Your new car is probably spying on you.

Modern vehicles are powerful data-scraping machines, warns a group of B.C. privacy advocates, and Canada urgently needs to regulate what companies can do with the information cars send them.

The British Columbia Freedom of Information and Privacy Association (FIPA) published a 123-page report Wednesday, detailing what your vehicle might know about you and who can access that information.

In the report, which is the culmination of a year's worth of research, the group calls for immediate action in creating standards for “connected cars” -- vehicles equipped with the Internet, providing features like navigation and parking assistance, in-car entertainment and a range of safety features.

“Policy-makers have to provide the guidance that the automotive industry desperately needs on how general principles of data protection apply in their sector,” the report reads.

Electronic control units keep track of everything from how fast you drive to how long your car idles and how suddenly you brake, the report says. Your car’s GPS system, for example, also keeps track of your exact location, sending that information to the car’s manufacturer, or possibly a third-party call centre or an insurance agency.

Detailed information about where a person spends their time paints an intimate picture of their life, the report says, and can be dangerous in the wrong hands.

“Such data can be used to embarrass or blackmail a person, to stalk individuals, to steal identities, to facilitate robberies, or to create a profile that can then be used by commercial entities in unexpected ways.”

Vincent Gogolek, the executive director of FIPA, says most people are probably somewhat aware of what these systems can do. General Motors’ OnStar, for example, advertises its ability to detect collisions and other problems automatically.

Ford VP Jim Farley quote

What might not be so obvious to motorists, however, are the consequences of having your car constantly monitored.

“You watch it and you go, ‘that’s really interesting, that’s really useful,’ ” Gogolek told in a phone interview. “Then you go, ‘wait a second -- if they have microphones in the car, can they listen to what I’m saying?’ ”

Though it doesn’t appear GM’s mics are always on, it wasn’t too long ago that a Ford executive unsettled attendees at a data-privacy panel discussion.

"We know everyone who breaks the law; we know when you're doing it,” Ford VP Jim Farley said last year. “We have GPS in your car, so we know what you're doing.

“By the way, we don't supply that data to anyone," he added, later backpedaling.

‘Computers on wheels’

Most car companies have connectivity systems, complete with individual brand names. Honda and Hyundai call theirs “HondaLink” and “BlueLink,” for example. Audi, Mazda and Chrysler have “AudiConnect,” “MazdaConnect” and “uConnect.”

A connected car with a fancy computer system isn’t just an upgrade anymore. In 2012, the U.S. National Highway Traffic Safety Administration (NHTSA) estimated that 96 per cent of 2013-model vehicles have event data recorders capable of tracking information about when airbags are set off, if brakes are applied before a collision, and whether seatbelts are buckled.

The trend is gaining momentum. Chevrolet’s 2016 Malibu will feature a system that lets parents monitor their teen’s driving, providing them with a “report card” of statistics such as the distance their car was driven, the maximum speed it reached and the number of times anti-lock brakes were activated.

This new Malibu was crafted using four decades of data, according to GM.

“Data-collection boxes are placed in cars in real-world driving conditions around the world,” reads their website. “Since 1972, these devices have accurately recorded the harshness and frequency of every jounce, bump and shudder inflicted on the car on roads in the U.S., Russia, Saudi Arabia and developing markets.”

And a recent example of your car keeping tabs on you is rental company Hertz installing driver-facing cameras in their rental cars – though they say the cameras are “inactive.”

The road that led us here

Modern vehicles are essentially “computers on wheels,” the FIPA report says. Mundane statistics like engine temperature, fuel levels and tire pressure are tracked by up to 70 control units powered by millions of lines of computer code.

Computer systems inside vehicles aren’t new, says Gogolek. Anti-lock brakes, for example, use an automated system to stop a car by pumping the brakes more rapidly than a human ever could.

In the beginning, those systems didn’t store any data as they operated. Then, in 1996, on-board diagnostics systems became standard in all vehicles.

The Connected Car

Mandated to monitor emissions as part of the Clean Air Act, these computer-based systems allowed technicians to diagnose problems by tapping into the basic data kept by your car. These are also the systems that operate the “check engine” light, giving warnings that service might be necessary.

As smartphones and wireless technology emerged and became more sophisticated, onboard car computers evolved to collect and send all sorts of data to manufacturers, insurance companies, call centres and other third parties.

“Suddenly you have more and more data being collected,” Gogolek says. “And wherever it’s being sent, it’s leaving the vehicle constantly.”

This is where the road forks: instant access to detailed data can be used to keep consumers safe and the environment clean. But it can also be used to track individuals, or be sold to marketers or other groups who would benefit from knowing the details of your life.

This, Gogolek says, is why it’s important to create comprehensive policy outlining what manufacturers are allowed to do with the personal data they collect – and as soon as possible.

“What we’re suggesting is something that would work for everybody,” he says. “And the time to do it is now.”

Moving towards privacy

Gogolek and his group say connected car technology is rapidly accelerating, but policy defining appropriate practices for collecting and using telemetric data is lagging behind.

The report calls for a set of regulations similar to the safety standards that put seatbelts, airbags and other life-saving technology in every car on the road.

The group says personal privacy laws already exist in Canada; they’re just not being fully enforced when it comes to vehicles.

The federal Personal Information Protection and Electronic Documents Act (PIPEDA) lays out several principles of data protection in most Canadian provinces. Alberta, British Columbia and Quebec also have “substantially similar” legislation guiding the use of personal data.


For example, companies must identify the purposes for which they’re collecting information, rather than just gathering what they can. Individuals also have the right to access the information a company holds about them.

Consumers must also provide informed consent to have their data collected – something the report says often isn’t the case.

“Our review of connected car terms of service and privacy policies ... indicates that automakers are failing to meet their legal obligations under almost every principle of data protection law.”

To fix this, the report recommends specific guidelines when it comes to collecting telemetric vehicle data.

FIPA says data-protection regulations are needed for both the car industry and insurance companies who hope to tailor individual rates based on recorded driving habits. Privacy experts should also be consulted when designing the systems that will be used to collect data, FIPA says.

And Gogolek says “Privacy by Design” principles should be followed as well, comparing an early adoption of privacy standards to safety and environmental rights.

“We’re at a point where this can be done without costing a fortune.”

But this window of time, where the connected car industry is still in its relative infancy, might not be open for long. Cars are ingrained in the Canadian way of life, the report says. And soon, mass-data collection will be ingrained in automakers.

“What is needed in this industry are clear, specific and relevant limits on collection, retention, use and disclosure of personal customer data,” the report concludes. “We need industry-specific data protection regulations for the connected car industry.”