Carmakers promise they'll protect driver privacy -- really

The two largest auto trade groups, representing 19 of the biggest car and truck makers, have signed onto a set of principles to protect data privacy in an ever-increasingly digital, connected age.

The world's 19 biggest automakers have agreed to principles they say will protect driver privacy in an electronic age where in-vehicle computers collect everything from location and speed to what smartphone you use.

A 19-page letter committing to the principles was submitted to the Federal Trade Commission from the industry's two largest trade associations: the Alliance of Automobile Manufacturers (AAM) and the Association of Global Automakers (AGA).

The AAM represents Detroit's Big Three automakers -- Ford, GM and Chrysler -- along with Toyota, Volkswagen AG and others. The AGA also represents Toyota, along with Honda Motor Co., Nissan Motor Co. and Hyundai Motor Co., among others.

The trade groups promised that without a court order, private information will not be sold to insurance companies or used to bombard drivers with business ads without their permission.

The principles also commit automakers to "implement reasonable measures" to protect personal information from unauthorized access.

Among the promises agreed to by the automakers:

  • Our members will not disclose the customer's geolocation data to the government unless the government produces a warrant or a court order.
  • Our members will not market to their customers using identifiable personal data collected by the vehicle unless the customer explicitly agrees.
  • Members will give customers clear and meaningful notices about the collection, use and sharing of any personal information generated by their vehicle.
  • Members will maintain data security and implement safeguards, consistent with industry best practices, to control risks to data such as loss, unauthorized access, and improper disclosure.
  • Our members will not share sensitive personal data collected by the vehicle with data brokers and other third parties unless the customer explicitly agrees.
  • Our members will each have a dedicated web portal that will contain their privacy information.

Newer vehicles have head units (infotainment systems) with embedded GPS and mobile communications technology, such as cellular and radio frequency or -- in some of the newest cars and trucks -- embedded Wi-Fi routers.

Sen. Edward Markey (D-Mass.), a member of the House Commerce, Science and Transportation Committee, said the voluntary privacy pledge is an important first step but falls short in two key areas: choice and transparency.

"It is unclear how auto companies will make their data collection practices transparent beyond including the information in vehicle owner manuals, and the principles do not provide consumers with a choice whether sensitive information is collected in the first place," Markey said in a statement today.

Markey said automakers must make security and privacy as standard as seatbelts and stereos for drivers and their vehicles.

In coming weeks, Markey plans to release the findings of an investigation into the privacy and security practices in the automotive industry. "I will call for clear rules -- not voluntary commitments -- to ensure the privacy and safety of American drivers is protected," Markey said.

Carmakers already remotely collect data from their vehicles, unbeknownst to most drivers, according to Nate Cardozo, an attorney with the Electronic Frontier Foundation. "Consumers don't know with whom that data is being shared," Cardozo said. "Take Ford Sync, for example. In its terms of service, it says it's collecting location data and call data if you use Sync to dictate emails."

Location data about drivers is continually sent to manufacturers, which allows navigation systems to update users on traffic and weather conditions and offer other services such as remote payment for parking.

Location data has the potential to be used to advertise via either the infotainment system or any mobile device connected to it, sending pop-up messages about retail offers.

Dominique Bonte, a director at ABI Research, believes drivers should have to opt in before car companies can share data with any outside parties. Bonte pointed to GM as an example of why an opt-out model isn't good enough.

In 2011, GM's OnStar in-vehicle communications service began collecting data on users without permission. The strategy was designed to improve the OnStar service, but GM also shared that data with third-party suppliers.

"They failed to observe the most essential rule in privacy. They were forced to stop using the data," Bonte said.

Earlier this year, GM issued an OnStar privacy statement clarifying how it could use data collected from its in-vehicle service. The vehicle-related information it collects involves diagnostic data, odometer readings, estimates of remaining oil life, tire pressure calculations and information about collisions. It also includes driving information, such as vehicle location, speed, safety belt usage "and other similar information about how the vehicle is used."

As vehicle-to-vehicle and vehicle-to-infrastructure communications become more sophisticated, information will pass between vehicles and to government organizations.

"Not having knowledge that a third party is collecting that data on us and with whom they are sharing that data is extremely troubling," Cardozo said.

The National Highway Traffic Safety Administration is also working with automakers on regulations to oversee vehicle data transfers.

"As modern cars not only share the road but will in the not-too-distant future communicate with one another, vigilance over the privacy of our customers and the security of vehicle systems is an imperative," John Bozzella, president of Global Automakers, an industry trade association, said in a statement.

The automakers' principles leave open the possibility of deals with advertisers who want to target motorists based on their location and other personal data, but only if customers agree ahead of time that they want to receive such information, industry officials said in a briefing with reporters.

"Google may want to become an automaker, but we don't want to become Google," Mitch Bainwol, president of the AAM, said in a statement.

The complete list of automakers who've signed onto the principles is: Aston Martin, BMW, Chrysler, Ferrari, Ford, General Motors, Honda, Hyundai, Kia, Maserati, Mazda, Mercedes-Benz, Mitsubishi, Nissan, Porsche, Subaru, Toyota, Volkswagen and Volvo.
