
Privacy in your vehicle: The info that's collected and who can access it

Dr. Adel Elmaghraby
Professor Michael Losavio
Mike Ochsner
A voice controlled in-car navigation system

LOUISVILLE, KY (WAVE) - Very few of us would be comfortable with someone knowing our every move, but privacy is a tradeoff. We give little bits of information about ourselves in exchange for security or convenience, but the amount of information out there may surprise you. Could it be that even our cars are spying on us?

Driving is the time most of us can unplug to be alone with our thoughts. But these days, we are rarely truly disconnected, and all that convenience comes at a cost.

"If you choose to do these things, you will lose a lot of your privacy," said Dr. Adel Elmaghraby, computer science and computer engineering chair at University of Louisville's Speed School. Elmaghraby said to think of your vehicle as a complex network of computer systems.

"They evolved from just one unit to multi units, then they became networks of computers within the car," Elmaghraby said. "Then came the GPS, came the entertainment systems, came the cell phones. They all became connected to the same network."

Just who has access to that network is hard to say. Elmaghraby said in general, the network is not locked down through security systems that we're familiar with on our home and work computers. He said experiments at some universities have demonstrated that vehicles are vulnerable to hacking.

"Someone could drive by your car or send your car messages which could, in a sense, make it appear like you are doing it," Elmaghraby said. "It could affect what your car is going to do. Maybe efficiency, maybe even if the car is moving, it could force it to go to a different direction."

A "drive-by hacker" could also access information that your car has stored in its computer systems.

"Everything we do is being collected in some sort of electronic database," pointed out UofL Law School Professor Michael Losavio.

Losavio said many of us have invited complete strangers into our cars without even knowing it, through what is technically called telematics: location and emergency systems such as GM's OnStar or Toyota's Safety Connect. Those systems can provide a world of information about you. [Read on to find GM and Toyota's privacy policies for these systems.]

"If someone gets access to your GPS track," Losavio said, "they can see that you went to an oncologist's office. So now they know that there's a pretty good chance that you're being at least examined for cancer, and that can have huge repercussions on a person's life."

You may be saying, "Well, I don't have GPS systems, so this doesn't apply to me." But chances are if your car was made in the last 10 years, what you do have is something that is commonly called a "black box." Its real name is "event data recorder," and it's used in the event of a crash. The government is considering making them mandatory.

Just who should have access to information recorded by EDRs is still a fierce debate.

Nate Cardoza, a staff attorney at the non-profit Electronic Frontier Foundation, said there is no limit to the amount and type of information these recorders collect or how far back that information might go. [You can find a question and answer section from Cardoza at the bottom of this story.]

Your car already records a wide variety of information in its powertrain control module or electronic control module; that is the data a mechanic reads when the check engine light comes on. The government made this mandatory in many vehicles made after 1996 under a program requiring On-Board Diagnostics (OBD), a computer system built into your car.

Losavio said once you give that information up when it's accessed by a dealership or a mechanic, you no longer control who has access to it, including insurance companies and law enforcement.

"What if they go to the dealership and say, 'Can we see all of the records regarding what this person has been doing with their car?' The dealership can say, 'Well, sure,'" according to Losavio.

As with so many things that involve rapidly evolving technology, lawmakers need to act to outline who can collect that information, what they can do with it and whether they can sell it to third parties, Losavio said.

"I think if you know that people are monitoring you, you can make that decision," Losavio said.

Until then, Elmaghraby says the best advice may be to play it safe even in what you believe is the privacy of your own car.

"Only do things that you are willing that the whole world will know," Elmaghraby said.

WAVE 3 contacted the two automobile makers mentioned in this story to inquire about privacy policies. Brian Lyons, Safety and Technology Communications Manager with Toyota, provided the following explanation of both the event data recorder and Safety Connect:

Safety Connect

Toyota uses customer data to deploy and enable the subscribed-to benefits of the Safety Connect service, and this data is maintained in a highly secure infrastructure. If a customer no longer wishes to subscribe to Safety Connect, the hardware is shut off, the services will not work and no data can be transmitted.

Safety Connect is a subscription-based service that is available on a limited number of Toyota vehicles and standard on Lexus vehicles. Safety Connect provides automatic crash notification, an SOS emergency button, stolen vehicle location, and enhanced roadside assistance. To perform these services Toyota's vendor must know the vehicle's location; otherwise they would not be able to provide the services. The vehicle's location is only transmitted to the vendor upon activation of the services, for example when an airbag deploys or the SOS button is pressed. No data is sent unless the customer uses the service. The vehicle location information only applies to the time of the incident, and it is only shared with third parties to provide the EMS service (fire, ambulance, police). The data is stored by the vendor in a secure system that has multiple levels of IT and physical security. The data that is wirelessly transmitted contains the vehicle location, direction, and a unique number; it does not contain the customer's name or vehicle identification number (VIN). There are numerous proprietary methods to ensure that the data transmitted by the vehicle is only sent to Toyota's vendor.

If the vehicle is stolen, the customer is required to file a police report first and then provide the police report number to Toyota. Toyota will attempt to remotely activate the stolen vehicle tracking function, and if the vehicle is located, this location will only be provided to the police; it will not be provided to the customer.

The Safety Connect service is included in the vehicle sale for the first year of ownership, and the customer may opt out of the service, which means Toyota will remotely turn off the internal hardware and therefore the services. Also, if the customer does not renew their subscription after that first year, Toyota will remotely turn off the hardware and services. Once the hardware is turned off it will no longer transmit any data (no services will work) until the customer re-activates the service.

If Toyota Motor Credit Corporation (TMCC) requests that we locate a vehicle because of alleged fraud or breach of lease or loan agreement, then we will work to locate the vehicle.

Lexus vehicles also have Safety Connect, plus the ability for the customer to speak to an operator who will locate a destination and send it to the vehicle navigation system while the customer is driving, to help avoid driver distraction. Also, there is a feature that allows customers to pick out their destinations online before a trip and then send them to their vehicle navigation system. These systems have the same set of security as previously mentioned.

There are some Lexus vehicles that transmit vehicle diagnostic codes (but not the location) to Lexus engineers. During enrollment or at any time, the customer can opt out of this capability but still use the other services. If the customer does not renew their subscription, then Lexus will remotely shut off the hardware and none of these services will work, including the ability to send vehicle diagnostic codes.

Event data recorder (owner's manual content)

This vehicle is equipped with an event data recorder (EDR). The main purpose of an EDR is to record, in certain crash or near crash-like situations, such as an air bag deployment or hitting a road obstacle, data that will assist in understanding how a vehicle's systems performed. The EDR is designed to record data related to vehicle dynamics and safety systems for a short period of time, typically 30 seconds or less. The EDR in this vehicle is designed to record such data as:

• How various systems in your vehicle were operating;
• Whether or not the driver and passenger safety belts were buckled/fastened;
• How far (if at all) the driver was depressing the accelerator and/or brake pedal; and
• How fast the vehicle was traveling.

These data can help provide a better understanding of the circumstances in which crashes and injuries occur.

NOTE: EDR data are recorded by your vehicle only if a non-trivial crash situation occurs; no data are recorded by the EDR under normal driving conditions and no personal data (e.g., name, gender, age, and crash location) are recorded. However, other parties, such as law enforcement, could combine the EDR data with the type of personally identifying data routinely acquired during a crash investigation.

To read data recorded by an EDR, special equipment is required, and access to the vehicle or the EDR is needed. In addition to the vehicle manufacturer, other parties, such as law enforcement, that have the special equipment, can read the information if they have access to the vehicle or the EDR.

Disclosure of the EDR data

Toyota will not disclose the data recorded in an EDR to a third party except when:

• An agreement from the vehicle's owner (or the lessee for a leased vehicle) is obtained
• Officially requested by the police or other authorities
• For use by Toyota in a lawsuit
• Ordered by a court of law

However, if necessary, Toyota will:

• Use the data for research on vehicle safety performance
• Disclose the data to a third party for research purposes without disclosing information about the specific vehicle or vehicle owner
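The recording model the owner's-manual excerpt describes (vehicle data sampled continuously, only a short pre-crash window kept, nothing persisted until a crash trigger fires, no identity fields stored, yet linkable to the identifying data gathered at a crash scene) can be modelled in a few dozen lines. The Python below is an added illustration written for this story, not Toyota's or any manufacturer's code. The 10 Hz sample rate, the 5-second window, the airbag-deployment trigger, the field names and the drive data are all constructed assumptions; it also makes the point raised in the EFF Q&A later in the story that the retained window is a manufacturer-chosen parameter, by running the same drive through a recorder configured to keep ten minutes.

```python
from collections import deque
from dataclasses import dataclass, asdict

# Constructed parameters for this illustration, not from any manufacturer's specification.
SAMPLE_HZ = 10           # how often the recorder polls the vehicle for a snapshot
MIN_WINDOW_SECONDS = 5   # the regulatory minimum pre-crash window cited in the story


@dataclass(frozen=True)
class Sample:
    """One snapshot of the data points the story lists: pedals, belts, rpm, speed, airbag."""
    t: float
    speed_mph: float
    accel_pedal_pct: float
    brake_pedal_pct: float
    driver_belt: bool
    passenger_belt: bool
    engine_rpm: int
    airbag_deployed: bool


# Field names the owner's-manual note says an EDR record should not contain (assumed list).
PERSONAL_FIELDS = {"name", "gender", "age", "latitude", "longitude", "vin"}


class EventDataRecorder:
    """Ring-buffer recorder: the newest sample overwrites the oldest, so under normal
    driving nothing older than the window survives and nothing is persisted at all."""

    def __init__(self, window_seconds=MIN_WINDOW_SECONDS, sample_hz=SAMPLE_HZ):
        self.window_seconds = window_seconds
        self._ring = deque(maxlen=window_seconds * sample_hz)
        self._events = []  # windows frozen by a trigger (airbag deployment here)

    def record(self, sample: Sample) -> None:
        self._ring.append(sample)
        if sample.airbag_deployed:
            # Freeze a copy of the pre-crash window; the ring keeps running afterwards.
            self._events.append(tuple(self._ring))

    def persisted_events(self) -> list:
        return list(self._events)


def retained_span_seconds(event) -> float:
    """Wall-clock span covered by one frozen event record."""
    return event[-1].t - event[0].t


def export_event(event) -> dict:
    """What the vehicle hands over: the samples only, with no identity fields."""
    return {"samples": [asdict(s) for s in event],
            "span_seconds": retained_span_seconds(event)}


def personal_fields_in(record: dict) -> set:
    """Data-minimisation check: which top-level keys of a record are personal data?"""
    return {k for k in record if k in PERSONAL_FIELDS}


def link_to_crash_report(export: dict, report: dict) -> dict:
    """Models the note's caveat: joining the export with identity data collected at
    the scene (constructed here) turns an anonymous record into an identifying one."""
    linked = dict(export)
    linked.update(report)
    return linked


def simulate_drive(recorder: EventDataRecorder, normal_seconds=60,
                   sample_hz=SAMPLE_HZ, crash=True) -> EventDataRecorder:
    """Constructed drive: steady cruising, then two seconds of hard braking and an
    airbag deployment. With crash=False the drive ends uneventfully."""
    n = normal_seconds * sample_hz
    for i in range(n):
        recorder.record(Sample(i / sample_hz, 45.0, 20.0, 0.0, True, False, 2100, False))
    if not crash:
        return recorder
    for j in range(2 * sample_hz):
        speed = 45.0 - 15.0 * j / sample_hz
        recorder.record(Sample((n + j) / sample_hz, speed, 0.0, 90.0, True, False, 1200, False))
    recorder.record(Sample((n + 2 * sample_hz) / sample_hz, 10.0, 0.0, 100.0,
                           True, False, 900, True))
    return recorder


if __name__ == "__main__":
    for window in (MIN_WINDOW_SECONDS, 600):
        rec = simulate_drive(EventDataRecorder(window_seconds=window))
        event = rec.persisted_events()[0]
        print(f"window={window:>3}s: {len(event)} samples kept, "
              f"spanning {retained_span_seconds(event):.1f}s before the trigger")
    quiet = simulate_drive(EventDataRecorder(), crash=False)
    print("uneventful drive persisted:", quiet.persisted_events())
```

Running it shows the two halves of the privacy argument side by side: the 5-second recorder persists 50 samples covering 4.9 seconds, and only after the trigger, while the 600-second recorder persists the entire 62-second drive from the same trigger, with no change visible to the driver. The export carries no personal fields, but one `link_to_crash_report` call with a constructed name and VIN is enough to make it identifying, which is exactly the combination the manual's note warns about.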

OnStar Communications Manager Cheryl McCarron provided this statement:

For OnStar, nothing is more important than the safety and security of our subscribers and their family. We apply that belief to every aspect of our service – including the protection of information. We use the information we collect to provide the products and services that the subscriber requests, for troubleshooting, analysis, and research, safety, to prevent fraud or misuse, to tell subscribers about other OnStar or GM products or services, and for litigation resolution. In general, we do not share personal information with third-party marketers, unless we have asked for and obtained explicit consent.

Our privacy statement is available at

Ford Motor Company Safety Communications Manager Kelli Felker provided this statement:

The SYNC 911 Assist feature uses your cell phone to call 911 just as if you called 911 on a handheld phone; that information is not stored.

To answer your question about event data recorders, they record information – such as air bag deployment, vehicle speed and pedal positions – which can be used to help analyze accidents and inform the development of future innovations. Ford continues to recognize our customers' privacy and does not access event data recorder information without obtaining consent, or unless required by law.

Nate Cardoza of the Electronic Frontier Foundation provided the answers to the following questions in an email exchange:

What do we know about specifically the range of data that is being collected?

Very little. We know the minimum data points that are required by NHTSA regulation. Those include things like accelerator and brake pedal position, seat belt engagement, engine rpm, airbag status, lateral movement. However, manufacturers are free to include any data they want in the black box, and if they do so, they don't have to disclose that collection to the driver. For instance, if they were to include GPS location data in the black box, you would have no way of knowing.

How far back might the collection go?

You have no way of knowing. Again, the regulations specify only a minimum collection time frame (the last 5 seconds before a crash); however, nothing prevents manufacturers from collecting data over a much longer time frame. Days or months would be feasible. And again, they're not required to disclose the length of time they have data.

Who should you expect to be able to access that information?

Anyone with physical access to the car, at a minimum. The port is unlocked and easily accessible in almost all cars. That means your mechanic certainly has access, as does any state safety inspector. My organization believes that if law enforcement wants access, they must first obtain a warrant, but we understand that some law enforcement agencies may think otherwise. For some newer cars that include internet access in their infotainment systems, EDR data may be accessible remotely. Several states have passed laws that prohibit insurance companies from requiring access to the EDR as a condition of coverage, but in most states, the companies are free to do so.

The NHTSA has proposed rules to make black boxes mandatory in all cars. I submitted formal comments to that proposed rule, requesting that the regulations force manufacturers to disclose all the data points that they collect and for how long. I also requested that the regulations include a statement that the driver has an expectation that the data remain private.

Here's my write up of the comments:

Copyright 2013 WAVE News.  All rights reserved.