The two researchers say they bought a totaled Model 3 in late 2018. When they accessed the car’s computer, they found unencrypted data from “at least 17 different devices,” according to the report. (The car had been owned by a construction company and presumably used by multiple employees.) That included 11 driver or passenger phonebooks, with numbers, email addresses, and calendar entries intact. The researchers also gained access to the last 73 locations that had been plugged into the car’s navigation system.
In addition, the car’s computer still contained footage from one of the Model 3’s seven cameras. This included the forward-facing view of the wreck that totaled the car, as well as a clip of a previous crash that was less serious.
One of the researchers told CNBC that he found similar data from other Tesla vehicles, too, including a Tesla Model S, Model X, and two other Model 3s. “Given how technically sophisticated Teslas are, I’m really surprised to learn that they would handle data so carelessly,” Ashkan Soltani, a security researcher and former chief technologist for the FTC, said in an email to The Verge
As CNBC points out, personal data retention is a problem more readily associated with rental cars. The Federal Trade Commission has repeatedly reminded consumers to be careful with their information when renting. But as cars are outfitted with ever more sensors and computers, those that have been sold or crashed now contain far more granular data about an owner than what’s generated over a few days in a rental.
The problem with all this “data waste” is that some manufacturers shift the burden for privacy to consumers. The Jetta owner, for example, didn’t know Volkswagen puts the onus on the customer to wipe their data before selling their car — even if it’s being sold back to a dealership. So new car buyers should start treating vehicles like they would a smartphone and be sure to wipe any data before selling it to anyone.
“I do think automakers should be taking steps to make sure that information isn’t available to unauthorized access (secondary owners or used car dealerships, for example),” Soltani writes. “Location and contacts are incredibly personal and sensitive, [and] I think it’s problematic to leave that information laying around. Specially given that unlike mobile phones, cars typically stay in circulation for decades.”
Even if they behave perfectly, car owners don’t always necessarily have control over the situation. In a crash like the one CNBC reported on, the last thing an owner is likely going to think about after slamming into a tree is that they need to factory reset their car. And depending on the severity of the crash, the car’s screen may not even work, making doing so impossible without extra hardware.
So as cars continue to collect more and more data, everyone — from the companies that make them, to the people who buy them, to the regulators overseeing the evolving market — needs to think a little harder about how to make sure that data doesn’t wind up in the wrong hands.