Last week, a federal judge refused to have the courts reexamine a gaggle of class action lawsuits claiming automotive manufacturers had violated Washington State’s privacy laws after allegations that on-board infotainment systems were recording customers’ private text messages and mobile phone call logs. Despite substantial evidence that the above claims are not only true but also just the tip of the iceberg as manufacturers have normalized some of the most egregious data harvesting we’ve seen, the Seattle-based judge said the allegations were not severe enough to be considered a violation of the Washington Privacy Act (WPA).
The plaintiffs represent a series of class actions suits asserting that vehicles sold by Ford, Honda, General Motors, Toyota, and Volkswagen have “recorded and intercepted [owners’] private text messages and call logs.”
Despite years of the industry downplaying data harvesting as simple telematics analysis that can be used to help troubleshoot designs and establish better maintenance routines, it has been revealed that modern automobiles likely have the worst user privacy practices imaginable. In many cases they’re even worse than smartphones, because the first thing the car does is yank as much data off your mobile device as it can once they’ve been paired together.
While the Mozilla Foundation study from earlier this year helped make that clear to a wider audience, savvy consumers were already coming to the realization that automotive connectivity had allowed companies to track everything from the vehicle’s current position, HVAC settings, speed, and what was playing over the speakers, to just about everything that’s been stored on a person’s phone. Automotive-focused apps have only worsened the issue, as they frequently utilize the kind of implicit user agreements nobody reads but ultimately results in a forfeiture of privacy.
Much of that data is useful to the manufacturer for marketing and development purposes. But we’ve also seen data being sold off to third parties while the technology continues getting more invasive and drivers rarely have any say in the matter. Unfortunately, when you tell someone about this there’s still a chance they’ll furrow their brow and call you paranoid.
“Cars seem to have really flown under the privacy radar and I’m really hoping that we can help remedy that because they are truly awful,” said Jen Caltrider, who conducted research for the Mozilla Foundation study. “Cars have microphones and people have all kinds of sensitive conversations in them. Cars have cameras that face inward and outward.”
The relevant lawsuits don’t dig that deeply, however. They were focused primarily on the phone data vehicles will relay back to the manufacturer. According to The Record, the case against Ford had been dismissed on appeal previously. The plaintiffs in the four other cases had appealed a prior judge’s dismissal. But the appellate judge ruled that the Washington Privacy Act requires plaintiffs to prove that “his or her business, his or her person, or his or her reputation” has been threatened.
It’s not clear what it’s going to take to move the needle on the privacy issue. Despite numerous states implementing laws designed to keep tech companies from spying on users, there hasn’t been much formal regulatory pushback. Meanwhile, automakers and companies selling “smart devices” are having customers pay real money for physical products that are effectively spying on them. Car companies have likewise integrated things like Amazon’s Alexa into newer vehicles, even though there have been sustained concerns that the service is highly questionable in regard to maintaining user privacy.
Automakers have spent the last several years building massive data hubs to store and analyze the staggering amount of information being gathered by today’s vehicles. But they’re not the only interested parties, everyone from your insurance agency to your satellite radio provider is trying to finagle at least some information out of cars. And data brokers will happily make deals with any other entity that’s offering them money.
From The Record:
In an example of the issues at stake, plaintiffs in one of the five cases filed suit against Honda in 2021, arguing that beginning in at least 2014 infotainment systems in the company’s vehicles began downloading and storing a copy of all text messages on smartphones when they were connected to the system.
An Annapolis, Maryland-based company, Berla Corporation, provides the technology to some car manufacturers but does not offer it to the general public, the lawsuit said. Once messages are downloaded, Berla’s software makes it impossible for vehicle owners to access their communications and call logs but does provide law enforcement with access, the lawsuit said.
Many car manufacturers are selling car owners’ data to advertisers as a revenue boosting tactic, according to earlier reporting by Recorded Future News. Automakers are exponentially increasing the number of sensors they place in their cars every year with little regulation of the practice.
U.S. lawmakers may be threatening to take action against the collection, transfer, and sale of user data. But little has been done to directly combat the issue. Legislators seem to have little understanding of the matter, with the brunt of their information coming from industry lobbyists, and the courts don’t seem much better.
But we’re also butting up against U.S. regulations that could be broadly interpreted to mandate things like in-cabin camera systems and permanent driver monitoring by 2026. The European Union has implemented even stricter protocols within the same timeframe, despite also having conflicting privacy laws in place.
There is some reason to be hopeful, however. Despite the Washington cases being dismissed, they were civil suits and that usually comes with the assumption that the plaintiff has to incur damages for things to move forward. While your author would argue unwittingly paying tens of thousands of dollars for a device that spies on you absolutely qualifies, the judge may simply believe that the matter isn’t quantifiable. A non-civil suit, where plaintiffs reached out to the Attorney General to address broader consumer protections and the possibility of illegal business practices may have better luck.
The public is also growing more aware of the issue. When automakers began harvesting user data in the early 2010s, the people were more focused on evidence that the National Security Agency has been illegally spying on American citizens and how social media companies were becoming too big for their britches. Claims that automobiles were harvesting scads of user data were frequently laughed off and ultimately fell by the wayside.
That’s not the case today. While full awareness of the problem remains lower than it probably should, more motorists are becoming hip to the situation and we’ve started seeing the issue being taken on by consumer advocacy groups. The right-to-repair movement has also called into question data ownership rights and is fighting for legislation that at least provides drivers with the ability to control some of their data.
The road ahead still looks long and rough for those who value privacy. However, headway is slowly being made and laying the groundwork for real change. Just don’t expect the relevant companies to lay back and submit, as vehicle data harvesting is assumed to be an industry worth hundreds of billions of dollars annually.
[Image: General Motors]
Become a TTAC insider. Get the latest news, features, TTAC takes, and everything else that gets to the truth about cars first by subscribing to our newsletter.