It's perfectly legal for cars to harvest your texts, call logs
Just because they store messages in a way owners can't access doesn't mean it's a privacy violation, US court rules
In response to five class-action lawsuits, a Washington appeals court has decided that Honda and several other automakers did nothing wrong by storing text messages and call records from connected smartphones.
Honda, Toyota, Volkswagen, and General Motors were all facing charges in separate but related class-action suits that all claimed they violated Washington state privacy laws. The cases were all dismissed in court earlier this year, and the US Court of Appeals for the 9th Circuit decided [PDF] this week they weren't going to reopen the cases to further litigation.
The Circuit judges hearing the case lumped all of them together because "the factual background and legal issues are virtually identical," and dismissed the appeal not because the automakers hadn't done anything wrong, but rather because the claims didn't meet the Washington Privacy Act's (WPA) statutory injury requirements.
"To succeed at the pleading stage of a WPA claim, a plaintiff must allege an injury to 'his or her business, his or her person, or his or her reputation,'" the judges ruled. "Contrary to Plaintiffs' argument, a bare violation of the WPA is insufficient to satisfy the statutory injury requirement."
In other words, it's A-OK for your car to "automatically and without authorization, instantaneously intercept, record, download, store, and [be] capable of transmitting" text messages and call logs since the privacy violation is potential, but the injury not necessarily actual.
The 9th Circuit judges' determination was based on the dismissal of a fifth class-action lawsuit in Washington that made the same arguments against Ford, which was dismissed in late October on identical grounds. One of the same 9th Circuit judges, Michael Daly Hawkins, was on the appeals panel that made both decisions.
We asked Honda and lawyers for both sides of the case to comment but haven't heard back.
- We already give up our privacy to use phones, why not with cars too?
- Ford SYNC 3 infotainment vulnerable to drive-by Wi-Fi hijacking
- Mozilla calls cars from 25 automakers 'data privacy nightmares on wheels'
- Car rental firms told: Tell your customers about in-car data slurps
Per the first amended complaint [PDF] filed in the Honda case, Honda infotainment systems in vehicles manufactured from 2014 onward "store each intercepted, recorded, and downloaded copy of text messages in non-temporary computer memory in such a manner that the vehicle owner cannot access it or delete it," plaintiffs argued. "Even if the text message is deleted from the smartphone, the Honda vehicle retains a copy in on-board memory, even after the smartphone is disconnected."
The same goes for call logs, the class-action complaint argued.
Plaintiffs accusing Honda of WPA violations pointed to Maryland-based Berla Corporation, which manufactures equipment "capable of extracting stored text messages from infotainment systems" as a reason for owners to consider the data harvesting a privacy concern. According to the suit, Berla software isn't generally available to the public, and is designed for law enforcement use.
"Copies of text messages and call logs stored on Honda vehicles can be, and are, retrieved by unauthorized users of Berla's equipment without any password, fingerprint, face image, or other security measures, thus bypassing any security measures Plaintiffs and class members employ to secure data on their phones," the complaint alleged.
The Honda case and those involving Toyota, VW, and GM were all dismissed with prejudice, so the only way for the cases to go is up to the Supreme Court on further appeal. It's not immediately clear if further appeals are planned. ®