Cars downloading text messages from phones doesn’t violate state privacy law.

A Ford Escape infotainment system shows a list of messages.
<a href=httpscdnarstechnicanetwp contentuploads202311getty ford infotainmentjpg>Enlarge<a> Infotainment system in a 2016 Ford EscapeGetty Images | Todd Korol

49WITH

A federal appeals court rejected lawsuits that alleged five major carmakers violated a Washington state privacy law. The lawsuits centered on car infotainment systems that store text messages in a way that potentially allows the messages to be retrieved by law enforcement using specialized hardware and software. The rulings in the carmakers’ favor came in cases against Ford, General Motors, Honda, Toyota, and Volkswagen.

A three-judge panel at the US Court of Appeals for the 9th Circuit unanimously upheld US District Court rulings that dismissed the five class-action lawsuits, which were almost identical. The appeals court ruled in Ford’s favor on October 27, then issued rulings upholding the dismissals of the other four cases on Tuesday this week.

We’ll cover the Ford ruling here since the other decisions don’t go into the same level of detail, and the arguments were similar in all five cases. The simple version is that the cases failed because the plaintiffs’ data stayed in the car systems and apparently was never transmitted to law enforcement, Ford, or anyone else.

The class-action “complaint alleges that the vehicle’s system downloads all text messages and call logs from Plaintiffs’ cellphones as soon as they are connected,” the Ford ruling said. “The complaint also alleges that the infotainment system permanently stores the private communications without Plaintiffs’ knowledge or consent.” The complaint’s allegations refer to Ford cars made in 2014 and after.Advertisement

Plaintiffs alleged that there is no way to delete the text messages and call logs from the car system. “If text messages or call logs are deleted from a cellphone, the vehicle nevertheless retains the communications on the vehicle’s on-board memory, even after the cellphone is disconnected. Vehicle owners cannot access or delete their personal information once it has been stored,” the ruling’s summary of the complaint said.

Products can extract messages and call logs

Ford’s website provides instructions for a factory reset that “erases all stored data, such as call history, text messages, previously paired phones,” and other data. That’s useful before one sells or transfers a car but doesn’t allow drivers to manually delete specific messages or call logs while they’re still using the vehicle with a connected phone.

There was no allegation that Ford or the other carmakers directly accessed text messages or call logs, or that they stored the data in their own systems. The privacy concern comes from the fact that a company called Berla sells specialized data-retrieval products to law enforcement, which could use the products to obtain messages and logs from a car.

Berla’s website boasts that “having access to a suspect’s connected vehicle is the next best thing behind having the actual phone itself.” In a statement quoted in the plaintiffs’ complaint, Berla also says that if “a driver uses the infotainment interface to ‘delete’ their device, that device information often remains in unallocated space and can be recovered.”

“According to the Plaintiffs, Berla produces hardware and software capable of extracting stored text messages and call logs stored on a vehicle’s on-board memory,” the appeals court ruling said. “Berla products are not generally available to the public, and sales access is restricted to law enforcement, the military, civil and regulatory agencies, and select private investigation service providers.”

Law requires actual injury

The Washington State Privacy Act prohibits “any individual, partnership, corporation, association, or the State of Washington, its agencies and political subdivisions” from intercepting or recording any private communication transmitted by telephone, said the US District Court ruling that dismissed the Ford lawsuit in May 2022. The state law “requires an injury to one’s business, person, or reputation” in order for a lawsuit to proceed.

The class-action complaint contended that “text message and call log data copied onto the vehicle can be, and is, transmitted to users of Berla’s equipment without requiring any kind of password, biometric, or other security measure.” The complaint pointed to a 2017 CyberScoop report that quoted Berla CEO and founder Ben LeMere as saying his firm was working with carmakers to educate them on securing private data, but only “when it’s part of an agreement that they will allow law enforcement in.”

Ford court filing said that making a vehicle containing an infotainment system does not create liability under the state law “any more than selling computers and smartphones to purchasers who make and record calls and store texts on their devices. Any recording in this case was done by Plaintiffs, or by the system itself, which resides in a vehicle they own or use.”

Ford also stated that “law enforcement may record or intercept communications under the [state law] if they properly obtain a court order,” and argued that drivers gave “implied” consent to have their text messages stored on the cars. “Washington courts have repeatedly held that those who send electronic communications, such as emails and text messages, understand these messages will be preserved in multiple forms and thus impliedly consent to the recording of such messages,” Ford wrote.Advertisement

The District Court found that plaintiffs did not assert that Ford “reviews, utilizes, benefits from, or even has the ability to retrieve the cellphone data collected and stored by an infotainment system.” Ford’s only role was apparently designing and installing the system.

The car, not Ford, records messages

The District Court ruling said there was no injury to the plaintiffs since there was no allegation that their data was accessed by law enforcement or anyone else:

The appeals court affirmed the District Court’s judgment, agreeing that the plaintiffs failed to allege an injury. Under the state law, “an invasion of privacy, without more, is insufficient to meet the statutory injury requirements,” the judges’ panel wrote.

While the class-action lawsuit failed, researchers and regulators are increasingly looking into privacy risks posed by connected car systems. A California state regulator is investigating the privacy practices of connected vehicle makers, the agency announced in July. Security researchers have found vulnerabilities in the cars, and a Mozilla research report called modern cars “a privacy nightmare.”

LEAVE A REPLY

Please enter your comment!
Please enter your name here