Rise In Software-Driven Cars Brings Data Privacy Concerns

The first time H* (did not wish to be named), a 29-year-old Tata Nexon.ev user, realised that the car was mining his data was when his car started having charging issues. “I got a call from the service centre [saying] that the car is sending out a couple of signals…please send it across for servicing as soon as you can,” the Mumbai-based electric car owner told The Core. 

H*, who works in digital marketing, said that he was aware that the car, which comes with internet-connected features, would be collecting his data. “It's pretty obvious – if they're giving me the connected features, it's pretty obvious they're gonna track me,” he said. However, he added that there was no direct communication from the company on this during the purchase, and there is a lot of confusion over what data is being collected and how it is being used.

With the rise in the adoption of electric vehicles (EVs) and their dependence on data, come concerns over data privacy and cybersecurity. The automotive space has evolved manifold over the years. Smart (connected) cars and EVs have made private vehicles more software-driven now than they were before. A smart vehicle is usually connected via a SIM and functions like a smartphone on wheels. And like a smartphone, it can see, hear, and track the user. 

Data optimisation helps users with several things like route planning and cautioning about disruptions ahead. But it also allows car manufacturers to accumulate tonnes of personal information, giving rise to privacy concerns. And that has got consumers and the government thinking. The new Data Protection Act is expected to make it mandatory for companies to get informed consent from users on personal data sharing and storing. And if car manufacturers can voluntarily incorporate an informed approach to user data now, they could have a competitive edge, especially with the new generation of younger car owners.

How Is Data Collected And Is It Worrisome?

If your car or scooter has an internet connection and smart features like real-time location sharing and tracking, can connect with other devices like your smartphone and download software updates, it is probably collecting several data points. How this data is used, for how long it is stored, and who it is shared with, is still somewhat ambiguous. 

While some users The Core spoke to were not fully aware of their data being tracked until they were asked about it, all users said the ambiguity was a cause for concern. The new Digital Personal Data Protection Act, passed last year, is set to change this – making the law much more consumer-oriented, but its rules haven’t been notified yet.

One first needs to understand what data points are being collected by these vehicles. “My understanding is that it's primarily on three levels,” Arundhati Kale, a lawyer and policy associate with CyberPeace Foundation explains. First is your telematics – which looks at your driving pattern, your acceleration, speeding, and how many times you break, among other things. Second is your geospatial mapping, looking at your location and which routes you take. And the third would be your battery-related data in the case of EVs.

The company also has access to your data – like your name, address, phone number, email address, IP address, location data, and information about your device as soon as you interact with it, even on its website. 

One may ask – so what’s the harm? Companies do use a lot of this data, like your driving pattern, telematics, and location access, for instance, to better your user experience. Ather Energy, way back in 2019, said they were using real-time data from sensors to map out a complete road profile and analyse driving patterns to display visual alerts of the road ahead. This would alert drivers of, say, potholes ahead. 

And the users The Core spoke to said this was something they preferred. Bazid Ashraf, who works in Chennai, said his big joint family in Kerala owns several connected cars and EVs. “The elders sometimes go and check the speed or the location when my cousins or I have used the car, to keep an eye on it.” 

“It’s helpful – tomorrow if I get into an accident in the middle of nowhere, it’s going to send an alert,” another user said. 

It helps the company as well. A connected vehicle manufacturer will use this data in their research and development to understand how users are driving, and what areas need tweaking for example. “Or if I need to deliver better customer service to my customers, advise them on how to use the vehicle better, how to improve longevity, etc, I can use the data points regarding how that customer is driving the vehicle,” Kazim Rizvi, founding director of research and public policy think-tank The Dialogue, said. 

The Flip Side

But there’s a flip side to this. For one, there is still a lot of ambiguity about where the data is being used or how long it is being stored. It could be shared with third parties, for instance. “User data is a prized commodity. What happens is, if you're not aware of how valuable your privacy is, there is always a challenge that some entities could collect and sell it to third parties,” Rizvi said. 

A review of the privacy policies of some of the leading original equipment manufacturers (OEMs) shows that the language is still very ambiguous. For example, under the section on how long it stores your personal information, Tata Motors (EV) policy states, “We retain personal data/information for as long as we reasonably require it for legal or business purposes.”

Some cars have a feature that tracks routes being driven, and offers route optimisation, helping you reach your destination quicker. “If it is my own data, it is great. But let's say if my data is known to you…then you can over some time, tell me what route I will take, where's my home base, my office, how much time I spend, in each of these locations, who my friends are…So it creates a lot of privacy concerns,” Praveen Sasidharan, partner, cyber emerging technology at accounting firm Deloitte, said.

A global review of 25 car brands by Mozilla Foundation gave cars that they reviewed titles like ‘Worst Product Category’ for privacy. Out of these, Hyundai, Kia, Honda, and Toyota – leading brands in India – scored a “super creepy” in the Mozilla guide, for collecting data including sexual activity, genetic information, and geolocation and sharing it with marketing companies or law enforcement agencies. As many as 19 of the 25 car brands reviewed also stated that they sell users’ personal data.

There is also the risk of cybersecurity – someone hacking into your vehicle, for example, and accessing your information or even controlling some of its functions. There have been several documented instances of Teslas being hacked by researchers or ethical hackers. Researchers have showcased vulnerabilities that would allow hackers to turn off lights, honk the horn, open the trunk, activate windshield wipers, and more. Charging grids are also vulnerable. In 2022, Russian public chargers were hacked to display pro-Ukraine messages. 

Software-driven vehicles also function on millions of lines of code for everything from deploying airbags to blind spot assistance or lane keep assistance and driver attention systems. “Let's say this fails. It could cause chaos – injuries and death to the passengers and also to the pedestrians,” Sasidharan pointed out. 

Are Users Concerned? 

A survey by Deloitte in 2020 showed that nearly 70% of Indians were concerned about data privacy in connected vehicles. A more recent survey by LocalCircles revealed that 62% of Indian car buyers consider data privacy as a significant factor in their purchase decisions.

Users that The Core spoke to complained about the lack of transparency and choice. “My thought goes, what can I do? I don't have a choice,” Pune-based Mihir Khot, who owns an Ola Electric scooter, and a Tata Tigor EV, said. You can either sign the privacy policy and purchase the vehicle or refrain from it completely. H* added that while he could deny permission at some points on his smartphone app, it started working slower. 

S* (did not wish to be named), an entrepreneur based in Odisha, recently signed up to buy Tata Motors’ latest launch - the Punch EV. His decision to purchase the car, was in part, driven by the fact that it doesn’t come with an e-sim. But it wasn't a significant factor. "On a scale of 1 to 10, I would have a 2 or 3 for privacy in a car," he said.

“The one thing that is an issue to me is that – what are you doing with that data? Are you selling it to third-party vendors?” H* said. 

There is ambiguity in this as well. Tata’s EV privacy policy, for instance, states that “we do not sell or rent your personal details to third parties for marketing purposes. However, for data aggregation purposes we may use your personal data, which may be sold to other parties at our discretion.” 

Privacy policies we reviewed had options for revoking consent for sharing personal data with such third-party service providers by writing to the company. TVS Motors’ policy for iQube, however, adds the caveat – “you acknowledge that on exercising such an option, we may not be able to provide you with services associated with such personal information”. 

When asked whether they had tried these methods, users told The Core that they would find it too complicated to go about this. 

A New Law Changing The Landscape

The Digital Personal Data Protection Act, 2023 is expected to change the way companies collect, process, and use data when it comes to building, driving, and expanding business models, Rizvi said. 

It would put the onus on the companies to get informed consent from users. A company has to clearly state what data it is storing, where and for how long, and what purpose it will be used for. This needs to be done in clear language, so users can understand, and be available in all official languages used in India, not just in English. 

While the rules are yet to be notified, OEMs have already started making changes, Sasidharan said. Once rules are notified, there would be clarity and a clear timeline on when the companies would have to incorporate the new guidelines.

Certain companies are already updating privacy policies to make them more comprehensive, and using language that is easy to understand for users. Ola Electric’s policy page now states, “This policy is updated continuously to reflect the measures taken by us in relation to your personal data.” 

There are also measures in the pipeline for safety and security as well. The Automotive Industry Standards (AIS) in India – AIS 189 and AIS 190 – which are currently in the draft stage, will specify a framework for manufacturers to include cybersecurity management in their vehicles. “We are hoping that it will be a law by the third quarter of this year,” Sasidharan said. However, there is no official news on that yet. However, he said that it is likely that OEMs might get 2027 as the deadline to implement these. 

While the timeline for both laws is still unclear and may take a while, companies incorporating these right now will get a competitive edge. “Younger generations are very keen to know about how their data is being used…So definitely, this is a selling point,” Sasidharan said. 

He said that companies should advertise the fact that they are offering better security. 

“So this is now no longer a hygiene factor…I would definitely encourage OEMs to go ahead and advertise as part of their selling strategy or marketing strategy,” he added.