In a deeply concerning report of car manufacturers recently released by Mozilla Foundation, 所有25个主要汽车品牌的隐私得分都不及格.1 有用的汽车功能, 比如备用摄像头, 变道助手和车载导航, have sensors that might collect sensitive information 和 provide it to the vehicle manufacturer. This information could be sold, unbeknownst to drivers 和 passengers, to data brokers.
Car manufacturers get away with collecting 和 selling excessive amounts of customer information because consumers are often unaware of these practices, 和, 在很多地区, there are weak or no laws 和 regulations in place to protect drivers from these malicious practices. 一些汽车制造商表示,他们收集基因信息, 和 one claims to collect information about sexual activity 和 intelligence.2
许多网站和消费者都写了关于Mozilla报告的文章, 和 the backlash against auto manufacturers’ privacy practices is strong. Mozilla’s report should serve as a reminder that just because enterprises may be permitted do something, 这并不意味着他们应该这么做. Treating compliance as an aspiration 和 collecting excessive amounts of information is harmful to consumers; privacy professionals must help their enterprises’ privacy practices be more ethically focused.
合规是底线,而不是上限
隐私 laws 和 regulations vary around the world 和 may differ based on industry. Despite the excessive amount of data collected by vehicle manufacturers, 它们中的许多都符合适用的法律法规. This paradox is possible because compliance is the bare minimum; it should be a given that enterprises are working toward being compliant. 遵从并不能保证道德行为.
澳门赌场官方下载应该以尊重和保护消费者为目标, 和 using compliance requirements as the goal is problematic for a few reasons. 第一个, consumers living in areas with weak privacy laws (or without privacy laws) are at a disadvantage compared to consumers in areas with strong privacy regulations in place. All consumers deserve privacy, regardless of the regulatory l和scape of their region. 第二个, privacy laws will not be able to protect consumers in every possible way: predatory enterprises will find loopholes to laws 和 regulations or choose to be noncompliant 和 pay any associated fines.
隐私 practitioners who work at enterprises that are solely focused on compliance should advocate for taking privacy measures a step further. They should look at what others in the industry are doing; if enterprises are going above 和 beyond to protect consumers, 他们将拥有竞争优势. Any enterprise that takes steps to better protect privacy can st和 apart from their competitors. 例如, if one of the car manufacturers reviewed by Mozilla had received a passing score, it would have been able to capitalize on this 和 received a lot of free positive publicity.
成为目标
The more data an enterprise has, the more of a target they are to hackers. 汽车可以访问位置数据, 健康相关信息和驾驶员习惯, 和 automotive enterprises have been breached in the past because of this. 梅赛德斯-奔驰(Mercedes-Benz)在2021年经历了一次数据泄露,影响了1亿人.600万条消费者记录, 其中包括信用卡信息, 社保号码和驾照号码.3 尽管仅此一点就令人担忧, consider what would happen if the other data such as health conditions 和 genetic information4 是妥协.
隐私 practitioners should emphasize the importance of data minimization (i.e., 数据充足, relevant 和 limited to what is necessary in relation to the purposes for which it is processed. Not having sensitive information can make enterprises less of a target to attackers, 和 not having a lot of information about consumers can minimize the harm to data subjects in the event of a breach.
It is also imperative that privacy professionals work closely with security professionals to ensure that data is protected. 取决于组织结构, privacy professionals should also work with data engineers 和 data scientists to better underst和 what information the enterprise collects 和 why.
考虑对消费者的伤害
对个人健康状况的假设, 政治信仰, 宗教和取向可以从澳门赌场官方下载收集的数据中得出.
In the case of vehicles, precise location data could be used to stalk people. In 2019, a man pleaded guilty to stalking his ex-girlfriend using an app that monitored her location. 该应用只需要她的车辆识别号码.5 Not adequately securing location data or selling it to third parties who then turn around 和 sell that to anyone who wants to purchase it could put consumers’ lives at risk.
Tesla’s sophisticated autopilot feature require a lot of sensors 和 awareness of surroundings. Teslas’ cameras can capture sensitive videos, 和 many employees have access to these clips. 特斯拉有一段视频,一个全裸的男人接近了一辆特斯拉. Another video of a Tesla hitting a child went viral at a Tesla office.6 在汽车摄像头的情况下, enterprises must ensure that customers know what the camera might capture, 即使没人开车. Ex-Tesla employees said their cars had footage of people doing laundry 和 other “really intimate things.”7 Although people may be aware that their car is capturing data while driving it, they may not consider that it is also capturing information while parked.
隐私 practitioners must ensure that consumers underst和 exactly what data may be collected 和 how it will be used. It is also important to look at the conclusions that can be drawn from the data collected. Although enterprise leaders may think they are only selling consumers’ location data, they are also selling all the assumptions associated with that location data. Underst和ing the conclusions that can be drawn about individuals based on their data is crucial to underst和ing the harms associated with collecting, 销售或共享数据.
It is also critical that all employees complete privacy awareness training. They must underst和 that sharing or mocking sensitive customer information with other employees would feel very violating to that customer, 这种行为应该有后果.
销售数据是必要的吗?
The average price for a new car in April 2023 was US$48,275 in the United States.8 Auto manufacturers could be financially stable without having to resort to selling data, 但销售数据可能是一项利润丰厚的业务. It is estimated that car-generated data could become a US$450-750 billion market by 2030.9
The US state of Massachusetts introduced legislation to address the privacy associated with cars,10 but enterprises should not look to laws 和 regulations for guidelines around selling data. It is likely that laws 和 regulations will not do enough to protect people from their data being sold. This is because data brokers spend a considerable amount of money to ensure they can continue to buy 和 sell personal information. After the US House of Representatives introduced the American Data 隐私 和 Protection Act, 数据经纪人游说活动大幅增加, 数据经纪人花费1美元.2022年第二季度为7300万美元,而去年同期为1亿美元.2021年第二季度为5500万美元.11
Many industries that do not need to sell data to survive are cashing in on this lucrative business. 隐私 professionals need to explain to senior leadership that when consumers eventually find out that their data is being sold, it could cause reputational harm to the enterprise 和 damage trust with consumers, 最终影响他们的底线.
提供无意义的选择
In many cases—not just with vehicles—privacy-related choices provided to consumers are meaningless: consent to excessive data collection or do not leverage the service. Given that every car brand Mozilla reviewed received a failing privacy score, consumers do not even have the option of selecting a car manufacturer that better protects privacy. 只有一家汽车制造商, passengers consent to their data being used or sold just by sitting in the car.12
隐私 professionals must advocate for meaningful privacy-related choices, not a zero-sum setup in which users have to accept the terms 和 conditions as they are. 用户应该能够精确地表达他们的隐私偏好.
隐私 professionals should also advocate for settings that default to protecting privacy. Providing consumers with the ability to express their preferences is important, but they should not have to do anything to have their privacy protected; it should be automatic. One car manufacturer responded to Mozilla’s report 和 emphasized that customers can opt out of some data collection.13 But that is not enough; the default should be that superfluous data collection does not happen. Practicing privacy by design can help ensure that default settings are privacy preserving.
隐私 professionals working at enterprises that leverage legal privacy loopholes with regards to their data processing must advocate for consumers.
结论
Just because enterprises are legally permitted to collect 和 use data in a certain manner does not mean they should. Building trust with consumers necessitates wanting to do more for them than the bare minimum legal obligations 和 underst和ing the harm that comes with excessive data collection 和 selling data. 隐私 professionals working at enterprises that leverage legal privacy loopholes with regards to their data processing must advocate for consumers; if harm comes to a data subject as a result of an enterprise’s use of that person’s data, 它可能会对消费者和供应商之间的信任造成不可逆转的损害. Any enterprise in an industry heavily relying on unethical data collection practices that chooses not to join their peers in excessive data collection can set themselves apart from their predatory competitors 和 gain a competitive advantage.
尾注
1 Mozilla,“隐私 Nightmare on Wheels’: Every Car Br和 Reviewed By Mozilla—Including Ford, 大众和丰田未通过隐私测试2023年9月6日
2 Caltrider J.; M. Rykov; Z. MacDonald; “After Researching Cars 和 隐私, Here’s What Keeps Us Up at NightMozilla, 2023年9月6日
3 沙玛,.; “梅赛德斯-奔驰数据泄露泄露ssn,信用卡号,《澳门赌场官方下载》,2021年6月25日
4 Op cit Caltrider
5 杨,.; “Man Pleads Guilty to Stalking His Ex Using Her Car's Built-In Tracking AppMashable, 2019年11月8日
6 随后,年代.; W. Cunningham; H. Jin; “特斯拉员工分享了客户汽车拍摄的敏感图像路透社,2023年4月6日
7 同前.
8 塔克年代.; “Average New Car Price Holds Steady; Incentives Rising,《澳门赌场官方软件》,2023年5月10日
9 麦肯锡公司, 汽车数据变现2016年9月,美国
10 达席尔瓦,年代.; “马萨诸塞州正在努力保护汽车数据隐私,《澳门赌场官方下载》,2023年9月18日
11 Ng,.; “隐私法案引发数据经纪人游说狂潮,《澳门赌场官方软件》,2022年8月28日
12 Mozilla。”斯巴鲁2023年8月15日
13 DeMattia N.; “BMW Defends Its Data 隐私 Policies, Rejects Mozilla’s Scathing Report,《澳门赌场官方下载》,2023年9月14日
萨菲亚Kazi, CSX-F, CIPT
ISACA的隐私专业实践负责人是谁®. 在这个角色中, 她专注于ISACA隐私相关资源的开发, 包括书籍, 白皮书和审查手册. Kazi在ISACA工作了9年,之前在 ISACA® 杂志 并开发屡获殊荣的ISACA播客. 2021年,她获得了AM奖&P网络的新兴领袖奖, which recognizes innovative association publishing professionals under the age of 35.
