By design, in-car telematics systems are a two-way street. Only after collecting data about a driver’s coordinates can they offer the location of the nearest gas station or a recommendation for a nearby pizzeria. But as the owner of a Nissan Leaf recently discovered, once a service possesses a motorist’s data, it is unclear how it might be used.

Casey Halverson, a self-described freelance security blogger who was profiled on June 14 by the Web site for Computerworld magazine, discovered what he thought was a security loophole in the Leaf’s onboard communications and navigation system. He found that information about Leaf owners could be culled and transmitted without their knowledge.

Called Carwings, the system can be configured to pull down breaking news and information to the car using a built-in cellular data connection. Owners can select specific Web-based news updates that are sent using RSS feeds, a widespread form of concise automated news alerts. Such updates can keep a driver informed about severe weather conditions ahead, or looming traffic jams. However, through a bit of tinkering, Mr. Halverson discovered that information about his car also was being sent back to the RSS feed provider.

This meant that any RSS feed provider, including Mr. Halverson himself, could cull information about Leaf owners. That information could in turn be used for any purpose, legitimate or otherwise, without restrictions.

“They pretty much left it wide open,” Mr. Halverson said in a telephone interview.

Any company providing an RSS feed to Carwings could look at a vehicle’s location, speed and direction and determine whether a driver was violating the speed limit, for example, or nearing a particular retail outlet. Conceivably, the latter piece of data could be used to send location-based ads to the car, much in the same way that Web sites track online visitors and deliver ads aimed at their individual interests.

Based on reader comments, the privacy implications rankled many who saw the Computerworld blog post. However, it is not clear how extensive the problem actually is or can become.

For example, according to Mr. Halverson’s analysis, data that could be used to identify an individual Leaf owner is not included in the information sent back to companies that serve RSS feeds. Presumably, then, such data would not be available to divorce lawyers hoping to track a suspected adulterer’s movements or local police remotely hunting for speeders.

Furthermore, data about the Leaf is only sent to information providers when an RSS feed is pulled down to the car. This would complicate any attempt to track a vehicle’s down-the-road progress unless the feed was being requested by the Leaf driver every few seconds. It is difficult to assess whether a determined hacker could overcome those restrictions, however.

According to Nissan, the company has taken steps to prevent unauthorized use of the data. Responding to a request from The Times, Katherine Zachary, a company spokeswoman, wrote in an e-mail: “Nissan takes consumer concerns very seriously and has responded quickly to stop the transmission of a vehicle owner’s privacy-related data for nonofficial RSS sites. The data involved does not and cannot be attributed to any specific vehicle or owner.” The statement did not specify whether Mr. Halverson’s blog post precipitated Nissan’s response, or what form that response took.

Meanwhile, how official Carwings RSS sites may choose to use driver data remains unclear. But just as Web sites like Facebook have drawn scrutiny for somewhat opaque privacy practices, the proliferation of in-car telematics is going to raise similar issues for drivers.