Your car is spying on you.
Privacy campaigners have called for independent oversight of police use of car hacking software after two thirds of forces refused to disclose whether they possess the technology, despite acknowledging increased reliance on the technique.
At least two thirds of Britain’s police forces have refused to disclose whether they use powerful car hacking software which can download vast quantities of data, from satnav entries to social media content, i can reveal.
Thirty out of the 45 main police forces in the UK declined a request under Freedom of Information (FOI) rules to disclose whether they use advanced digital forensics technologies which are capable of extracting technical and personal data including text messages, bank details and location information from targeted vehicles. It was previously revealed by i that data collected by modern cars is proving invaluable to law enforcement agencies trying to catch criminals but the extent of its use is increasingly opaque.
Privacy campaigners accused police of “unacceptable secrecy”, saying the public were being left in the dark about how often and why car data is downloaded for criminal investigations. Lobby group Privacy International said the potential for “intrusive surveillance” provided by the car hacking technology means there is an urgent need for regulation and independent oversight of its use.
The National Police Chiefs’ Council (NPCC) insisted that the ethics and legislation surrounding any new technology are central to its use and given due consideration by forces.
Modern cars and vehicles typically contain 75 or more computer systems, which record everything from when doors are opened to gear changes and climate control settings, through to information from mobile phones synched with infotainment systems. According to one estimate, a normal car generates 25GB of data for every hour of use – roughly three times the average amount consumed each month by a mobile phone user.
The existence of what one investigator described as a “vast treasure trove” of vehicle information has sparked a boom for specialist companies providing software capable of downloading and sifting this data as police forces in Britain and beyond increasingly harness the technology to investigate and track crime.
According to US-based Berla Corporation, whose iVe extraction system is one of the most widely used by law enforcement agencies around the world – including the US Secret Service, according to US government documents – some 80 per cent of criminal offences involve the use of a vehicle at some point in their instigation or planning.
In March, the College of Policing, which advises on standards and skills in UK policing, unveiled its first online training course in digital vehicle forensics with the aim of teaching officers good practice and techniques including how to exploit “infotainment systems, trackers and in-car navigation systems” while investigating a crime scene.
Based on information in the public domain, i has been able to establish at least 13 UK police forces – including the Metropolitan Police, West Midlands Police and the National Crime Agency – have contracts with or staff members trained by Berla.
But when asked directly under FOI rules whether they use the company’s systems, the vast majority of UK forces either failed to respond or refused to disclose whether they used vehicle data extraction equipment provided either by Berla or any other supplier.
Anyone who believes modern vehicles are simply a means of getting from A to B should think again. In the words of one police investigator, they are “data collection devices on wheels”.
In the search for ever greater efficiency and comfort, cars have been adapted to hoover up vast quantities of information. This ranges from technical minutiae such as fuel consumption and when gears are changed or lights switched on, through to the contents of mobile phones when they are synchronised with infotainment and payment systems.
Whether they are driven by electricity or the combustion engine, modern vehicles contain anywhere between 75 and 100 onboard computer modules, running 150 million lines of code. As a result, for each hour of use they generate the same amount of data as downloading a dozen high-definition movies.
The result is a library of personal and mechanical metrics – arguably overtaking mobile phones in some respects – which is proving increasingly invaluable to law enforcement agencies.
When it comes to investigating crashes, police now effectively have at their disposal the equivalent of an aircraft’s “black box” by accessing data such as speed and location to discern a vehicle’s behaviour prior to a collision.
But it is in the pursuit of serious criminality that the techniques are proving most useful. The ability to link an individual to a vehicle and its movements, as well as phones or messages sent from the vehicle, can be crucial in helping to place suspects at crime scenes or track their associates and networks.
Just two forces – Derbyshire and Gwent – confirmed they used the technology, with the former saying it had spent just over £48,000 on Berla equipment and training since 2018, including a downloading software licence valid until next year. A total of 30 forces refused to disclose whether they used vehicle hacking software, while a further 13 did not respond.
The Derbyshire force underlined that its use of the Berla system was reserved for the most serious types of offences, including murder, kidnap and robbery. It added that the technique was governed by digital evidence guidelines drawn up in 2012 as well as existing legislation on evidence gathering and human rights.
Police Scotland refused to disclose the information despite the force previously confirming to i that it has been using the iVe system since late last year in investigations including a “high-profile” murder.
In the vast majority of cases, those forces which refused to disclose the information provided identically-worded responses declining to say whether or not they used vehicle data extraction technology on the basis that to do so risked providing criminals with insights as to the investigative tools and techniques available to police.
Describing the sector as “rapidly evolving”, the responses nonetheless added: “In recent years, criminal investigations have become more sophisticated, relying more heavily on the data extracted from vehicles.”
When detectives in Derbyshire were faced with the task of finding the perpetrators of a drug-feud shooting compared to “a scene from a Western”, the ability to download data from vehicles proved invaluable.
A white BMW car identified as having been used in the 2020 ambush of an alleged drug dealer on the edge of Derby led to the vehicle being seized and its trove of onboard data extracted for examination by officers.
The resulting logs allowed detectives to track the vehicle’s movements in the days before the ambush, leading to the identification of individuals linked to the crime. Ultimately, the evidence helped secure the conviction of nine defendants two years later.
Derbyshire Constabulary is one of the few UK police forces willing to cast light on how data is downloaded from vehicles to fight crime.
The Midlands force, which uses the iVe system produced by American company Berla, told i that it deploys its ability to access forensic information stored in vehicles for some of the most serious offences or events, including murder, kidnap, robbery, fatal crashes and stalking.
The force, one of only two in the UK willing to disclose its use of car hacking technology, said its use is governed by longstanding national guidance on the use of digital evidence as well as conforming with five pieces of legislation, including the European Convention on Human Rights.
In the last year, its specialist vehicle examination team has received 34 requests to examine information held on vehicles potentially linked to crimes or serious incidents.
Law enforcement sources told i that information found on vehicles was proving increasingly “invaluable” to investigators in areas ranging from piecing together the aftermath of accidents, including the ability to precisely plot the route and speed of vehicles, through to serious crime by tracking the movements and communications of individuals both before and after offences.
The ability to hack data from vehicles even extends to key fobs, which can contain information such as the unique vehicle identification number, the mileage of the car and the dates and times when it was last used. Photos used on social media profiles, which are shared with some infotainment systems, can also prove useful in understanding the make-up of criminal networks.
But campaigners warned millions of car owners have been left in a “strange space” where it is highly likely multiple police forces are using data extraction techniques, but owners do not know how they are deployed, which rules apply to them and whether the system allows “abuse”. Existing legislative safeguards mean police cannot randomly download the contents of electronic devices such as phones or vehicle systems, but there are concerns that there is little or no public understanding of how and why car data might be accessed.
Privacy International, a leading lobby group on data rights and transparency, told i: “It’s unacceptable that police are claiming secrecy over a technology that is known to be used by forces. This isn’t how things are done in a democracy under the rule of law.
“Technology which extracts vast amounts of data from our cars enables intrusive surveillance that the public deserves to know about. We need to know how police are using it, when, and what happens to the data they collect from our cars. We need proper regulation and independent oversight.”
Privacy campaigners on both sides of the Atlantic have previously warned of what they say are insufficient safeguards for the information gathered by modern vehicles. Particular concern has been raised by security services about the possibility that Chinese-made electric vehicles, which are increasingly to be found on British roads, could be monitored or emptied of their data remotely.
A study by the US-based Mozilla Foundation, which campaigns on data security, found that 84 per cent of manufacturers reserve the right to share information such as digital vehicle logs with service providers and brokers. A further 74 per cent allow for the possibility of selling such data in the small print of their privacy contracts.
It is understood by i that vehicle data systems can also present “backdoors” into the information that they hold or download.
According to one industry source, simply connecting a phone to a car socket to recharge its battery results in some data being downloaded to the vehicle. Even deleting a phone and its details from a car’s infotainment systems does not necessarily mean it has been permanently erased because the relevant information is often simply transferred to “unallocated space” on the data system, from which it can be later recovered.
One investigator said: “Each and every modern vehicle on our roads is now a vast treasure trove of data. In some ways, there is almost too much of it. It has to be used lawfully and proportionately but in my view it helps us make people safer.”
The NPCC said that the use of new technology remains an “essential” part of policing. A spokesperson said: “Considerations about the ethics, proportionality and legislation surrounding use of technologies are central to their development and use – whether existing or new.”