September 18, 2023 | By Craig Zawada

What if I told you there was something you rely on almost every day which is collecting information about your habits, places you visit, videos of you, your voice, and even your sexual activities? Millions of these things exist, and the information collected is not just used by the manufacturer, but also sold to third parties. And there is virtually no oversight by privacy laws, especially here in Canada.

Your first guess would probably be your smartphone. That is a good one, and maybe accurate, although the sexual activity part could be a stretch. No, the thing I am talking about today is your car, especially if it has been manufactured in the last few years.

This is not just my opinion. A recent report by the Mozilla Foundation outlines the frightening collection and distribution of personal data by virtually every automobile manufacturer worldwide. These machines have literally become data harvesters on wheels, and can enable precise, alarming profiles of drivers, or anyone in the vehicles.

The Mozilla Foundation is a non-profit organization that leads the open-source Mozilla project. Its most famous product is the Firefox browser, something you may have used, but it has other products and funds other activities. One of its most important undertakings is product privacy reviews. It found that automobiles are one of the most egregious violators of personal privacy they have ever seen.

If you own a car built in the last five or ten years, you already have a sense of this. They are bristling with sensors and data collection components. Granted, most of these are directed to driving convenience and safety. Cameras point out the windshield for lane departure warnings, from the side to warn you that other vehicles might be in your blind spot, and from the rear so you can reverse without running into someone or something.

Inside the cabin there are microphones which let you command the car and its features by voice, allowing you to operate phones, media systems and other items by talking instead of fiddling with knobs. There are GPS components which help navigation, but also pinpoint your vehicle’s location within a few metres. Other sensors collect and store information on how fast you drive, braking, lights – virtually everything the vehicle does.

There are valid reasons for these sensors. The radar which many cars now transmit can detect and avoid collisions, for example. The problem is that input devices can collect other information which is not directly, or even indirectly, related to vehicle safety. They are also not necessarily just active while you are driving. That microphone which is waiting for your hands-free commands might be live all the time, picking up every conversation in or near the car, and storing it who knows where.

That was just one of the chilling findings by Mozilla. Car manufacturers are extraordinarily opaque in disclosing what they collect and what they do with it. Voice command microphones are handy so you can dial a phone without taking your eyes off the road, but they are microphones: they could be always listening. What might you say in your vehicle that you would not want others to hear?

That brings in the title of this article, which you may have thought was unduly sensationalistic to get you to read. OK, consider that Nissan’s Privacy Policy says they may collect information about “sexual activity”. Kia’s refers to your “sex life”. This suggests a possibility that the microphones, cameras and other sensors are always on and recording things like… well, I will leave that to your imagination.

Some might call this paranoia, and maybe the manufacturers are just including this in their privacy policies to be safe, in case microphones or cameras happen to pick up intimate information. Mozilla wondered that too, and specifically asked the manufacturers to provide details on what they gathered and what they did with it. Out of the 25 brands they contacted, only Mercedes-Benz, Honda and Ford responded, and even those did not fully answer their questions. This lack of transparency is concerning.

It is also worrisome because 84% of the companies say they can share your data, and 76% can sell it to third parties. The sharing extends to law enforcement. Hyundai, for example, states that it will share information by a formal or informal request from authorities. In other words, no warrant is needed to obtain personal data.

Then there is the ongoing problem of protecting the data which the companies are amassing. Mozilla says that in just the last 3 years, 68% of the car brands earned demerits for leaks, hacks and breaches of their data stores. In April, 2023, Reuters reported that Tesla employees had, for years, shared among themselves highly invasive videos and images recorded by customers’ car cameras.

Wait, you say, I did not consent to this collection of data. Is that not a hallmark of modern privacy legislation, that information cannot be collected or used without my consent? The perspective of the manufacturers is that you have consented in some way, perhaps by reading the owner’s manual, or just operating the vehicle. Even worse, Subaru’s policy results in passengers consenting to data collection simply by being a passenger. Yes, you can read that last sentence again. In the words of Mozilla, “Subaru’s privacy policy says that even passengers of a car that uses connected services have “consented” to allow them to use — and maybe even sell — their personal information just by being inside.”

Even if you realize you have somehow given consent, there is not much you can do about it, other than resolve to ride a bicycle for the rest of your life. If you revoke your consent and opt out of data collection, it could break your car. Here is some wording from Tesla’s Privacy Statement:  “If you opt‐out from collection of such Vehicle data, please note that we will not notify you of issues applicable to your Vehicle in real‐time and this may result in your Vehicle suffering from reduced functionality, serious damage or inoperability.” (emphasis added)

These policies border on the ridiculous if they were not so disturbing, considering the importance of automobiles to everyday life. Despite alternatives like public transit (in areas which offer it), a car is essential for most Canadians’ work and personal needs.

What does Canadian law say about all this? Keep in mind that our primary law, the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) is old legislation, slated to be replaced by a new privacy statute shortly. It is much less protective than newer rules like Europe’s General Data Protection Regulation. But even under our feeble legislation, it is hard to see how a manufacturer could legitimately claim that clear, informed consent had been granted to the sweeping data collection activities which car makers are potentially using. To be clear, we do not know for sure that Kia, or anyone else, is recording our backseat shenanigans. That is part of the point. We do not know, and disclosure by manufacturers is sorely wanting.

All these findings point to corporate activities which have far outpaced legislation. It promises to become worse as the prevalence of artificial intelligence data collection and processing multiplies. Although newer privacy statutes, like the EU’s, have more robust protections, they are still seemingly being ignored by manufacturers. If there is enough consumer pressure, the auto industry might roll back its activities. But there is also a definite possibility that the backlash will extend to governments, and extra regulations will need to be imposed to restore some semblance of privacy to users.

Consumers may welcome more regulation in light of these disclosures, but how it will shake out is speculation at the moment. We can confidently say it will require a great deal of personal oversight, and perhaps lobbying, by consumers in the meantime. The Procido LLP Intellectual Property & Technology (IPT) Group will continue to follow this and provide updates as needed. For now, if you have questions or concerns about this level of privacy intrusion, by automobiles or otherwise, don’t hesitate to contact our IPT Group.

Disclaimer

This publication is provided as an information service and may include items reported from other sources. We do not warrant its accuracy. This information is not meant as legal opinion or advice. Contact Procido LLP (www.procido.com) if you require legal advice on the topic discussed in this article.