The same data uploads and downloads that make Teslas dream cars for some Tesla owners also may make them security hell for all Tesla drivers. That’s because Tesla vehicles are big, wheeled Internet of Things devices.
We were moved to write this article when a colleague told us that “You car will be relaying live information about HOW you drive; WHERE you are driving; WHICH wear and tear you are “inflicting” upon the vehicle components; WHICH software you are using (on car) …This data will move from your car sensors to the onboard computer, then through a telecom operator to a cloud services provider and then to the Tesla data center and even authorized workshops and IT landscapes… that data is personal data, since your behavior is generating it… If you have an accident (God forbid) the car will issue an alert to fire departments and the police, besides Tesla… This is IoT and this information is neither encrypted nor do this companies have data processing agreements between them. By the way… it’s not just Tesla that does this, many other manufacturers have similar services… were you asked for consent; did they explained the “value chain”?”
(The above-cited colleague is now a GDPR professional, however previously they headed a Connected Car team at a large multinational IT company that developed, among other things, some of these solutions for the largest EU car manufacturers.)
We have been reporting for years on the security nightmare that these onboard data reservoirs and conduits pose. In 2015, in our artice Can Your Car be Hacked through its Onboard Wireless? we noted that Senator Edward Markey of Massachusetts had reached out to 20 automakers, including Tesla, “asking for information on what technology is onboard their automobiles, what security is onboard to protect the technology against hacking, and also what personal information (about the owner/driver) is collected.”
The vast majority (17) of them responded; Tesla was among the three who didn’t respond.
The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.
CashApp us
Venmo us
Paypal us
With this in mind, and our colleague’s words spurring us on, we did some research. And as it turns out, even the most cursory of searches quickly turns up a wealth of information about that Tesla data. And fairly damning information it is.
For example, [destination content has been removed at other end :~( ] by a software developer who is also a Tesla owner, in which he notes that all anyone needs to access an owner’s data through the Tesla API is the login, and that with the API data, “anyone can tell where I live, work, go shopping, eat out, and go on vacation. Anyone who has access to this data can learn a great deal about me,” to which another savvy Tesla owner replied “Privacy is not the only concern, but the weak security of the account also makes it easy to open the car…”. In fact, he elaborated in his own blog post here, titled “Why I deactivated Tesla app access”, and pointing out that “When I first discovered that the Tesla account is secured only with a password, I was bewildered. I mean, this account is essentially a virtual key to my car.”
However don’t think for a minute that this data access is a two-way street. Oh no. In fact, as Ecommerce Daily News revealed, “according to two former Tesla service employees who requested anonymity, when owners try to analyze or modify their own vehicles’ systems, the company may flag them as hackers, alerting Telsa of their skills. Tesla then ensures that these flagged people are not among the first to get new software updates.”
That, however, was not even the lead in the Ecommerce Daily News story. That news article, Researchers find totaled Teslas contain unencrypted and personally revealing data about owners, including locations visited, phone contacts, and dash cam video was talking about the fact that researchers found that upon crashing and/or being junked, the onboard computers on Tesla vehicles – you know, the ones that report back to Tesla, among other things, retain all the data that the driver has knowingly stored, “plus tons of other information generated by the vehicles including video, location and navigational data.”
This jives with the CNBC expose that CNBC did earlier this year, in which they found not only that data is not wiped before a Tesla goes to the junk yard after being totaled, but that Tesla sometimes sends a used Tesla out to an automotive auction house, Maneheim, and that “A former Manheim employee, who asked to remain anonymous, confirmed that employees do not wipe the cars’ computers with a factory reset.”
And let us remind you that much of this data is unencrypted.
Tesla is notoriously stingy about sharing your Tesla’s data with you – the person whose car is generating the data – in fact they require a subpoena for it. Which is kind of crazy given that with your password and the Tesla API even a high school level hacker can access it without a subpoena. In fact, you’d probably pay the high school hacker substantially less than it would cost you to hire a lawyer to get the subpoena!
However Tesla has been very quick to use that same data themselves in the several lawsuits they have been defending when a user owner gets into an accident.
Wait, did we say “several lawsuits”? Indeed we did, even though we bet you’ve only heard of one or two.
Most recently, the family of a California man filed a lawsuit just a few weeks ago, claiming that the Tesla Autopilot system was defective, leading to the crash in which the man died.
Then there is this barely reported, recently filed lawsuit, Chan versus Tesla, filed at the end of October, 2018, which alleges that “On December 13, 2017, at or about 4:40PM Eastern Time, Chan was driving the Vehicle eastbound in the far-right lane of the Long Island Expressway (U.S. 495) near Exit 26 and 185th Street. The Vehicle’s Traffic-Aware Cruise Control and Autosteer functions were engaged. Chan was driving with his hands on the steering wheel but the Tesla, as programed, was operating the steering function in an automated fashion. Chan’s feet were not on either the brake or accelerator pedal as braking and steering were being conducted by the Tesla. In dense traffic, the Vehicle was following a white tractor-trailer truck at an appropriate distance determined by Tesla when, from an entrance ramp to the right, a white Audi began to merge in between the truck and the Vehicle. At first, the Vehicle seemed to recognize the merging Audi and decelerated to maintain its preset follow distance. However, as the Audi completed its merge maneuver, the Vehicle moved forward suddenly and on a collision course with the Audi. The Vehicle failed to brake or otherwise avoid the collision. The Vehicle failed to warn Chan of the impending collision. Chan intervened as quickly as he could, but he was unable, even by the exercise of reasonable care, to avoid the accident. Chan redirected the Vehicle to the open lane to the left and tried to decelerate. The Vehicle moved into the left lane but again failed to recognize and avoid obstacles ahead. The Vehicle collided with two other vehicles before coming to a stop. Upon later inspection, the Vehicle was deemed a total loss.
Curiously, it turns out to be very difficult to determine the number of accidents involving Teslas. The closest we could find was this very comprehensive article on Medium, claiming that Tesla’s driver fatality rate is more than triple that of luxury cars, and which digs deeply into the statistics.
Of course, many of the accidents and most of the lawsuits will turn in large part on the data from or which flowed through the Tesla involved – the same data that Tesla will use but make difficult for the car owners or their families to access.
Equally curious is that an article by the Bloomberg Bureau of National Affairs, talking about Tesla’s access to car data, has been so completely buried that we have to give you the link to the archived version at archive.org instead.
In the piece Bloomberg explained that “Tesla Inc.’s quick access to the driving data streaming in from its cars is at the cutting edge of auto technology,” and that they are collection of “acceleration, braking, speed, and other data points from Model X, Model S, and Model 3 cars” provides Tesla with “an early advantage in responding to crash reports and lawsuits, as several incidents and Tesla’s own comments about cases indicate.”
And, Bloomberg said, “And the carmaker isn’t shy about using the continuous, almost real-time vehicle information it collects when it comes to protecting itself, either in the media or in the courtroom.”
Tesla Data Showing When Driver had Their Hands On and Off the Steering Wheel
So, what exactly is the data that the Tesla is collecting about you, which is accessible through the API, at least some of which is not encrypted, and which is protected by only a password?
Here’s what Tesla’s Terms of Service for Tesla car data says (Terms of Service for a car, who would even imagine that their car came with Terms of Service, let alone find and read them?). We have bolded certain items for ease of reading:
Tesla Car Terms of Service
We may collect a variety of information from or about your Tesla vehicle, including:
• Telematics log data: To improve our vehicles and services for you, we may collect certain telematics data regarding the performance, usage, operation, and condition of your Tesla vehicle, including: vehicle identification number; speed information; odometer readings; battery use management information; battery charging history; electrical system functions; software version information; infotainment system data; safety-related data and camera images (including information regarding the vehicle’s SRS systems, braking and acceleration, security, e-brake, and accidents); short video clips of accidents; information regarding the use and operation of Autopilot, Summon, and other features; and other data to assist in identifying issues and analyzing the performance of the vehicle. We may collect such information either in person (such as during a service appointment) or via remote access.
• Remote analysis data: We may be able to dynamically connect to your Tesla vehicle to diagnose and resolve issues with it, and this process may result in access to personal settings in the vehicle (such as contacts, browsing history, navigation history, and radio listening history). This dynamic connection also enables us to view the current location of your vehicle, but such access is restricted to a limited number of personnel within Tesla.
• Other vehicle data: In order to help improve our products and services, we may collect and store other vehicle data, including: data about accidents involving your Tesla vehicle (e.g., air bag deployment and other recent sensor data); data about remote services (e.g., remote lock/unlock, start/stop charge, and honk-the-horn commands); a data report to confirm that your vehicle is online together with information about the current software version and certain telematics data; vehicle connectivity information; data about any issues that could materially impair operation of your vehicle; data about any safety-critical issues; and data about each software and firmware update. We may collect such information either in person (such as during a service appointment) or via remote access.
• Service history: In order to facilitate the servicing of your car, we may collect and process data about the service history of each Tesla vehicle, such as the customer’s name, vehicle identification number, repair history, any outstanding recalls, any bills due, any customer complaints, and any other information related to its service history.
• Charging station information: We may collect information regarding the charge rate and charging stations used by you (including outlets) in order to, e.g., analyze which charging stations are being utilized, how long and efficient battery charges are, and where additional charging stations are needed.
• Advanced features:
• We may provide you with features in your Tesla vehicle, such as real-time traffic, Autopilot, and Summon, which make use of the road segment data of your vehicle and we may share this data with partners that contribute similar data to help us provide the service, but we only collect or share the data in a way that does not identify you or your car. We also may collect similar data in connection with other features, such as the navigation data for the online routing feature, and may share it with business partners where necessary to provide the feature to you, but, again, we only collect or share the data in a way that does not identify you or your car. We also only collect or share this data if you enable this collection, although if you do so, your vehicle may send this data to Tesla and its partners even if you are not actively using a feature that needs this information. You can enable or disable the collection and sharing of this data at any time via the “DATA SHARING” setting in Controls > Settings > Safety & Security.
• To further help develop and improve autonomous safety features, we may collect short video clips using the car’s external cameras to learn how to recognize things like lane lines, street signs, and traffic light positions. These short video clips are not linked to your vehicle identification number and we have ensured that there is no way to search our system for clips that are associated with a specific car. You can enable or disable the collection of these clips any time via the “DATA SHARING” setting in Controls > Settings > Safety & Security.
If you no longer wish us to collect telematics log data or any other data from your Tesla vehicle, please contact us as indicated in the “How to Contact Us” section below. Please note that if you opt out from the collection of telematics log data or any other data from your Tesla vehicle (with the exception of the Data Sharing setting detailed above), we will not be able to notify you of issues applicable to your vehicle in real time. This may result in your vehicle suffering from reduced functionality, serious damage, or inoperability, and it may also disable many features of your vehicle including periodic software and firmware updates, remote services, and interactivity with mobile applications and in-car features such as location search, Internet radio, voice commands, and web browser functionality.
We think that it’s worth noting here that in 2016, Tesla failed to disclose a fatal crash involving a Tesla, and specifically involving use of the Tesla autopilot, which had occurred just 11 days before Tesla went public and their stock went on the market. As we reported then, Tesla did not disclose this crash until the occurrence of a second crash (this time not fatal), and when asked why Tesla had not disclosed the fatal crash before the stock offering, Elon Musk said it was because the news of a fatal Tesla crash “is not material to the value of Tesla”.
Perhaps, in much the same way, the (in)security of your personal data in the hands of Tesla is not material to the value of Tesla – but given that they use it to defend lawsuits, to share with partners, and in other ways, you can bet your bottom dollar that your data itself is very much of value to Tesla.
Given that, wouldn’t you think that they would take measures to protect it just a little more carefully?
The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.
CashApp us
Venmo us
Paypal us
