Your dream car is a privacy nightmare

 

By Emily Price

When it comes to privacy, the biggest threat might not be social media, smartwatches, or video doorbells. It just might be your car.

Mozilla recently took a look at 25 car brands and gave every single one a “Privacy not included” warning label—officially making automobiles the worst category of products the group has ever reviewed.

Mozilla evaluated each brand for its use of data, how you can control your data, its track record for protecting user data, and whether or not the product meets minimum security standards.

Overall, it found that all 25 of the car brands collect more personal data about you than they should, and every single brand also uses that data for a purpose other than making sure you have the best possible experience with their vehicle.

That’s actually a lot scarier, Mozilla notes, than if your computer or another device is doing it, simply because of the uniquely personal data that your car has access to. Not only does your car know where you’re going and when, but it also can collect data about what devices you use while you’re in your car, the weather around you, and even what music you’re listening to while you’re out on the open road. 

“Cars’ new bells and whistles mean the potential for more data-collecting sensors, cameras, and microphones,” says Misha Rykov, one of the researchers on the project. “But unlike with apps or smart home devices, most drivers aren’t even aware this data is being collected—let alone have the power to turn it off.”

Worse still, Mozilla notes that most car companies’ privacy policies are written in broad and vague language, including phrases like “such as” or “etc,” which leaves the door open for them to collect more data about you than they’re actually spelling out.

According to the report, the worst of the bunch was Tesla, which is only the second product in history to receive all of Mozilla’s privacy “dings.” The first was a creepy “AI Friend” chatbot earlier this year. In fact, AI is what ultimately put Tesla over the edge, specifically due to the number of crashes and deaths it has been responsible for thus far, as well as the fact that it’s currently the subject of multiple government investigations.

Other brands did not fare much better. Honda’s privacy policy, for instance, has a long list of personal information that the company collects, which it follows with “Personal information as described in Cal. Civ. Code § 1798.80(e).” If you’re not familiar with that code (and really, who is?), it reads as follows:

“Personal information” means any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. “Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

So, really, it could mean just about anything. Not great.

 

Surprisingly, that wasn’t even the worst thing out there. Nissan actually scored almost as bad as Tesla in rankings for the type of data it collects. Its policy spells out that it plans to collect and share information about your sexual activity, health diagnosis data, and genetic information. No, really. Your car is collecting info about your sex life.

Mozilla also notes that Nissan’s policy extends to passengers in your vehicle as well. So if you give a coworker a ride home, they’re ostensibly consenting to also have their info shared with Nissan, and its privacy policy says “you promise” to let those passengers know.

Reached for comment, a Nissan spokesperson said the company takes privacy and transparency seriously, and that it complies with all applicable laws. “Nissan’s Privacy Policy incorporates a broad definition of Personal Information and Sensitive Personal Information, as expressly listed in the growing patchwork of evolving state privacy laws, and is inclusive of types of data it may receive through incidental means,” the company said.

We’ve also reached out to Tesla and Honda.

If your car collecting so much data about you and your friends isn’t bad enough, Mozilla also points out that 84% of car manufacturers are sharing that data after they get it, with 56% of them saying they can share your information with government or law enforcement in response to a request. It’s worth noting that they’re not talking about court orders here, just polite requests from a government or law enforcement entity.

Of the 25 brands it looked at, only 2 allow customers to request that their personal data be deleted: Dacia and Renault. This is probably because those vehicles are only available in Europe, where the General Data Protection Regulation (GDPR), an EU regulation on information privacy, applies.

It’s all a mess, with no current way out for customers.

While for now you might be stuck with a car that’s collecting a little too much about you (or a lot), Mozilla is asking drivers to sign a petition calling on car companies to “respect drivers’ privacy and stop collecting and sharing and selling our very personal information.” If you’re interested, you can sign here.

This story was updated with Nissan’s response.

Fast Company
