As cars have transformed into technologically advanced machines, laden with a host of advanced features aimed at enhancing the driving experience, they have silently morphed into spying devices.
The findings of a recent report by the Mozilla Foundation serve as a stark alarm bell, revealing that all 25 surveyed car brands were accumulating excess personal data, leaving drivers with little control over their information.
According to the report, cars are the worst performing product category in terms of privacy protections.
Car manufacturers, covertly mining a wealth of intimate details - from driving habits and location data to more personal smartphone information - are essentially transforming vehicles into rolling data-collection machines.
The report highlights the need to shift our focus towards the automobile industry, which has so far escaped the scrutiny faced by technology giants, despite the significant threats to personal privacy it poses.
More than most other products, our cars can collect vast amounts of data about us; what we do, say, and think, as well as about our body. Manufacturers collect this information primarily from our interactions with our cars and their various applications.
Many vehicles are equipped with advanced electronics and sensors, enabling them to connect with other devices, networks, and technologies.
Some examples include telematics systems that collect and transmit data related to the vehicle's operation, and navigation and infotainment systems, some of which connect to our phones through Apple Car Play or Android Auto.
While these technologies offer enhanced safety, comfort, and efficiency, they generate extensive amounts of data about drivers and their behaviour.
Data range from relatively mundane facts such as our name, address, phone number, and age, to more sensitive details such as our religious affiliation, financial and medical information, employment history, and facial features.
Our cars can also track our location, driving schedule, phone calls, music and podcasts, and even physical gestures.
These data can be used to create individual profiles describing our interests, cultural preferences, religious affiliations, sexual orientation, and personality traits.
Most of the car manufacturers surveyed in the Mozilla report sell our data to various third-party entities.
These could be businesses such as car dealers, insurance companies, advertising firms, market research companies, and data brokers.
This information can be incredibly valuable for various reasons, including targeted marketing, product customisation, and tailored political campaigns.
For instance, a driver's frequent visits to gardening centres might prompt advertisements for gardening tools and plants; insurance companies might be interested in driving data to assess risk levels and personalise insurance premiums; political advertisers can target users with ads based on their political leanings or interests, inferred from their favourite podcasts.
Alarmingly, more than half of the car manufacturers say that they can share our information with government and law enforcement agencies in response to a request, which does not necessitate an official court order.
For instance, Hyundai states in its privacy policy that it will comply with any "lawful requests, whether formal or informal".
To make things even worse, only two of the 25 car companies give drivers the ability to delete their personal information. These companies, Renault and Dacia (owned by Renault Group) are based in Europe and bound by the General Data Protection Regulation privacy law. Tellingly, most of the better "privacy performers" are European manufacturers, such as Volkswagen, BMW, and Fiat.
For Australians, the implications are profound and immediate. Given our robust car market, many of us are unwittingly ensnared in this web of data-collection, our personal details, driving patterns, and other private information, splayed open for corporate consumption.
To illustrate, the best-selling car brand in Australia last year was Toyota, which has a questionable privacy track-record. Toyota says it can collect large amounts of personal data through its cars, the Toyota application, and related services. This includes basic details like name and address, and more intricate data such as geolocation, driving behaviour, and biometric information.
Toyota admits the possibility of sharing or selling personal information for targeted advertising. The vague language used in the company's privacy policy regarding the management and sharing of sensitive personal information highlights the lack of clear, committed boundaries in Toyota's privacy practices. This underscores the potential risks and vulnerabilities faced by consumers.
While technology giants, such as Google, Facebook, and Amazon, remain under intense public scrutiny for their data-handling practices, car manufacturers have managed to evade similar attention. This contrast exposes a gap in our collective consciousness and regulatory frameworks.
Despite the grave implications of this indiscriminate data collection - spanning from the invasion of personal privacy to potential misuse by governmental entities - the automotive industry continues its operations mostly unfettered.
The critical juncture we confront necessitates comprehensive regulatory action. Echoing the stringent standards of Europe's General Data Protection Regulation, Australia should embark on a decisive journey towards bolstering its data privacy laws. The automotive industry must be held to account, ensuring transparent, ethical, and consensual data handling practices.
Furthermore, the onus rests upon car manufacturers to cultivate a culture of transparency. A transparent approach to data-handling would not only elevate the industry's ethical standing but also empower consumers to make informed decisions and retain control over their personal information.
Uri Gal is a Professor of Business Information Systems at the University of Sydney Business School. This article was first published in The Canberra Times.