New APIs from Tesla and GM will deliver programmable cars by letting applications directly access in-vehicle systems – but there is a downside, with security researchers warning that increasing data collection is turning new vehicles into “privacy nightmares on wheels”.
The publication of formal application programming interfaces (APIs) marks a significant step for developers, who have so far had to reverse-engineer the APIs or develop workarounds to add features such as compatibility with Apple CarPlay.
Published screenshots suggest that the new ‘Discovery Tier’ API – which is being taken as the precursor to a system that will make it easier for businesses to manage large fleets of Tesla vehicles – will allow applications to access drivers’ profile details, view live vehicle location and operational data, lock and unlock vehicles, access SentryCam security videos, travel history, charging history, and more.
Direct access to Tesla car data will enable developers to build new applications that will, industry watchers have speculated, pave the way for Tesla to host and market third-party apps for cars through an app store similar to what Apple and Google offer for smartphones.
Auto giant General Motors, for its part, has released a set of APIs called uServices that outline a standard for ‘common vehicle services’ that will allow software developers to build apps that run, unmodified, across a broad range of vehicles.
The specifications for uServices have been submitted to the Connected Vehicle Systems Alliance (COVESA), an automotive industry consortium whose members also include BMW, Ford, Bosch, Honda, and Hyundai as well as consumer electronics brands like LG, BlackBerry, Alpine, and Garmin.
Allowing vehicle owners to download and install apps on their cars, and giving those apps easier access to live vehicle data, will enable a broad range of new connected vehicle applications – think apps optimising energy consumption, smart parking tools, weather-related vehicle reconfiguration, queue warnings or signalling road infrastructure to provide priority thoroughfares for emergency or freight vehicles.
App stores will also allow car makers to charge drivers fees to activate specific features, such as heated seats, self parking, or autonomous driving.
Yet the increased access is also sure to raise new security concerns: with hackers already proving proficient at bypassing in-vehicle controls, wirelessly compromising Teslas and Jeeps, and manipulating remote keyless entry systems, the prospect of legitimate access to vehicle data and systems is sure to drive many to further push the boundaries.
Automotive security has already become a major issue, with a recent report by Upstream finding that the number of automotive API attacks increased by 380 per cent last year – with 63 per cent of incidents carried out by black-hat cyber criminals – despite equipment makers “employing advanced IT cybersecurity protections.”
“IT-based solutions struggle to handle the scope and magnitude of vehicle attacks,” the report’s authors warned, “especially as they lack the context and deep understanding of how vehicles behave and operate.”
Building security features into the new API sets will give developers and applications a better view of the vehicles’ operations, but the ability to control entire fleets of connected cars is expected to become an attractive target for malicious actors who exploit the connectivity to attack vehicle controls and data en masse.
Your privacy is no longer yours
Yet even as car makers look to improve connectivity with their systems – and eye the prospect of new revenue streams from selling app-based subscriptions to their customers – privacy advocates are already up in arms about the potential for operational data to be used and abused.
“All new cars today are privacy nightmares on wheels that collect huge amounts of personal information,” Mozilla Foundation Privacy Not Included (PNI) program director Jen Caltrider said in releasing a new report that found today’s cars “can collect deeply personal data” including sexual activity, immigration status, race, facial expressions, weight, health and genetic information as well as detailed records of where and when drivers go.
Data is being collected by in-car sensors, microphones, cameras and the phones and other devices that drivers connect to their cars, PNI found in warning that car brands such as BMW, Ford, Toyota, Tesla, Kia, and Subaru can collect, analyse, and sell detailed information about their customers’ activities and preferences.
All 25 major brands reviewed in the study were scored as failing consumer privacy protections, the organisation found.
Nissan was the worst offender, with a privacy policy that “admits to” collecting information including sexual activity, health diagnosis data, and genetic data and claims the ability to share and sell consumer “preferences, characteristics, psychological trends, predispositions, behaviour, attitudes, intelligence, abilities, and aptitudes”.
Volkswagen collects demographic data and data on driving behaviours for targeted marketing purposes while Kia’s privacy policy reportedly includes a statement that the company can collect information about your “sex life”.
Global revenues from selling this data could reach $1.1 trillion ($US750 billion) by 2030, a recent McKinsey analysis predicted – and while APIs will enable better connectivity, Caltrider warned that cars are no longer the sanctuaries they used to be.
“Many people think of their car as a private space,” she said.
“They’re somewhere to call your doctor, have a personal conversation with your kid on the way to school, cry your eyes out over a break-up, or drive places you might not want the world to know about.
“But that perception no longer matches reality.”