Most major automakers share driver location data without a warrant or court order despite having publicly pledged not to do so, a congressional investigation released Tuesday revealed.
Only five of 14 queried auto manufacturers require a warrant or court order before giving law enforcement connected car owners’ location data, and only one alerts customers to law enforcement requests for their information, they found.
A fifteenth automaker, Volvo, did not respond to senators’ request for information, which was made through an unnamed auto industry association.
The automakers have all pledged through their primary industry association to protect car owners’ location data and to insist on warrants or court orders before giving law enforcement the data — a promise the senators called deceptive in a press release.
Sen. Ron Wyden (D-OR) made the inquiry, and Sen. Ed Markey (D-MA) has been a leader on the issue. They jointly sent a letter to the Federal Trade Commission (FTC) on Tuesday demanding an investigation.
Toyota, Nissan, Subaru, Volkswagen, BMW, Mazda, Mercedes-Benz and Kia all acknowledged that they only require subpoenas, which do not require a judge to sign off, before sharing the location data with government agencies, the senators said.
The senators noted that Volkswagen said it insists on a warrant for more than a week’s worth of location data.
“Automakers have not only kept consumers in the dark regarding their actual practices, but multiple companies misled consumers for over a decade by failing to honor the industry’s own voluntary privacy principles,” the letter said. “To that end, we urge the FTC to investigate these auto manufacturers’ deceptive claims as well as their harmful data retention practices.”
The global auto industry’s only visible association, the Alliance for Automotive Innovation, released a statement saying car manufacturers are “committed to protecting sensitive vehicle location information.”
“This is a complex issue,” the statement said. “Vehicle location information is only provided to law enforcement under specific and limited circumstances, such as when the automaker is provided a warrant or court order or in situations where there is an imminent threat of serious bodily harm or death to an individual.”
The statement appeared to rebut Wyden’s findings, which he said he obtained from auto manufacturers through the unnamed industry association. It is unclear why the statement from the Alliance for Automotive Innovation appeared to contradict automakers’ admissions to Wyden. A spokesman for the association did not reply to a request for comment on that point.
At a March event hosted by the Future of Privacy Forum, Hilary Cain — the association’s senior vice president for policy — repeatedly referred to the automakers’ voluntary principles in explaining the industry’s commitment to privacy, calling them “industry standards.”
According to the senators, in some cases the auto manufacturers store location data for a decade or more, while others are quick to erase it.
Mercedes-Benz told the senators the company “does not engage in the systematic collection of historical location data from the vehicle.” It said it only stores where a given vehicle has most recently parked and erases that data once a vehicle is moved.
But the senators said Hyundai acknowledged it “routinely” collects and retains vehicle location data for as many as 15 years, Toyota for as many as 10 years, and Honda for as many as seven years.
In 2014, a group of now-defunct auto industry associations wrote a letter to the FTC promoting their pledge that “requests or demand from governmental entities for geolocation information, must be in the form of a warrant or court order,” except in emergencies or with the consent of the vehicle owner.
The Automotive Alliance for Innovation has said it reviews and updates those pledges every two years and still makes the promise not to give law enforcement location data without a warrant or court order.
“These companies are not just less protective of their customers’ privacy,” the senators said. “Their policies directly contradict the public commitment the companies made and invited the FTC to enforce.”
Connected car data is uniquely vulnerable to law enforcement, as Recorded Future News reported in December. The contents of emails, private photos saved in the cloud, and mobile phones all require a warrant for law enforcement to access in keeping with Fourth Amendment protections against unreasonable searches and seizures.
“Consumers can only vote with their wallets when companies — or regulators — make such important product information available to the public,” the senators wrote to the FTC. “In this case, automakers have not only kept consumers in the dark regarding their actual practices, but multiple companies misled consumers for over a decade by failing to honor the industry’s own voluntary privacy principles.”