The privacy issues thrown up by connected cars don't seem to be going anywhere soon.

Drivers of cars from BMW, Jaguar Land Rover and Mercedes-Benz have reported that previous owners retain unfettered access to the data and controls of connected cars after resale. The problem is international and extends to hire cars due to drivers connecting their smartphones to rented rides.

If smartphones are spies in your pocket, connected cars are spies on wheels.

Matt Watts, the IT worker whose travails with his Land Rover first encouraged us to look into the issue, said connected cars also pose a tracking risk in incidents of relationship breakdowns.

"You go somewhere they'd never expect you to be and yet a short time later they track the car and turn up! This whole topic has so many more implications than any of us realise and people simply aren't aware."

Watts told El Reg that he has relayed his concerns to relevant charities but is yet to hear back from them.

Used connected cars need disconnecting, as the UK's National Cyber Security Centre pointed out after our initial report.

Consumers have got used to the idea of factory resetting their smartphone before selling it on. Cleaning out a car before resale or after a rental is a well-understood practice but this applies only to the contents of a glove box and not to the data a connected car holds, which can include sensitive travel movements, contact details, call records from tethered smartphones and more.

Drivers normally get a warning when they hook up to their car through bluetooth but this is omitted when a USB connection is made, so motorists can unwittingly transfer their smartphone contacts and call logs onto the systems of leased or rented cars.

Privacy4cars

US car industry executive turned privacy advocate Andrea Amico said that almost every rental car is returned without the removal of private data, a problem that is replicated in the case of second-hand car sales. He blamed the complexity of the process of deleting data from connected cars – a procedure often only explained in the small print of long car manuals.

Amico told El Reg: "Infotainment systems, even from the same manufacturer, come with a variety of both hardware and firmware. Even within the same manufacturer and year of production, variances between models can go from small to huge. If it was truly easy and intuitive to delete information we would not see the statistics we see."

Amico is marketing a free mobile app called Privacy4Cars, which provides step-by-step tutorials to help users quickly erase personal information such as phone numbers, call logs, location history and garage door codes from vehicle infotainment systems.

Users are able to select from hundreds of vehicle makes, models and years. The same tech is been sold to the car industry (fleet management companies, car rental or car sharing operators, dealer groups etc.) commercially and as a software development kit that can be embedded into existing apps.

Amico, who heads up the privacy efforts at International Automotive Remarketers Alliance, said the app is as useful for European drivers as US car owners.

The Society of Motor Manufacturers and Traders, a UK trade body, said that although car makers have a responsibility for data processing, consumers also have to get into the habit of removing their data and dissociating their smartphones when they sell on their connected cars.

Is it realistic to expect buyers of second-hand cars to know if the car has been connected? The response from the car industry has been to put the onus on the previous owner to delete data while minimising the role of manufacturers to come up with a thought-through process for dealers to enforce.

ICO connection

Car makers typically run the apps and manage the servers through which connected car services are delivered, making them "data controllers" under the General Data Protection Regulation. Privacy watchdogs are actively examining the issues created by connected cars.

The UK's Information Commissioner's Office was a co-sponsor of the International Conference of Data Protection and Privacy Controllers' resolution on connected vehicles (PDF) that was put together last September. The ICO advocates a privacy-by-design approach, which would appear to require bringing manufacturers on board and may be difficult to apply to cars already on the road.

An ICO spokesperson told El Reg: "Data protection laws require the collection and use of personal data to be fair and transparent. Being clear with individuals about the use of their data, and providing options to control that data, are important matters for organisations to get right – particularly where new technologies and new ways of processing data are being introduced into existing products or services. This applies just as much to connected vehicles as it does to any other device or product.

"A key way this can be done is by considering privacy issues at the design stage, and by taking appropriate actions to address them. However, it isn't just about data protection compliance – it's about building trust among consumers, giving them good customer service and treating them with respect."

DVLA

In response to our previous stories on connected cars, Reg readers have suggested the Driver and Vehicle Licensing Agency could have a role in easing the privacy headaches posed by connected cars.

When a car is sold, scrapped, or disposed of to a dealer in the UK the DVLA must be informed. Dealers have access to the DVLA database.

"Some way of linking the DLVA owner change event to a scrub it clean event ought not to be beyond the bounds of possibility," suggested Reg reader Neil Barnes.

Government IT projects have a dire reputation but the DVLA's driving licence verification tool protects privacy and is seen as something of a success. Whether the DVLA would be willing to accept a privacy regulating role that's outside its remit is questionable, as other readers have pointed out. ®