Blog entry by Les Bell

by Les Bell - Friday, 22 September 2023, 9:57 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


The Worst Privacy-Invading Devices? Cars

The integration of embedded processors into cars began with simple devices for engine control, some diagnostics and the very basic 'trip computer' to help drivers estimate trip times. But as silicon has become both more powerful and less expensive than mechanical devices for displaying information on the dashboard, cars have become more electronic than mechanical. Add ubiquitous connectivity, smartphone integration and GPS for navigation, and your car is probably the smartest device you own. All this culminates in battery electric vehicles, of course, in which the car's intelligence is completely integrated with the drive train and other basic functionality.

So as you drive around, the car's systems know not just how fast you are going, but where you are, where you are going, whether you will run out of fuel before you get there, the driving conditions, the streaming service music you are playing and a lot more.

Now researchers with the Mozilla Foundation have examined the data-gathering capabilities of 25 different car brands, along with what the manufacturers do with that data and the terms of their privacy policies. (I say 'manufacturers', but if the recent moves of BMW and others are any guide, we may soon have to think of them as 'service providers'. Think transportation-as-a-service.) The results are startling:

"All 25 car brands we researched earned our *Privacy Not Included warning label -- making cars the official worst category of products for privacy that we have ever reviewed."

Every car brand collects more personal data than necessary, using that information for purposes other than operating the vehicle and maintaining a customer relationship (a performance much worse than even mental health smartphone apps, only 63% of which earned the "*Privacy Not Included" label). Furthermore, most of them go beyond using the data internally for marketing and related purposes, and share (84%) or even sell (76%) personal information. 56% say they can share your information with governments or law enforcement in response to a request - not a court order or warrant, but a request.

Only two of the brands say that drivers have the right to have their personal data deleted - presumably to comply with the EU General Data Protection Regulation.

Another concern is a lack of assurance that the companies comply with good cybersecurity practices - for example, the researchers could not find out whether any of the cars encrypt the personal information they store. Email requests for clarification were mostly ignored, but a review of public breach disclosures over the last three years showed that 17 of the 25 car brands have a bad track record for leaks, hacks and breaches.

The companies' privacy policies make for concerning reading. Among the data categories collected by Nissan, according to their policy, is your "sexual activity". Kia can also collect information about your "sex life", apparently. In fact, six of the companies state that they can collect your genetic information or characteristics. The companies may also claim that their policies apply to passengers and that it is the responsibility of the driver to inform them of this, ignoring the fact that just reading the policy to your passengers could take hours!

While most of the companies claim to comply with the Alliance for Automotive Innovation's Consumer Protection Principles, it seems that none of them actually comply in practice. And you really have little choice, since all the brands are similar and those that do allow you to opt out will dramatically reduce the smart functionality of the vehicle.

In short, you may wish to reconsider buying that new high-end EV.

Caltrider, Jen, Misha Rykov and Zoë MacDonald, It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy, Mozilla *Privacy Not Included review, 6 September 2023. Available online at https://foundation.mozilla.org/en/privacynotincluded/articles/its-official-cars-are-the-worst-product-category-we-have-ever-reviewed-for-privacy/.


Upcoming Courses

  • SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 November 2023
  • SE221 CISSP Fast Track Review, Sydney, 4 - 8 December 2023

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
