Both EVs and conventional cars are collecting “extensive customer data” about driving habits that may be onsold to insurance and finance companies, consumer advocates have warned as the government moves to secure vulnerable parts of the renewables supply chain.

The warning comes after consumer group Choice singled out the data collection practices of Toyota, whose Toyota Connected Services (TCS) technology collects data about vehicle locations, driving data, fuel levels, and phone numbers and email addresses loaded into its system through connectivity with drivers’ phones.

Described by the company as “an advanced suite of smart technologies designed to simplify your everyday life”, TCS is activated on suitably equipped vehicles after consent buried in the contract of sale – meaning that consumers cannot opt out from what is described as “collecting and utilising your vehicle and personal data for the purpose of delivering TCS and for research and development purposes.”

Toyota is “incredibly vague about what actually counts as ‘consent’,” Choice senior campaigns and policy advisor Rafi Alam said, as the group warned that “privacy problems are fast becoming a real issue with cars, as just about every new vehicle seems to have a ‘smart’ connection installed.”

Whether being stored and processed in Australia or overseas, Toyota’s policy says, data “is treated with the highest level of safety and security standards associated with Toyota” – but that assurance may ring hollow given that data breaches of Toyota Australia in at least 2023, 2022 and 2019 have compromised the personal information of thousands of Australians.

“Car companies say these technology features increase driver safety,” Alam said, “but people shouldn’t have to give up their privacy rights in order to purchase a new car.”

Potential privacy risks were enough to convince one longtime Toyota owner to cancel the purchase of his $68,000 Hilux after he began getting pre-delivery emails prompting him to sign up for TCS – something he says “the dealer never told me about…. [subsequently] I was told if you remove it, you will void your warranty and you’ll likely put your insurance at risk as well.”

He’s not the only one to back away: a November survey of 2,000 US drivers by security firm Kaspersky found that 71 per cent of respondents would consider buying an older car, or one with less technology, to protect their privacy and security – an option that, the company noted, is “likely to get less realistic as time goes on and connected cars make up a growing share of the available inventory.”

Potential privacy exposure will increase as data from connected cars increasingly supports third-party services; it is already being used to drive ‘insurtech’ services like ‘pay per kilometre’ insurance provider Koba, which bases its services and pricing on real-time driving data, including details of drivers’ acceleration, braking, and cornering techniques.

Despite a recent Mozilla study that called cars “the worst product category we have ever reviewed for privacy” – and shellacked Toyota and 24 other brands for their data practices – auto makers have increasingly moved to exploit the data they collect for third-party usage, with Tesla and GM now offering formal application programming interfaces (APIs) that let third-party applications engage with their vehicles and others using new industry connectivity standards.

That connectivity is catnip for car hackers who revel in doing things like tricking cars’ navigation radar into swerving around non-existent obstacles – and who congregate at regular hackathons such as Pwn2Own, a long-running bug bounty event where security researchers this year discovered 49 zero-day vulnerabilities in electric vehicles (EVs) and public car charging stations.

Securing the renewable transport supply chain

Choice’s Alam called on the government to “urgently… introduce stronger safeguards and prohibitions on the collection and use of this kind of highly personal data,” but reports suggest the government’s attention is focused elsewhere in the EV supply chain.

Recent Senate estimates testimony revealed that the Department of Climate Change, Energy, the Environment and Water (DCCEEW) has commissioned Standards Australia to address the risks of security vulnerabilities in ‘distributed energy resources’ (DER) such as rooftop solar – which is being rolled out so quickly that some days this summer saw rooftop solar supplying all of South Australia’s total energy needs, and two-thirds of demand in Victoria.

With every solar installation needing an inverter to convert solar panels’ DC energy to AC power for homes and businesses, DCCEEW’s efforts will focus on the security of those inverters, energy storage batteries and other devices – which are generally connected via Wi-Fi and have repeatedly been found to have security vulnerabilities, often critical ones.

Similar concerns have also been raised regarding EV charging stations that are widespread, publicly accessible and offer hackers tantalising opportunities to interfere with what has fast become critical national infrastructure.

Australian industry body the Electric Vehicle Council recently asked the government not to go overboard in regulating charging station cyber security, but internationally that horse has already bolted – with the US National Institute of Standards and Technology (NIST) already offering a formal framework to address what researchers have called the “significantly increased” risks, some of them “catastrophic”, around EV charging station security.

As cars increasingly become honeypots of personal and driving data – and are regularly connected to solar systems, public charging infrastructure and even integrated with solar panels, batteries and other devices as part of smart-home ecosystems – end-to-end security will become increasingly important.

“The concern,” Liberal Senator Hollie Hughes noted, “is that there is the possibility for international interference in these inverters because they can be controlled from outside.”