“The worst offender was Nissan, Mozilla said. The carmaker’s privacy policy suggests the manufacturer collects information including sexual activity, health diagnosis data, and genetic data, though there’s no details about how exactly that data is gathered. Nissan reserves the right to share and sell “preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes” to data brokers, law enforcement, and other third parties.”

https://gizmodo.com/mozilla-new-cars-data-privacy-report-1850805416

If You’ve Got a New Car, It’s a Data Privacy Nightmare

Bad news: your car is a spy. Every major car brand's new internet-connected models flunked privacy and security tests conducted by Mozilla.

Gizmodo
@nazgul Oh shit, and I drive a Leaf. Well at least I do not use their navigation because they want to charge me to update their maps system … and it sucks.

@bigTanuki @nazgul

Get the new Nissan Leave!

@nazgul surely, legally, most, if not all, of that needs consent. So how the hell does that work for passengers, or other people driving than the owner (who may have agreed)?
@revk @nazgul we have a 2018 model Leaf. Every time you start it, there's a data consent popup. You can accept or reject the terms each time. I suspect that if you reject then it doesn't record trip details for that trip.
@pengfold A popup every time you start the car? Good grief, that sounds like a nightmare even if the popup were "would you like to see puppies" instead of "can we violate your privacy."
@sallyexactly it's a touch annoying, yes, but it does at least satisfy their legal obligations. Got to wonder about how other manufacturers think they're complying!
@revk @nazgul This is mentioned in one of the articles. Nissan puts the task of informing passengers and borrowers about privacy issues on the owner, making them complicit in their abuses.
@reinderdijkhuis @nazgul But if the owner does not, then Nissan would be in breach of GDPR. What do they do - sue the owner for breach of contract when they get charged/fined? Is it a reasonable consumer contract term? And if the owner sells the car, how does the new owner come in to such a deal?
@revk @nazgul I think they were sort of counting on nobody asking these questions until now. From the look of it, it seems they were in breach of the GDPR from the start because most of the stuff they collect has no legitimate purpose. But IANAL and I hope an actual GDPR lawyer will make this their personal project.

@revk @reinderdijkhuis @nazgul

On a more basic level a company saying it "reserves a right to X" if it was never theirs in the first place - I don't accept them self-assigning themselves info about another person by the simple act of writing it into their own policy.

Info beyond that directly related to being able to buy/own/drive a car should be on the company to demonstrate the relevance as well as the permission.

"I'd like to share your info with …"
you'd like to but it isn't a legitimate interest.

@prlzx @revk @reinderdijkhuis @nazgul Unfortunately, "legitimate interest" is so broadly defined in the legislation that someone needs to put up some legal fees and take a gamble that a court will agree that the vendor has failed the balancing tests - it's certainly not a clear-cut thing that you can almost guarantee which way a court will decide.

@revk @reinderdijkhuis @nazgul Given that the car has probably already been purchased by the time the owner is asked to accept the privacy policy (and no doubt they reserve the right to revise the privacy policy at any point in the future), I'd venture that it isn't a valid contract since it was never "freely entered into". That's assuming you can even prove the owner was the one to agree.

But then, these are the same problems as smart TVs, smart speakers, etc.

@revk @nazgul Is this in the UK/EU? The article seems US-centric. My car app logs journeys and some data like fuel level. The privacy policy is here: https://cdn.prod-row.jlrmotor.com/static/docs/legal/pp/landrover/PP_GBR.pdf It all seems quite reasonable to be honest.

@revk @nazgul I would imagine that they are claiming that it is their "legitimate interest" and therefore needs no consent. "Legitimate interest" is basically determined by a fuzzy balancing test and you probably have no idea whether it really is a "legitimate interest" until it has been tested in court.

That said, you must surely be able to object to any processing that isn't strictly necessary without impacting the services you use?

@nazgul

as for the "no details about how exactly the data including sexual activity is gathered by a car manufacturer" -

there was a case with Tesla workers...

😉

@nazgul the interesting part was that Tesla comes out as one of the worst in the Mozilla report but Gizmodo chose not to include them.

Indeed, #Tesla is ranked *last* in the Mozilla Foundation’s #privacy ranking, one place behind Nissan.

"Tesla is only the second product we have ever reviewed to receive all of our privacy “dings.”"

Not even mentioned by Gizmodo… afraid of a poll on X/Twitter to kick them out for harming the owner’s business… 🤷‍♂️?

https://foundation.mozilla.org/en/privacynotincluded/articles/its-official-cars-are-the-worst-product-category-we-have-ever-reviewed-for-privacy/

#twitter #media

*Privacy Not Included: A Buyer’s Guide for Connected Products

All 25 car brands we researched earned our *Privacy Not Included warning label – making cars the worst category of products that we have ever reviewed

Mozilla Foundation

For clarification (as this seems to be getting a bit of attention) and documentation:

Below you will find the sources mentioned and the corresponding screenshots, which in my humble opinion reveal a strikingly friendly attitude towards a certain car manufacturer.

https://foundation.mozilla.org/en/privacynotincluded/articles/its-official-cars-are-the-worst-product-category-we-have-ever-reviewed-for-privacy/

https://gizmodo.com/mozilla-new-cars-data-privacy-report-1850805416

@oliver_schafeld what I am curious about is...how does a car even collect "sexual activity data" unless the car is driven by a teenager?

@nazgul
Anyone know how to install a VPN on a car? Or maybe they only connect to the internet through wifi networks you've actively connected them to, so all you need is a pi-hole at home?

This is seriously concerning. Older vehicles won't be available forever. People are going to be forced to be a part of this, whether they like it or not. Whether they *know* it or not.

@nazgul interesting, but has anyone pulled together #hacks on how to disarm these #datagathering techniques and devices? It appears that Mozilla simply did a legal review of #privacy policies. That’s the easy part.

@nazgul

@johnlogic

Thank you for highlighting this great article. Scary shit. I want to hang on to my 2004 Chevy until I die.