Is Tesla a Privacy Failure?
Today’s newsletter is sponsored by Mine PrivacyOps, the #1 Highest-rated Data Privacy Management Platform on G2 - Join 1,000+ companies that automate & simplify data privacy compliance with Mine.
Read time: 6 minutes.
During the weekend, a friend excitedly told me about his new Tesla and its incredible tech features. He showed me how he could, from far away and directly from his smartwatch, lock the car, activate the alarm, and even turn on the air conditioner in advance. He said every Tesla has an independent internet connection and that the digital panel and the navigation system are incredible. As he smiled in pride, my 'privacy brain' sniffed danger, and I started to think about all the possible ways it could go wrong. What if someone got access to his smartwatch? Could the person lock him out of his car? If someone stole his phone, how could his car be compromised? What data about him could Tesla access daily? Why turn your vehicle into an additional surveillance device?
Despite knowing that they are electric cars, I had never read anything very specific about Tesla's tech features, so upon arriving home, I researched the company's value proposition, tech innovations, and privacy framework. Elon Musk seems to be a very intelligent person. If he sends rockets to space, he probably has Tesla's privacy in order - or so I thought.
One of the first issues with privacy relevance that caught my attention was Tesla's Sentry mode. According to Tesla:
"Sentry Mode adds a unique layer of protection to Tesla vehicles by continuously monitoring the environment around a car when it’s left unattended. When enabled, Sentry Mode enters a 'Standby' state, like many home alarm systems, which uses the car’s external cameras to detect potential threats. If a minimal threat is detected, such as someone leaning on a car, Sentry Mode switches to an 'Alert' state and displays a message on the touchscreen warning that its cameras are recording. If a more severe threat is detected, such as someone breaking a window, Sentry Mode switches to an 'Alarm' state, which activates the car alarm, increases the brightness of the center display, and plays music at maximum volume from the car’s audio system."
However, as Forbes observed, Sentry mode records not only activities that could damage the car. But also events, people, and objects that get too close. Individuals passing near the vehicle can set Sentry Mode to recording. According to a user, even a leaf falling on the car can trigger Sentry mode recording. A person passing by can be filmed simply by being close to a Tesla vehicle, and they will not know that they have been filmed. Two people interacting, a child, or anyone, for no particular reason, can be recorded and will have their image processed by Tesla systems without being properly notified.
In its 2020 report, the Bavarian Data Protection Authority concluded that, as soon as an owner activates the Sentry Mode, they will be considered as the data controller and must consequently be able to prove a legal basis for a recording.
Knowing the possible privacy implications, Tesla added the following note on its page describing the security features:
"It is your sole responsibility to consult and comply with all local regulations and property restrictions regarding the use of cameras."
I hope they are offering privacy law 101 to all the new owners so that they learn about notice and choice mechanisms, relevant privacy laws, and local regulations and restrictions regarding the use of cameras. Because most people do not know.
A quick internet search will take you through thousands of presumably unconsented videos obtained through Tesla Sentry mode cameras. If there is no consent and no notice of the image recording, it can be said to be unlawful according to the GDPR and other data protection regimes.
In 2021, Tesla launched Sentry Mode Live Camera access. It is a feature that allows live access to the footage from one of the outside cameras through an app installed on the Tesla owner's phone. With the same feature, it is also possible to use the pedestrian warning system's speaker to talk to those near the car. According to Elon Musk, this feature "is great for practical jokes."
The live feature presents privacy issues similar to the non-live, with the extra creepy factor that the speaker, when used irresponsibly, can cause real trauma to targeted passersby, especially children, seniors, and people with cognitive disabilities. They might not understand what is happening and undergo a negative physical and psychological experience, similar to a panic attack.
Another feature that has raised privacy concerns are the inside cameras. Some Tesla models can capture and transmit video images of drivers and passengers inside the car. According to Consumer Report, other car manufacturers, such as Ford, BMW, Subaru, and GM, use internal monitoring to help identify if the driver is paying attention to the road. But they do not record, save or transmit data or video. Instead, they deploy infrared technology to identify a driver’s eye movements or head position and alert the driver when they are not paying attention.
Tesla has argued that it uses camera footage for security reasons, stating that "the cameras allow it to review footage and bar owners from using features, like the Full Self-Driving beta." However, everything recorded, stored, and transmitted offers privacy risks. First, these footages can fall into the hands of malicious parties, which can misuse them, including for criminal activities. Second, Tesla might use the images for novel purposes in the future, such as making them available to public and private investigators, arranging partnerships with insurance companies, or for any other business or marketing deals.
Tesla allows owners to opt out of internal recording, but possibly many owners do not have this broad view of how much is being captured and how much it can reveal about them and about others in their families. Additionally, it seems that it is not easy to opt out, as this video by Henry from Techlore clarifies. It reminded me of GDPR art 7.3:
"The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent."
After a long and unsuccessful journey, Henry still did not manage to find out whether the warranty would still be valid without data sharing. In a follow-up video, Henry documented a second "Tesla vs privacy" saga, in which he requested to have access to the data Tesla collected and processed about him. Tesla returned with an empty report, saying there was nothing to report. In his analysis, he argues that Tesla states that all the vast information they collect is anonymous and follows privacy by design. Henry disagrees and explains why.
When describing the internal camera, Tesla stated:
"The cabin camera images you share with Tesla are not linked to your VIN [Vehicle Identification Number], and will be used to continuously improve the intelligence of features that rely on cabin camera. You may change your data sharing settings at any time."
However, when filming people's faces, this data is obviously identifiable. So if malicious parties have access to the footage, or if Tesla starts using these images for different purposes, privacy will be compromised.
Additionally, other passengers that are not the Tesla owner might not be aware that the system is enabled and might not have consented if they knew it. There is no mandatory consent mechanism or privacy warning after you enter a Tesla.
There are still privacy concerns in cases of theft or hacking of the car. Not only will the person have financial losses, but massive amounts of personal information could be potentially disclosed. If a Tesla owner's smartwatch or phone gets hacked or stolen, there are also potential privacy risks involving their Tesla if the devices are linked.
I wish Tesla were more realistic and proactive about all the risks involved in super-connected and surveillance-based cars.
Tesla has installed the technology, which can be replicated by other manufacturers and become a new de facto car standard. From a privacy perspective, we always need to think beyond the initial enthusiasm and fascination with the technology: is autonomy being respected? Are human values being preserved? Are fundamental principles being guarded?
It looks like Tesla could have much better privacy foundations and features. It would benefit not only Tesla owners and passersby but society in general. Being the innovative company they are, had they made privacy a priority, competitors and Musk-wannabes would follow suit.
Going back to my friend, I hope he will still be happy with his Tesla after reading this.
What are your thoughts on that? What other privacy implications can you identify? I would love to read your opinion.
Privacy needs critical thinkers like you. Consider taking 2 minutes of your time to start a conversation about the topic.
✅ Before you go:
Did someone forward this article to you? Subscribe to The Privacy Whisperer and receive this weekly newsletter in your email.
For more privacy-related content, check out The Privacy Whisperer Podcast and my Twitter, LinkedIn & YouTube accounts.
At Implement Privacy, I offer specialized privacy courses to help you advance your career. I invite you to check them out and get in touch if you have any questions.
See you next week. All the best, Luiza Jarovsky