Car manufacturers are engaging in a “privacy nightmare” by scraping sensitive user data and potentially selling it to unknown actors, according to a new report on the widespread terrible practices in the industry.

Mozilla’s Privacy Not Included found 25 major car brands are “terrible at privacy and security” of user data, and their policies allow widespread scraping of personal data well beyond the scope of transport, such as medical history, genetic information, sex life and where you drive.

Dali Kaafar, executive director of the Macquarie University Cyber Security Hub, said internet-connected smart cars create an ecosystem with other devices to gather as much data as possible on users.

“Customers and users — at the end of the day —do not have a choice and any notion of consent about the possibility of who accesses data becomes obsolete,” he said.

“The report highlights that a lot of the functionality and features will be disabled if you say no.”

Eighty four per cent of car manufacturers share or sell user data, according to their privacy policies, turning consumers’ private information into a side product to be sold for research, marketing or ‘business purposes’.

The data being collected includes facial expressions, weight, health information, where people drive and, in some cases, sexual activity, race and immigration status gathered from third-party apps.

The almighty dollar

The worst offender, according to Mozilla, was Nissan, whose privacy policy includes the right to sell or share “preferences, characteristics, psychological trends, predispositions, behaviours, attitudes, intelligence, abilities and aptitudes” to data brokers, police and third parties.

Nissan was named the worst offender by Mozilla. Photo: Nissan

Professor Kaafar said the ultimate goal of collecting expansive personal data of users is “dollars, dollars and dollars”.

“When you are enabling connectivity to the mobile app, that probably means you are giving them a lot more than what you think you’re giving them access to,” he said.

“In the privacy policies, they are giving themselves the freedom to collect that data and to sell it, what we don’t know and the tricky thing to find out is how that data is being sold and to whom.”

Only two of the 25 car brands reviewed by Mozilla give users the right to have their data deleted, Dacia and Renault, which Professor Kaafar said is likely because they are positioned within the European Union and are therefore subject to its strict privacy legislation.

“The majority of these brands that are collecting this data have really bad track records when it comes to data breaches and the level of security they’ve shown in the past,” he said.

“It goes way beyond travelling from point A to B. It’s also very personal information like age, probably your work and home address, your favourite cafes, your daily life and lifestyle habits.”

He said car manufacturers are using the opportunity to collect data as a way to monetise their customers even further.

“What is really striking and pretty scary is that the vast majority, if not all, are really having exceptionally bad practices when it comes to privacy,” Professor Kaafar said.

“They are essentially trying to find loopholes in the privacy regulation to go around the need for them to protect their customers’ privacy.”

Further action needed

Some major car brand privacy policies are more than 9000 pages long, creating a mountain of information for consumers to scour through if they want to truly know where and how their personal data is being used.

Professor Kaafar said he hopes the report will encourage legislators to hold car companies accountable for how they treat customer data.

“Down the track, there’s going to be something they didn’t account for while they’re sucking up all the data from their customers,” he said.

“When there is a data breach in a couple of months or years, that’ll be a deeply damaging thing for them.”

Seventy nine per cent of the companies’ privacy policies allow them to sell the data without any recourse from consumers, and 56 per cent said they can share information at government or law enforcement request, without a court order.

Some manufacturers’ privacy policies allow them to scrape data from third-party apps. Photo: Getty

Professor Kaafar said it should be an alarm signal for customers who worry about their data privacy.

“These companies find ways to do things [that are] a sort of dodgy but legal way because they’re manoeuvring through all these privacy policies,” he said.

“It’s one of those areas where the technology is new for most consumers as well.”

The brands tested by Mozilla are Renault, Dacia, BMW, Subaru, Fiat, Jeep, Chrysler, Dodge, Volkswagen, Toyota, Lexus, Ford, Lincoln, Audi, Mercedes-Benz, Honda, Acura, Kia, Chevrolet, Buick, GMC, Cadillac, Hyundai, Nissan and Tesla.

In the report, Mozilla stated it can not confirm if any brands encrypt the collected data.