Auto Privacy: When the car knows too much

Modern cars are computers on wheels. They collect and send a lot of data. In many cases, however, drivers can protect themselves from misuse, especially before selling their car.

Your favorite station comes on every morning, the phone memory is full of contacts, and the sat nav knows all the places you go to regularly, above all your home address.

Modern cars know a lot about drivers and their driving habits, constantly store data and often share it with the manufacturer. Users must agree to this under the General Data Protection Regulation (GDPR). But which data is shared exactly and what happens to it often remains a secret.

Vast amounts of data are collected in a car by many different components; up to 120 control units work in a vehicle. "All suppliers use microchips, including for safety and comfort features, as well as for the infotainment system," explains Sven Hansen from the IT trade magazine "c't". "During operation, a lot of data accumulates in the individual control units to which the driver has no access, but which is so specific that conclusions can be drawn about the driver and his driving behavior."

Much of it is not stored for long, but is continually overwritten. Drivers also have access to only a small part of the data. This includes information in the navigation system and in the entertainment system. "But the engine data alone allows conclusions to be drawn about a certain driving behavior, such as the engine speed or how often the accelerator pedal has been depressed," says Hansen.

But who can see this data? According to the GDPR, the manufacturer must explain the purpose for which data is collected in the car and what happens to it. Telematics services and insurers, for example, are interested in optimizing their products with the help of such data.

Nathalie Teer, Mobility Advisor

According to Teer, the legislator specifies many parameters that must be collected for the purpose of safety and testing. "Some of the data only goes to the manufacturer and is not visible to customers at first glance." This includes, for example, information read from the control unit during the main inspection.

Optional functions such as music services, driving settings or navigation, on the other hand, are easy to see, says Teer. "Users must actively agree to certain functions and will be informed about the whereabouts of the data." This applies in particular when data is shared with third parties. Via dashboards in the vehicle's infotainment system or via connected apps, drivers often receive overviews in order to grant approvals, withdraw them or delete data.

All data in the vehicle is relevant for data protection, says Christoph Krauss. "As soon as vehicle data can be linked to the vehicle identification number or the license plate number, these are to be regarded as personal because, among other things, movement profiles can be created," explains the professor for network security at the Darmstadt University of Applied Sciences. He coordinates the Secure Autonomous Driving area of the Athene Research Center.

Some data is particularly relevant to safety, such as the control data for the brakes, says Krauss. Manipulation of this data can have devastating effects. Many value-added functions also use personal data. When the smartphone is synchronized with the car, data is sent for functions such as location search, filling levels, locking and remote diagnosis of the car. The car also sends information for the E-Call automatic emergency call system and for communication with other road users.

However, a car does not save all data locally; some ends up on the manufacturer's servers or goes to third-party providers. Which data goes where depends on the make, model and year of the vehicle.

"Drivers can hardly protect themselves against cyber attacks and have to trust that the manufacturers have secured their vehicles and backend systems well," says Prof. Krauss. "For potential attackers, the manufacturer's backend with its large amount of data is much more interesting than a single vehicle, so these connections are more likely to be attacked."

In the past there have been repeated attempts to steal or manipulate data sets. That's why there are a number of security precautions in modern vehicles, explains Krauss: "To protect against a compromised smartphone connected to the infotainment system, for example, vehicle electrical systems are divided into domains so that access to safety-critical systems such as the brakes is not easily possible."

With the UNECE regulations R155 (Cybersecurity Management System) and R156 (Software Update and Software Update Management System), which have been in force since July 2022 for new type approvals, the EU has laid down guidelines for this. They regulate, for example, the digital separation of owner and vehicle. They also contain specifications regarding the cyber security of vehicle concepts or mechanisms for secure software updates.

Vehicle manufacturers must also demonstrate a Cyber Security Management System (CSMS) that includes processes and measures that are suitable for repelling or quickly resolving IT security attacks, and must do so over the entire service life of the vehicle. The measures taken by manufacturers applying UNECE regulation R155 protect vehicles from unauthorized access. From July 2024, the regulation will then apply to all newly produced vehicles. Suppliers must also comply with the new rules.

And what happens to the data when you sell your car? Sven Hansen recommends resetting all systems. In addition to the entertainment system with navigation system and address book, this also includes the favorites assigned to the radio and any comfort settings. "Owners tend to forget to delete suitable apps or cloud connections with the car, which allows them further access to the car," says Hansen and warns: "But the electronic band must be completely cut."

The ADAC recommends a separate deregistration for apps preinstalled in the infotainment system, such as music streaming applications, before the vehicle is sold. It is also important to unlink remote apps that can be used to remotely control the car or car functions via smartphone. The complete deletion of personal data in the infotainment system is only possible via the "Reset to factory settings" function.

"Drivers have the legal option of having their data checked and deleted," explains ADAC Technical President Karsten Schulze. "In practice, however, this is not possible because it is not clear which data is collected for whom and for what purpose." Consumers cannot see through the flow of data; more transparency is needed.

According to Schulze, it would be ideal to have a list of all the data collected for each car model. "Drivers can then decide for themselves which data they want to have deleted." It would also be useful to have an onboard interface in the car that would allow you to access the data and make data available to third parties if you wish. In the future, independent workshops could also work better and more easily on cars.

Sven Hansen advises anyone who sells a car to inform the manufacturer's data protection officer that there has been a change of ownership and that the manufacturer should delete all data: "Every customer has a right to it, and he is on the safe side from data misuse."

Resetting a car completely is currently not possible, says Hansen. The previous owner is still stuck somewhere in the car, even if it's just the memory function of the automatic transmission for the shift times.