Your car is a data broker on wheels — and the SDK is wide open

5 min read 1 source clear_take
├── "Connected cars are the worst privacy product category ever audited and the industry has no guardrails"
│  ├── BBC Future (BBC) → read

The BBC article frames connected cars as a uniquely egregious privacy failure, citing Mozilla's finding that all 25 audited brands failed — worse than mental-health apps or dating apps. It highlights policies reserving rights to collect data on drivers' sexual activity, sex life, and genetic information, with 84% of brands sharing or selling the data.

│  └── @1vuio0pswjnm7 (Hacker News, 313 pts) → view

By surfacing the BBC investigation to Hacker News, this submitter amplifies the position that automotive surveillance is an industry-wide architectural problem rather than the failure of a single bad actor. The 313-point score signals broad developer agreement that the current state is indefensible.

├── "The real story for developers is architecture and liability, not just privacy outrage"
│  └── top10.dev editorial (top10.dev) → read below

The editorial reframes the debate away from moral outrage and toward the technical reality that cars have become rolling data-collection platforms with cellular modems, cameras, and CAN-bus telemetry streaming to proprietary clouds every few minutes. It argues developers should focus on the architectural decisions — and the liability exposure — that enabled GM to funnel Chevy Bolt telemetry to LexisNexis and Verisk without meaningful consent.

└── "Regulation is catching up and will force a structural shift in vehicle data handling"
  └── top10.dev editorial (top10.dev) → read below

The editorial notes the EU Data Act will require carmakers to share telemetry with third parties on driver request, and California's CPRA already classifies geolocation and biometrics as sensitive data. Combined with EU GSR Phase 2 mandating always-on driver-monitoring cameras from July 2026, regulation is simultaneously expanding the collection surface and constraining how that data can be used.

What happened

The BBC's latest dive into connected-car privacy lands on a number that should embarrass an entire industry: when Mozilla's *Privacy Not Included* researchers audited 25 major car brands, all 25 failed — making cars the worst product category Mozilla has ever reviewed, beating out mental-health apps, smart speakers, and dating apps. Every brand. No exceptions. Nissan's privacy policy explicitly reserves the right to collect data on drivers' "sexual activity." Kia's reserves the right to collect data on "sex life." Six brands say they can collect genetic information. Eighty-four percent share or sell the data they collect.

The mechanism is no longer the OBD-II port or a third-party dongle. It is the car itself — a rolling fleet of cameras, microphones, LIDAR units, cellular modems, GPS receivers, and CAN-bus telemetry, all feeding a proprietary cloud the moment the ignition turns over. A 2023 *Washington Post* teardown of a Chevy Bolt found it transmitting data to GM's servers roughly every three minutes, including precise location, driving behavior, and seatbelt status. GM was subsequently caught funneling that data to LexisNexis and Verisk, who repackaged it for auto insurers — without meaningful driver consent. The FTC opened an investigation; GM "voluntarily" suspended the program. The architecture that enabled it is still in every car on the lot.

The BBC piece extends the timeline forward. EU regulators are advancing the Data Act, which would force carmakers to share telemetry with third parties on driver request. California's CPRA already classifies geolocation and biometric data as sensitive. And the next vehicle generation — with always-on driver-monitoring cameras mandated by EU GSR Phase 2 from July 2026 — will multiply the collection surface by an order of magnitude.

Why it matters

The story everyone wants to tell here is privacy outrage. The story developers should be reading is architecture and liability.

Cars are now distributed systems with the data-collection footprint of a mid-size adtech company, the security posture of a 2009 SOHO router, and the regulatory exposure of a HIPAA-covered entity — all sharing a single VIN. Modern vehicles run 100M+ lines of code across 70-150 ECUs, with infotainment stacks built on Android Automotive, QNX, or Linux variants. The telematics control unit (TCU) typically maintains a persistent LTE/5G connection to a manufacturer cloud, with MQTT or proprietary protocols for streaming. There is no industry-wide standard for what gets collected, how long it's retained, or who can request deletion. There is no equivalent of TLS-as-default for in-vehicle data flows.

The data-broker chain is the part that should scare anyone who has shipped a regulated system. Once telemetry leaves the OEM, it passes through Otonomo, Wejo (now defunct, assets acquired), LexisNexis Risk Solutions, Verisk, and a long tail of fleet-analytics startups. Each handoff degrades consent provenance. By the time location pings show up in a subpoena response or an insurance underwriting model, the chain-of-custody documentation is somewhere between thin and fictional. If you're a backend engineer at any company that ingests vehicle telemetry — fleet management, usage-based insurance, EV charging networks, last-mile logistics — your data lake is currently downstream of a consent framework that wouldn't survive a serious GDPR audit.

The community reaction has been instructive. On the original Hacker News thread (313 points), the top comments split predictably: half are reflexive "buy a 1995 Miata" advice, the other half are working engineers from auto OEMs explaining, often anonymously, that internal pushback against data-monetization roadmaps gets steamrolled by the finance org. One commenter — claiming to be a former Stellantis telematics lead — noted that the monetization assumptions baked into 2024-2028 product plans assume $2,000-$5,000 of lifetime data revenue per vehicle. That number is why none of this is going away voluntarily.

Compare this to the smartphone trajectory. iOS App Tracking Transparency wiped an estimated $10B off Meta's 2022 revenue in 18 months. The car industry has no equivalent kill switch, no platform-level permission prompt, and no Tim Cook willing to draw a line. The closest analog is the EU's Data Act, but its driver-consent UX is going to be implemented by the same people who built the current infotainment systems. Expect dark patterns.

What this means for your stack

If you build software that touches vehicle data — directly or two hops downstream — three things change in the next 18 months.

First, assume a regulatory reclassification. The FTC's GM action, the EU Data Act, and pending state-level bills (Massachusetts, Washington, New York all have active drafts) are converging on a model where vehicle telemetry is treated as sensitive personal data with explicit consent requirements, deletion rights, and breach-notification obligations. If your current data architecture treats VIN-linked location and behavior data as "operational telemetry" rather than PII, you have a six-to-twelve-month window to refactor before that distinction becomes legally indefensible. Audit your ingestion: tag VIN, MAC, IMEI, and high-precision geolocation as sensitive at the schema level, not at the application layer.

Second, build for data-provenance auditability. The chain-of-custody problem isn't going to be solved by the OEMs — it has to be solved by whoever sits in front of the regulator. That means cryptographically signed consent receipts at ingest, immutable audit logs (append-only Postgres tables with a hash chain are sufficient; you don't need a blockchain), and the ability to produce a per-driver "who has my data" report on demand. Companies that bolt this on after the first subpoena will lose the contract; companies that ship it as a default will eat the market.

Third, the in-car app surface is about to open up, and it will be a mess. Android Automotive's app ecosystem, Apple's next-gen CarPlay, and the Rivian/Tesla custom SDKs are all racing to onboard third-party developers. The permission models are inconsistent — some expose cabin-camera frames to apps under user consent, others gate it behind OEM partnership agreements. If you're shipping into this surface, treat every permission you request as a future headline. The first "navigation app secretly logged driver attention scores" story is coming, and you do not want to be in it.

Looking ahead

The car-as-surveillance-platform problem is not going to be solved by consumer outrage, because the consumer-facing UX is a checkbox buried in a 47-page agreement signed at a dealership. It will be solved — partially, messily — by regulation, class-action discovery, and the first OEM that decides privacy is a feature it can charge for. Watch the EU Data Act implementation deadlines in 2026, the FTC's next move on the GM-LexisNexis residue, and which carmaker is first to ship a real per-data-category consent dashboard. The OEM that treats data minimization as a competitive moat will look prescient in 36 months. The rest will be defendants.

Hacker News 461 pts 257 comments

Cars are trying to spy on you, and it's only just the beginning

→ read on Hacker News

// share this

// get daily digest

Top 10 dev stories every morning at 8am UTC. AI-curated. Retro terminal HTML email.