Data about our daily lives is routinely collected, aggregated, reported, sold, and hacked. Very little, if any, of our data is actually private. Add to this complex mix the rapid rise in the use of artificial intelligence and generative artificial intelligence to scrape, ingest and apply search routines and options, plus post-election directives to cease regulatory processes, and you have an escalating privacy nightmare on wheels.
The public is increasingly familiar with the scale of data collection, surveillance, marketing and sale, and privacy violations that routinely occur when using apps, browsers, social media, the internet, and cell phones. But extensive data collection and privacy violations also routinely occur when we use cars and trucks [regardless of manufacturer], much if not all of it likely without your knowledge or consent. As EFF states, “If you’ve purchased a car made in the last decade or so, it’s likely jam-packed with enough technology to make your brand new phone jealous.” In many instances, vehicles use onboard technology, ‘black boxes’, to collect data, but cell phone apps also provide critical data collection operations that seamlessly and continuously harvest your information, without your knowledge or your consent. Privacy statements are buried in terms of service on everything you use, and for the most part, are automatically set to “opt-in,” requiring you to locate and “opt-out” of processes which, in many cases, will continue regardless of your actions. In addition, data collection technology is deployed by police departments around the country who are collecting, aggregating and operationalizing your travel activities using automated license plate readers. Some drivers are using obfuscation techniques to prevent license plate tracking systems, but this technique is rendered useless when mass data collection technology is used on targeted groups.
Automaker data collection and tracking can be even more extensive than what is deployed to track your activities online. Vehicle data collection has a multifaceted impact, including setting and increasing your insurance costs, identifying all destinations of travel, the dates and times, the speed at which you travel, medical or health service locations you have visited, where you eat and shop, and even engagement with political, legal and religious causes, groups and actions. Some vehicles, such as Tesla, have 24/7 mobile camera monitoring inside and outside of the vehicle, and “records audio and video footage every time the vehicle is in motion.”
The following selected articles and abstracts will inform you about how, where, when and by whom your transportation data is collected, and ways in which it is used and sold. It is important to acknowledge that aggregating and selling your data is a very large and lucrative business. Companies selling subscription and contractual access to extensive high profile risk databases include LexisNexis Risk Solutions, Verisk, and Mobilewalla, and the customers for these data include the private sector as well as local, state and federal government.
The citations and abstracts in this article are in chronological order, starting with the most current. I will continue to update this article as relevant information becomes available.
Subaru Security Flaws Exposed Its System for Tracking Millions of Cars. Wired, January 23, 2025. Now-fixed web bugs allowed hackers to remotely unlock and start any of millions of Subarus. More disturbingly, they could also access at least a year of cars’ location histories—and Subaru employees still can.
Subaru security vulnerability allowed millions of cars to be tracked, unlocked, and started. 9to5Mac, January 23, 2025. A Subaru security vulnerability allowed millions of cars to be remotely tracked, unlocked, and started. A full year’s worth of location history was available, and was accurate to within five meters … Security researcher Sam Curry reached an unusual deal with his mother: he would buy her a Subaru if she would let him try to hack it. He started by looking for flaws in the MySubaru Mobile App, but couldn’t find any. He didn’t stop there, however.
“From my past experience with car companies, I knew there could be publicly accessible employee-facing applications with broader permissions than the customer-facing apps. With that in mind, I decided to shift focus and started hunting for other Subaru-related websites to test.”
A friend helped him find a promising-looking sub-domain. It of course required an employee login, but some digging around in a JavaScript directory revealed insecure password reset code. All they needed then was a valid employee email address, which they found with a quick web search. They reset the password, and were then able to log in. The one remaining barrier was 2FA protection, but this turned out to be trivial to defeat, as it ran on the client side and could be removed locally. At that point they were in.
“The left navbar had a ton of different functionality, but the juiciest sounding one was ‘Last Known Location’. I went ahead and typed in my mom’s last name and ZIP code. Her car popped up in the search results. I clicked it and saw everywhere my mom had traveled the last year.”
It appeared that they could also remotely take control of any Subaru with Starlink installed, and they tested this by getting permission to target a friend’s car.
Your car knows more about you than you think. January 17, 2025. CNN via MSN, January 11, 2025. There’s a good chance your car knows all about you. Where you’ve been. How fast you drive. If you could’ve been a little easier on the brakes. Even what you look like, thanks to cameras pointed right at your face. This kind of data collection has been going on for years. And, in some cases, the data has been sold by automakers to third parties, such as insurance companies, which have used the data on driving habits to hike insurance rates for some customers. It also has been used by law enforcement, with the most recent prominent example being the Tesla Cybertruck that was exploded outside of the Trump International Hotel in Las Vegas on New Year’s Day. Law enforcement officials investigating the incident have thanked Tesla for turning over data quickly about the suspect, who killed himself while in the truck. “I have to thank Elon Musk specifically,” Las Vegas Sheriff Kevin McMahill said at a news conference, noting that the Tesla CEO gave authorities “quite a bit of additional information,” including directly sending them video from Tesla charging stations to help with their efforts to track the driver. But while law enforcement praises corporations for handing over driver data, others are concerned that most of the information collected could be violating people’s privacy. They’re concerned that without limits, potential privacy invasions will only get worse, with automakers standing to make money off the treasure trove of information they now possess.
General Motors Is Banned From Selling Driving Behavior Data for 5 Years. An investigation by the Federal Trade Commission determined that consumers had not been aware that the automaker was providing their driving information to data brokers. The New York Times, January 16, 2025. The Federal Trade Commission said on Thursday that it had reached a settlement with General Motors that would ban the automaker from providing drivers’ behavior and geolocation data to consumer reporting agencies. The ban will last for five years. The New York Times reported last year that G.M. was collecting data about people’s driving behavior, including how often they sped or drove at night, and selling it to data brokers that generated risk profiles for insurance companies. Some drivers reported that their auto insurance rates increased as a result. “G.M. monitored and sold people’s precise geolocation data and driver behavior information, sometimes as often as every three seconds,” said Lina M. Khan, the chair of the F.T.C. “With this action, the F.T.C. is safeguarding Americans’ privacy and protecting people from unchecked surveillance.” The F.T.C. opened an investigation and determined that G.M. had collected and sold data from millions of vehicles “without adequately notifying consumers and obtaining their affirmative consent.” Drivers who signed up for OnStar Connected Services and activated a feature called Smart Driver were subject to the data collection. But federal regulators said the enrollment process was so confusing, many consumers did not realize that they had signed up for it.
Allstate used GasBuddy and other apps to quietly track driving behavior. Ars Technica, January 14, 2025. “Texas has sued insurance provider Allstate, alleging that the firm and its data broker subsidiary used data from apps like GasBuddy, Routely, and Life360 to quietly track drivers and adjust or cancel their policies. Allstate and Arity, a “mobility data and analytics” firm founded by Allstate in 2016, collected “trillions of miles worth of location data” from more than 45 million people, then used that data to adjust rates, according to Texas’ lawsuit. This violates Texas’ Data Privacy and Security Act, which requires “clear notice and informed consent” on how collected data can be used. A statement from Texas Attorney General Ken Paxton said the suit is the first-ever state action targeting comprehensive data privacy violations. “Our investigation revealed that Allstate and Arity paid mobile apps millions of dollars to install Allstate’s tracking software,” Paxton said in a statement. “The personal data of millions of Americans was sold to insurance companies without their knowledge or consent in violation of the law. Texans deserve better, and we will hold all these companies accountable.”
Inside the Black Box of Predictive Travel Surveillance. Wired, January 13, 2025 – “Behind the scenes, companies and governments are feeding a trove of data about international travelers into opaque AI tools that aim to predict who’s safe—and who’s a threat… In Europe, at least four technology companies—Idemia, SITA, Travizory, and WCC—offer governments around the world software that uses algorithms on traveler data to profile passengers. These companies claim their software can detect terrorists, human traffickers, drug dealers, serious criminals, missing persons and increasingly, people migrating without papers. Products from these companies aim to combine multiple data streams about a traveler—such as your flight booking data with your visa application—to allow some people to pass quickly and effortlessly through border control. Those flagged by a machine as risky would be sorted into separate lines and subjected to a variety of measures ranging from questioning to physical searches and even possible surveillance by intelligence agencies. It would be difficult, if not impossible, in many countries to find out why you were flagged or what happens afterwards with your data…”
Here is a list of every app on your phone selling your location data, Via Austin Corbett @austincorbett.bsky.social January 9, 2025. Here is a list of every app on your phone selling your location data to advertisers, interested unknown 3rd parties, and the US government. Thanks to 404 Media and @josephcox.bsky.social – Here is a list of every app on your phone selling your location data:
- There are 12,373 apps on this Google doc as of today – the apps are used by children and adults and include: word games, puzzles, music, pets, sports, animals, solitaire, food, cooking, QR codes, gaming, news… the list goes on and on and on. No doubt you will find a few or dozens that impact your privacy.
Cars (and Drivers): 2024 in Review, EFF, December 29, 2024: “If you’ve purchased a car made in the last decade or so, it’s likely jam-packed with enough technology to make your brand new phone jealous. Modern cars have sensors, cameras, GPS for location tracking, and more, all collecting data—and it turns out in many cases, sharing it. Cars Sure Are Sharing a Lot of Information – While we’ve been keeping an eye on the evolving state of car privacy for years, everything really took off after a New York Times report this past March found that the car maker G.M. was sharing information about driver’s habits with insurance companies without consent. It turned out a number of other car companies were doing the same by using deceptive design so people didn’t always realize they were opting into the program. We walked through how to see for yourself what data your car collects and shares. That said, cars, infotainment systems, and car maker’s apps are so unstandardized it’s often very difficult for drivers to research, let alone opt out of data sharing. Which is why we were happy to see Senators Ron Wyden and Edward Markey send a letter to the Federal Trade Commission urging it to investigate these practices. The fact is: car makers should not sell our driving and location history to data brokers or insurance companies, and they shouldn’t make it as hard as they do to figure out what data gets shared and with whom. Advocating for Better Bills to Protect Abuse Survivors – The amount of data modern cars collect is a serious privacy concern for all of us. But for people in an abusive relationship, tracking can be a nightmare…”
You shouldn’t be driving over 100 mph and your car shouldn’t let you. Fast Company, December 23, 2024 – “The traffic signal on North Las Vegas’s North Commerce Street had been red for at least 29 seconds, but the Dodge Challenger did not slow down. Instead, it flew through the intersection with Cheyenne Avenue at 103 mph, almost three times the 35 mph speed limit. Carnage ensued. The crash that occurred on January 29, 2022, was horrific. The Challenger, driven by Gary Dean Robinson, slammed into the right side of a Toyota Sienna minivan crossing the intersection. Robinson and his passenger were killed, as were all seven people in the minivan (including four children). Erlinda Zacarias, the mother of four of the crash victims and sister to another, told the local CBS station that her family was returning from a visit to a park. “I kept calling everybody’s phone because all of them have phones and nobody answered me,” she said. Fearing the worst, she drove toward where she imagined her family might be and soon found the crash site. “I started screaming,” Zacarias said. Over 100 Americans die in traffic collisions on an average day, but 9 fatalities from a single incident is exceptional. Crash investigations are typically handled by local authorities, but in this case, the National Transportation Safety Board (NTSB) also launched one of its own. In its findings and recommendations, which were released last week, NTSB placed blame on Robinson, whose body showed evidence of PCP, alcohol, and cocaine. Robinson also had a history of reckless driving, leading NTSB to cite “Nevada’s failure to deter the driver’s speeding recidivism.” Those findings and related recommendations were unsurprising. But NTSB’s investigation summary also included something else: The agency recommended that automakers install technology on all new cars that can prevent reckless speeding—and, for the first time, called on the National Highway Traffic Safety Administration to mandate it.”
Traffic Cam Photobooth.
You’re Being Tracked by ALPRs. DeFlockMe – 10,760 ALPRs Reported Worldwide and rapidly growing. Automated License Plate Readers (ALPRs) are monitoring your every move. Learn more about how they work and how you can protect your privacy. Privacy Violations – ALPRs track your movements and store your data for long periods of time, creating a detailed record of your location history. They surveil mostly innocent people while claiming to target criminals. The Dangers of ALPRs – ALPRs are a threat to your privacy and civil liberties. They can be used to track your movements, profile you, and even stalk you. Learn more about the dangers of ALPRs and how you can protect yourself. Explore ALPR Locations Near You and Search for ALPRs by location.
Hackers Can Jailbreak Digital License Plates to Make Others Pay Their Tolls and Tickets. Wired, December 15, 2024. “Digital license plates sold by Reviver, already legal to buy in some states and drive with nationwide, can be hacked by their owners to evade traffic regulations or even law enforcement surveillance. Digital license plates, already legal to buy in a growing number of states and to drive with nationwide, offer a few perks over their sheet metal predecessors. You can change their display on the fly to frame your plate number with novelty messages, for instance, or to flag that your car has been stolen. Now one security researcher has shown how they can also be hacked to enable a less benign feature: changing a car’s license plate number at will to avoid traffic tickets and tolls—or even pin them on someone else. Josep Rodriguez, a researcher at security firm IOActive, has revealed a technique to “jailbreak” digital license plates sold by Reviver, the leading vendor of those plates in the US with 65,000 plates already sold. By removing a sticker on the back of the plate and attaching a cable to its internal connectors, he’s able to rewrite a Reviver plate’s firmware in a matter of minutes. Then, with that custom firmware installed, the jailbroken license plate can receive commands via Bluetooth from a smartphone app to instantly change its display to show any characters or image. That susceptibility to jailbreaking, Rodriguez points out, could let drivers with the license plates evade any system that depends on license plate numbers for enforcement or surveillance, from tolls to speeding and parking tickets to automatic license plate readers that police use to track criminal suspects. “You can put whatever you want on the screen, which users are not supposed to be able to do,” says Rodriguez. “Imagine you are going through a speed camera or if you are a criminal and you don’t want to get caught.”
Location data firm helps police find out when suspects visited their doctor. Ars Technica, December 10, 2024. “A location-tracking company that sells its services to police departments is apparently using addresses and coordinates of doctors’ and lawyers’ offices and other types of locations to help cops compile lists of places visited by suspects, according to a 404 Media report published today. Fog Data Science, which says it “harness[es] the power of data to safeguard national security and provide law enforcement with actionable intelligence,” has a “Project Intake Form” that asks police for locations where potential suspects and their mobile devices might be found. The form, obtained by 404 Media, instructs police officers to list locations of friends’ and families’ houses, associates’ homes and offices, and the offices of a person’s doctor or lawyer. Fog Data has a trove of location data derived from smartphones’ geolocation signals, which would already include doctors’ offices and many other types of locations even before police ask for information on a specific person. Details provided by police on the intake form seem likely to help Fog Data conduct more effective searches of its database to find out when suspects visited particular places. The form also asks police to identify the person of interest’s name and/or known aliases and their “link to criminal activity.” “Known locations a POI [Person of Interest] may visit are valuable, even without dates/times,” the form says. It asks for street addresses or geographic coordinates.”
EFF,
Alliance for Automotive Innovation, December 2023 – They claim – No, your car isn’t spying… it’s keeping you safe. … No, not recording every movement. But yes, modern vehicles are increasingly equipped with cameras – inside and outside the vehicle. Again, think about the safety applications. In-vehicle cameras may support occupant safety features, like systems to warn a driver when they are distracted, drowsy or inattentive, or to detect a child left unattended in the backseat of a vehicle. These cameras can also support new theft prevention features, allow parents to set controls (like limits on speed and audio volume), or allow drivers to start a vehicle without a key fob…
Never give a cop your phone and other security tips. The Silicon Underground, December 4, 2024 – “The political climate in the United States means everyone, but especially marginalized groups, need to be thinking about phone security. It’s not just something security professionals and people who handle sensitive information for a living need to worry about anymore. In light of that, I present five phone security tips I wish everyone knew and followed. Keep your phone up to date is security tip number one. Your whole life is on this phone. If a cop wants to see it, make them get a search warrant. Let’s start with the basics. Your phone wants to apply security updates periodically. Apple phones get updates on an irregular basis. Android phones get them every month. Regardless of which one you have, you need to be applying updates. Apple marketing claims they have the best security and privacy in the industry. Apple fans will drag me for this, but someone needs to say it. If you are paying a premium for Apple and not applying updates, you aren’t getting what you pay for. If your device isn’t up to date, it’s not secure. And that’s all there is to it. An up to date Android is more secure than an out of date iPhone. We all have that one retired IT guy we’re connected to on social media who says not to update your devices because you might break something. Don’t listen to him. People like that are also the reason that five companies I do business with got breached in the last 12 months. I remember the last time a security update broke something for me like it was yesterday. But it happened in 2006. Updates do sometimes break things, but it’s rare. In the event a system update does break something, more often than not, a later system update or an update to the app will fix it. Especially if it is a popular app. As much of your life as you keep on your phone, it’s not worth the security risk just because of the low possibility next month’s update might break Flappy Bird…”
FTC Bans Location Data Company That Powers the Surveillance Ecosystem, December 3, 2024. “The Federal Trade Commission (FTC) proposed order bans use or sale of data associated with military installations, churches, healthcare facilities, or other sensitive locations. The Federal Trade Commission will prohibit data broker Mobilewalla, Inc. from selling sensitive location data, including data that reveals the identity of an individual’s private home, to settle allegations the data broker sold such information without taking reasonable steps to verify consumers’ consent. Under the FTC’s proposed settlement order, Mobilewalla will also be banned from collecting consumer data from online advertising auctions for purposes other than participating in those auctions, marking the first time the agency has alleged such a practice was an unfair act or practice. “Persistent tracking by data brokers can put millions of Americans at risk, exposing the precise locations where service members are stationed or which medical treatments someone is seeking,” said FTC Chair Lina Khan. “Mobilewalla exploited vulnerabilities in digital ad markets to harvest this data at a stunning scale. The FTC is cracking down on firms that unlawfully exploit people’s sensitive location data and ensuring that we protect Americans from unchecked surveillance.” The FTC alleges in a complaint that Georgia-based Mobilewalla collected data from real-time bidding exchanges and third-party aggregators. Often consumers had no knowledge that Chamblee-Georgia-based Mobilewalla had obtained their data. “Mobilewalla collected massive amounts of sensitive consumer data – including visits to health clinics and places of worship – and sold this data in a way that exposed consumers to harm,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC is acting today to stop these invasive practices and protect the public from always-on surveillance…”
How G.M. Tricked Millions of Drivers Into Being Spied On (Including Me). The New York Times, April 24, 2024. This privacy reporter and her husband bought a Chevrolet Bolt in December. Two risk-profiling companies had been getting detailed data about their driving ever since. Automakers have been selling data about the driving behavior of millions of people to the insurance industry. In the case of General Motors, affected drivers weren’t informed, and the tracking led insurance companies to charge some of them more for premiums. I’m the reporter who broke the story. I recently discovered that I’m among the drivers who was spied on. My husband and I bought a G.M.-manufactured 2023 Chevrolet Bolt in December. This month, my husband received his “consumer disclosure files” from LexisNexis Risk Solutions and Verisk, two data brokers that work with the insurance industry and that G.M. had been providing with data. (He requested the files after my article came out in March, heeding the advice I had given to readers.) My husband’s LexisNexis report had a breakdown of the 203 trips we had taken in the car since January, including the distance, the start and end times, and how often we hard-braked or accelerated rapidly. The Verisk report, which dated back to mid-December and recounted 297 trips, had a high-level summary at the top: 1,890.89 miles driven; 4,251 driving minutes; 170 hard-brake events; 24 rapid accelerations, and, on a positive note, zero speeding events. I had requested my own LexisNexis file while reporting, but it didn’t have driving data on it. Though both of our names are on the car’s title, the data from our Bolt accrued to my husband alone because the G.M. dealership listed him as the primary owner. 
G.M.’s spokeswoman had told me that this data collection happened only to people who turned on OnStar, its connected services plan, and enrolled in Smart Driver, a gamified program that offers feedback and digital badges for good driving, either at the time of purchase or via their vehicle’s mobile app.