Automakers' Data Privacy Practices 'Are Unacceptable,' Says US Senator

An anonymous reader quotes a report from Ars Technica: US Senator Edward Markey (D-Mass.) is one of the more technologically engaged of our elected lawmakers. And like many technologically engaged Ars Technica readers, he does not like what he sees in terms of automakers' approach to data privacy. On Friday, Sen. Markey wrote to 14 car companies with a variety of questions about data privacy policies, urging them to do better. As Ars reported in September, the Mozilla Foundation published a scathing report on the subject of data privacy and automakers. The problems were widespread -- most automakers collect too much personal data and are too eager to sell or share it with third parties, the foundation found.

Markey noted (PDF) the Mozilla Foundation report in his letters, which were sent to BMW, Ford, General Motors, Honda, Hyundai, Kia, Mazda, Mercedes-Benz, Nissan, Stellantis, Subaru, Tesla, Toyota, and Volkswagen. The senator is concerned about the large amounts of data that modern cars can collect, including the troubling potential to use biometric data (like the rate a driver blinks and breathes, as well as their pulse) to infer mood or mental health. Sen. Markey is also worried about automakers' use of Bluetooth, which he said has expanded "their surveillance to include information that has nothing to do with a vehicle's operation, such as data from smartphones that are wirelessly connected to the vehicle." "These practices are unacceptable," Markey wrote. "Although certain data collection and sharing practices may have real benefits, consumers should not be subject to a massive data collection apparatus, with any disclosures hidden in pages-long privacy policies filled with legalese. Cars should not -- and cannot -- become yet another venue where privacy takes a backseat."

The 14 automakers have until December 21 to answer Markey's questions.

Campaign contributions

[Harry_Bawls]

Bribery just sounds so passé.

Re:

[whitroth]

You're an idiot. A complete and total idiot.

I assume you're all happy with car companies tracking you everywhere, and selling that data to marketing companies, or, for that matter, to anyone willing to pay.

And you're also happy with the fact that they almost *never* push out security updates, so I hope you're happy when some jerk just like you decides he's mad at you, and takes control of your car.

Automakers response

[schwit1]

If you don't like it don't buy our vehicles. The problem is they are all going this way and the bureaucrats want it along with a kill switch and speed limiter.

Can I get pfSense for my car? Would it help?

Re Automakers Real response

[Joe_Dragon]

Well to have good Data Privacy we need to be able to lock down the cars so that they can only be worked on at our dealers.

Re:Automakers response

[rogoshen1]

Luckily they'll patch the "old cars" loophole soon, because of """strictly environmental concerns"""
Besides, only terrorists, drug dealers, and pedophiles care about being tracked. So concerned citizen, which are you?

Re:

[antdude]

Build your own car with open source. /s

Re:

[Can'tNot]

If you don't like it don't buy our vehicles.

Is this an option? There are old cars, but if you want something new with new features then there just aren't that many possibilities.

I remember a story some years ago about a company which would do electric retrofits for old cars. That's the closest I've seen to an electric car which doesn't violate your privacy.

Presenting a bill

[NotEmmanuelGoldstein]

... where privacy takes a backseat.

"backseat" ... Cute.

If only there was some way of presenting a bill to government that demanded auto manufacturers be punished for ignoring rules contained therein, rules protecting the data about their customers and customers' passengers.

Where does this lawlessness end? When a child connects her phone (technically not hers) to a computerized car in the USA, do the COPPA laws apply?

... infer mood or mental health.

Polygraphs are about stripping the suspect of her rights and assigning blame (via an incorrect emotional response), and in

Level all playing fields

[evanh]

Not just the auto industry. It also needs fixed where it started - on the internet. The ad industry needs to ditch all behavioural tracking and revet back to guestimating and targeting events, products and activities that garner such behaviours rather than knowing each individual person.

Obviously laws are needed to make behavioural tracking of individuals a universal ban.

Re:

[belmolis]

The way the digital ad industry talks, you'd think that advertisers had a god-given right to target people.

If Congress were actually serious...

[bradley13]

Bad TikTok, not respecting user privacy. Ooh, the car makers. Ooh, the...

If Congress actually cared, all they have to do is pass a real privacy law. It's not even difficult: basically, they just need to copy the GDPR.

Of course, they don't care, beyond drumming up publicity and extorting campaign contributions.

Re:

[jeti]

Those cars are sold in Europe as well. The GDPR is useless if no one enforces it.

Re:

[Darinbob]

An American problem too. Laws are meaningless if they're routinely ignored. The US laws really only get enforced through understaffed agencies engaging in civil lawsuits going after big offenders in the hopes of sending a signal to the small offenders. Which means it isn't effective. Worse, congress wants the agencies to be even smaller. Congress was even opposed to adding more tax inspectors, which would have increased revenue, and instead were defending the tax cheats and spreading the message that a

Re:

[mjwx]

Bad TikTok, not respecting user privacy. Ooh, the car makers. Ooh, the...

If Congress actually cared, all they have to do is pass a real privacy law. It's not even difficult: basically, they just need to copy the GDPR.

Of course, they don't care, beyond drumming up publicity and extorting campaign contributions.

There are reasons so many organisations are lobbying to prevent GDPR type laws in the US and other places... They don't want them working like they do in Europe.

As someone with a working understanding of GDPR, it amuses me just how scared certain businesses are of GDPR. All you have to do is suggest they might be in violation and they'll hit the roof trying to get rid of you (seriously, easiest way to make sure you're off their mailing list for life). The GDPR is a bit fuzzy around this and minor violati

Pages of legalese

[Teun]

Oh, breathing, blinking eyes and hart beat?
I was already wondering why my Nissan would at weird times suggest a coffee break...
And indeed, I have not read all the pages of legalese.

It's the law, stupid

[Errol backfiring]

It is mandated by law that all cars are connected to the internet, because governments wanted a kill switch. You cannot have a kill switch and privacy at the same time.

... to infer mood or mental health

[misnohmer]

Hang on a second, isn't this the same administration that was recently suggesting that automakers automatically prevent people from driving if they are under influence of drugs or alcohol or using their cell phones while driving, you know to curb the deaths of people killed in related accidents? So let get that clear, prevent someone under influence from driving, but don't collect any data to infer their state of intoxication, so how exactly is that supposed to work? Ask a bunch of questions on the screen o

Just cars?

[CyberKender]

The US needs some pretty strong data privacy laws, across the board.