Confusion over what should happen to data uploaded from phones connected to infotainment systems in rental cars -- and who is responsible for deleting it -- could be putting the privacy of customers at risk.
A new report suggests it is not clear who is responsible for protecting the data that can be uploaded from smartphones when they connect to in-car systems. This data can include the location and contents of the smartphone as well as the user's home address, and it is often stored in the connected infotainment system and is not deleted.
Privacy International rented a series of internet-connected cars from vehicle hire and car sharing firms and found that not only was information about previous drivers collected and retained in the infotainment system, the system also contained past locations the vehicle had travelled to and could identify previously connected smartphones.
"In most of them there were between five and ten different phone identifiers. When you connect to the Bluetooth, it will store your identifier," Millie Graham Wood, solicitor and legal officer at Privacy International, told ZDNet.
"We also looked at the navigation systems: a lot of locations were stored. Places people had driven to you could possibly link up with their name and drive there," she added.
Cars were rented from hire companies including Sixt, Enterprise, National, Zipcar, and Thrifty, while models tested included the Audi A3 and the Nissan Qashqai. Privacy International warns that not enough is being done to ensure that user information is protected, with rental firms suggesting it falls on the user to delete the data.
"The unanimous responses were, not only is it the individual's responsibility to delete their data when they return the rental car, the individual is further responsible for informing other passengers who connect their devices to the car that their data is being stored on the car, and not necessarily deleted," said the What Happens To Data On Rental Cars? report.
According to Privacy International, there's no agreement over if the manufacturer or the hire firm is the data controller.
"That's a concern: if you don't know who can access it or know who the data controller is, how can you assert your data protection rights when you want that data removed?" said Graham Wood.
One rental company, Thrifty, said it was creating an internal policy on deleting driver information as part of GDPR, while Sixt also said it is working on a policy to cover users and is committed to all matters GDPR.
Enterprise told Privacy International it's the responsibility of the users to ensure the data is deleted from the infotainment system.
"It is the vehicle user's choice and responsibility to use and remove data via the infotainment options available in each vehicle," the company said in a statement.
"We cannot guarantee the privacy or confidentiality of such information, and you must wipe it before you return the Vehicle to us. If you do not do this, the next users of the Vehicle will be able to access this information," Enterprise added.
A spokesperson for Enterprise Holdings -- which incorporates Enterprise, Alamo and National -- told ZDNet: "Enterprise welcomes all attempts to highlight the challenges associated with the use of infotainment systems in rental vehicles and hopes that the Privacy International report will assist in moving that debate forwards."
Most of the companies involved say the rules on deleting user information are in the terms and conditions for the car hire, but according to Privacy International, these aren't made clear to users -- and their passengers.
"They lacked any form of detail, any form of clarity, and the text was so small. People don't realise that if you're driving with friends and one connects their Bluetooth to the car, you're actually responsible for drawing their attention to the terms of conditions -- and no one would do that," said Graham Wood.
Privacy International notes that while some cars appear to give the drivers the ability to perform a 'factory reset' of the car, in some instances the option is difficult to locate and is also not clear on what data will be deleted.
When approached to offer comment on the situation, Nissan said it was up to the car hire company or the customer to clear data, and that as manufacturer, Nissan doesn't have access to the internal systems of a car which isn't fully internet-connected.
"As this is a rental company fleet vehicle, Nissan does not have access to or control of a vehicle to carry out such reset after each rental customer and would expect the customer or rental company to carry out any necessary resets," the company said in a statement.
"What needs to happen immediately is that car rental and car sharing schemes need to completely review how they approach this data and to provide very clear instructions to drivers. But they also need to do it themselves: the onus shouldn't be left on the customers - in the same way a car is cleaned, the data should be wiped," said Privacy International's Graham Wood.
"A lot of thinking needs to go on by both rental firms and car manufacturers about how they manage data and the duty of care they have to their customers."
In response to the research, a Zipcar spokesperson told ZDNet: "At Zipcar we treat the security of our members' personal data seriously and are putting the necessary safety measures in place that will ensure we are ready for the GDPR regulations coming into force in May 2018."
In an email to ZDNet, a Sixt spokesperson said: "The rental of Sixt complies with the current legal regulations regarding data protection. With regard to the new regulations in the coming year, Sixt will of course ensure that they are fully complied with.
"Furthermore, Sixt would like to point out that a customer can decide at any time which data he/she wants to release in the vehicle and can delete it at any time."
Enterprise Holdings said they're trying to help customers keep their data safe and secure. "To try and address this issue, we are proactively looking at different options to develop technology and procedures that could assist with wiping this infotainment data. In addition, we are also currently working on a campaign to educate consumers about syncing phones to the rental vehicle," a spokesperson said.
The Information Commissioner's Office told ZDNet that it is aware of the report and "will be considering whether the issues raised need to be looked at further."
ZDNet has attempted to contact every rental firm and car manufacturer mentioned in the report.
Recent and related coverage
As driverless technologies improve, cars will likely become more of a membership perk than objects of ownership.
Intel, Ericsson, Toyota, Denso, and NTT DoCoMo have announced attaining speeds of 1Gbps down and 600Mbps up while streaming 4K video from a connected vehicle across a 5G trial network in Japan.
To achieve full, Level 5 autonomy, vehicles need to be able to handle all of the environmental conditions a human can.
READ MORE ON CYBERSECURITY
- Ransomware's next target: Your car and your home
- Smart gadgets need security. Startups, that's your cue [CNET]
- How secure is your car? Unpatchable flaw lets attackers disable safety features
- Why laws regulating autonomous vehicles are needed now [TechRepublic]
- Self-driving cars vs hackers: Can these eight rules stop security breaches?