Cars Have Terrible Data Privacy

A new Mozilla Foundation report concludes that cars, all of them, have terrible data privacy.

All 25 car brands we researched earned our *Privacy Not Included warning label—making cars the official worst category of products for privacy that we have ever reviewed.

There’s a lot of details in the report. They’re all bad.

BoingBoing post.

Posted on September 12, 2023 at 7:20 AM22 Comments


Anonymous September 12, 2023 8:15 AM

Whataboutism reveals most about your thinly veiled agenda, PaulBart.

This isn’t a security issue about applying security updates or password integrity to the computers of car manufacturers and the entities they sell data to. Heck – this isn’t about Data Brokers. This is a privacy issue about cars and the fact that car manufacturers are collecting extremely intimate data about drivers and passengers at all.

OldBruceFanCrMn September 12, 2023 9:03 AM

Years ago I got an offer from my car insurance company for something like a 10% discount if they could attach a device to my car that monitored my driving. I thought “NO THANKS” and never signed up.

It looks like we will not have a choice anymore. This might even drive me to do a web search, something like “how to disconnect a [car brand/model]”. Of course who knows how usable the car would be once it was disconnected…

K.S. September 12, 2023 9:21 AM

Such wanton violation of privacy should be illegal. More so, smartphone manufacturers should step in and make such abuse harder to pull off.

At the same time, I have hard time understanding the attack vector. How is it possible that simply Bluetooth pairing allows extraction of all that data? Or did users install some app and gave it all permissions?

Winter September 12, 2023 9:28 AM

Note that the GDPR seems to work here. The only exceptions in Mozilla’s report were two models that were only sold in Europe.

Good laws protect people.

Steve September 12, 2023 9:35 AM


Such wanton violation of privacy should be illegal. More so, smartphone manufacturers should step in and make such abuse harder to pull off.

I enjoy a deft bit of irony. Nice one.

TimH September 12, 2023 9:59 AM

“Cars Have Terrible Data Privacy”.

That sounds like passive lack of protection. The cars are actually proactive surveillance systems, which is much worse.

Clive Robinson September 12, 2023 10:39 AM

@ OldBruceFanCrMn, Bruce, ALL,

Re : Need for connection.

“Of course who knows how usable the car would be once it was disconnected…”

Or how dangerous…

The issues with AI in Uber and Tesla vehicles whilst small in the greater numbers of things, is actually quite significant.

If AI gains knowledge not individually but collectively through a centralized system. Then disconnecting could result in the AI equivalent of a “feral child” / “Adolescent gone wild”…

Personally I don’t think it will be like that, more likely it wilk be used to apply various political preasures that will give rise to “legaslitive changes” favourable to a few. Such that having an AI car even in part must legally be connected for “Health&Safety” reasons and not doing so would be a criminal offence… Thus enabling further “Privacy Invasion for Profit” and “Authoritarian Surveillance” on a dog whistle “think of the children” rhetoric.

AB September 12, 2023 11:45 AM

Wouldn’t simply not pairing your phone to your car prevent the car from sending out all that data? At least if you have a low end model car. I never connected my phone for that exact reason.

Schnudson Bohzo September 12, 2023 11:55 AM

A friend of mine told me that, for privacy reasons, the black boxes or Event Data Recorders (EDRs) in vehicles in USA are useless if there is no ignition key or key fob to turn on the engine. I kinda find it hard to believe this so can anyone please enlighten me. Thanks for any input.

THorton September 12, 2023 12:05 PM

PaulBart, what would it even mean for Experian and Equifax to be “secure” in terms of data privacy? In my view, they’d have to get permission for the data they’re collecting and sharing, which is probably equivalent to saying they’d cease to exist. Why would anyone consent to that unless forced? (I’ve asked before and am still curious as to how this works in Europe.)

Cars, of course, should also get explicit permission for any data being collected or stored. Contrary to credit agencies, history shows that cars can be viable businesses without all that stuff. And phones, of course, though it’s not obvious how their operating systems and “free” apps would be funded if they couldn’t sell out their users.

There’s some irony that this is coming from Mozilla. There are entire browser forks just to stop data from being sent to them (start a fresh Firefox installation, and you’ll see network traffic before you have any opportunity to consent or refuse—unless you know to pass --ProfileManager and choose “work offline”). And, still, one has to be careful to avoid data being stored. Browsers have always stored history without user consent, and it’s long made people nervous without providing them any real benefit. At least, I’ve never heard of anyone making good use of that history, though I’ve heard many references to people being paranoid about it—the media’s full of stuff like “if I die, clear my browser history before my family sees it”. Cookies are similar, but do provide benefits in some cases. They could be improved by requiring consent before going onto disk, but it’s tricky to do given the number of bullshit cookies sites try to set.

#Papa'll hecc u up# September 12, 2023 12:18 PM

if one is that concerned about cookie crumbs and other debris on their computer’s local and writable HDD/SSD storage tying them up to their Internet activities, there are Live OS disks for that. I’m not sayin’ – just sayin’…

THorton September 12, 2023 1:10 PM

“Papa’ll”, I know about live discs such as TAILS, and sometimes run them in virtual machines. “Ordinary” people don’t, though, and are stuck with a general feeling of unease and helplessness. Maybe they’re not “that” concerned, but they’re concerned enough to make it into a popular meme. And concerned enough that Mozilla can get funding to audit cars, if not their own products.

Unfortunately, those live systems tend to be inconvenient. If I want to save something I’ve downloaded, I’ve got to screw around with virtual USB disks and such. I don’t get to have nice features like bookmarks (well, Firefox actually writes those to disk before the “save” button is pressed, and CTRL+D is too easy to accidentally press; so there are still concerns about consent, but they’d be easily fixed).

What I normally do is run browsers, mostly Tor Browser, under strict BubbleWrap (“bwrap”) profiles with a lot of tmpfs mounts. It’s a real pain in the ass to set up, and a bit fragile, but generally works well. I do get to expose a “web download” directory that’s on a real filesystem, while my private files are hidden and the “browser profile directory” and most of its databases are on a throw-away filesystem (hint: if the SQLite bookmark database is missing, Firefox will auto-import a “bookmarks.html” file from the profile directory; Chrome can read them from a JSON policy file; the SQLite libraries in each will follow a symlink to a “real” filesystem for those databases you actually want to store).

To come back to my earlier point, privacy should always be the default, not something that only the most technical people can achieve through hacking. There should never be hidden tracking like command histories, most-recently-used file lists, GPS logs, credit bureau submissions, “OnStar” (search online for which fuse to pull), etc.; of course, such things would be fine with explicit and truly voluntary consent and the ability to easily revoke such consent.

Mr. Peed Off September 12, 2023 1:41 PM

Think of your children…remind them that “making out” in the car might get uploaded. Maybe you was wondering why your inbox was full of condom ads, better put some in the glovebox! Remind your legislators that their cars are reporting all of their activities may spur some relief.

Aaron September 12, 2023 2:17 PM

And you thought your RFID blocking wallet or purse was enough…

Guess it’s time for RFID blocking vehicle wraps too!

lurker September 12, 2023 2:28 PM

But, but, a car doesn’t need all that info just to perform its function as a car. The Model A Ford didn’t, not even the Third Reich’s Volkswagen. Add fuel injection control, antiskid brake control, tyre pressure monitors, &c (and yes most of that can be done without electronics), it still doesn’t need to know who is sitting in the drivrr seat. Drive it to another country, border control was satisfied with whatever was on the Green Card.

A battery electric vehicle might have some excuse for computational complexity, but still doesn’t need to identify the occupants of the vehicle, or their peccadillos.

At present it is difficult (impossible?) to buy a car without all this flummery. Be afraid that it may become illegal to do so.

Escobar September 13, 2023 7:10 PM

This is why nowadays drug smugglers major concern when renting cars is to get ride of any tracking meth0lodgies, GPS, GSM, GPRS, LTE, Toll RFID. Sometimes they forget after renting they still need to spoof the license plate :P. And even if you think you got your opsec covered while running loose from gov mafia they stash a trace of radioactive material on your tires and follow you o the streets 😛 (passing the mic/reference to Clive :P)

WhenILastBoughtACar September 13, 2023 7:11 PM

When I last bought a car, granted some years ago, I asked the dealer if it had anything like OnStar. They said no. I thought “Good!” Then I asked if it had a built-in cellular connection for all their services, emergency & otherwise. And they said no, it had to pair via bluetooth with my cell phone. And I bought that car. And they offered to help me hookup my cell phone. And I said “No Thanks”.

As far as I can tell, it can’t phone home. Of course, I could be wrong…

P Coffman September 14, 2023 10:35 AM

Shocker of shockers, right? I presently use only public transit. Also, I know how to operate a motorcycle. Although, it is pretty embarrassing to drop a motorcycle.

Still, there is the Catholic upbringing side of me to where Mozilla’s story (w/petition) has me feeling very judgmental towards the car companies. Like, 😮 we need to stop this INSTANTLY. All right, I obviously have some catching up to do, here.

K18 September 14, 2023 2:14 PM

The thing where you can hear everything said inside someone’s car clear as day from outside the car, how does that happen?

Julia Reed September 18, 2023 5:33 PM

I’m not surprised that Tesla is the worst-ranked brand and is highlighted as “untrustworthy” not only in the privacy category but also in the safety category.

zac September 19, 2023 4:31 PM

@Schnudson Bohzo
A friend of mine told me that, for privacy reasons, the black boxes or Event Data Recorders (EDRs) in vehicles in USA are useless if there is no ignition key or key fob to turn on the engine.

The car could get destroyed in an accident to a point where “turning on” the engine is out of question anyway. In a situation like that the fob could get useless as well.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.