Connected Cars Will Run on Your Personal Data

Fully autonomous cars won’t be deployed en masse for a while, maybe even decades. In the meantime, cars that are smarter and more connected than your average sedan are already sitting in parking lots and driving on highways, and they’re collecting all kinds of information about you. US privacy laws aren’t doing enough to keep up.

Other countries are taking note. A Canadian Senate committee last month flagged privacy and security as major issues of the coming internet-connected automotive revolution, and Europe’s impending General Data Protection Regulation (GDPR) will set the global bar on data privacy. The US, however, has consistently erred on the side of business when it comes to data privacy. The world, and the US in particular, is woefully unprepared for the lightning-fast advancements being made in the connected-vehicle industry—and that should be a cause for concern.

“This is the kind of technological advancement that’s intended to bring public safety and individual safety to the forefront,” Albert Gidari, the director of privacy at Stanford University’s Center For Internet and Society, told me over the phone.

“But the trade off is, you’re sacrificing individual privacy for the common good.”

The data-gathering possibilities in a connected car are endless. Engine performance, telematics, the music you listen to, the locations you visit, the phone conversations you have via the infotainment system, maybe even your eye movements, your pulse, and your unique voice signature, can all be recorded and mined for data. The patchwork of privacy laws in the US leaves gaping loopholes that effectively grant private companies free and unfettered access to massive volumes of data for current and future, to-be-determined usage. You can bet all your bitcoins that the automotive business will take advantage of this.

The details of this data-gathering are densely written and buried deep in user manuals and terms of service agreements, never to be looked at or understood. We usually aren’t told where and how the data is stored, nor how it will be used. How far removed are we really from our off-key driving singalongs being repurposed to pick up our voices in public?

Still, we’re being sold on the idea that all this has some greater, altruistic purpose. Connected and self-driving cars will save lives. Their sensors will detect other cars and prevent crashes. They’ll (usually) drive the speed limit and reduce congestion. Your traffic nightmares will be over.

Connected cars are no different from the other “smart” devices in our lives—and we’ve agreed, sometimes unwittingly, to sign over our digital civil liberties in exchange for convenience and cool toys, while US lawmakers bide their time on updating privacy rules for the connected future. “Everyone focuses on the common good and not the collateral consequences,” said Gidari.

There are some outliers. The Canadian Senate committee, which was convened two years ago to look at connected and self-driving cars, specifically called out “car hacking and the erosion of personal privacy” as areas of particular concern.

“Several witnesses suggested that, in discussions of data ownership, it is important to distinguish between data essential to the functioning of the car and data gathered for other purposes,” the report says.

Unlike the US, Canada has a comprehensive federal digital privacy law that will govern the connected-vehicles business. Europe’s GDPR—which goes into effect May 25, 2018—is setting perhaps the most definitive set of privacy rules in the world by demanding, for instance, that companies ask for data-collecting consent in simpler terms. These rules apply to most “smart” electronics, not just vehicles.

Right now we can opt out of driving connected cars, but there may come a time when we won’t have a choice. That may happen before the US enacts consumer-friendly privacy laws—if it ever does. Even then, privacy rules are often so long and verbose it’s almost impossible to understand our rights and when they’re being violated, said Gidari. The current conversation around privacy reminds him of his past work in environmental law.

“When you see ‘clean’ in environmental statutes, it’s not about being clean. It’s about how much you can pollute legally,” explained Gidari. The same goes for privacy: “It’s more about what people can do with your information without your consent.”

“Maybe the world is too complex for complex legislation,” he sighed.

Get six of our favorite Motherboard stories every day by signing up for our newsletter \.