Carmakers promise they'll protect driver privacy -- really

The two largest auto trade groups, representing 19 of the biggest car and truck makers, have signed onto a set of principles to protect data privacy in an increasingly digital, connected age.

The world's 19 biggest automakers have agreed to principles they say will protect driver privacy in an electronic age where in-vehicle computers collect everything from location and speed to what smartphone you use.

A 19-page letter committing to the principles was submitted to the Federal Trade Commission from the industry's two largest trade associations: the Alliance of Automobile Manufacturers (AAM) and the Association of Global Automakers (AGA).

The AAM represents Detroit's Big Three automakers -- Ford, GM and Chrysler -- along with Toyota, Volkswagen AG and others. The AGA also represents Toyota, along with Honda Motor Co., Nissan Motor Co. and Hyundai Motor Co., among others.

The trade groups promised that without a court order, private information will not be sold to insurance companies or used to bombard drivers with business ads without their permission.

The principles also commit automakers to "implement reasonable measures" to protect personal information from unauthorized access.

Among the promises agreed to by the automakers:

  • Our members will not disclose the customer's geolocation data to the government unless the government produces a warrant or a court order.
  • Our members will not market to their customers using identifiable personal data collected by the vehicle unless the customer explicitly agrees.
  • Members will give customers clear and meaningful notices about the collection, use and sharing of any personal information generated by their vehicle.
  • Members will maintain data security and implement safeguards, consistent with industry best practices, to control risks to data such as loss, unauthorized access, and improper disclosure.
  • Our members will not share sensitive personal data collected by the vehicle with data brokers and other third parties unless the customer explicitly agrees.
  • Our members will each have a dedicated web portal that will contain their privacy information.

Newer vehicles have head units (infotainment systems) with embedded GPS and mobile communications technology, such as cellular and radio frequency or -- in some of the newest cars and trucks -- embedded Wi-Fi routers.

Sen. Edward Markey (D-Mass.), a member of the House Commerce, Science and Transportation Committee, said the voluntary privacy pledge is an important first step but falls short in two key areas: choice and transparency.

"It is unclear how auto companies will make their data collection practices transparent beyond including the information in vehicle owner manuals, and the principles do not provide consumers with a choice whether sensitive information is collected in the first place," Markey said in a statement today.

Markey said automakers must make security and privacy as standard as seatbelts and stereos for drivers and their vehicles.

In coming weeks, Markey plans to release the findings of an investigation into the privacy and security practices in the automotive industry. "I will call for clear rules -- not voluntary commitments -- to ensure the privacy and safety of American drivers is protected," Markey said.

Carmakers already remotely collect data from their vehicles, unbeknownst to most drivers, according to Nate Cardozo, an attorney with the Electronic Frontier Foundation. "Consumers don't know with whom that data is being shared," Cardozo said. "Take Ford Sync, for example. In its terms of service, it says it's collecting location data and call data if you use Sync to dictate emails."

Location data about drivers is continually sent to manufacturers, which allows navigation systems to update users on traffic and weather conditions and offer other services such as remote payment for parking.

Location data has the potential to be used to advertise via either the infotainment system or any mobile device connected to it, sending pop-up messages about retail offers.

Dominique Bonte, a director at ABI Research, believes drivers should have to opt in before car companies can share data with any outside parties. Bonte pointed to GM as an example of why an opt-out model isn't good enough.

In 2011, GM's OnStar in-vehicle communications service began collecting data on users without permission. The strategy was designed to improve the OnStar service, but GM also shared that data with third-party suppliers.

"They failed to observe the most essential rule in privacy. They were forced to stop using the data," Bonte said.

Earlier this year, GM issued an OnStar privacy statement clarifying how it could use data collected from its in-vehicle service. The vehicle-related information it collects involves diagnostic data, odometer readings, estimates of remaining oil life, tire pressure calculations and information about collisions. It also includes driving information, such as vehicle location, speed, safety belt usage "and other similar information about how the vehicle is used."

As vehicle-to-vehicle and vehicle-to-infrastructure communications become more sophisticated, information will pass between vehicles and to government organizations.

"Not having knowledge that a third party is collecting that data on us and with whom they are sharing that data is extremely troubling," Cardozo said.

The National Highway Traffic Safety Administration is also working with automakers on regulations to oversee vehicle data transfers.

"As modern cars not only share the road but will in the not-too-distant future communicate with one another, vigilance over the privacy of our customers and the security of vehicle systems is an imperative," John Bozzella, president of Global Automakers, an industry trade association, said in a statement.

The automakers' principles leave open the possibility of deals with advertisers who want to target motorists based on their location and other personal data, but only if customers agree ahead of time that they want to receive such information, industry officials said in a briefing with reporters.

"Google may want to become an automaker, but we don't want to become Google," Mitch Bainwol, president of the AAM, said in a statement.

The complete list of automakers who've signed onto the principles is: Aston Martin, BMW, Chrysler, Ferrari, Ford, General Motors, Honda, Hyundai, Kia, Maserati, Mazda, Mercedes-Benz, Mitsubishi, Nissan, Porsche, Subaru, Toyota, Volkswagen and Volvo.

Stories by Lucas Mearian
