in , , , , , ,

How Your Car Watches Everything You Do And Everywhere You Go

How Your Car Watches Everything You Do And Everywhere You Go

When police came across a crashed Honda Accord in the Great Smoky Mountains National Park in Tennessee, they noticed some opened containers of alcohol. They suspected intoxication may have played a part in the single-vehicle accident that had led to the death of one of the two passengers.

The driver was asked by a National Park Service investigator whether or not he’d been drinking, to which he said he had not. But the sister of the surviving passenger told law enforcement that all three of those inside the car had been consuming alcohol on the evening of the crash.

To try to determine what state the driver was in, the Tennessee Highway Patrol stepped in and determined that they should look at data from the airbag control module (ACM). This hidden part of the car records the approximate speed, the braking and the amount of throttle used by the driver. The police wanted to know what was happening before and during impact. (No charges have been filed against the driver, so Forbes is not revealing his name.)

It’s obvious why law enforcement would want access to such information: it could help prove a driver was in an inebriated state when behind the wheel, or show they were controlled up until the accident. But the warrant also points to a wider issue: how modern vehicles record almost everything a person does when they’re driving.

The ACM is just one of many modules that records what’s happening in a vehicle at any one time. Ben LeMere is a former government forensics officer and the founder of Berla, one of the federal and local law enforcement’s favorite car forensics providers. He explains that the airbag module will typically only store data permanently in the event of a crash. The only information recorded is from the preceding seconds before the accident and during the event. Everything else gets wiped.

But LeMere notes there are many other modules within a vehicle that may record data. Location information, for instance, could either be held in the entertainment systems or in the brake light module, depending on the vehicle. If a phone connects to the infotainment module, it can suck in all contacts from the device, as well as information about its make and unique identifying number. Whatever passengers and drivers have been watching or listening to could also be recorded within the relevant part of the car’s network.

A car is a network now

“Not all cars are equal,” LeMere told Forbes. “It’s tough to say blanket statements like all modern day cars record location data when you’re not using them because that’s not true… some do, some don’t. It could be in the infotainment system, it could be in the telematics module. It could even be in the brake light module… And there’s over 25GB of data per hour flowing around this [car] network, and the modules have to communicate with one another to make the car actually just work. It’s up to the individual developers of those modules what they choose to record.”

Andrea Amico is the founder of Privacy4Cars, which has a free tool that helps consumers remove their personal data from vehicles and works with manufacturers to improve privacy protections. He fears that whilst police in the United States need a warrant to get information from the Event Data Recorder – considered one of the more valuable parts of a network for law enforcement as it’s a hub that maintains data on car usage – they don’t need a judge’s permission before raiding other parts of a vehicle.

“Nobody has been able to point to me which law actually says that you need to have a warrant,” Amico adds. He notes that the law also permits the government to search a car’s network without a warrant when permission is given by the lawful owner of the vehicle. That may not be the driver of the car. It could be a rental company or even a bank, if they’re financing the purchase, Amico says. “We think that this is really problematic.”

But LeMere says in his experience police typically do get the permissions they need before grabbing information from automobiles. “Best practice here in the United States is that police would absolutely get a warrant…. Every cop that I know wants to do it the right way. They’re going to get the paperwork, they’re going to do the work, get the court order.”

Sometimes police can also go to the manufacturers themselves to get the data they’re after. As Forbes recently reported, GM’s OnStar has repeatedly been called on to provide location data to the police, whilst fleet management providers like Geotab and Spireon have also been asked to cough up similar information.

What’re car makers doing with your data?

But LeMere believes a more valid concern is what car makers, parts manufacturers and their advertising partners are doing with all that data flowing around a vehicle’s network. Just as internet giants like Facebook and Google make money from their users’ data by funnelling it to advertisers, car companies are doing the same with their customers’ information. The automotive market is just as convoluted as the internet industry when it comes to where people’s data goes and how it’s used. But there is, occasionally, some transparency. Take, for instance, GM’s privacy policy that notes it has “disclosed or sold Personal information to third parties for a business or commercial purpose in the preceding 12 months in the following categories: Identifiers and internet or similar network activity.”

“We all as citizens of the world are giving our privacy away to Apple and Google, and the automotive manufacturers and no one’s going to jail over it,” LeMere adds. “We give up our data every day, all day long, freely to these companies that use it in really more egregious ways than the government.”

This story is part of The Wire IRL feature in my newsletter, The Wiretap. Out every Monday, it’s a mix of strange true crime and real-world surveillance, with all the relevant search warrants and court documents for you to pore over. There’s also all the cybersecurity and privacy news you need to read. Sign up here.

What do you think?

California teenager invents AI-powered tool for early wildfire detection

California teenager invents AI-powered tool for early wildfire detection

China’s Cybersecurity Regulator Targets More U.S.-Listed Tech Companies After Didi Investigation

China’s Cybersecurity Regulator Targets More U.S.-Listed Tech Companies After Didi Investigation