Connected Car Privacy: Your EV Is A Data Archive
TL;DR - Modern cars record GPS trip history, driving behaviour, paired phone contacts, home addresses, and voice clips, mostly unencrypted, and that data survives sale, write-off and scrapping. Manufacturers ship the defaults against you, and US insurers are already buying the data. What you need to do: turn off data sharing in the manufacturer app, decline driver-score programmes, set a PIN on the head unit, never pair your phone to a hire car, and factory reset before you sell, crash or scrap.
I pick up a new BYD Atto3 on Friday.
The fuel crisis has been squeezing every family on the street for months, and after running the numbers for the third time, the EV maths finally stopped insulting me. Lease signed. Delivery slot booked. Kid already arguing over which colour cable to plug in. Connected car privacy was not on my mind.
Then I read a piece on ITnews about a French security researcher who bought a wrecked BYD Seal telematics unit from a Polish junkyard and pulled GPS logs off it covering the entire life of the car. Factory in China. Delivery to the UK. Daily commutes. The exact coordinates where it flipped and died. All of it sitting on a chip in a scrapyard, completely unencrypted.
I put my coffee down.
I am the kind of person who writes a cybersecurity newsletter. I'm a CISSP. I've spent 15 years doing this. And I had somehow let the excitement of cheaper kilometres bury the question I should have asked before signing anything: what exactly is this car going to remember about me, and who gets to read it?
Let me walk you through what happened, why it matters even if you drive a 2012 Corolla, and what you can actually do about it - before you buy, while you own it, and especially when you get rid of it.
By The Numbers
| Figure | What it is |
|---|---|
| 25 of 25 | Car brands that failed Mozilla's 2023 privacy review. 100% failure rate, the worst of any product category Mozilla has ever reviewed. |
| $0 | What BYD spent encrypting the GPS logs on the Seal TCU pulled from the Polish junkyard. |
| August 2024 | Texas Attorney General sued General Motors for selling driver data to LexisNexis and Verisk without meaningful consent. |
| 3 countries | How far one BYD Seal's GPS history travelled, readable by anyone with the scrapped unit: China → UK → Poland. |
| 21% | Typical insurance premium hike seen by US drivers whose "Drive Score" data was sold to brokers. |
| ~10 minutes | How long it takes to turn off the worst of it in the manufacturer app. |
The Research That Made Me Sit Up
The researcher is Romain Marchand at Quarkslab, a Paris-based security firm. He bought a Telematic Control Unit (TCU) from a BYD Seal off a Polish salvage yard. A TCU is the little black box in modern cars that handles the connected-services side: GPS, mobile network, remote commands, over-the-air updates. Every modern EV has one. Most new petrol cars do too.
What he found on the chip:
- GPS coordinates of the car from the factory in China, across its operational life in the United Kingdom, to its final resting place in Poland.
- A tight cluster of GPS points at one specific spot that turned out to correlate with a public Facebook post showing the same model flipped on its roof.
- System configuration logs and event logs going back to the beginning.
- None of it encrypted. No password. No wipe.
Quoted from the research: "The telematics unit was more than a device; it was a data archive."
That line is the whole blog post in one sentence. The second you drive a modern car off the lot, it starts writing a diary about you. When you sell it, crash it, or send it to the wreckers, the diary goes with it. The wreckers don't wipe it. The insurer doesn't wipe it. The manufacturer, in most cases, has no legal obligation to wipe it.
Your car will outlive your ownership of it, and it will happily tell its next reader where you live, where you work, where your kids go to school, and where you were last Friday night.
This Is Not Just A BYD Problem
I need to say this up front because I'm literally about to drive a BYD. This isn't a "Chinese EVs are spying on you" post. The exact same category of data sits inside a Tesla, a Toyota, a Ford, a Hyundai, a Polestar, a Volkswagen, and every other connected car built in the last decade.
In fact, the nastiest real-world abuse of car data I've seen in the last two years came from American legacy manufacturers, not Chinese ones. Quick tour:
- General Motors was sued by the Texas Attorney General in August 2024 for selling driver behaviour data (hard braking, speeding events, trip lengths) to data brokers LexisNexis and Verisk, who then sold it on to insurance companies, who then jacked up premiums. Drivers had no idea. GM quietly killed the programme in March 2024 once the New York Times reporter Kashmir Hill broke the story.
- Toyota, Honda, Hyundai, Subaru, Kia, Nissan, BMW, Mercedes, Ford, Stellantis - the Mozilla Foundation's 2023 "Privacy Not Included" review looked at 25 car brands and failed every single one on privacy. It is the only product category they've ever reviewed where 100% of entries failed. They called cars "the worst product category we have ever reviewed for privacy." Nissan's privacy policy literally reserved the right to collect data on "sexual activity."
- Tesla employees were caught in 2023 sharing intimate dashcam and in-cabin-camera footage between themselves, per a Reuters investigation. Nudity, crashes, kids. Internal Slack-style channels.
When I say your car is a data archive, this is the cast of characters reading it: manufacturers, their overseas subsidiaries, their cloud partners, insurance companies, data brokers, lease finance companies, law enforcement (often without a warrant in Australia - the ASD and state police routinely pull connected-car data), repair shops, dealers, and whoever buys the wreck at auction.
Your car knows more about your daily life than your phone does, and has fewer privacy settings.
What Your Car Actually Stores
Here's the quick inventory of what a modern connected car typically writes to disk. Not every car does every item. Most do most of them.
| Data type | Where it lives | Who can read it |
|---|---|---|
| GPS trip history | TCU + infotainment | Manufacturer, insurer (if enrolled), wreckers |
| Driving behaviour (hard brakes, acceleration, speed) | TCU | Manufacturer, data brokers, insurers |
| Paired phone contacts | Infotainment | Anyone who boots the head unit |
| Text messages and call logs (if phone was paired) | Infotainment | Anyone who boots the head unit |
| Home and work addresses (as map favourites) | Infotainment | Anyone who boots the head unit |
| Garage door codes (HomeLink) | Interior module | Whoever steals the car |
| Cabin camera footage (Tesla, some BYDs, Ford BlueCruise cars) | Onboard storage + cloud | Manufacturer employees, law enforcement |
| Voice recordings (in-cabin assistants) | Cloud | Manufacturer and cloud partners |
| Wi-Fi network names and passwords (if you used the car as a hotspot client) | Infotainment | Next owner |
| Account credentials (Spotify, Apple, manufacturer app) | Infotainment | Next owner if not logged out |
| Biometric profiles (face unlock, fingerprint for start) | Secure element | Usually wiped by factory reset, sometimes not |
If that list looks like the contents of your phone, that's because it basically is. Except your phone has a pin, a biometric lock, remote wipe, and encryption turned on by default. Your car has none of those things for most of this data.
The Insurance Angle Is The One That Should Scare You
The ITnews article is about junked cars. The GM story is about currently-on-the-road cars. Both deserve the same response.
Here's the pattern, simplified:
- You buy a modern car.
- At the dealership, you sign a stack of forms. Somewhere in that stack is a consent form for "connected services" or "smart driver features" or similar. You sign it because every form has to be signed to drive home.
- Six months later, your insurance premium goes up 21%. You don't know why. Your insurer doesn't have to tell you why, because the data came from a broker, not from them.
- The broker got the data from the car manufacturer, who got it from the car, which you consented to at signing.
This happened to real people in the United States. It resulted in lawsuits. It is the kind of thing Australian regulators under APP 11 (the Privacy Act's "reasonable steps" to secure personal information) and the OAIC would have strong opinions about if they caught wind of it at scale. We are not ahead of the US here, just behind in adoption.
The good news? You can opt out of almost all of it. The manufacturers do not tell you this loudly. They tell you this in a buried submenu in the manufacturer app, a hidden page in the infotainment settings, and a two-page form the dealer forgets to print.
Buying a new car this year? You're probably your family's IT person too.
The same instinct that makes you read the privacy policy before signing the lease is what makes your mum call you when her iPad asks for a weird password. Both jobs are the same job.
Get my Personal Security Quick-Start Guide - the 193-page practical handbook for busy people who want to protect their families without becoming cybersecurity experts.
Plus: Join 158+ Australians getting one 5-minute security briefing every Friday.
What To Do Before You Buy
These are the questions I wish I'd asked before signing the Atto3 lease. Ask them before signing yours.
- "Show me every consent form you need me to sign today." Read the connected-services form specifically. Look for the words "third parties," "analytics partners," "marketing," and "driving behaviour." If you don't like what you see, refuse to sign. The car still works without it.
- "Does this model have an in-cabin camera? Can I turn it off?" Tesla, some BYDs, some GM cars ship with cabin-facing cameras that record while you drive. They're for "safety monitoring." They're also how Tesla employees ended up sharing clips of customers.
- "Is the data stored locally encrypted?" They'll likely not know. That's fine. The fact that you asked goes in their notes.
- "What's the factory-reset procedure if I sell this car privately?" If the dealer can't answer this in under a minute, assume the answer is "there isn't a real one."
- "What happens to my data if the car is written off in a crash?" Again, they'll likely not know. Escalate to the manufacturer's privacy officer if you care.
None of this is exciting. But it works. The dealer is much less likely to try to upsell you on a "premium connected package" if they can see you've read the fine print.
What To Do While You Own It
Once the car is in your driveway, do these in the first week. They take under an hour total.
1. Turn off data sharing in the manufacturer app
Every major brand has this. BYD's app calls it "User Experience Programme." Tesla calls it "Data Sharing." Hyundai/Kia calls it "Bluelink Analytics." Toyota calls it "Connected Services Data Sharing." Ford calls it "Connected Vehicle Data."
Default answer: off. All of it. You do not need to opt in to "help us improve our products" for your car to start and stop.
2. Decline OEM-to-insurer direct data sharing
This is the GM-lawsuit one. It's usually phrased as "Smart Driver Score" or "Drive Score" or similar. It is almost always opt-in at enrolment, but some brands are getting sneakier about when "enrolment" happens. Check it once a quarter, because manufacturers love to re-enable these things in "terms of service updates."
3. Set a PIN on the head unit
Most infotainment systems support a 4 or 6 digit PIN for accessing user profiles. Most people never enable it. The PIN protects map favourites, paired phone contacts, and stored credentials if the car is stolen or sent to a valet.
4. Be careful what you pair
When you pair your phone for Bluetooth, the car often asks "import contacts and messages?" Say no. You get Bluetooth audio and hands-free calling either way. You don't need the car to download your entire contact list to enjoy Spotify.
5. Never pair your phone to a hire car. Ever.
If you need music, pair a burner Bluetooth speaker. If you need maps, run them on your phone with the phone mount. The hire-car industry has a well-documented problem with contacts and message logs being left on infotainment systems for the next renter to browse. I have personally seen the entire contact list of a previous renter still sitting in a rental Ford in Melbourne. This is the most common car-privacy leak in the wild, by a wide margin.
6. Disable "Remote Commands" if you don't use them
Most EVs let you unlock, start, and precondition the car from the manufacturer app. Great feature. Also a network-exposed remote-control interface over your mobile data, secured by an app password you probably re-use. If you don't use the remote commands, turn them off in the app. It closes the largest remote attack surface on a modern car.
What To Do When You Sell It, Crash It, Or Scrap It
This is the bit that almost nobody does, and it's the bit the Quarkslab research is directly about. If you sell your car without doing these, the buyer inherits your GPS history, your paired devices, your home address, and whatever accounts you were logged into.
Selling privately or trading in
- Factory reset the infotainment. Every brand has this buried in Settings. Search "[your model] factory reset infotainment" on YouTube the night before. Do it while the car is in your driveway, not at the dealer.
- Un-pair your phone from the Bluetooth list. The factory reset usually does this, but confirm.
- Log out of every app on the head unit. Spotify, Apple Music, YouTube Music, the manufacturer app itself. Check each one.
- Remove the car from your manufacturer app. Open the Atto3 app, open the Tesla app, whatever you've got. Go to the vehicle and "remove from account" or "transfer ownership." This is the step that revokes remote commands from your phone. It is also the step almost everyone forgets.
- Reset the garage door (HomeLink) buttons if you set them.
- Pull the dashcam SD card if you have one.
After a crash (write-off)
This is the ITnews scenario. The insurer takes the car, sells it at a salvage auction, and the TCU ends up in a Polish junkyard.
- Before the tow truck leaves, if the car is safe to sit in, do the factory reset. Takes five minutes. Most work even on a car that won't start, because the infotainment runs on its own 12V feed.
- Remove the car from your manufacturer app the same day.
- Email the insurer and ask in writing what their data handling procedure is for written-off vehicles. Make them answer in writing. This is the documentation that creates accountability. For Australian readers, reference APP 11 in the email. Insurers hate seeing APP 11 in writing.
- If you can get it, ask for the TCU to be destroyed rather than resold. Some insurers will do this if asked. Most won't unless pushed.
Scrapping / end of life
- Factory reset (as above).
- Physically remove the TCU if you're comfortable doing it. It's usually under the dash or in the boot. Drop it in a drill press, then bin it. This is a research-grade precaution, not a normal consumer one, but for high-value targets (journalists, executives, domestic violence survivors) it's the only reliable wipe.
- For everyone else: factory reset and accept that the risk is lower than rental-car phone pairing.
Key Takeaways
- Your car is a diary. GPS history, driving behaviour, paired phones, paired contacts, app logins, and home addresses all get written to unencrypted storage, most of which survives sale, crash, and scrapping.
- The manufacturer is not your friend here. All 25 brands reviewed by Mozilla failed on privacy. The defaults ship against you.
- Insurance data sharing is the most immediate financial risk. Check your manufacturer app today for "Drive Score" or similar. Turn it off.
- Rental cars are the biggest real-world leak. Never pair your phone to one. Ever.
- Factory reset before sale, trade-in, or scrapping. Three minutes of your time. Prevents the whole ITnews scenario.
- Remove the car from your manufacturer app when you sell it. Otherwise you keep remote unlock on a car you don't own.
- Ask in writing what insurers and wreckers do with the data. APP 11 creates teeth.
FAQ
Is this a problem specific to Chinese EVs like BYD? No. It's a problem across every major brand. Tesla, Ford, GM, Toyota, Hyundai, Kia, Nissan, BMW, Mercedes, Subaru, Stellantis and Volkswagen all failed Mozilla's 2023 privacy review. The BYD case in the research happened because the researcher bought a BYD Seal TCU. He'd have found the same data on a Golf TCU.
Can I just tell my car to stop collecting data? Partially. You can turn off most optional telemetry, driver-score programmes, and in-cabin camera data sharing via the manufacturer app. You generally cannot turn off local logging (GPS history on the head unit, event logs on the TCU) because those are tied to vehicle function.
What should I do before selling my car privately? Factory reset the infotainment, unpair your phone, log out of every streaming and manufacturer account, remove the car from your manufacturer app, and reset the garage door (HomeLink) buttons. If you have a dashcam, take the SD card.
Is my car safer because it's an older petrol car? Usually yes. Pre-2015 cars often lack a TCU entirely, or have one with minimal connectivity. The trade-off is that they usually also lack modern safety features. It's not a reason to keep an old car. It's just worth knowing that "connected" and "modern" are now the same word.
Are Australian privacy laws doing anything about this? The OAIC is aware, and APP 11 (reasonable steps to secure personal information) arguably applies to car manufacturers operating in Australia. The 2024 Privacy Act reforms add teeth but haven't specifically called out connected vehicles yet. Expect that to change once a big-brand insurance data story breaks here.
Does the manufacturer app get my location even when the car is off? Often yes. If the TCU has a SIM with data, the car can still ping home. This is how Find My Car works. It is also how data sharing works. You can usually disable non-essential pings in the app. You cannot usually disable the SIM itself.
I'm picking up a new EV this week. What's the single most important thing to do? Open the manufacturer app after delivery. Go to privacy/data settings. Turn off every optional data sharing setting. Decline the driver-score programme. Then set a PIN on the head unit. That's the 10-minute starter pack.
My Take
I'm still picking up the Atto3 on Friday. The numbers still make sense. The fuel crisis hasn't magically ended just because I read one research paper.
But I've got a list taped to my fridge now, and it starts with "open app, turn off everything." The car industry has spent the last 15 years quietly copying the surveillance playbook from the tech industry without any of the privacy tooling we've slowly beaten into phones and laptops. No encryption by default. No remote wipe. No biometric lock. No clear consent flows. No privacy dashboard. Just a salesperson handing you a clipboard and saying "sign here for the connected services, it's how the navigation works."
The good news is that the fix doesn't need regulation. It needs ten minutes per driver. Turn the stuff off, reset the car when you sell it, don't pair your phone to a rental. None of this is exciting. But it works. Full stop.
The bad news is that most drivers won't do it. Which is exactly why, in about four years, we'll read a big Australian version of the GM lawsuit, and everyone will act surprised.
Don't act surprised. Act now. Before the TCU in your current car ends up on a bench in a Polish junkyard, telling a stranger where your kids go to school.
Mathew Clark Founder, SecureInSeconds Currently: reading the BYD Atto3 privacy policy with a highlighter, pickup Friday.
Further Reading
- Dead cars tell tales by storing data that's never wiped - ITnews coverage of the Quarkslab research that kicked this post off.
- Mozilla Foundation: It's Official, Cars Are the Worst Product Category We Have Ever Reviewed for Privacy - the 25-brand review. Read this before buying anything.
- Kashmir Hill, New York Times: Automakers Are Sharing Consumers' Driving Behavior With Insurance Companies - the GM/LexisNexis/Verisk exposé.
- OAIC: Australian Privacy Principle 11 - Security of personal information - the rule that covers connected car data in Australia.
- SecureInSeconds: The Security Tools Your Vendor Didn't Tell You About - more on turning defaults off.
- SecureInSeconds: Zero Trust for Normal People - the mindset that makes all of this easy.
- SecureInSeconds: How to Stay Safe Online - the cornerstone family-security post this one sits alongside.
