Last December, Ashley Sehatti sold her 2015 Jetta back to a local Volkswagen dealership in California. So when the calendar turned over, she didn’t understand why she was still getting sent monthly reports about the car’s health. After another one came in April, she finally logged on to VW’s online portal for Car-Net, the telematics system that runs in many of the company’s modern cars.

To her surprise, Sehatti saw the location of her old Jetta on a map, up-to-date mileage, and the status of the car’s locks and lights. It had been resold, and yet she still had access to some of the car’s systems. “There was nothing in place to stop me from accessing the full UI,” she says over email.

Volkswagen doesn’t wipe Car-Net accounts even if the car is resold through a dealer

What Sehatti hadn’t realized is that Volkswagen puts the burden of disabling access to Car-Net squarely on the customer in its terms of service agreement when they decide to sell or exchange a car — even if the car is going back to a VW dealer. If a VW owner sells their car without disabling Car-Net, and the vehicle’s next owner doesn’t immediately sign up for the service, there’s a chance that the previous owner could still have access to compromising information about that car.

With the advent of services like CarPlay and Android Auto and forward-thinking automakers like Tesla entering the industry, the pressure to add more technology to cars has never been higher. But oftentimes, this means legacy automakers are working with technology and speeds that they might not be used to, which has led to some bumps in the road for both companies and customers.

In this case, it’s not like Sehatti could have done much with her lingering access to the car besides honk the horn or flash the lights. The location data, though, spooked her. “I didn’t actually zoom out to see where [the car] was,” she says. “I didn’t want to be creepy.”

Volkswagen “values the privacy and security of consumer data, and is taking this customer concern very seriously,” Catharina Mette, the head of technology communications for Volkswagen Group’s North Americas region, said in an emailed response about Sehatti’s discovery. The company didn’t offer any further information about specific questions regarding the issue, and instead directed The Verge to its terms of service. “Our Car-Net Terms of Service explicitly outlines that as a subscriber, the customer has the responsibility to terminate the contract when selling their vehicle. This is a practice common in the industry.”

Other automakers that offer telematics services similar to Car-Net, like GM (OnStar) or Volvo (On Call), also tend to put the burden on the customer to disable subscriptions to these services in their terms of service (TOS) agreements. But these automakers also say they have backstops in place that help make sure customers who forget to discontinue these subscriptions (or who, like many, never read the TOS agreements in the first place) don’t retain access to the telematics systems when the car changes hands.

“The customer is expected to clear all their information (Volvo On Call, Pandora accounts, etc.) from the system when they sell the car,” Jim Nichols, the technology and product communications manager for Volvo Cars USA, tells The Verge. But when a Volvo car is resold through a Volvo retailer, he says, “the retailer is expected to reset the system before they sell the car as a backup.”

The same goes at GM, according to Stephanie Lang, a communications manager for the company’s Global Connected Customer Experience division. “Whether opting in or out of a service, customer consent is paramount to everything we do at OnStar. Should a customer decide to sell their vehicle, they simply need to hit the blue button to disconnect services,” she tells The Verge. But, like Volvo, there’s another layer of protection. “If a customer sells the vehicle, we do receive a notification by a third party that the vehicle has been sold and we’ll cancel the service,” she says.

None of those backstops are in place at VW, according to its TOS:

You must notify us if you sell your Vehicle or end its lease. If you fail to notify us, you will remain responsible for all charges for any Service incurred in connection with such Vehicle. It is your responsibility to remove all data and content (including any personal information), if any, that you may have stored on your system before you sell or transfer your Vehicle, to the extent permitted by the Equipment. You agree that you will be responsible for notifying your Vehicle’s new owner if any services or features are active when you transfer the Vehicle, and you must disclose to the new owner that those services or features involve the collection, use and sharing of data as described in these Terms of Service and the VW Car-Net Security & Service privacy policy.

It’s pretty widely accepted that most people don’t read TOS agreements line by line. Another reason why it might be easy for owners like Sehatti to wind up in this situation is the way that Car-Net is paid for. Customers are incentivized by VW to pay a one-time discounted fee for a number of years of service up front instead of paying month-to-month.

For example, once VW’s Car-Net free trial expires, customers are given the option to pay $199 for one year of service, $378 for two years, or $540 for three years. A month-to-month subscription to Car-Net would theoretically be easier to notice on a billing statement after you sell your car, but it runs $17.99 per month, which winds up costing anywhere from $15 to over $100 more than those one-time payments depending on how long the customer owns the car. This was the case with Sehatti, who says she had paid for Car-Net through December 2018.

There’s another problem, too: even the extra protections offered by GM and Volvo aren’t worth anything if an owner sells their car directly to someone. In cases like those, the automakers default back to their position that it’s up to the owner to remember.

In that sense, this is just as much about a problem with behavior as it is about automakers adapting to new technologies, according to Ashkan Soltani, a security researcher and a former chief technologist for the FTC.

“Online services [like Car-Net] are often kind of new and somewhat external to the typical sale and flow of the vehicle,” he says, so “it’s not surprising that the safeguards aren’t really in place.” The key then, he says, “is to realize that with the prevalence of IoT, that things are no longer just things, they’re also computers.”

Soltani says there are probably ways to fix this problem in the short term, especially by building a better process to deregister each car from Car-Net (or other services) when they get sold through a dealership. But problems with “data waste,” as he calls it, have been around for decades, whether it’s leftover hard drives on used photocopiers or people leaving their login credentials on a computer at the library.

The trick now is to try to get people to remember that cars need to be treated the same way as, say, your smartphone. You wouldn’t sell a smartphone to someone else without wiping your data, so the same should probably go for your car.