An ongoing US Senate investigation indicated that connected car makers violate consumer privacy by sharing and selling drivers\u2019 data, including their location, on a vast scale, and that the same car makers often obtain consumer consent through deception.<\/p>\n
Based on this investigation, senators have urged<\/a> the Federal Trade Commission (FTC) to investigate automakers\u2019 disclosure of millions of Americans\u2019 driving data to data brokers, and to share new-found details about the practice.<\/p>\n And they don\u2019t stop there:<\/p>\n \u201cIf the FTC determines that these companies violated the law, we urge you to hold the companies and their senior executives responsible.\u201d<\/p>\n<\/blockquote>\n At Malwarebytes, we reported<\/a> how a team of researchers at Mozilla who reviewed the privacy and data collection policies of various product categories for several years now, named \u201cPrivacy Not Included,\u201d found cars <\/a>to be the worst product category they ever reviewed for privacy<\/a>.<\/p>\n A modern car hasn\u2019t just been a transportation vehicle for a long time. With multiple digital systems, they are increasingly plugged into web applications and digital processes\u2014applications and processes that are vulnerable to security flaws<\/a>. <\/p>\n But at least those vulnerabilities are not intentional. Some other privacy issues are.<\/p>\n In November 2023, a judge ruled it\u2019s fine for car makers to intercept your text messages<\/a>, because the practice doesn\u2019t meet the threshold for an illegal privacy violation under state law. <\/p>\n The senators found some worrying aspects of modern car data collection practices, which included the use of dark patterns<\/a> to obtain consent in ways that did not qualify as \u201cinformed\u201d consent. Dark patterns, also known as deceptive design patterns, occur when a user interface has been carefully crafted to nudge or trick users into doing things they didn\u2019t set out to do.<\/p>\n Another problem lies in the fact that data was found to be sold on to data brokers<\/a>. These services can allow interested parties\u2014from law enforcement agencies to marketing firms and even scammers\u2014to access records that contain usernames, passwords (including in clear text), email addresses, IP addresses, and more.<\/p>\n Three car makers confirmed their disclosure of drivers\u2019 data to one data broker, such as acceleration and braking data. One of the car makers also confirmed that it disclosed customer location data to two other companies, which it refused to name.<\/p>\n The named data broker sold these reports to auto insurance companies and also provided automakers with some of this information, including a driving score and safe driving suggestions. According to the New York Times<\/a>, car manufacturers shared driving behavior data from more than eight million cars.<\/p>\n The senators also worry that some car makers may have gone as far as exclusively advertising \u201csafe driving\u201d programs as a way to lower their insurance bills, without revealing that some insurers might charge some drivers more based on their telematics data.<\/p>\n Some states\u2014including Louisiana and Montana\u2014limited the use of telematics data to raise insurance premiums, while California only permits telematics data sharing for mileage verification.<\/p>\n The senators requested that:<\/p>\n \u201cThe FTC should hold accountable the automakers, which shared their customers\u2019 data with data brokers without obtaining informed consent, as well as the data brokers, which resold data that had not been obtained in a lawful manner. Given the high number of consumers impacted, and the outrageous manipulation of consumers using dark patterns, the FTC should also hold senior company officials responsible for their flagrant abuse of their customers\u2019 privacy.\u201d<\/p>\n<\/blockquote>\n At Malwarebytes, we have expressed our concerns about the number of buyers and brokers for data. That\u2019s regardless of whether they are there to sell data to anyone that is willing to pay, or only offer it to those that rightfully own the data. It\u2019s also regardless of how the data were obtained, in a breach or by \u201cconsent.\u201d<\/p>\n As we all learned in economics, demand drives up the price and the higher the price the more attractive it becomes to go after the data. And, as the mother-of-all-breaches (MOAB)<\/a> incident clearly demonstrated, not everyone is as careful as they should be about accidentally exposing their data collection.<\/p>\n You can verify whether your information is available online due to data breaches by using the Malwarebytes Digital Footprint portal. Just enter your email address (try the one your car dealership has) to our free Digital Footprint scan, and we\u2019ll give you a report. For those whose information was not included, you\u2019ll still likely find other exposures in previous data breaches.<\/p>\n\n
\n
Check your exposure<\/h2>\n