The automotive industry stands out as one of the most data-intensive sectors globally. A recent study uncovered alarming trends among leading global car manufacturers, casting them as major contributors to data privacy concerns. This revelation comes just as driving is becoming increasingly digitized.
In its recent study, Mozilla indicated that car brands have essentially transformed vehicles into massive data collection and distribution machines. While we've been concerned about potential privacy breaches from our internet-connected doorbells and smartwatches, car manufacturers have entered the data arena with remarkable stealth. According to Mozilla's findings, Tesla emerged as the worst offender, closely followed by Nissan.
Tesla faced a data breach earlier this year that exposed the personal information of over 75,000 individuals, while Nissan also had to contend with a data breach — one affecting nearly 18,000 of its customers.
Mozilla's research further disclosed that an overwhelming 92% of car brands offer users little to no control over their personal data. The exception seems to be France's Renault and its Dacia brand, which afford users the right to delete their data, likely in adherence to European Union regulations.
Car manufacturers possess a multitude of data collection opportunities and can gather personal information through various channels, including interactions with the car itself, usage of connected services within the vehicle and even third-party data sources.
The ever-present connectivity and digital experiences, coupled with the data accumulation integral to the modern connected car experience, are fundamental to the industry's evolving business model. However, they simultaneously introduce substantial privacy and data protection vulnerabilities.
Exploring In-Vehicle Data in Detail
Depending on the carmaker, a connected vehicle can generate up to 25 gigabytes of data per hour, sourced from at least 200 sensors embedded within the vehicle. This data primarily exits the vehicle through in-vehicle cellular connections. It is then initially stored in data centers or cloud platforms controlled by the original equipment manufacturers (OEMs).
In-vehicle data is categorized into two basic types: non-personal data collected by sensors and personal data that can be linked to the driver. The latter can include journey details, driving behavior and data from the driver's mobile device.
When individuals synchronize their phones or connect via Bluetooth in a car, whether it's their own vehicle or a rental, they often unwittingly transfer extensive information, encompassing call logs, contacts, text messages, music preferences and even social media updates, to the car's data storage.
This sensitive data traverses numerous environments and platforms, both on-premises and in the cloud, where employees and contractors can access it worldwide. This reservoir of information exposes manufacturers to substantial risks from cyberattacks.
The abundance of highly sensitive data in connected vehicles necessitates an elevated level of protection, especially against threats like ransomware, cyber warfare and other attacks exploiting vulnerabilities in software and hardware.
In-vehicle data serves a multitude of purposes, ranging from developing autonomous vehicles and enhancing transport efficiency to enabling new business models. The parties with a vested interest in in-vehicle data further underscore its importance; these include insurers tailoring policies to drivers' behaviors and governments aiming to improve traffic management and road safety in smart cities.
Addressing Data Privacy in the Automotive Industry
Data privacy is a critical concern in today's world, and while we often hear about data breaches from various other sources, we may overlook the potential privacy risks associated with our vehicles. In reality, the automotive industry is a significant user of data and faces substantial data security risks.
The proliferation of smart technology, coupled with the massive generation of vehicle data, extensive network coverage and automation in road traffic, has led to an unprecedented volume of dynamic data. With multiple OEMs involved, data processing occurs at various stages and locations. This in itself substantially increases the risk of data breaches.
In response to the legal, financial and reputational consequences of data breaches and the subsequent emergence of data privacy regulations, the automotive sector must adopt robust data protection policies to safeguard information and ensure compliance.
Automotive companies must provide hardware and software security throughout the entire lifecycle of a vehicle, from design and manufacturing to operation and retirement. Additionally, securing in-vehicle networks is paramount to protecting processed personal data. Furthermore, the secure implementation of cloud security services is just as vital.
In the era of what are essentially “computers on wheels,” data privacy concerns in modern vehicles have mounted. A Mozilla study highlighted these trepidations, revealing that a substantial 84% of car brands openly shared users' personal data with service providers, data brokers and other undisclosed entities. The majority of manufacturers (76%) admitted to selling customer data, while over half confirmed sharing data with government and law enforcement agencies upon request.
Moreover, the expanding connectivity of vehicles via vehicle-to-vehicle communications, vehicle-to-infrastructure communications, over-the-air updates, Wi-Fi, Ethernet, 5G and other technologies has increased the vulnerability to cyberattacks.
Due to such concerns about the growing volume of data collected by vehicles, the California Privacy Protection Agency (CPPA) is actively monitoring the privacy practices of automakers and vehicle technology companies. It is particularly interested in those features that allow vehicles to automatically collect information regarding drivers’ locations and preferences — in essence, their daily lives.
Regulators worldwide, including the Dutch government, the European Commission and the European Data Protection Board (EDPB), are beginning to recognize the importance of privacy protection as a fundamental prerequisite for the responsible collection and exchange of in-vehicle data. Such institutions are actively engaging with relevant stakeholders to develop and enhance privacy frameworks in response to the increasing in-vehicle usage of personal data for entertainment, performance and safety.
In this day and age, the next major cyber threat may not be your computer or credit card; it may very well be the vehicle that gets you from point A to B. Legislation concerning automotive cybersecurity and data privacy is evolving to become more tailored and more stringent. While nations have borders, OEMs must soon develop similarly protective, privacy-conscious and cyber-secure solutions. Once in place, such parameters will serve not only the individual markets but also the millions of connected cars operating across them.
By Elvi Correos, Senior Journalist, Telecom Review