It is so easy to vacuum up private data from vehicles that Andrea Amico taught his daughter how to extract text messages from her momâs car when she was only eight years old.
Blue-haired and an engineer by training, Amico has a hackerâs mentality, which has manifested in giving drivers a way to protect their data and beat the system at no cost.
Amico is the founder and CEO of Privacy4Cars, the outfit behind a free app that lets individuals erase the astonishing amount of personal data â including text messages, biometrics and geolocation â that many automakers collect, store and often share with law enforcement, insurers and even data brokers.
Privacy4Cars also allows consumers to pull a full report on exactly what data their own car is scooping up, using nothing but a vehicle identification number.
Amico worked on car data privacy for years on what he called a âpassion projectâ basis. After running a large car inspection business, he came to understand the scale of the problem â and the stakes â and founded Privacy4Cars in 2019.
Consumers can use the app to delete data retroactively, but there is no way to block its collection moving forward so those especially concerned about privacy have to regularly wipe the carâs data, which usually primarily resides in the infotainment system, Amico said.
The process for deletion is unique for most car models and types. Amico says the company has amassed step-by-step delete instructions for tens of thousands of vehicles, whose settings often differ by model, make, year manufactured and even how many extras customers pay for to enhance a given model.
The app typically works for four out of five cars. Wiping data can take as few as three commands, or as many as 50, Amico said. If a car owner has not downloaded a given carâs software updates, that can complicate matters.
Data linked to more than a million cars has been deleted using the app to date, Amico said.
With car data privacy in the spotlight recently, the demand is likely to rise.
Last month a Seattle-based federal judge declined to revive a class action lawsuit alleging four auto manufacturers had broken Washington state privacy laws by gathering and storing customersâ private text messages and mobile phone call logs.
The judge ruled the practice did not meet the threshold for an illegal privacy violation under state law, which requires plaintiffs prove that âhis or her business, his or her person, or his or her reputationâ has been threatened by the harvesting of private data.
Despite the ruling, car data privacy concerns are growing as more consumers become aware of their exposure, and even some industry figures concede more needs to be done to educate car owners about data practices.
Running the report
Privacy4Cars offers a website feature which allows users to search their vehicle identification number and quickly learn the data their car gathers, pulling and crystallizing information from the small print manufacturers typically disclose in complex, dense and lengthy terms and conditions and privacy disclosures.
A recent search of what Privacy4Cars calls its âVehicle Privacy Reportâ showed a variety of automakers disclosing they can or do pull, store and even sell a wide range of data, including:
- Personal identifiers, which can include data as granular as a driverâs signature; Social Security number; passport number; insurance policy number; employment history and medical information, among other things
- Biometrics, which can identify individuals, including through fingerprint mapping, facial recognition and retina scans
- Geolocation data
- Data collected and used to create profiles on drivers
- Consumer data collected from synced phones like text messages and call logs. Often manufacturers donât disclose whether they also gather data from drivers’ connected smart devices when third-party apps run on or sync with the infotainment system, the report said.
Many automakers also acknowledge they share data with law enforcement, insurers and data brokers.
While some cars searched on the Privacy4Cars website were silent on whether they collect data from synced phones, Sean McKeever, a senior security researcher at GRIMM, a cybersecurity company with an automotive division, said most cars do gather and store phone data.
âIf the vehicle offers phone connectivity, you can assume there is some level of data being stored on the vehicle,â McKeever said via email.
Amico estimated that about two-thirds of U.S. auto manufacturers declare they collect data from synced phones, at least for some models.
âThey’re also very quick to say that it’s none of their responsibility and essentially it’s the consumersâ fault if they leave this data behind,â he said in an interview.
To use the Privacy4Carsâ Vehicle Privacy Report search tool, drivers must have their vehicle identification number (VIN). A recent random check of the privacy reportâs portal, using VIN numbers linked to used vehicles on Carmax, showed that many cars collect all of the data listed above and more.
Vehicles collecting synced phone data, for example, included a 2018 Vokswagen Atlas, a 2023 Audi Q4, a 2019 Volvo XC90 and a 2020 Honda Civic. All of these vehicles also collect location data and some gather biometric data along with compiling personal identifiers and user profiles.
None of the automakers offered comment except for Volkswagen. A spokesperson said that “when a customer syncs their phone via Bluetooth, the car can access phone data as granted by the customer and all of this data is stored within the vehicle.”
They added that customers can delete this data at any time through a factory reset and noted that “while the car itself will access the data, the car does not transmit this data beyond the car.”
A privacy report for a 2020 Volkswagen Tiguan.
Many of the cars Recorded Future News searched in the Vehicle Privacy Report also allowed data to be collected from Android Auto, Apple Carplay and Amazon Alexa.
Amico said that if your car uses Android Auto, for example: âGuess what? Google collects data from you as well.â Google does not have an Android Auto-specific privacy policy or data disclosure, Amico said. The data can also potentially be sold by Google for targeted advertising. Google did not respond to a request for comment.
Privacy4Cars also takes on data brokers, offering a way for consumers to easily reach them and tell them not to sell their data. An âAssert Your Rightsâ button on the upper right corner of the companyâs homepage takes users to a place to share their information so that Privacy4Cars can submit consumer privacy requests to first-party businesses, data brokers, and third parties on their behalf.
Consumers in the dark
Most drivers have no idea what data their car is collecting because other than through Privacy4Cars it can be very hard to track down and digest the information. The privacy disclosures for the four cars mentioned above involved between nine and 12 unique documents, and each ran between 55,00 and 60,000 words, according to the Privacy4Cars site.
Older cars appear not to be immune. A check for a 2012 Honda Odyssey, for example, revealed the vehicle collects data from synced phones, geolocation information and compiles personal identifiers and user profiles.
Car owners should use the app to wipe data particularly when they buy or sell a used car and return vehicles to car rental agencies or leasing companies, Amico said, although most people donât know they should do so.
Four out of five used cars contain the data of previous owners since most owners and subsequently car dealers donât wipe them clean, he said.
In some cases cars even store pieces of code from previous drivers that can allow old owners to access new ownersâ data. Most carsâ infotainment systems also store text messages and other unencrypted data.
Amicoâs services arenât foolproof. The FBI, for instance, still might be able to hack into the carâs systems and extract data. But they do make it a âhell of a lot harderâ for them or anyone else to do so.
Even those unworried about getting entangled with the FBI have serious reasons to delete their data, he said.
âIf you have a navigation system, you have about a 50/50 chance that you can press two buttons and show up inside the house of somebody because you press âgo homeâ and then you pop the garage open,â Amico said.
This is Part 1 of a three-part series on automobile privacy that will run through the month of December.
Automated Vehicle Law: Legal Liability, Regulation, and Data Security
InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory
