‘Permissions app’ may solve car data privacy
BY PETER BARNWELL | 15th Oct 2024
THE horse may have already bolted in terms of controlling rampant in-car data mining and sharing with third-party aggregators for marketing purposes, dobbing on driver behaviour to insurance companies and other reasons – but there is a growing pressure to lasso the phenomenon before it goes feral via transparency and formal consent.
Last week’s exposé in consumer publication Choice put car brands on notice about their information collection and sharing practices, with Hyundai, Kia and Tesla deemed, by Choice, among the worst culprits.
Data mining from cars has been possible for at least a decade but the latest generation of tech-heavy connected cars increases the capability – and the implications – exponentially, while an incoming wave of so-called ‘software-defined vehicles’ will only increase the data capture potential.
According to auto industry sources, the issue is under discussion at manufacturer, dealer (and presumably government) levels as to what to do before potentially going down the legislative path.
Several car manufacturers and importer representatives contacted by GoAuto – and wishing to remain nameless – said they did not engage in on-selling driver data and did not collect biometric information, claiming they used the data mostly for market research and advertising purposes.
Others were non-committal. However, some manufacturers are known to collect data without the knowledge of drivers who failed to read the fine print, including the assumption of consent from the simple act of occupying one of their vehicles.
Should there be a ‘permissions app' within the menu screen of connected cars – like the cookie warning on websites or smartphone settings around which apps are allowed to use location data, camera or microphone access and other privacy-related features – or some form of clause upon purchase enable new car buyers to consciously opt-in (or out) of sharing driving data?
Industry sources Down Under told GoAuto a permissions app is being mulled by a number of manufacturers as they respond to tightening international privacy and cyber security regulations.
Any such application would likely have a domino effect as other manufacturers follow suit.
MG Motor, for example, already disables certain in-vehicle functions – including native satellite navigation software – unless the driver reads and agrees to a lengthy on-screen privacy policy.
However, as Choice reported, MG’s privacy policy is “unclear about how extensively the driver data they collect is shared”.
Separate from the vehicles themselves, many car-makers have an accompanying smartphone app.
The Apple App Store discloses that MG’s iSmart iPhone app can collect location, contacts, user content, search history, identifiers, usage data and diagnostics information that may be linked to the owner of the device. Apple lists MG’s Chinese parent company SAIC Motor International as the developer of the iSmart app.
Given responses to questions from a number of car brands GoAuto received over the issue a permissions app or opt-out clause may be in the pipeline at point of sale.
But with vast driver data worth billions of dollars up for grabs, such controls might not realistically materialise without regulation.
The outcome may depend on a number or combination of factors not limited to but including the willingness of car-makers and their dealers to act transparently, government regulation, enforcement, consumer acceptance/resistance and new technology coming on stream, not to mention giving consumers a fair go.
Of the brands named in the Choice report, the second-biggest collector of owner-linked iPhone app data after MG appears to be Mazda, which the Apple App Store says can link location, contact, identifiers, usage data and diagnostic info to the device owner.
Toyota and Ford apps have similar capabilities but supplant linked location data for user content
Kia’s app links location, contact info, user content and identifiers while sister brands Hyundai and Genesis link contact info and identifiers but collect anonymised location, user content and diagnostics data.
In contrast with its traffic-light-themed Choice rap sheet for in-vehicle data collection (scoring red along with Kia and Hyundai), Tesla’s app seems least invasive, harvesting only usage and diagnostic data linked to the device owner.
Ford, Mazda, MG and Toyota were all given an amber traffic light by Choice, with Isuzu Ute, Mitsubishi Motors and Subaru getting green.
For clarity, under current privacy law "sensitive data" here is already meant to have an enhanced level of consumer protection and consent before it can be gathered and shared the key being the interpretation of “sensitive data”.
Realistically, it seems action to address the matter of automotive data harvesting and sharing will have to come from the government, which may force manufacturers to provide a permissions app or opt-out clause on purchase for buyers who do not wish their personal information to be collected and/or shared.
As well as over-the-air connectivity features and technology updates, a permissions app would potentially apply to certain driver assistance systems that harvest and share driver information such as driver attention monitoring and speed limit alert among other features therein, creating another headache this time relating to safety and safety ratings.
In the United States, a long list of car brands was found by The New York Times to be providing details of owners’ driving behaviour to insurance companies via data aggregators Lexis Nexis and Verisk.
A 2023 Sydney University report on data mining in new cars, which generate about 25 gigabytes of data per hour, highlighted the need to “shift our focus towards the automobile industry which has so far escaped the scrutiny faced by technology giants, despite the significant threats to personal privacy it poses”.
“For Australians, the implications are profound and immediate. Given our robust car market, many of us are unwittingly ensnared in this web of data-collection, our personal details, driving patterns, and other private information, splayed open for corporate consumption.”
The report, by Uri Gal, professor of Business Information Systems at the University of Sydney Business School, calls for regulatory changes and transparency.
“While technology giants, such as Google, Facebook, and Amazon, remain under intense public scrutiny for their data-handling practices, car manufacturers have managed to evade similar attention. This contrast exposes a gap in our collective consciousness and regulatory frameworks,” said Prof Gal.
“Despite the grave implications of this indiscriminate data collection - spanning from the invasion of personal privacy to potential misuse by governmental entities - the automotive industry continues its operations mostly unfettered.
Professor Gal’s legislative remedy to data mining in cars is obvious as he explains; “The critical juncture we confront necessitates comprehensive regulatory action.
“Echoing the stringent standards of Europe's General Data Protection Regulation, Australia should embark on a decisive journey towards bolstering its data privacy laws. The automotive industry must be held to account, ensuring transparent, ethical, and consensual data handling practices.
“Furthermore, the onus rests upon car manufacturers to cultivate a culture of transparency. A transparent approach to data-handling would not only elevate the industry's ethical standing but also empower consumers to make informed decisions and retain control over their personal information.
On the other side of the coin, self-regulation may be the most palatable to vested interests.
Given the connected car’s rapid rise, these rolling data-collection machines have enabled data mining to become an intrinsic part of the business model in terms of how car-makers and their dealerships are run, forming a core part of modern automotive dealer platforms and a key profit centre for these businesses amid squeezed margins in other areas of operation.
On a global scale, something similar applies to the automotive manufacturing sector which is constantly on the lookout for cheaper resources be they labour or components, logistics, technology, financial incentives and other new income streams.
With such a focus on profitability, not a lot of expectation on the self-regulating front exists as it has the potential to reduce or eliminate a lucrative and largely unseen profit centre.