03/25/2015 12:51 EDT | Updated 05/25/2015 05:59 EDT

Connected cars are perfect for harvesting personal data, report warns

As our cars get more high-tech and connected, they are increasingly spying on us and sending highly personal data about us to many different parties — in violation of Canadian privacy laws, a new report warns.

Regulators need to step up and protect the privacy of car users at a time when the range and amount of potentially sensitive — and commercially valuable — data being collected by cars is only growing, says the study funded by the Office of the Privacy Commissioner of Canada and released today by the B.C. Freedom of Information and Privacy Association.

The report titled "Connected cars: Who is in the driver's seat?" was unveiled at the Vancouver Auto Show.

The group notes that "most, if not all" new cars being sold in North America now have at least some wireless connectivity, and "fully" connected cars are expected to dominate the market in the next few years.

"With connectivity, cars are becoming highly efficient data harvesting machines," says the report, citing a wide variety of data collection systems such as:

- Vehicle performance monitors that transmit information about vehicle health and driver behaviour wirelessly to computers used by car dealers and mechanics.

- Navigation systems that record the vehicle's location and the routes it has taken.

- Telematics systems that collect information on driving behaviour and send it to insurance companies to deliver new "usage-based insurance."

- Infotainment systems that can collect information about personal communication, web browsing data, personal contacts and schedules, and preferences with respect to music and video content.

While those systems offer "undeniable benefits" to car owners and drivers, the data they generate is extremely valuable to insurers, governments and law enforcement agencies, and companies that might be interested in tracking and profiling users for target marketing and other purposes.

"In the frenzy to take advantage of this new technology and keep up with the competition, automakers and their corporate partners appear to have ignored Canadian data protection laws," the report says. In fact, "automakers are failing to meet their legal obligations under almost every principle of data protection law."

For example, many service providers required customers who sign up for a service to agree to the use of their personal data not just for delivering the service, but also for marketing, product developing and "business purposes."

That's violates Canadian laws that require clear, informed consent for the use of any personal data for secondary purposes such as marketing, the report says.

The authors also raise concerns about the fact that unnecessary data is being collected and kept for an indefinite period of time, putting car users at risk of having their personal data hacked and stolen.

The report recommends that governments bring in data protection regulations that are specific to the connected car industry.

For example, it suggests, there are already limits on the use of data collected by "event data recorders" that collect information about conditions that could precede a crash. New laws should also ban that type of information from being disclosed wirelessly.

"Policy-makers," it said, "have to provide the guidance that the automotive industry desperately needs on how general principles of data protection apply in their sector."