When Your Car Becomes a Witness
How vehicle telematics data is being subpoenaed, sold, and stolen — and why drivers are only beginning to understand the stakes
The man who discovered he had been betrayed wasn't a criminal. He was a driver in Palm Beach County, Florida, who had made a point of not enrolling in any data-sharing program. He had read the fine print, or tried to. When his auto insurance premium nearly doubled without explanation, he called his insurer and was told he had been denied coverage based on information in his LexisNexis report. A company he had never dealt with, and had never authorized, had assembled a detailed profile of his driving behavior and sold it upstream to the carriers who set his rates.
His name is Romeo Chicco, and the lawsuit he filed against General Motors, OnStar and LexisNexis in the U.S. District Court for the Southern District of Florida in early 2024 pulled back the curtain on a practice that had been running quietly for years. He alleges that he was enrolled in OnStar's data-sharing program through what his attorneys describe as deceptive design, a dark pattern, despite never consenting. The lawsuit became one of many. By August 2024, GM was facing class-action suits representing 16 million drivers. By January 2025, the Federal Trade Commission had announced a consent order against GM and OnStar barring them from disclosing drivers' geolocation and driving-behavior data to consumer reporting agencies for five years. By May 2026, California extracted a $12.75 million settlement, the first cash penalty any U.S. authority had imposed on an automaker for selling driving data without consent.
This is what the reckoning looks like. It arrives slowly, through court filings and regulatory orders, while the data continues to move.
The Rolling Data Center You Drive to Work
Modern vehicles are not cars in any traditional sense. They are networked computing platforms that happen to carry passengers. A new connected car can generate and transmit data on speed, braking force, acceleration patterns, location history, seatbelt use, and cornering behavior. The infotainment system logs voice commands, navigation destinations, contacts, and call records pulled from any phone it has ever been paired with. Interior and exterior cameras can record the cabin and the road. The vehicle's built-in cellular modem sends this information back to the manufacturer's cloud in near real time.
The Mozilla Foundation made headlines in 2023 when it reviewed 25 major car brands and declared automobiles the worst product category it had ever evaluated for privacy — worse than fitness trackers, worse than smart speakers, worse than any technology it had previously examined. Every single brand it reviewed failed its privacy test. Nissan's privacy policy, the researchers noted, claimed the right to collect information about drivers' sexual activity. Toyota maintains twelve separate privacy policy documents. Audi and Tesla feature policies described as confusing, lengthy, and deliberately vague. Twelve companies representing twenty car brands did not respond to Mozilla's inquiries at all.
What the infotainment system gathers is particularly expansive. When a driver pairs their phone via Bluetooth or a cable, manufacturers can access contacts, text messages, call history, social media usage, internet browsing history, and navigation destinations. The car's microphone waits for a wake word, which means it is listening before the command is ever given. Cameras record both the cabin and the road. Third-party sources — data brokers, social media companies, car dealers — supplement what the sensors collect directly.
All 14 automakers whose privacy policies were reviewed by InvestigateTV acknowledged collecting data beyond driving habits, including geolocation, search history, and voice recordings. All 14 confirmed they would disclose that data to law enforcement under warrants, subpoenas, or court orders. Several confirmed they were sharing it with insurance companies too.
The Insurance Trap
The General Motors story is the most extensively documented, but it is not unique. GM's Smart Driver program — embedded in the MyChevrolet, MyGMC, MyBuick, and MyCadillac apps — tracked hard braking, rapid acceleration, speeding over 80 miles per hour, and drive time. That data was sold to LexisNexis Risk Solutions and Verisk Analytics, which packaged it into driver behavior reports and sold those reports to auto insurance carriers. The carriers used the reports to raise premiums, cancel coverage, or deny applications outright — often without telling the affected driver why.
A New York Times investigation published in early 2024 brought the practice to wide attention through the story of Kenn Dahl, a Chevrolet Bolt driver whose insurance costs spiked 21 percent. He had never been in an accident. When the Times confronted GM, the company initially placed responsibility on vehicle owners. Under intensifying pressure, GM discontinued Smart Driver in April 2024 and terminated its data-sharing relationships with LexisNexis and Verisk. The damage, though, had already reached millions of drivers. One driver told the Times that LexisNexis had compiled 130 pages about his driving habits.
The practice had been running since at least 2015. By the time it came to public attention, data on the driving behavior of more than 16 million GM vehicle owners had moved through the broker pipeline and reached insurance carriers who used it to make coverage decisions. Nebraska's attorney general filed suit in July 2025, alleging GM and OnStar deceived drivers of over 14 million vehicles nationwide. The consolidated class-action complaint ran 627 pages.
The mechanism behind all of this — a risk score assigned to individual drivers by third-party analytics firms and sold to insurers — operates largely outside the driver's awareness. LexisNexis and Verisk are required by the Fair Credit Reporting Act to provide consumers with a copy of the files they maintain. Drivers who request their Consumer Disclosure Report have in some cases discovered detailed logs of trips they did not know were being recorded, scored against criteria they never agreed to, and used to quietly reshape their insurance costs.
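As an added illustration, not code from GM, LexisNexis or Verisk, here is how the four Smart Driver metrics named above (hard braking, rapid acceleration, time over 80 mph, drive time) fall out of nothing more than a timestamped speed trace, and how a broker-style score collapses them into the single number an insurer sees. The 0.3 g event thresholds, the scoring weights and the two trips are assumptions constructed for the example; only the 80 mph line comes from the article.

```python
"""How four Smart Driver-style metrics fall out of a speed trace, and how a
broker-style score collapses them.  Added illustration: not GM, LexisNexis or
Verisk code.  Thresholds, weights and the two trips are assumptions; only the
80 mph speeding line comes from the article."""
from dataclasses import dataclass

# Assumed event thresholds.  0.3 g is a common rule of thumb for a "hard"
# braking or acceleration event; 0.3 g is about 2.9 m/s^2, or 6.6 mph per second.
HARD_BRAKE_MPH_PER_S = 6.6
RAPID_ACCEL_MPH_PER_S = 6.6
SPEEDING_MPH = 80.0   # the threshold the article attributes to Smart Driver


@dataclass
class TripSummary:
    hard_brakes: int
    rapid_accels: int
    speeding_seconds: float
    drive_seconds: float


def summarize_trip(samples):
    """samples: (t_seconds, speed_mph) pairs in time order for one trip.

    Each consecutive pair gives one acceleration estimate; an interval that
    crosses a threshold counts as one event.  Time above SPEEDING_MPH is
    accumulated only when both ends of the interval are above it."""
    hard = rapid = 0
    speeding = 0.0
    for (t0, v0), (t1, v1) in zip(samples, samples[1:]):
        dt = t1 - t0
        if dt <= 0:
            raise ValueError("samples must be strictly increasing in time")
        accel = (v1 - v0) / dt                 # mph per second
        if accel <= -HARD_BRAKE_MPH_PER_S:
            hard += 1
        elif accel >= RAPID_ACCEL_MPH_PER_S:
            rapid += 1
        if v0 > SPEEDING_MPH and v1 > SPEEDING_MPH:
            speeding += dt
    drive = samples[-1][0] - samples[0][0] if samples else 0.0
    return TripSummary(hard, rapid, speeding, drive)


def risk_score(summaries):
    """Collapse any number of trips into one 0-100 figure of the kind a broker
    report presents to an insurer.  The weights are invented for illustration;
    the point is that the score is derived from raw telemetry, not observed."""
    drive = sum(s.drive_seconds for s in summaries)
    if drive == 0:
        return 0
    speeding_frac = sum(s.speeding_seconds for s in summaries) / drive
    raw = (10 * sum(s.hard_brakes for s in summaries)
           + 6 * sum(s.rapid_accels for s in summaries)
           + 200 * speeding_frac)
    return int(min(100, round(raw)))


# Constructed traces (seconds, mph): a calm trip and an aggressive one.
CALM_TRIP = [(0, 0), (10, 30), (20, 35), (30, 35), (40, 20), (50, 0)]
AGGRESSIVE_TRIP = [(0, 0), (5, 40), (10, 85), (20, 85), (25, 50), (30, 0)]

if __name__ == "__main__":
    for name, trip in (("calm", CALM_TRIP), ("aggressive", AGGRESSIVE_TRIP)):
        print(name, summarize_trip(trip))
    print("score:", risk_score([summarize_trip(CALM_TRIP),
                                summarize_trip(AGGRESSIVE_TRIP)]))
```

The aggressive trace yields two hard-braking and two rapid-acceleration events plus ten seconds over 80 mph from thirty seconds of driving, and the combined score lands at 57 of 100; the calm trip alone scores 0. Nothing in the input identifies a driver or a road, which is why a consumer who requests their Consumer Disclosure Report sees trips and scores rather than anything they would recognize as having agreed to.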
The Subpoena Question
The corporate sale of data is one thing. Government access is another, and the line between the two is less clear than most drivers assume.
In 2018, the U.S. Supreme Court ruled in Carpenter v. United States that law enforcement must obtain a warrant to access long-term historical cell-site location records, the kind of data that reveals, as Chief Justice John Roberts wrote, "an intimate window into a person's life." The ruling concerned cell phone records, not cars, but its reasoning has been widely read as extending to vehicle telematics location data.
The practice on the ground is messier. A 2024 Senate investigation led by Senators Ron Wyden and Edward Markey found that Toyota, Nissan, Subaru, Volkswagen, BMW, Mazda, Mercedes-Benz, and Kia all admitted they would share location data with police upon receiving a subpoena, despite having previously pledged to require a warrant. A subpoena, critically, can be issued by a prosecutor or a grand jury without a judge reviewing it; a warrant requires a showing of probable cause that a judge approves. Only GM, Ford, Honda, Tesla, and Stellantis received credit for requiring a warrant for location data outside of emergencies or explicit customer consent.
In criminal prosecutions, telematics data has already been used to secure convictions for murder, robbery, burglary, and hit-and-run cases. Prosecutors have argued that the data could place a defendant near a crime scene, establish a timeline, or contradict a witness's account. Defense attorneys, meanwhile, have raised questions about chain of custody and reliability; Toyota has previously acknowledged that its event data recorders are not always accurate. Courts are still developing the evidentiary standards that govern this material.
The Chicco case and others like it expose a gap in the legal architecture. The Fourth Amendment governs what government can compel. It says nothing about what corporations can collect on their own initiative and then sell to anyone willing to pay, including data brokers whose customers may eventually include government agencies purchasing data commercially to sidestep the warrant requirement entirely.
The Theft Problem
The data being collected by automakers is not only being sold — it is being stolen.
In 2024, Volkswagen and its software subsidiary Cariad suffered a major cloud misconfiguration that exposed 15 million driver records along with terabytes of electric vehicle telematics data. The same year, Toyota lost 240 gigabytes of data — including customer information and internal network details — in a separate incident. Millions of Kia vehicles were found vulnerable to remote tracking through a dealer portal. BYD inadvertently exposed the location and profile data of 1.3 million users through another cloud misconfiguration.
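The page does not say which setting was wrong in any of these incidents. As an added example of the misconfiguration class (not code from Volkswagen, Cariad, BYD or any cloud provider), here is a small lint for an S3-style bucket policy that flags statements granting anonymous read or list access, beside a hardened version of the same policy. Both policies, the bucket name and the account and role ARN are constructed.

```python
"""Lint an S3-style bucket policy for anonymous read access, the kind of
misconfiguration behind cloud-storage exposures of telematics data.  Added
example, not any automaker's or cloud provider's code; both policies, the
bucket name and the role ARN are constructed."""
import json

# Actions that let a caller list or download objects.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """Principal "*" or {"AWS": "*"} means anyone, no credentials required."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False


def public_read_statements(policy_json):
    """Return the Sid (or index) of each Allow statement that grants read or
    list access to everyone.  A statement carrying a Condition is assumed to
    be scoped (for example to a VPC endpoint) and is not reported; a condition
    such as an IpAddress of 0.0.0.0/0 would defeat that assumption."""
    policy = json.loads(policy_json)
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        if not _principal_is_public(st.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if not actions & READ_ACTIONS:
            continue
        if st.get("Condition"):
            continue
        findings.append(st.get("Sid", f"statement[{i}]"))
    return findings


# Constructed: the exposed shape, a world-readable export bucket.
EXPOSED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "TelematicsExportRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-telematics-export",
                 "arn:aws:s3:::example-telematics-export/*"]
  }]
}"""

# Constructed: same bucket, read limited to one ingest role, plaintext denied.
HARDENED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TelematicsExportRead",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:role/telematics-ingest"},
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::example-telematics-export",
                   "arn:aws:s3:::example-telematics-export/*"]
    },
    {
      "Sid": "DenyPlaintext",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-telematics-export/*",
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    }
  ]
}"""

if __name__ == "__main__":
    print("exposed :", public_read_statements(EXPOSED_POLICY))
    print("hardened:", public_read_statements(HARDENED_POLICY))
```

The check covers only the bucket policy document. Object ACLs, the account-level public-access block, and the Condition clauses it skips each need their own check, and a wildcard principal paired with a permissive condition is still public.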
At the Security Analyst Summit in 2025, Kaspersky researchers presented findings from a security audit that had uncovered a zero-day vulnerability allowing unauthorized access to every connected vehicle of an undisclosed manufacturer. By exploiting a flaw in a contractor's publicly accessible application, the researchers could take control of the vehicle's telematics system entirely, including the ability to force gear shifts or cut the engine while a car was in motion.
The Pwn2Own Automotive competition held in Tokyo in January 2025 brought together security researchers from 13 countries who discovered 49 unique zero-day vulnerabilities across infotainment systems, vehicle operating platforms, and charging infrastructure. A total of 215 automotive cybersecurity incidents were recorded in 2024, according to VicOne, with cloud and backend vulnerabilities the most common attack surface.
Researchers at Northeastern University, working with Consumer Reports, published findings in early 2026 showing that hackers could exploit wireless systems in Tesla's Model 3 and Cybertruck to track vehicles, disrupt communications, and interfere with network performance. Tesla acknowledged that many of the identified weaknesses stemmed from cellular modem components supplied by third-party hardware vendors — a supply chain problem that affects the entire industry, not just one manufacturer.
The data sitting in automotive cloud infrastructure is valuable not only for what it reveals about individual drivers but for what it enables at scale. Stolen GPS history can reveal where someone lives, where they work, where their children go to school. Driving behavior logs can establish routine and predict future location. Researchers and law enforcement alike have documented cases where stolen telematics data, including real-time GPS tracking, has appeared for sale on dark web forums.
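As an added example (not from any vendor, broker or the researchers cited), this is the routine inference the paragraph describes, run over a constructed week of hourly GPS fixes: bin fixes by place and hour, take the place the car sits overnight as home and the weekday midday place as work, and predict where it will be at a given weekday and hour from past frequency. The coordinates, grid size and hour windows are assumptions.

```python
"""Home, workplace and routine inferred from a raw GPS history.  Added example,
not any vendor's or researcher's code; the fixes are constructed (arbitrary
Palm Beach-area coordinates) and the grid size and hour windows are
assumptions.  Real tooling is more elaborate, but the approach, binning fixes
by place and by time slot, is the same."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

CELL_DEG = 0.001   # roughly 110 m cells, so nearby parking spots merge


def cell(lat, lon):
    """Snap a fix to an integer grid cell."""
    return (round(lat / CELL_DEG), round(lon / CELL_DEG))


def cell_center(c):
    return (c[0] * CELL_DEG, c[1] * CELL_DEG)


def infer_places(fixes):
    """fixes: (datetime, lat, lon) triples.  Home is where the car sits most
    between 23:00 and 05:00; work is the most common weekday place 10:00-15:00."""
    night, workday = Counter(), Counter()
    for ts, lat, lon in fixes:
        c = cell(lat, lon)
        if ts.hour >= 23 or ts.hour < 5:
            night[c] += 1
        elif ts.weekday() < 5 and 10 <= ts.hour < 15:
            workday[c] += 1
    home = cell_center(night.most_common(1)[0][0]) if night else None
    work = cell_center(workday.most_common(1)[0][0]) if workday else None
    return home, work


def predict_location(fixes, weekday, hour):
    """Most frequent cell seen in the history at this weekday (0=Monday) and
    hour; None when the history has no fix in that slot."""
    slots = defaultdict(Counter)
    for ts, lat, lon in fixes:
        slots[(ts.weekday(), ts.hour)][cell(lat, lon)] += 1
    slot = slots.get((weekday, hour))
    return cell_center(slot.most_common(1)[0][0]) if slot else None


# Constructed places, placed on cell centres so the jitter below stays in-cell.
HOME = (26.706, -80.036)
WORK = (26.715, -80.053)
SCHOOL = (26.690, -80.070)


def constructed_week(start=datetime(2024, 3, 4)):   # a Monday, 00:00
    """One week of hourly fixes: at home overnight and at weekends, a school
    drop-off at 07:00 on weekdays, at the office 08:00-17:00.  The alternating
    jitter stands in for GPS noise."""
    fixes = []
    for h in range(7 * 24):
        ts = start + timedelta(hours=h)
        weekday = ts.weekday() < 5
        if weekday and ts.hour == 7:
            base = SCHOOL
        elif weekday and 8 <= ts.hour < 17:
            base = WORK
        else:
            base = HOME
        jitter = 0.0002 * (-1) ** h
        fixes.append((ts, base[0] + jitter, base[1] - jitter))
    return fixes


if __name__ == "__main__":
    week = constructed_week()
    print("home/work:", infer_places(week))
    print("Wednesday 07:00:", predict_location(week, 2, 7))   # the school run
    print("Saturday 12:00:", predict_location(week, 5, 12))
```

One week of fixes is enough to recover the home and office cells exactly and to answer "where is this car at 07:00 on a Wednesday" with the school; a stolen export covering months gives an attacker the same answers with far more confidence, and nothing in it needs to be decrypted or correlated with another source first.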
The Regulatory Gap
The legal framework around vehicle data in the United States remains largely unresolved. The Driver's Privacy Protection Act of 1994 governs information held by state Departments of Motor Vehicles but does not directly address telematics data gathered by manufacturers. The Fourth Amendment governs unreasonable government search but not private corporate collection. No federal statute specifically regulates what automakers may collect, how long they may retain it, or with whom they may share it.
The FTC's January 2025 order against GM carried no monetary penalty — the California settlement came separately and represented the first actual cash consequence for any automaker in this space. Senators Wyden and Markey called on the FTC to investigate both the automakers that shared data without informed consent and the data brokers that resold it, arguing that both parties had operated outside lawful parameters.
The legal framework protecting drivers is catching up, slowly. The Carpenter ruling provides some foundation. State privacy laws in California and a small number of other states offer additional protections. But the gap between what automakers collect and what drivers can meaningfully control remains vast, and the contractual consent buried in dealership paperwork — signed in the moment of purchasing a vehicle — is poorly understood by almost everyone who signs it.
What Drivers Can Do
The options available to drivers who want to limit their exposure are real but constrained.
Tools like Privacy4Cars allow drivers to enter their VIN and learn what categories of data their vehicle is equipped to gather, along with manufacturer-specific opt-out procedures. Mozilla's "Privacy Not Included" database documents automaker practices across brands. Under the Fair Credit Reporting Act, both LexisNexis and Verisk are required to provide consumers with copies of the files they maintain — requesting a Consumer Disclosure Report from each is the most direct way to learn whether your driving data has been scored and sold.
For infotainment data, the most effective protection is not pairing a personal phone to any vehicle that isn't your own, including rentals and dealer loaners. Infotainment systems retain contact lists, call histories, and navigation destinations long after a phone is disconnected, so before selling, returning, or trading in a vehicle, delete the paired devices and perform a factory reset of the infotainment system (the procedure varies by manufacturer). That step has a limit worth knowing: it wipes the head unit, not the telematics data the car has already uploaded to the manufacturer's cloud, which can only be addressed through the manufacturer's own account-deletion or opt-out process.
But there is a limit to what individual action can accomplish. With new vehicle models, data collection is increasingly built into the fundamental operating architecture rather than offered as an optional feature. Some automakers require app connectivity to access basic functionality. The architecture of the modern connected car was not designed with driver privacy as a primary constraint.
That is what makes the GM cases, the Kaspersky disclosures, the Volkswagen breach, and the Senate investigation form a coherent picture rather than a series of isolated incidents. The vehicle has become a data collection endpoint. The question of who controls that data, who can compel its disclosure, and who can steal it in transit is no longer theoretical. It is actively being litigated, regulated, exploited, and sold — while most drivers remain unaware that the negotiation is happening at all.
Romeo Chicco found out when his premium doubled. By then, the data had already moved.