What does your car know about you? We hacked a Chevy to find out your car is likely collecting about 25 gigabytes of your data per hour — but ask automakers what they do with it all, and they clam up.
Behind the wheel, it’s nothing but you, the open road — and your car quietly recording your every move.
On a recent drive, a 2017 Chevrolet collected my precise location. It stored my phone’s ID and the people I called. It judged my acceleration and braking style, beaming back reports to its maker General Motors over an always-on Internet connection.
Cars have become the most sophisticated computers many of us own, filled with hundreds of sensors. Even older models know an awful lot about you. Many copy over personal data as soon as you plug in a smartphone.
But for the thousands you spend to buy a car, the data it produces doesn’t belong to you. My Chevy’s dashboard didn’t say what the car was recording. It wasn’t in the owner’s manual. There was no way to download it.
To glimpse my car data, I had to hack my way in.
Spilling our Chevy Volt’s secrets (What does your car know about you? We hacked a Chevy to find out)
What does your car know about you? We hacked a Chevy to find out, Jim Mason hacks into cars for a living, but usually just to better understand crashes and thefts. The Caltech-trained engineer works in Oakland, California, for a firm called ARCCA that helps reconstruct accidents. He agreed to help conduct a forensic analysis of my privacy.
I chose a Chevrolet as our test subject because its maker GM has had the longest of any automaker to figure out data transparency. It began connecting cars with its OnStar service in 1996, initially to summon emergency assistance. Today, GM has more than 11 million 4G and/or LTE data-equipped vehicles on the road.
Modern vehicles don’t just have one computer. What does your car know about you? We hacked a Chevy to find out, there are multiple, interconnected brains that can generate up to 25 gigabytes of data per hour from sensors all over the car. Even with all our gear, we could only access some of these systems.
This kind of hacking isn’t a security risk for most of us — it requires hours of physical access to a vehicle. We brought a laptop, special software, a box of circuit boards and dozens of sockets and screwdrivers.
We focused on the computer with the most accessible data: the infotainment system. You might think of it as the car’s touch screen audio controls, yet many systems interact with it, from navigation to a synced-up smartphone. The only problem? This computer is buried beneath the dashboard. After an hour of prying and unscrewing, our Chevy’s interior looked like it had been lobotomized.
(Don’t try this at home. Seriously — we had to take the car into a repair shop to get the infotainment computer reset.)
What does your car know about you? We hacked a Chevy to find out it was worth the trouble when I saw my data. There on a map was the precise location where I’d driven to take apart the Chevy. There were my other destinations, such as the hardware store I’d stopped at to buy some tape.
Among the trove of data points were unique identifiers for my and Doug’s phones, and a detailed log of phone calls from the previous week. There was a long list of contacts, right down to people’s address, emails and even photos.
Infotainment systems can collect even more. Mason has hacked into Fords that record locations once every few minutes, even when you don’t use the navigation system. He’s seen German cars with 300-gigabyte hard drives — five times as much as a basic iPhone 11. The Tesla Model 3 can collect video snippets from the car’s many cameras. Coming next: face data, used to personalize the vehicle and track driver attention.
GM spokesman David Caldwell declined to offer specifics on Doug’s Chevy, but said the data GM collects generally falls into three categories: vehicle location, vehicle performance and driver behavior. “Much of this data is highly technical, not linkable to individuals and doesn’t leave the vehicle itself,” he said.
The company, he said, collects real-time data to monitor vehicle performance to improve safety and to help design future products and services.
But there were clues to what more GM knows on its website and app. It offers a Smart Driver score – a measure of good driving – based on how hard you brake and turn, and how often you drive late at night. They’ll share that with insurance companies, if you want. With paid OnStar service, I could, on demand, locate the car’s exact location.
It’s likely GM and other automakers only keep just a slice of the data cars generate. But think of that as a temporary phenomenon. Coming 5G cellular networks promise to link cars to the Internet with ultra-fast, ultra-high-capacity connections. As wireless connections get cheaper and data becomes more valuable, anything the car knows about you is fair game.
Disconnecting in today’s connected age
GM’s view, echoed by many other automakers, is that we gave them permission for all of this. “Nothing happens without customer consent,” said GM’s Caldwell.
When my volunteer Doug bought his Chevy, he didn’t even realize OnStar basic service came standard. There is no button or menu inside the Chevy to shut off OnStar or other data collection, though GM says it has added one to newer vehicles. Customers can press the console OnStar button and ask a representative to remotely disconnect.
What’s the worry? From conversations with industry insiders, I know many automakers haven’t totally figured out what to do with the growing amounts of driving data we generate. But that’s hardly stopping them from collecting it.
Five years ago, 20 automakers signed onto volunteer privacy standards, pledging to “provide customers with clear, meaningful information about the types of information collected and how it is used” as well as “ways for customers to manage their data.” However,when called eight of the largest automakers, not even one offered a dashboard for customers to look at, download and control their data.
Automakers haven’t had a data reckoning yet, but they’re due for one. GM ran an experiment in which it tracked the radio music tastes of 90,000 volunteer drivers to look for patterns with where they traveled. According to the Detroit Free Press, GM told marketers that the data might help them persuade a country music fan who normally stopped at Tim Horton’s to go to McDonald’s instead.
GM would not tell me exactly what data it collected for that program but said “personal information was not involved” because it was anonymized data. (Privacy advocates have warned that location data is personal because it can be re-identified with individuals because we follow such unique patterns.)
Are any car makers better? Among the privacy policies I read, Toyota’s stood out for drawing a few clear lines in the sand about data sharing. It says it won’t share “personal information” with data re-sellers, social networks or ad networks — but still carves out the right to share what it calls “vehicle data” with business partners.
Until automakers put even a fraction of the effort they put into TV commercials into giving us control over our data, I’d be wary about using in-vehicle apps or signing up for additional data services.
If you’re buying a new vehicle, tell the dealer you want to know about connected services — and how to turn them off. Few offer an Internet “kill switch,” but they may at least allow you to turn off location tracking.
Or, for now at least, you can just buy an older car, without the bells and whistles.