Update September 7, 2023: BMW responds with a statement
BMW has responded to the allegations from the Mozilla study about “non-data protection” in modern cars with a statement. In it, BMW emphasizes that it would process personal data in accordance with the statutory provisions. Customers can read detailed information in the data protection notices on the Internet.
Customers can granularly adjust the privacy settings at any time in the data protection menu directly in the vehicle, in the MyBMW app or in their BMW profile on the Internet, as the car manufacturer emphasizes.
But the problem is that in the current generation of vehicles, the customer has to sign a Connecteddrive contract and agree to BMW’s data protection requirements in order to be able to use networked functions at all. Customers must also explicitly activate sensitive processing of data such as geopositions and voice recognition. According to BMW, some safety functions such as the drowsiness assistant only process data (eg infrared image data) locally in the vehicle and do not transmit it to the BMW Group.
The last paragraph of the BMW statement is curious: “The BMW Group expressly contradicts circulating statements in media reports about the study by the Mozilla Foundation (Sept. 2023) on the processing of data on race, sexuality and state of health. Such data is neither processed nor stored by the BMW Group.” But Mozilla had never claimed that in relation to BMW!
Update end, beginning of the original message: car manufacturers collect sensitive customer data – even about sexual preferences
In the latest edition of its “Privacy Not Included” study, the Mozilla Foundation examined the privacy policies and practices of 25 automakers and comes to a staggering conclusion. Through its research, the organization found that brands like VW, Ford, Toyota, BMW, Tesla, Kia, and Subaru completely disrespected the privacy of their customers. They collect sensitive personal information such as immigration status, race, weight and genetic information. Details of the sexual activities as well as the places visited are also analyzed by some companies.
Black box for the car is mandatory – these are the consequences for drivers
Personal information is collected and sold
According to the Mozilla Foundation, the car manufacturers access this data via sensors, microphones and cameras installed in the vehicles, as well as via devices that connect users to their cars. More information can be found on car apps, dealer and company websites. From this collected data, vehicle manufacturers can draw conclusions about the skills, characteristics, preferences and intelligence of their customers. They may also give or sell the personal information to third parties.
Datenkrake Auto serves as evidence against the driver
All 25 companies fail the test
In an equally startling first for Mozilla’s “Privacy Not Included” study, none of the companies met the minimum security standards of the study. For example, it remains unclear whether the collected data is at least encrypted by the brands.
“All new cars today are privacy nightmares on wheels, collecting massive amounts of personal data.”
Jen Caltrider, Mozilla
Nissan and VW are the worst performers
Mozilla highlights the Japanese car manufacturer Nissan and the German brand Volkswagen as particularly dangerous data octopuses. Nissan even acknowledges in its privacy policy that it collects driver health and sexual activity information, while VW collects driving behavior and demographics for marketing purposes. Renault emerged as the least problematic brand from the test. BMW also rated Mozilla as comparatively less bad: “Well, they’re not the worst car brand we’ve reviewed. Unfortunately, that bar is really low, so while they’re not the worst, we wouldn’t exactly say they’re great at privacy either.”
Data octopus with financial interest
According to Mozilla, there is a financial interest behind the data collection frenzy. According to analysts, auto data monetization could be a $750 billion industry over the next seven years. “Getting into a car today is like handing your phone to the car manufacturer.” explains Misha Rykov from Mozilla.
This is how the Mozilla Foundation works
For the latest “Privacy Not Included” study, the Mozilla Foundation examined the privacy and security policies of car brands in five countries: Germany, Japan, the US, South Korea and France. The researchers spent a total of 600 hours reading data protection guidelines, downloading apps and corresponding with the car manufacturers.