Connected cars: What happens to your data after you leave your rental car behind?

Connecting your phone to a rental car could put your data in the hands of other people.
Image: iStock
Confusion over what should happen to data uploaded from phones connected to infotainment systems in rental cars — and who is responsible for deleting it — could be putting the privacy of customers at risk.
鄂尔多斯市安全生产监督管理局关于全市工贸行业企业安全生产专项督…
A new report suggests it is not clear who is responsible for protecting the data that can be uploaded from smartphones when they connect to in-car systems. This data can include location, contents of their smartphone and home address, and it is often stored in the connected infotainment system and is not deleted.
Privacy International rented a series of internet connected cars from vehicle hire and car sharing firms and found that not only was information about previous drivers collected and retained in the infotainment system, it also contained past locations the vehicle had travelled to and was able to identify previously connected smartphones.
“In most of them there were between five and ten different phone identifiers. When you connect to the Bluetooth, it will store your identifier,” Millie Graham Wood, solicitor and legal officer at Privacy International told ZDNet.
“We also looked at the navigation systems: a lot of locations were stored. Places people had driven to you could possibly link up with their name and drive there,” she added.
Cars were rented from hire companies including Sixt, Enterprise, National, Zipcar and Thrifty, while models tested included the Audi A3 and the Nissan Qashqai. Privacy International warns that not enough is being done to ensure that user information is protected, with firms suggesting it falls on the user to delete the data.
“The unanimous responses were, not only is it the individual’s responsibility to delete their data when they return the rental car, the individual is further responsible for informing other passengers who connect their devices to the car that their data is being stored on the car, and not necessarily deleted,” said the What Happens To Data On Rental Cars? report.
如何才能获得业界经验丰富的信息安全专家团队的鼎力支持呢,查看谁能帮您发掘需求、策划、创作和交付整体培训方案。
According to Privacy International, there’s no agreement over if the manufacturer or the hire firm is the data controller.
“That’s a concern: if you don’t know who can access it or know who the data controller is, how can you assert your data protection rights when you want that data removed?” said Graham Wood.

One rental company – Thrifty – were quick to say they were creating an internal policy on deleting driver information as part of GDPR, while Sixt also said it is working on a policy to cover users and are committed to all matters GDPR.
Enterprise told Privacy International it’s the responsibility of the users to ensure the data was deleted from the infotainment system.
“It is the vehicle user’s choice and responsibility to use and remove data via the infotainment options available in each vehicle,” the company said in a statement.
“We cannot guarantee the privacy or confidentiality of such information, and you must wipe it before you return the Vehicle to us. If you do not do this, the next users of the Vehicle will be able to access this information,” Enterprise added.
A spokesperson for Enterprise Holdings – which incorporates Enterprise, Alamo and National – told ZDNet “”Enterprise welcomes all attempts to highlight the challenges associated with the use of infotainment systems in rental vehicles and hopes that the Privacy International report will assist in moving that debate forwards.”
See also: What is GDPR? Everything you need to know about the new general data protection regulations
Most of the companies involved say the rules on deleting user information are in the terms and conditions of the car hire, but according to Privacy International, these aren’t made clear to users – and their passengers.
“They lacked any form of detail, any form of clarity and the text was so small. People don’t realise that if you’re driving with friends and one connects their Bluetooth to the car, you’re actually responsible for drawing their attention to the terms of conditions – and no one would do that!,” said Graham Wood.
Privacy International notes that while some cars appear to give the drivers the ability to perform a ‘factory reset’ of the car, in some instances the option is difficult to locate while also not being clear on what data will be deleted.
When approached to offer comment on the situation, Nissan said it wasn’t up to the individual to clear any data in the infotainment system, but the car hire company or the customer – and that as manufacturer, Nissan doesn’t have access to the internal systems of a car which isn’t fully internet connected.
“As this is a rental company fleet vehicle, Nissan does not have access to or control of a vehicle to carry out such reset after each rental customer and would expect the customer or rental company to carry out any necessary resets,” the company said in a statement.
“What needs to happen immediately is that car rental and car sharing schemes need to completely review how they approach this data and to provide very clear instructions to drivers. But they also need to do it themselves: the onus shouldn’t be left on the customers – in the same way a car is cleaned, the data should be wiped,” said Graham Wood.
“A lot of thinking needs to go on by both rental firms and car manufacturers about how they manage data and the duty of care they have to their customers,”
In response to the research, a Zipcar spokesperson told ZDNet: “At Zipcar we treat the security of our Members’ personal data seriously and are putting the necessary safety measures in place that will ensure we are ready for the GDPR regulations coming into force in May 2018”.
In an email to ZDNet, a Sixt spokesperson said: “The rental of Sixt complies with the current legal regulations regarding data protection. With regard to the new regulations in the coming year, Sixt will of course ensure that they are fully complied with.
“Furthermore, Sixt would like to point out that a customer can decide at any time which data he/she wants to release in the vehicle and can delete it at any time,” they added.
Enterprise Holdings said they’retrying to help customers keep their data safe and secure.
“To try and address this issue, we are proactively looking at different options to develop technology and procedures that could assist with wiping this infotainment data. In addition, we are also currently working on a campaign to educate consumers about synching phones to the rental vehicle,” a spokesperson said.
ZDNet has attempted to contact every rental firm and car manufacturer mentioned in the report.
READ MORE ON CYBER SECURITYRansomware’s next target: Your car and your home Smart gadgets need security. Startups, that’s your cue [CNET]How secure is your car? Unpatchable flaw lets attackers disable safety features Why laws regulating autonomous vehicles are needed now [TechRepublic]Self-driving cars vs hackers: Can these eight rules stop security breaches?
Related Topics:
Security TV
Data Management
SQL注入问题的解决最终只能依赖程序开发人员的安全意识,另外,不少人都喜欢在不同的网站使用相同的密码,这也太危险。

猜您喜欢

提升工业信息系统安全防护 推进"中国制造2025"
三分钟,改变安全培训人员的工作状态
学习管理系统LMS 学员操作演示
DNF: 全职业完美换装难度大排行
YOUTUBE MISTRESSLYNNSLAIR
互联网金融您不知道的肮胀交易