Next privacy trap for consumers? Their cars.

A self-driving Chevy Bolt on the GM assembly line. Self-driving features in modern cars could pose risks for driver privacy.

With flak still flying in the battle over the privacy of data shared on social networks, consumer advocates are raising a red flag about the data that is being collected and shared using another type of consumer platform: automobiles.

Manufacturers such as BMW, General Motors (GM), Nissan, Tesla and Toyota are selling vehicles with data connections that allow them to gather detailed portraits of both car and driver, according to a report posted online by consumer watchdog organization Consumer Reports.

Since these technologies are in the early stages of rollout, the automobile industry still has time to get a handle on how it will protect consumer privacy in light of the collection of this data—and it should do this as soon as possible, the advocacy group believes.


Social-media data sharing is already “out of hand”—hence the ongoing debate over and scrutiny of data-privacy policies of Facebook and others, said Jeff Plungis, Consumer Reports lead automotive investigative reporter and author of the report. However, the collection of car and driver data has been “a slow evolution of different types of technologies that seem to be suddenly arriving at a critical mass,” he told Security Ledger.

“There’s an opportunity for the auto industry to get the privacy concerns right,” he said. “That’s why it’s worth paying attention right now [to this issue] with cars. This part of their business is just now getting under way.”

New technology, new rules

For several decades, cars have had a variety of onboard sensors and rudimentary computer controls to help coordinate systems such as antilock brakes, fuel injection, airbags and emissions, according to Consumer Reports. Using the onboard diagnostic port (OBD-II), data from these systems could be accessed during diagnostic sessions at a mechanic’s or a dealership, or after a crash through event data recorders (EDRs).

Concerned about consumer privacy, in 2015 Congress passed the Driver Privacy Act, making it clear that data from these systems belongs to a car’s owner and can’t be used against a driver in court in case of an accident or other type of incident. In other words, “you can prevent your car from testifying against you,” Plungis said.

However, with the Internet of Things (IoT), new cars are beginning to share data with auto makers over the air through a telematics modem that transmits data the way a SIM card transmits data from a mobile device. “This is a chip that’s pre-installed in your car and it’s sending a stream of data back to the car company,” Plungis explained.

Data the chip transmits include the status of certain systems in the car and how parts of the car are operating—which could include things like when a driver brakes or how he or she steers the car, potentially in emergency situations or even accidents, he said.

GM’s Cadillac CT6 features Super Cruise, which has a camera that monitors driver movements. Consumer advocates are concerned about car-owner privacy due to increased data collection like this by automakers.

Other emerging data-collection features in vehicles include sophisticated ways to monitor drivers using cameras, Plungis said. GM’s Super Cruise feature, available on models like the Cadillac CT6, is an example of this, he said.

“It’s a cruise-control function that not only takes over the acceleration but also the braking and also the steering while it’s engaged,” Plungis explained. “Because none of these systems is fully self-driving yet, the human driver in every case on the road today has to serve as the back-up, and has to be paying attention in case something happens.”

To make sure that happens, Super Cruise has a camera on the steering column that monitors the driver’s attention through eye and other body movements.

“If you’re looking at your phone or you turn your head, it will issue warnings, and if you don’t respond, it will pull over and stop on the side of the road,” Plungis said of the feature.

But what if the camera actually records video and GM has access to that video, Plungis wonders. He said that Consumer Reports spoke with the automaker and officials said they are not recording video images through this feature. Still, “If there is video or audio or other kind of highly sensitive information such as precise geo-location [being recorded], all of that data needs special attention and special controls,” he said.

While auto makers want to use this data to help them refine the design of their cars, it also has the potential to be used against the driver in case of an accident or misused in another way, he said. And at this time, it’s not clear whether the Driver Privacy Act, which gives ownership of car data to consumers, applies to data that’s transmitted over the air to auto companies, Plungis said.

“It seems like there may be a loophole that’s emerged to override this important consumer protection,” he said.

Consumer protection a top priority

To help close that loophole, Consumer Reports has some basic guiding principles for automobile manufacturers to keep data collected in their cars in the hands of the owners of those vehicles so it can’t be shared or used without their consent.

First, the group believes that the data collected should be as narrowly defined and closely targeted as possible, Plungis said. Automakers also must clearly articulate in ways that consumers understand and acknowledge how their data is being collected and potentially shared, he said.

“So there is a fear that automakers do already disclose what are their policies, but they may not disclose it at a time or place where the consumer actually understands what’s going on,” Plungis said.

Instead, automakers must present to the consumer exactly what data they are collecting and how it’s being collected “in a way that’s easy to understand and the consumer actually knows where the data is going and how it’s going to be used,” he said.

Automakers also must notify customers in specific instances when they plan to share data with other stakeholders—for example, insurance companies—and not just blanket these deals in a broader disclosure clause that consumers may not read or understand.

“They need to let people know that something material has changed,” Plungis said.

Auto makers should also give consumers a choice when it comes to data sharing, allowing them to opt in or out of this type of activity, he said. “We definitely believe that when it comes to automotive data the car that you own is generating, you are the owner of that data, and the car companies are borrowing it with your permission.”