By Dennis B. Desmond
Australia’s spy agency issued a stark warning to politicians and public servants last week: do not discuss sensitive or classified information in vehicles.
Speaking at senate estimates, ASIO Deputy Director-General Lisa Alonso Love said the warning concerned “any vehicle, whether it’s connected or not”.
But she added that “connected vehicles” may come with additional risks for data collection. Her advice was that classified conversations should occur only in properly secured locations, not while travelling.
The warning came after seven models of Chinese electric vehicles were added to the list of taxpayer-funded cars available to federal politicians, representing 30 percent of the vehicles now available under the parliamentarian vehicle scheme.
But this is not just a problem with electric cars, nor cars manufactured in China. Connected vehicles of any kind come with several privacy and national security risks.
What are ‘connected cars’?
According to the Australian Signals Directorate, any vehicle that is connected to the internet, either through an embedded SIM card or a paired smartphone, can be considered a connected vehicle.
Almost all major cars sold in Australia with “connected services” collect and transmit driver and passenger data to the vehicle manufacturer.
A study by consulting firm McKinsey found 50 percent of cars on the road in 2021 had internet connections and predicted the number will rise to 95 percent by 2030.
Data is collected and stored both on the vehicle and offshore. For example, Great Wall Motor’s policy states its data is transmitted to Singapore but is available for analysis in China.
What data do these cars collect?
Connected vehicles are packed with sensors: in the seats, the dashboard, the engine, the steering wheel. Many also have additional driver-facing cameras plus external cameras. Vehicles can generate 1 to 2 terabytes of raw data per car each day.
Manufacturers collect sensor data to measure vehicle performance. However, collected data also includes precise geolocation data, infotainment use, whether you buckle your seatbelt, drive too fast or brake too hard, and whether you are sleepy or drank too much.
Some of the data collected, such as real-time location and when the driver and passengers are inside or outside the vehicle, can be used to infer weight, age, race and facial expressions.
Vehicles also have access to data from Bluetooth connections to our cellphones. This includes contacts, mapping data, calendar information, habits and hobbies and a myriad of other data sets. Data shared through cellphones can provide even more personal data such as your financial and relationship status.
And it isn’t just driver data. The privacy of passengers is also of concern. Sales agreements state the driver is responsible for advising passengers that anything they say or do can be collected by the on-platform sensors. It is up to the driver to warn passengers.
According to a 2023 report by software company Mozilla, vehicles are the most egregious for collecting personal information and violating privacy norms.
Of the 25 vehicles Mozilla reviewed, none passed their privacy review.
According to vehicle privacy disclosures reviewed by Mozilla, manufacturers use data for product evaluation and improvement. However, it is also made available for sale to affiliates and data aggregators where it is repackaged and sold.
In 2023, Reuters revealed Tesla employees privately shared highly invasive videos and images that had been collected from customers’ cars. The recordings reportedly included people in the nude and others involved in crashes.
What can you do to protect yourself?
Generally, consumers can choose to opt out of some of the data collection. However, if they refuse the collection, they may not receive the vehicle’s full functionality.
The following steps can help you stay secure:
- Review the manufacturer’s privacy and sharing agreements when you purchase a vehicle and know your rights.
- Go to vehicleprivacyreport.com and enter your vehicle identification number to check what data is collected.
- Do not allow the manufacturer’s SIM card to be installed or activated in data-enabled cars.
If the vehicle has a downloadable application, you may be able to turn off some of the collection features associated with that vehicle.
Alternatively, many vehicles provide a description of the data collection and the ability to opt out through their infotainment centre dashboard.
If you sell or loan your vehicle, make sure you do a full factory reset to eliminate any collected data. Advise the new owner to ensure the vehicle has been reset.
Dennis B. Desmond is a Lecturer in Cyberintelligence and Cybercrime Investigations at the University of the Sunshine Coast. This article was first published by The Conversation.








