free calls with a vehicle, but in reality, private and potentially sensitive information was shared with a third party.
From your vehicle’s speed, to the time spent driving, contacts, personal information, whether or not someone is sitting in the front passenger seat of a vehicle and the applications utilized while driving during a car accident. All these pieces of information can be stored by a vehicle manufacturer and even shared with third parties unbeknownst to the user.
Newer cars collect large quantities of data on their drivers and passengers. All too often, unassuming individuals connect their smartphone to the vehicle’s infotainment system without fully understanding the privacy that they are forfeiting to the vehicle manufacturer and thereby potential bad actors in the event of a data breach down the line.
What Kind of Data are Car Manufacturers Collecting?
It may be surprising to some, but consumer data has become a treasure trove for businesses to monetize. Individuals may blindly accept the terms and conditions to utilize a digital platform, without fully recognizing the drawbacks of doing so. According to Bonilla Law Firm, an Austin TX accident attorney, infotainment systems can, in certain instances, be shared with law enforcement and other third parties.
Toyota, the world’s largest car manufacturer, with 9.5 million units sold in 2020 states that voice recordings, location data, driving data, and multimedia screen data will be collected for four years after the expiration of your subscription for connected services.
Toyota states in their privacy policy that they may share personal information with the following entities:
- Emergency responders
- Their parent company
- Third party service providers
- Insurance providers
- Dealerships
- Law enforcement
Mazda’s privacy policy outlines similar terms and conditions. Although many car buyers agree to these policies without reading or comprehending the amount of information that could be shared with third parties. Anyone using a car infotainment system might have what they thought was otherwise private data, someday come back to bite them.
With all of the data collected by car manufacturers – what is their end game? Every day, car manufacturers collect exponentially more data about driving habits, application use, number of passengers and personal contacts.
With the future of automobiles pointing forward automation, vehicles and their manufacturers can use your driving habits to aggregate data from sensors on the exterior and interior of a vehicle.
Can I Request My Data Stored on an Infotainment System?
To answer simply – it depends.
The State of California and it’s 2020 California Consumer Privacy Act (CCPA) requires companies that collect and store a user’s data to provide access to the user and provide the ability to opt-out of the “sale” of their data. Unfortunately, this right to opt-out of the “sale” of data is a qualified right — car manufacturers can still send user data to their vendors. The CCPA also mandates that businesses subject to CCPA provide a notice at the point of collection of user data collection for both digital and in-person data.
California, is however, not the only jurisdiction that has laws on the books granting users the right to access their data. The European Union, United Kingdom, Canada, and Brazil all have similar laws in place at time of this article’s publication. These governments have established a user’s right to access the data that has been stored about them — including data car manufacturers store in their infotainment systems.
However, for the individuals who do not live in jurisdictions with these types of data privacy laws on the books, user rights can be a bit less certain. While car manufacturers operating in the jurisdictions with data privacy laws must allow users located in those jurisdictions to request this information, users located outside those jurisdictions are not necessarily afforded the same rights. While some companies have voluntarily afforded these privacy rights to all users, many only provide these rights when legally required to do so. The methods for exercising these rights vary from manufacturer to manufacturer and jurisdiction to jurisdiction. The best way to find out if you have such rights is to review your car manufacturer’s privacy policy.
The amount of data privacy can differ greatly from one state, jurisdiction or country to the next. What is the norm in one jurisdiction can be completely different from a bordering territory. Even jurisdictions within the same country can have varying rules and regulations to govern what can, and cannot, be shared.
A resident of the European Union lives in an “opt-in framework for data privacy. This means that the user of the automotive device must consent” to it before a vehicle manufacturer can track and utilize the data. The consumer must be allowed to withdraw consent at any time and they do own the rights over their information. The user is allowed to request this information at any point in time.
Can Law Enforcement Access My Car’s Infotainment System?
If a car manufacturer is suspected of possessing information related to criminal activity the vehicle manufacturer may be obligated to provide this information to law enforcement during the execution of a search warrant. This ability for law enforcement to access information held by entities like car manufacturers is constitutional in the United States as it falls under the “third-party doctrine.”
The third-party doctrine basically holds that individuals who voluntarily give information to third parties have “no reasonable expectation of privacy” in the information the third party possesses. The third-party doctrine generally enables law enforcement agencies in the US to obtain information from third parties without a legal warrant. Certain exceptions to the third-party doctrine exist, but they are narrow and still in their nascent stages of judicial interpretation.
However, if the data in the infotainment is encrypted, the law is still unsettled in the United States as to whether law enforcement forcing the decryption of the data is constitutional. For example, if the police show up at your door and ask you to decrypt your car’s infotainment by entering a passcode, the courts are split as to whether this violates the fifth amendment prohibition against self-incrimination. The US Supreme Court has not yet ruled on this issue — although it is only a matter of time before it does. The law governing forced decryption varies from one state to state and circuit to circuit.
With businesses continuing to monetize from learning about the behavior of their users, users of these technologies need to weigh the risks of sacrificing privacy for the usability and convenience of syncing a smart phone with an infotainment system — and even driving a car with a computer. If users do not wish to have their data shared, it may be best to stick with an older model vehicle.
How Can I Keep My Data Secure?
In the exhausting struggle against companies tracking our every move, consumers need to understand that there is very limited privacy in the 21st Century.
During a recent conversation with Jason Heath, a data privacy attorney in California, he put it this way:
“Basically, if there’s any electronic device within earshot, it is best to assume that the conversation is not private. Even if the device is turned off.”
From smartphones, smart speakers, smartTVs and now smart cars – the consumer and user of these electronic devices needs to grasp that privacy is increasingly being squeezed from their own property and own lives. Your data, in many respects, is owned and accessible to parties with whom you are familiar and parties you wouldn’t expect if you did not read the terms and conditions and privacy policy when you purchased your vehicle.
If you want to keep your data secure in your vehicle, limit or avoid sharing your data with your car. Doing this will require driving a car that has no infotainment system or severely limiting the functionality of a car. Many infotainment and on board car computer systems can collect data on unassuming individuals. A car that lacks these infotainment systems cannot share your data regarding your driving habits with your car’s manufacturer or potential third parties you are unaware of.
While contacting my recently purchased car manufacturer regarding opting out of their data sharing program, I was told that it must be made verbally. However, if I choose to opt out of data sharing, some functionalities of the vehicle will no longer work. While I was willing to compromise with most of the trade-offs that would be lost while opting out, if my car was ever stolen, the vehicle more than likely would not be able to be tracked and recovered. It’s important to understand what can be lost from opting-out and weighing the pros and cons of this before reaching a conclusion.
Although this requires the vehicle operator to sacrifice some of the bells and whistles that vehicles in the 21st century have begun to implement, a car operator can at least rest easier knowing that their data will not be shared with third parties via their vehicle, potentially requested by law enforcement officials or impacted by a data breach.
Before you frivolously sync a smart device with a smart car it is important to think of the benefits and drawbacks. While syncing a smart phone to an infotainment system may sound appealing on the surface, we must ask ourselves what we — as a society — are willing to sacrifice for the conveniences of technology.
Join the conversation!