It looks like tech-savvy drivers will have to lead connected car data purge

Manufacturers seem reluctant to do anything about it

Got Tips? 37

The privacy issues thrown up by connected cars don't seem to be going anywhere soon.

Drivers of cars from BMW, Jaguar Land Rover and Mercedes-Benz have reported that previous owners retain unfettered access to the data and controls of connected cars after resale. The problem is international and extends to hire cars due to drivers connecting their smartphones to rented rides.

If smartphones are spies in your pocket, connected cars are spies on wheels.

Matt Watts, the IT worker whose travails with his Land Rover first encouraged us to look into the issue, said connected cars also pose a tracking risk in incidents of relationship breakdowns.

"You go somewhere they'd never expect you to be and yet a short time later they track the car and turn up! This whole topic has so many more implications than any of us realise and people simply aren't aware."

Watts told El Reg that he has relayed his concerns to relevant charities but is yet to hear back from them.

Used connected cars need disconnecting, as the UK's National Cyber Security Centre pointed out after our initial report.

Consumers have got used to the idea of factory resetting their smartphone before selling it on. Cleaning out a car before resale or after a rental is a well-understood practice but this applies only to the contents of a glove box and not to the data a connected car holds, which can include sensitive travel movements, contact details, call records from tethered smartphones and more.

Drivers normally get a warning when they hook up to their car through bluetooth but this is omitted when a USB connection is made, so motorists can unwittingly transfer their smartphone contacts and call logs onto the systems of leased or rented cars.


US car industry executive turned privacy advocate Andrea Amico said that almost every rental car is returned without the removal of private data, a problem that is replicated in the case of second-hand car sales. He blamed the complexity of the process of deleting data from connected cars – a procedure often only explained in the small print of long car manuals.

Amico told El Reg: "Infotainment systems, even from the same manufacturer, come with a variety of both hardware and firmware. Even within the same manufacturer and year of production, variances between models can go from small to huge. If it was truly easy and intuitive to delete information we would not see the statistics we see."

Amico is marketing a free mobile app called Privacy4Cars, which provides step-by-step tutorials to help users quickly erase personal information such as phone numbers, call logs, location history and garage door codes from vehicle infotainment systems.

Users are able to select from hundreds of vehicle makes, models and years. The same tech is been sold to the car industry (fleet management companies, car rental or car sharing operators, dealer groups etc.) commercially and as a software development kit that can be embedded into existing apps.

Amico, who heads up the privacy efforts at International Automotive Remarketers Alliance, said the app is as useful for European drivers as US car owners.

The Society of Motor Manufacturers and Traders, a UK trade body, said that although car makers have a responsibility for data processing, consumers also have to get into the habit of removing their data and dissociating their smartphones when they sell on their connected cars.

Is it realistic to expect buyers of second-hand cars to know if the car has been connected? The response from the car industry has been to put the onus on the previous owner to delete data while minimising the role of manufacturers to come up with a thought-through process for dealers to enforce.

ICO connection

Car makers typically run the apps and manage the servers through which connected car services are delivered, making them "data controllers" under the General Data Protection Regulation. Privacy watchdogs are actively examining the issues created by connected cars.

The UK's Information Commissioner's Office was a co-sponsor of the International Conference of Data Protection and Privacy Controllers' resolution on connected vehicles (PDF) that was put together last September. The ICO advocates a privacy-by-design approach, which would appear to require bringing manufacturers on board and may be difficult to apply to cars already on the road.

An ICO spokesperson told El Reg: "Data protection laws require the collection and use of personal data to be fair and transparent. Being clear with individuals about the use of their data, and providing options to control that data, are important matters for organisations to get right – particularly where new technologies and new ways of processing data are being introduced into existing products or services. This applies just as much to connected vehicles as it does to any other device or product.

"A key way this can be done is by considering privacy issues at the design stage, and by taking appropriate actions to address them. However, it isn't just about data protection compliance – it's about building trust among consumers, giving them good customer service and treating them with respect."


In response to our previous stories on connected cars, Reg readers have suggested the Driver and Vehicle Licensing Agency could have a role in easing the privacy headaches posed by connected cars.

When a car is sold, scrapped, or disposed of to a dealer in the UK the DVLA must be informed. Dealers have access to the DVLA database.

"Some way of linking the DLVA owner change event to a scrub it clean event ought not to be beyond the bounds of possibility," suggested Reg reader Neil Barnes.

Government IT projects have a dire reputation but the DVLA's driving licence verification tool protects privacy and is seen as something of a success. Whether the DVLA would be willing to accept a privacy regulating role that's outside its remit is questionable, as other readers have pointed out. ®

Sign up to our NewsletterGet IT in your inbox daily


Keep Reading

Heavy data protection regulation looms in Labour plans for post-Brexit flows and IoT devices

Westminster Hall debate shows parties in harmony over sticking their oar in

Microsoft embraces California data privacy law – don't expect Google to follow suit

Software giant promises to extend protections across US

British Airways and Marriott UK data protection fines deferred again as coronavirus shutdown hits business

May and June are new due dates and neither firm is going down quietly

Amazon straightens up its IoT house, complete with virtual Alexa, ahead of Las Vegas shindig

re:Invent Coffee machines will listen to you if vendors implement it

Pop quiz: Who's responsible for data protection compliance in the cloudy era? If you said 'dunno', you're not alone

Survey is thinly veiled marketing from Microsoft, but the issue is real

Apple and Google tweak key bits of contact-tracing privacy plan

As European nations back decentralised plan that leaves data on the device until users call in sick

Hanoi rocks for R&D – just ask Samsung: Chaebol starts work on $220m AI, IoT, 5G facility

Pandemic-dodging Sammy continues tradition of investment in Vietnam

Twitter takes away twits' ability to limit ad data sharing – after telling investors its own privacy settings hurt revenue

Except you in Europe and UK, you still get to control over analytics fuel

Advertisers want exemption from web privacy rules that, you know, enforce privacy

They also want a ban on interfering with their cookies

And we're back with the third review of Privacy Shield: Meh, sighs the European Commission

The US could do more, but it's like pulling teeth

Tech Resources

How to Fortify Your Organization’s Last Layer of Security – Your Employees

People impact security outcomes, much more often than any technology, policy or process.

Staying Healthy and Secure

Leaders will share how to create a vibrant, secure remote community that promotes safety, productivity, and engagement

How to simplify data protection on Amazon Web Services

The way we backup and restore has changed, but the outcomes are often just as bad. If you’re waiting hours to restore, or keeping terabytes of data because you don’t know if you can delete it, you’re wasting your time and your money. So imagine a service that restores in seconds, even individual files. Join Sebastian Straub, N2WS’s “personable IT magician” and Danny Michael, Head of IT at Gett, who promise to show us a better way in a live Regcast.

Third Party Privileged Access to Critical Systems

Third party privileged access is everywhere.