em360tech image

Imagine you’re driving in your luxurious sedan with your better half, when suddenly your car infotainment system stops the beautiful music that was playing in your expensive sound system and plays an audio sequence of a very intimate conversation between yourself and another person, a conversation that took place the day before, when you were supposed to be at work.

 Your better half is in shock and furious, you are in shock, and the nightmare doesn’t stop as the car plays other recordings of yourself and other persons.

Science-fiction versus the truth.

Nowadays, most cars are connected cars. They listen to you and activate features when you say specific words like “Hey, Mercedes”. In order to do this, the car listens to you, just the way an Amazon Alexa device listens to you. Moreover, voice samples are uploaded to AI algorithms in order to improve the voice recognition abilities.

These great new features in our cars open many Pandora’s boxes as the car monitors more and more aspects of your life. Not only the car listens to you, but it also records images – both inside and outside the car. Of course, for a better cause, to detect whether you are tired or incapable of driving. It is also a requirement of REGULATION (EU) 2019/2144 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 November 2019 on type approval requirements for motor vehicles and their trailers, and systems, components and separate technical units intended for such vehicles, as regards their general safety and the protection of vehicle occupants and vulnerable road users, article 6, para 1: 1. Motor vehicles shall be equipped with the following advanced vehicle systems: a) intelligent speed assistance; b) alcohol interlock installation facilitation; c) driver drowsiness and attention warning; d) advanced driver distraction warning; e) emergency stop signal; f) reversing detection; and g) event data recorder.

So yes, there are laws which require cars to “listen” to you, record your data, upload it to AI algorithms that “learn” when a driver is probably drowsy or distracted.

So, what about personal data protection?

Data protection legislations around the world, like UK and EU GDPR, require data controllers to apply some basic principles to every personal data processing operation: transparency, purpose limitation, data minimisation, data accuracy, restricted data retention and data security.

In terms of transparency, people have no clue that cars are monitoring their voices, processing their images and their driving behaviour. Because all these “specs” are hidden (if they exist at all) behind complicated privacy notices that you need to accept the first time you start a car. I’m not even going into “data minimisation" or “data retention” here, they are both ignored usually, but let’s take a look at security.

One would think that such intimate data is protected, but we keep seeing the first data security failures. A smart programmer managed to “hack” a connected car that lacked appropriate security controls. Tesla uploaded images of their customers, in their homes, to Tesla servers, images that were accessed by Tesla employees.

One of the key principles in GDPR is data protection by-design and by-default. Which, of course, states that whenever you are designing a new personal data processing operation, you must factor in the data protection aspects from the very beginning. However, from the examples above we see that car manufacturers pay little attention to privacy; and this will cost us a lot in the immediate future.

What data does my car record, store and share and with whom?

First of all, you have the manufacturer’s digital platform – an operating system, with its core applications and core systems. No-one except the car manufacturer and its trained service partners should be able to access these core systems. These systems manage the car engine’s different settings and workloads, faults, etc. These systems also manage the car safety features – tampering with them would mean threatening the driver’s and passengers’ lives. Such systems shouldn’t store any data – they should act based on the manufacturer's specifications that might be updated in time.

Then we have third-party applications and systems – applications and features, 1st party (from the car manufacturer), 2nd party (car manufacturer in partnership with another company) or 3rd party (independent vendor) downloaded from the manufacturer's official digital store. Such features might unlock different car features (like BMW is trying these days) or new experiences – in-car entertainment, maps, games, etc. All these applications, systems and services are recording, storing and uploading data somewhere – to car manufacturers, partners and independent vendors, usually all at the same time.

The more digital and entertainment systems are implemented in a car, the more data is sent to different players. And as the number of players in the industry is growing, controlling access to sensitive personal data becomes crucial. Whenever you are thinking about this, think about the Tesla case, above.

Where is the problem?

When such personal data is collected, stored, combined, and enriched, it can be used to profile every driver. Its driving behaviour, personality, relationships, EQ, IQ, everything. It’s nothing new, we’ve seen it before with Cambridge Analytica.

As technology is becoming more and more cheaper, more and more car manufacturers implement big data platforms to collect, store and process drivers’ personal data. Moreover, they are pushing their car dealers to convince drivers to “activate” car applications. Feeding such data to AI algorithms always generate discrimination, scoring and classification.

Regulating artificial intelligence algorithms (EU AI Act is already in its final steps) will require big players, including car manufacturers, to rethink their approach. But I’m not very optimistic, we have GDPR in the market for five years now and we don’t see better transparency, proportionality, or security (check the hacking case above).

What is the solution?

The funny thing in all this mess is that the solution might be coming from the customers who already start asking car dealers about privacy and personal data protection. Car dealers know that they don’t have access to car data, except the data extracted by the car service devices which physically connect to the cars. But customers think that car dealers can also access sensitive information like GPS history so they put pressure on them, thus the car dealers begin asking questions to the car manufacturers.

So, the conversation is starting. And this is much better than having this whole mess regulated – the natural way is to solve these issues within the industry.

I think that we will soon see car privacy solutions, similar to DuckDuckGo App Tracking protection for Android mobile devices, that would limit the data sent to different players in the automotive industry or at least that would inform the driver about the data that is sent, giving back (some) control to the data subject.

If you have a modern car, I recommend you start looking at the data that your car collects, process, stores, and uploads. And start asking questions to your car dealer or even to your car manufacturer. Let’s start the ball rolling.