Laudator: Dr. Thilo Weichert
The BigBrotherAward 2020 in the “Mobility” Category goes to
Tesla Inc., represented by Tesla Germany GmbH in Munich,
not for the logging of a Brandenburg forestry to build their new plant, and not for the accidents caused by inattentive drivers who overtrusted Tesla’s assistance systems.
Tesla receives this award for marketing cars that extensively and perpetually surveil their passengers and car surroundings. The data obtained is constantly analysed and can be used for any purpose.
The car manufacturer Tesla has received a lot of praise for their electric cars. Among rich and eco-conscious people these cars have developed a cult following. The fact that they are surveillance systems on wheels does not seem to be of any concern to them. The hip cars from California are equipped with sensors for practically everything happening in and around the car.
The privacy statement
To justify this surveillance orgy, Tesla’s terms and conditions refer to consent, to the sales contract, and to legitimate interest, without giving further details.1
The terms and conditions inform customers what data the company – and I quote – “may collect in a variety of ways”, which include their “digital services”, “other sources”, the “Tesla account”, “offline”, “through your browser or device”.
When collecting data “about your Tesla vehicle”, the company lays claim to the recording of “telematics log data”, “remote analysis data”, “safety analysis data”, “service history”, “charging information”, “navigation data” as a part of “advanced features”, as well as “short video clips using the car’s external cameras”.2
What remains unclear is which sensor data is transferred to and stored by Tesla and which stays with the car and is overwritten. Elon Musk’s company grants itself virtually unlimited rights in its terms and conditions. From a consumer protection standpoint one has to assume that everything that is stated, the company eventually intends to do. Quote:
“By using our products or services … you consent to the transfer of information from or about you or your use ... to countries outside of your country of residence, including the United States.”
Those who disapprove of so much data processing can object online, via e‑mail or by post to an address – in the U.S. However, in the next breath Tesla go on to advise against taking such measures. The company writes:
“This may result in your vehicle suffering from reduced functionality, serious damage, or inoperability.”3
Hurray for voluntariness!
Surveillance all around
One central function of Tesla vehicles is their video and ultrasound surveillance, in driving mode as well as parking mode:
“Eight surround cameras provide 360 degrees of visibility around the car at up to 250 meters of range. Twelve updated ultrasonic sensors complement this vision”4
These sensors facilitate the driver assistance and autopilot function, that is to say semiautonomous driving. They also complement the dashcam, where information can be read out retrospectively in case of accidents. Irrespective of an accident the last 10 minutes can be saved at the push of a button. Via the USB interface the incoming data can be read and analysed continuously.
When the cameras are put into “sentry mode”, a function that has been available since 2019, they capture their surroundings non-stop. As soon as the camera senses a noteworthy movement, a red light flashes on screen and it starts recording. For that to be triggered it suffices that a person walks closely to the car or a car passes close to it. Youtube boasts a host of these clips. A tremor or forced entry into the vehicle triggers an alarm on a smart phone, and if desired the stereo can blast automatically.5
Registration plate capture and face recognition – it’s all possible
To demonstrate the potential that this technology holds, the security researcher Truman Kain has built, with little effort, a “Surveillance Detection Scout”, a mini computer that he connected to the USB interface of Tesla vehicles. With it he was able to analyse all cameras in use, capture registration plate information and even conduct face recognition. If, for example, the scout detects the same registration plate several times in a row, it sends an automatic message to the owner’s smart phone and to the car screen: “You’re being followed.”6
Musk’s Surveillance Phantasies
Yet another camera is present in the interior of the Tesla Models 3 and Y, right above the central rear-view mirror. It is pointed at the vehicle’s passengers. In a video, Tesla boss Elon Musk justifies its use by explaining that his vehicles can be employed as ridesharing services and self-driving taxis. Via the interior camera, third parties could be held liable for any damages or soiling that occured during a ride.7
But that is not the end of Musk’s surveillance phantasies by any stretch of the imagination. Through Twitter he announced, accentuated by music, that his company was working on a feature that would let Tesla vehicles talk to passers-by. In a video a Model 3 can be seen talking at a pedestrian: “Don’t just stand there staring – hop in.” Musk explains: “Teslas will soon talk to people if you want. This is real.”8
Soon, parked vehicles will be able to intervene in our discussions, unprompted, while we are out and about looking to have a peaceful conversation.
Tesla and the GDPR
Tesla makes no mention of the GDPR, which is in effect since May 2018. The terms and conditions are only available in full through several clicks, they do not contain a date signature, and they can be unilaterally changed at any time, an option that has been exercised. Regarding information transmission to the U.S. they also invoke the Privacy Shield9, a treaty that was recently declared void by the European Court of Justice.10
Consequently, even normal operation of a Tesla is in violation of the GDPR. The condition of “concise, transparent, intelligible and easily accessible form, using clear and plain language”11 is by no means fulfilled.
Another important critique: this pseudo-consent is only being solicited from the car’s owner. Data collection mainly concerns the driver and/or passengers, who are not necessarily the same person.
A definite no-go in light of the GDPR is the continuous monitoring of the vehicle’s surroundings, i.e. the public sphere. Videotaping and recording people who walk by a car, without acting suspiciously in any way, constitutes a classic case of data retention. In the public space near a Tesla vehicle, we are being recorded, followed, possibly identified, depending on which technology is active. We do not know which of these functions the car is exercising at any given time. Similarly, the hidden video recordings of the interior that are available in some of the models are inadmissable.12
To us the case is clear: Tesla vehicles are legally inadmissable, plain and simple. Anyone who purchases a Tesla – in 2019 alone 10,000 new vehicles were registered in Germany – would have to deactivate many services to be in compliance with the GDPR.13 They would not be allowed to let anyone enter or drive their car without an instruction on privacy issues. Tesla is a case for the – undoubtably already overwhelmed – data protection authorities. We do not have issues with car assistance systems, nor are we against semiautomated driving. These systems do require sensors and even artificial intelligence. But, from a data protection standpoint, the data collected has to stay largely in the vehicle itself. The transmission and external retention of data has to be restricted to clearly defined situations, such as the triggering of an airbag. However, Teslas continuously gush data and have a long memory.
Our giving this award to Tesla today should not be understood by other German or European manufacturers as a carte blanche for full automation of their line. On the contrary: Their product range, too, stinks to high heaven in many data protection respects. More on that maybe later.
At any rate, at Tesla the stench is excessively foul. That is why:
Congratulations on the BigBrotherAward 2020 in the “Mobility” Category, Tesla Germany.
10 ECJ ruling from July, 16th, 2020 – C-311/18
11 Article 12(1) GDPR