The Complicated World of Used Car Data
By Naomi Brockwell, Founder and Director of NBTV
Cars as Data Collection Machines
Modern cars are horrendous data collection machines. They listen to you, film you, ingest the contacts and photos from your phone, and share this information with countless third parties. Some car companies even collect information about your sexual activity as per their privacy policies.
A giant shift has happened over the past 20 years, where our cars became smart devices with hundreds of computers collecting and analyzing data about your activities. These computers are networked together and share information with each other, but your car is also connected to the internet, sending a trove of your data to remote servers.
The Data Dilemma When Selling Your Car
Given the vast amount of information stored in our cars, what happens when we sell them? Do we just hand this sensitive information off to the next owner? On top of that, given the remote capability of modern cars, how do we make sure that the previous owner of our car doesn’t still have access to our location and cameras? This article explores the complexities of the modern car-surveillance world, and provides practical tools for dealing with used vehicles.
Expert Insights on Car Data
Andrea Amico, founder of Privacy4Cars, Woody, a renowned digital tracking expert, and Sam Curry, a famous car hacker, provide insights into these questions. Woody points out, “When you sell a vehicle or if you lease a vehicle, there's a lot of data that can go with that vehicle. You’re giving away personal information. You’re giving away where you go, your vacation spots, where your family goes … those patterns of life are all stored on that vehicle you sell.”
Sam shares a story about buying a used Tesla and discovering that the previous owner had left their home address and garage door opener saved in the head unit. This information could have easily been used to access the previous owner’s home.
Under the Hood: Telematics and Event Data Recorders
Beyond what can be accessed through the infotainment system, there are telematics units that send data like real-time location tracking, vehicle diagnostics, and driving behavior to manufacturers and third parties. For example, the Event Data Recorder (EDR), akin to an airplane's black box, captures critical data during incidents, such as speed, throttle position, brake use, and airbag deployment details.
Accessing the bulk of the data inside your car’s network of computers requires specialized equipment. The OBD port (On-Board Diagnostics), usually found under the dashboard, allows access to this internal network, where data from various electronic control units can be analyzed.
Real-Life Examples of Data Vulnerability
Andrea Amico recounts his experience running a vehicle inspection company: “I turned on a car and within minutes knew it was owned by a woman, an engineer. I knew where she lived, had access to her garage, knew where her kids went to school and where they went on play dates, and even that she was a breast cancer survivor.” This experience from nearly a decade ago highlights how much worse it is now with advanced technology.
When selling your car, it’s crucial to understand that all this data goes with it. Over four out of five cars are resold by dealerships with the data of previous consumers. People rarely realize how much data they’re giving away when selling a vehicle. Most people focus on selling the car, not on data privacy.
Renting a Car: A Similar Concern
It’s not just when selling a car that we need to be mindful of data privacy. Renting a car also poses risks. Consider when you turn on your rental vehicle and see 200 previously connected devices in the Bluetooth settings. Previous renters rarely remove their data before returning the car — In our rush to return vehicles, deleting data is usually the last thing on our minds.
Steps to Protect Your Data
We need to start thinking about our cars the same way we think about our computers and phones. Just as we delete data from our phones before replacing them, we should do the same for our cars.
How do we do this, though? Data relating to vehicle performance or telemetry may be stored in areas consumers can’t easily access, and some apps send data to the cloud.
One thing that you can do to decrease data collection is to be mindful of which apps you enable in your car in the first place.
One area where we have more control is the infotainment system, or head unit, usually located in the center of the dashboard. These systems store data from our phones, including contact lists, call logs, text messages, and sometimes even a full copy of your phone. Woody emphasizes that most people don’t realize how much personal data is transferred when they connect their phones to a car.
Deleting Data from the Head Unit
Privacy4Cars offers a database with instructions on deleting data from various car models. For example, on a 2015 Ford Ranger, they show how to navigate to the Master reset button, and on a 2024 Toyota 4Runner, the “Delete Personal Data” button. They even list cars that don’t store data in the head unit, providing peace of mind when selling your car.
For added security, Woody suggests replacing the entire head unit before selling your vehicle. While prices vary, an extra head unit can ensure none of your data transfers to the new owner.
When Buying a Used Car
When buying a used car, ensure the previous owner no longer has access to remote features. Andrea recommends downloading the car’s app, creating an account, and syncing it with your car to notify the manufacturer that you’re the new owner. This process should cut off the existing owner from the app.
Privacy4Cars can automate contacting dealerships and manufacturers to ensure your privacy, preserving anonymity while advocating for you.
Recap and Future Steps
To recap, when selling your car, delete data from the head unit or consider replacing it. When buying a used car, disconnect any existing devices synced to the vehicle and use services like Privacy4Cars to understand and remove monitoring services.
This doesn’t solve the problem of car data collection, but it’s a great start. In our next installment, we’ll discuss making your current car more private, like disabling the Wi-Fi and SIM, and understanding the privacy tradeoffs of remote services.
The world of car privacy is complex, and we’re only beginning to understand how much of our car activity is shared and where our data ends up. Awareness is key. Once we understand what’s happening with our data, we can make better choices and push back against invasive practices.
Support and Call for Tips
NBTV is funded by community donations. If you found this article useful, consider visiting nbtv.media/support. For those starting out, check out our Beginner’s Introduction to Privacy book, which supports our channel.
Data harvesting is opaque, and not many people talk about it. If you work in the automotive industry and have insights into data collection practices, we’d love to hear from you. Reach out privately at tips.tccug@simplelogin.com.
A version of this article first appeared in video form on NBTV. NBTV is a non-profit educational platform that teaches people how to reclaim control of their lives in the digital age. NBTV and The Ludlow Institute give people the tools they need to take back their privacy, money, and free online expression.
Learn more at NBTV.media