Project - Surveillance by Products - Vehicles::Car

Project - Surveillance by Products - Vehicles::Car

The project

The project actually arose from the shocking realizations that one of our founders had when planning to buy a new vehicle for his wife. Since the team has been installing secure smartphones since 2017 and the current setup, which we will shortly be introducing as part of EURAFRI, is a pure, completely rooted LineageOS (Android without Google Apps, or Gapps) with an extensive firewall for incoming and outgoing traffic and all apps from the F-Droid Store, the idea of buying an unprotected, data-collecting smartphone with four wheels when buying a new vehicle was unbearable.

Data octopus and mass surveillance?

As part of the search for a new vehicle, things came to light that should not be accepted by the owners of a new vehicle under any circumstances, and it also became clear that the average vehicle user does not understand the technical background and needs to be informed about this and similar areas is urgently needed. Unfortunately, there is often a lack of in-depth IT basic knowledge at school and in further training, which is an absolute necessity for a digital generation.

The problems

The following are just a few of the massive problems associated with the use of IT, IoT and SIM cards for data transmission in the car. The list is by no means exhaustive, but we didn’t want to overwhelm the readers.

Offline data collection

  • Complete tracking of the movement via navigation system or extra GPS system, sometimes without the possibility of deleting the stored data or preventing their storage in advance. There has to be an easy way, preferably a hardware clear-all-data button, to irrevocably delete all this data, otherwise the vehicle will obviously collect data for someone else who does not want the owner or user to be able delete it. With this and the functions listed below, this button is also essential for rental cars.

  • Possibility of collecting data on the driving behavior of the driver, who does not have to be the owner if the driver changes, in connection with the GPS position data. Usually no deletion option for the owner or the driver and with physical access to the vehicle, unrestricted access to this data for people with the appropriate technical device. In any case, a device for reading out and irrevocably deleting the data would have to be delivered with the vehicle, or the deletion should take place with the above-mentioned button. In addition, this function must be an opt-in function that is deactivated by default. Use of the data by third parties, e.g. insurance companies, etc. must be excluded.

  • The collection of consumption values for the new EU law and the transfer of data to the EU must be regulated very precisely. Under no circumstances may access be made online. In addition, data that is passed on to third parties, such as the EU, may under no circumstances be brought into connection with position data, driving behavior data, persons or legal entities.

Online data collection and criticism

  • Partly very deep integration of the e-call in the vehicle system and thus it is unclear whether the SIM card of the e-call system is also used for other purposes. In addition, it is unclear whether the IMEI number of the device, which basically corresponds to a mobile phone, is linked to the vehicle and / or the owner. If the E-Call system is too deeply rooted in the board computer and especially if the IMEI is linked to the owner, it is not guaranteed that it can be used for localization with hidden SMS or full surveillance with video and sound from the outside via the Internet.

  • In many cases, SIM and cards are also installed and thus vehicle data are transmitted. 3G, 4G and 5G cellular networks are now available almost everywhere in Europe. In some cases, attempts are also made to sell this option as an additional benefit for the user with additional contracts, or to offer it as a free option as an extra contract in order to obtain the GDPR approval. We believe that nobody needs to receive an email when the vehicle is due for repairs. Messages in the display are more than sufficient, data-saving, and give the owner the opportunity to choose an appointment and workshop himself. In our opinion, all these transfers do not serve the owner, whose advantages are not really given, since all information can be shown on the vehicle display, but only to the manufacturer to create profiles of the owners, predictable sales from the car stock on the street generate and possibly generate income or benefits from the transmission of the data to third parties. And in order to prevent counter-arguments, we do not refuse to use data-saving error memories that can be read out in the workshop so that they can carry out a better analysis in the event of a defect.

  • Hack risk due to the vehicle’s continuous internet connection. In addition, the vehicle could establish a continuous connection to the manufacturer’s or dealer’s computers via the internet connection. As a result, since the vehicle can be assigned to the owner for the manufacturer or dealer, there is a risk of user profiles with unambiguous user identification. Different people using the vehicle could also be identified through voice control and driver settings storage. Theoretically, via the camera in the dashboard, also with a picture of the people currently in the vehicle. Hackers and others with access to the vehicle would have full access to the computer, position tracking, driving behavior, camera and microphone and could carry out full monitoring of people with potentially far-reaching consequences for the owner or the people in the vehicle.

  • Risk from mobile phone apps or web access to the vehicle computer including the position of the vehicle. To do this, you first have to explain the path of data from the mobile phone or browser to the vehicle and back. Many software developers do not use overlay networks for direct access to the vehicle. As a result, communication takes place in such a way that the vehicle establishes a connection to the manufacturer’s computer and the app or web browser also connects to this manufacturer’s computer. As a result, the manufacturer’s network has continuous full access to or into the vehicle via the reconnect and the entire data traffic runs through the manufacturer’s computer. This could add the data, IP address and location of the mobile phone to the user profile. Much of this data on the mobile phone can only be prevented with the Tor Browser or an app routed via Tor via Orbot. Since there is probably no end-to-end encryption here, the data stream on the relay server would also be readable when using Tor.

  • Partly missing or difficult to find possibility to disconnect mobile phones connected to the vehicle. In theory, devices that were connected earlier could, for example, still locate the vehicle. In order to prevent third parties from accessing the contacts, SMS and other data due to the risks mentioned above, there must be a way of only using the vehicle’s hands-free system without giving the vehicle access to the mobile phone. However, there must be a reset of the system, with simultaneous separation of the devices and deletion of the data via hardware button or quick function. In particular, when using Google or Apple software in the vehicle, it must be possible to protect contacts, SMS and other data.

  • Hardware switches to deactivate the camera and microphone in the car would be desirable, including the possibility of removing any SIM card from the mobile phone network using a hardware switch. Since there are professional groups, such as journalists, who need this, this also applies to the e-call.

  • Attempt in the sales contract or through an additional contract to secure legal access to the data.

  • As soon as we find lawyers as volunteers for the project, we will try to create an addendum to the purchase or rental agreement that prohibits the storage, transfer and use of data with a contractual penalty per incident per transfer or use and dealers , or rental companies and manufacturer are obliged to the buyer or owner to the undivided hand. The whole thing with a reversal of the burden of proof, so that the owners cannot be obliged to provide technically impossible evidence. Those interested in data protection can then have this signed, binding to the main contract, in order to start into a data-efficient future. If the contract is not countersigned by the seller, it would be advisable to choose another vehicle.


Groups for whom their own data is of no value and who do not care about any of the above risks should of course be able to use the built-in software. However, there must be a way for others who place great value on data protection and privacy to switch off and permanently prevent all these storage and transmission. Furthermore, when people change drivers, no data of any kind whatsoever from other users may be evaluated or transmitted.

-EXPOSED! The Connected Car (

Info for manufacturers

EURAFRI sees itself as an organization that wants to provide information and knowledge and is not involved in attacks against data collectors. Where there is data, or where data can be generated, there will always be a desire to get this data.

The EURAFRI approach is based on the assumption that only a well-informed user base, which at least understands the broad context, can bring about a change in behavior. It has to be cool to be in control of your own data in order to bring about a sustainable change to data-efficient solutions.

It follows that the project - surveillance by products - vehicles :: car - will publish a list of vehicles from the data generation communicated by manufacturers and importers, respectively, without evaluating it per vehicle. The user or buyer will find a decision aid for themselves.

The list, currently filled with sample values, can be found here below:

Changes can be tracked via Mastodon and RSS.

We know that it will be difficult to get data from the manufacturers and we have planned a lot of time for this project. Contacting the PR departments of the respective companies is a great effort for our team and takes a lot of time. Of course, we assume that manufacturers who offer data-efficient vehicles want to present themselves in the list faster than others. A listing of the date of contact with the respective PR department is planned.

Manufacturers can download the CSV file and a sample file here:

[EURAFRI Gitea Instance [(

The transmission to us can be carried out in various ways. For questions we are happy to assist you:

Request data protection

Of course we know that data protection, privacy and anonymization represent a certain additional effort for the user, but it is necessary to avoid the generation of personal data before it can be stored anywhere. Because where there is data, there is a desire from many sides to be able to access it.

And yes, it’s really cool to be able to say: “No, they don’t have any data from me!”

Ask? We are happy to discuss all topics within the framework of our project in the matrix!

We look forward to active participation in the EURAFRI project and ask you to also visit the EURAFRI reception in the matrix.


Photo ©: / Karl M. Joch