Automakers cleared in privacy lawsuit. Are your texts and call logs at risk? And what other data is being collected?

iPhone connected to a car with CarPlay displaying on the dashboard screen.
David Choffnes shares his thought on a recent ruling concerning automakers collecting texts and call log data. Photo by: Frank Duenzl/picture-alliance/dpa/AP Images

A federal judge in Seattle has thrown out a class-action lawsuit alleging that some of the top automakers had used vehicles’ onboard infotainment systems to record and intercept drivers’ texts and phone call logs. 

The judge, upholding the dismissal of a lower court, ruled that the practice did not violate the Washington Privacy Act, noting the plaintiffs failed to prove the activity threatened “their business, person or reputation.”

Honda, Toyota, Volkswagen and General Motors were among the automakers being sued. A case was also brought against Ford, but it had been dismissed earlier. 

Northeastern Global News caught up with David Choffnes, associate professor of computer science and privacy and cybersecurity expert, to get his thoughts on the ruling. 

This interview has been edited for brevity and clarity: 

Cars are increasingly becoming more computerized and being outfitted with new types of cameras, sensors and other tools to help collect data. What impact do these developments have on a driver’s security and privacy? 

Headshot of David Choffnes
Assistant professor David Choffnes. Adam Glanzman/Northeastern University

For the longest time, our cars were just cars. You got in them to go somewhere. If there was a crash, maybe there was some data stored in them to tell you how fast you were going up until that point. But for the most part, we didn’t see them as pieces of digital technology. 

Over the past decade, maybe a little bit longer, we’ve been seeing more and more technology. Of course, we started with simple things like CD players to now being able to generally always be connected to the internet some way or another and having all kinds of additional sensors on the car. Our connected cars today have everything from cameras and microphones to connections to our smartphones and, with the recent federal court case, the ability to read data from our phones.

If you’re using CarPlay or Android Auto, you’re projecting your phone onto the screen of the car. One way of looking at this is it’s like you’re streaming TV using a streaming app. Well unfortunately, just like TV companies are trying to recognize what content you are watching and send it back to the manufacturers, now we have concerns about what the car manufacturer is getting on your screen. We need to increasingly think of these as basically rolling sensors. Their cameras are always on, capturing what’s going on around the car as well as, depending on the vehicle, what’s happening inside the vehicle.

How consequential is this ruling in terms of its impact on American drivers? 

I’m not a lawyer … but I think the important thing to realize is that this is not a great sign. Text messages and call logs have always been considered pretty sensitive information. If the government were collecting that information without a warrant, it would be illegal. And just because it is legal currently, according to the ruling, for car companies to collect this data, it doesn’t mean that we should be OK with it. 

And it does raise the question as to what else might they be collecting and what will courts enforce on that.

So, for instance, could the Federal Trade Commission look into this and see that this is a deceptive and unfair business practice independent of the Washington privacy law? If car companies are taking this data, are they doing it in ways that are not made clear to consumers with no way for consumers to opt out. … If those conditions hold, then what the car companies are doing is a violation of the FTC Section 5, the prohibition against unfair and deceptive business practices. 

Why would automakers be interested in collecting people’s text messages and mobile phone log data? 

This is going to be hypothetical, but we almost always think about it in terms of incentives. Maybe they figure out who you are texting and they start directing ads toward them. “This is somebody who knows somebody who has this kind of vehicle. Maybe we can have a better chance of selling them that kind of car.” 

It could be that they sell it to law enforcement because law enforcement wants to know who you’re texting, who you’re calling, and law enforcement can’t collect it directly themselves. It was recently disclosed that the FBI actually bought data from data brokers about people’s GPS location. Why not buy this data if they can basically get around the Fourth Amendment in doing so?  

How are researchers in your field studying connected vehicles and their impact on user privacy?

The answer is there’s not much going on here. There’s been research on car security that dates back over 10 years. A group out of the University of Washington and UC San Diego had done all kinds of studies in collaboration with car manufacturers on how to hack cars. This is a big thing. You can’t just go and hack cars willy-nilly. If you don’t do it carefully, you can actually get people killed. That’s why they worked with manufactures so it wasn’t adversarial. 

One of the biggest impediments here is that cars are not cheap. Getting your hands on a modern connected car is going to set you back many tens of thousands of dollars. Believe it or not, taxpayers may not look at us buying $50,000 vehicles with taxpayer money through federal grants as the best use of that money. That’s one of the biggest challenges — getting your hands on the cars.  

The other challenge is the network connections they use to send data tend to be over cellular networks, which makes it much harder for us to instrument. These are not simple mobile devices. If I’m testing a phone, I can plug it into my computer and run apps and see what they do. I can even see what the operating system is doing because I can intercept the Wi-Fi communication and give it no cell connection so I have full control of everything. You can’t really do that with a car. 

Also if I break a phone, I can replace it very cheaply. You can’t replace a car very cheaply.

Cesareo Contreras is a Northeastern Global News reporter. Email him at c.contreras@northeastern.edu. Follow him on X/Twitter @cesareo_r and Threads @cesareor.