Why a car can't protect your privacy as well as a smartphone

Rob Pegoraro
Contributing Editor

A mobile device with which you spend more time than you want to admit can gather an impressive amount of data about your daily habits. And because it’s your car, not your phone, it can also critique your driving with mathematical precision.

The auto industry is speeding down a road many others have taken. First, it’s computerizing everything, then it’s dealing with privacy implications raised by these advances.

Car manufacturers have an opportunity to learn from other industries — but so far, they’re not.

A new trade-in ritual

A panel at the Washington Auto Show last week discussed an early warning sign: how hard it can be to wipe your information from a car before you sell, trade or donate it.

Think of how a rental car’s Bluetooth-settings screen has become a public ledger of everybody who has driven it — except a car collects so much more data.

A 2017 flier from the Future of Privacy Forum and the National Automobile Dealers Association outlines the variety of information that a modern vehicle can gather, from your location history to your driving habits.

But then it shrugs off the difficulty of resetting all this information: “Consult your owner’s manual, and work with your dealer for details about resetting and removing your information from the system.”

The manual, however, may not shed much light. When you look up instructions on wiping your details from entertainment and navigation systems — see, for instance, the 2018 Chevy Volt, Ford (F) Focus, and Toyota Prius — it will probably leave you guessing about what other data points stay with the car.

In that panel, NADA Executive Vice President Andy Koblenz suggested carmakers provide a simpler solution: “a big reset button.”

Who owns your data?

If the information that a car collected never left it, you might not worry so much about not being able to erase it. But cars with cellular connectivity can transmit that information to manufacturers.

Honda found itself in hot water when one California driver objected to language in a lease for a Fit EV that granted the carmaker the right to track the electric vehicle’s location, after which the company declined to answer all of the Washington Post’s questions about its use of that data.

Honda publicist Chris Martin said Tuesday that the manual for that car specifies that the company only uses data for diagnosis and research and “will not permit others to access it unless such access is legally required.”

But the second page of the lease documentation — what a potential driver sees first — says the company may employ this data “for other legally permissible purposes.”

Almost all automakers have signed onto privacy principles that mandate customer transparency and choice and require firms to minimize their use and retention of personal information. So, if nothing else, the Federal Trade Commission can take action against a car manufacturer that breaks this commitment.

The consensus at that Washington Auto Show panel was that this sort of voluntary regulation would suffice.

The auto industry can learn from the phone industry. Will it?

Compare this to the location data that Google (GOOG, GOOGL) Maps scoops up. You may resent this collection — although the relative weakness of Apple (AAPL) Maps may not leave you much choice — but at least Google lets you inspect, edit and delete this information. You can even export your data.

Most carmakers haven’t given drivers the keys to their data. Roger Lanctot, director of connected automotive mobility with Strategy Analytics, pointed to BMW’s CarData as one positive example.

BMW’s CarData, developed with IBM (IBM), will let drivers access their car’s information and share subsets of it with mechanics and other third-party services. But U.S. drivers can’t use it yet, since it only launched in Europe last year, with plans for a gradual rollout elsewhere later on.

“I don’t know of any specifically who are proactively giving drivers control over data here,” said Catherine McCullough, executive director of the Intelligent Car Coalition. She added that stronger privacy laws in the European Union — for example, the General Data Protection Regulation that goes into effect in May — may continue leaving U.S. drivers behind.

Car makers also lag in documenting how they deal with government queries for this data. While “transparency reports” and itemizing corporate responses to those requests and demands have become standard practice at tech firms, auto manufacturers have yet to adopt this habit.

The best time to have started a serious discussion on connected-car privacy was probably five years ago, when Tesla (TSLA) CEO Elon Musk denounced a harsh New York Times review of the then-new Model S that he said was disproved by the vehicle’s own logs.

By and large, that discussion didn’t happen — even among obvious privacy activists. The Electronic Frontier Foundation regularly audits how well tech firms stand up to governments, but it has yet to turn its attention to the auto industry, EFF senior staff attorney Nate Cardozo admitted.

The next time for that conversation is now, while vehicle self-awareness remains in its early days. As NADA’s Koblenz said at that Washington Auto Show panel: “We should never have a situation where people are forced to choose between a safe car and a private car.”

More from Rob:

Email Rob at rob@robpegoraro.com; follow him on Twitter at @robpegoraro.