CyberWire Daily – "Privacy needs where you least expect it. [CISO Perspectives]"
Date: November 4, 2025
Host: Kim Jones, N2K Networks
Guest: Mary Marwig, Privacy for Cars
Main Theme:
This episode confronts the evolving and often overlooked privacy risks inherent to today’s automotive industry—especially within the context of connected, data-rich vehicles. Host Kim Jones interviews privacy expert Mary Marwig to detail how everyday practices with rental and corporate vehicles result in widespread data collection and the routine—and dangerous—overlooking of privacy protections. The conversation highlights both the technical and human factors at play, and it calls corporate security leaders to urgent action around “edge cases” like cars as data endpoints.
Key Discussion Points and Insights
1. Data from Cars: An Unseen Information Goldmine
- Automotive industry transformation: Companies like Ford see themselves not just as car manufacturers, but as technology and information companies, collecting massive amounts of data from connected vehicles ([02:38]-[03:09]).
- Purpose of data collection: The shift isn’t only to deliver better products; data is a means for deeper customer intelligence and competitive edge ([03:09]).
- Everyday examples: Even basic actions, like syncing your phone to a rental car, leave lasting data imprints, often forgotten by users ([03:09]-[05:51]).
“If I can obtain intelligence by passively gathering seemingly innocuous data from devices you use every day, I can build a complete picture of your habits and needs, easily anticipating your future purchasing decisions. Sound crazy? It shouldn't. It's happening every day...”
— Kim Jones, [03:09]
2. Defining Privacy—A Moving Target
- Complexity of definition: Privacy isn’t a single lock; it evolves with technology and societal standards.
- Legal frameworks: Cites “intrusion upon seclusion” and international rights (e.g., Universal Declaration of Human Rights Article 12) ([09:18]-[10:46]).
- Imagery problem: “For security, it’s like a lock and a key...but privacy, you know, what is it? It's usually like an eye that's closed...But is that really all encompassing?” (Mary Marwig, [10:57])
3. Notice and Consent: A Broken System
- Misleading policies and over-complexity: Privacy notices are written at a postgraduate reading level and can take hours to read—making “informed” consent nearly impossible ([13:29]-[15:08]).
- Practical disconnect: No one has time to read a six-hour privacy notice before driving a rental car ([13:29]-[15:08]).
“Right now you go to a company's website...it's written at, you know, postgraduate level and it takes you six hours to read or something. Who is actually reading through those documents?”
— Mary Marwig, [13:29]
4. The Reality of Data Collection in Cars
- Types of data collected: Identifiers (names, emails, handles), biometrics (voice prints), precise geolocation, communications, preferences, call/text logs ([15:14]).
- Persistence: Data does not clear when you turn off the car. Huge risk for both personal privacy and businesses whose employees use cars for work ([15:14]-[16:39]).
- Corporate risk: “BYOD cars”—employee-owned vehicles accessing corporate data—are a wild card with minimal control measures.
5. Rental Car Data: What Companies Do With It
- Ownership/retention of data: Many rental car companies lack comprehensive data sanitization policies, letting user data persist for subsequent renters to access ([18:47]).
- Claimed rights: Some companies assert rights in contracts to use aggregate telematics data for fleet optimization and potentially for marketing/sales analytics, but often fail to clearly disclose this ([20:53]).
“...does it say very clearly and quickly, hey, cars collect identifiers, cars collect geolocation data, cars can collect biometrics. And we share this with insurance companies or we share this with our own internal research. That's just not happening as a business practice today.”
— Mary Marwig, [20:53]
6. CISO Action Steps: What Organizations Must Do
- Security professionals’ role: CISOs must recognize cars as unmanaged endpoints holding potentially sensitive corporate data ([22:33]).
- Vendor requirements: Security teams should demand:
  - Quick, clear data disclosure for drivers about what their rental vehicle can collect/capture
  - Proof of data sanitization (media/data deletion) after vehicle use, with a written certificate/record ([21:34]-[23:43]).
- Policy hurdles: Changing industry practice is not trivial, but pressure from corporate buyers is one lever ([23:43]).
7. The Human Factor & Friction of Change
- Analogy to basic hygiene: There's a parallel between struggles in improving cybersecurity hygiene (e.g., people persistently falling for phishing or failing to wash hands) and changing organizational data-handling practices ([25:56]-[26:32]).
- Reality check: Most consumers (and many employees) trade privacy for convenience, often unaware of the risks ([27:02]).
8. Organizational, Not Individual, Responsibility
- Don't expect individuals to solve the problem: Effective data protection cannot depend on employees/users remembering to wipe cars. Organizations (and vendors) must own sanitization ([27:31]-[28:04]).
- CISO leverage: Security and procurement teams must align. “Cars are, to many people, just ways to get around...But they're also computers...that store data unencrypted in plain text, available to anyone with the authentication, which is a literal key.”
— Mary Marwig, [28:26]
9. Stark Example: What Data Can Reveal
- Real-world breach: Researchers at Privacy for Cars recovered a military contractor’s full name, address, contact list, call history, email, movements (including visits to a “decommissioned” military site), and family info from a corporate fleet car sold at auction ([31:19]-[33:41]).
“We were able to re-identify a military contractor’s life...We could recreate it. Thankfully...we’re ethical researchers. But imagine if that gets in the hands of a competitor or another government.”
— Mary Marwig, [31:19]
Notable Quotes & Memorable Moments
- “Privacy...it's a hard thing to capture and I struggle with this when I'm trying to do imagery to show privacy. For security, it's like a lock and a key, you know, you get that. But privacy...what is it?”
  — Mary Marwig, [10:57]
- “This cannot fall on the consumer or the individual employee to do it. You need to have an organizational process...”
  — Mary Marwig, [27:31]
- “Cars are...computers that store data unencrypted in plain text, available to anyone with the authentication, which is a literal key.”
  — Mary Marwig, [28:26]
- “We were able to reconstruct this military contractor's movements...his full name, the exact address he lived at, his smartphone contacts...his children...all from a car. And this guy had no idea that this data was persisting and that we could recreate it.”
  — Mary Marwig, [31:19]
Timestamps for Key Segments
- [02:38] – Cars as data/information companies (Ford context and industry overview)
- [09:18] – What is privacy? Legal/historic definitions
- [13:29] – The broken system of privacy notices and (lack of) informed consent
- [15:14] – What data do cars collect—and what persists?
- [20:53] – Who owns your data? Rental car company practices and poor disclosure
- [22:33] – Security teams and vendor requirements: what should be demanded?
- [23:43] – Getting rental agencies to change: incentives and responsibility
- [25:56] – “Hygiene” analogies and why the human factor is slow to change
- [27:31] – Organizational responsibility and rejection of “blame the user”
- [28:26] – Cars as insecure computers; why it’s a CISO problem
- [31:19] – Real incident: recovering sensitive info from a defleeted corporate car
Tone, Flow, and Takeaways
- Candid, practical, and at times frustrated—both host and guest show deep awareness of the inertia in privacy/cybersecurity change.
- Real-world focus: Both technical and policy perspectives are grounded with concrete examples and practical advice.
- Call to action: Security professionals must not overlook privacy holes in unexpected places like cars—and must push vendors and the business to adopt basic data hygiene (demand sanitization, clear disclosures).
- Final thought: Personal and corporate data are deeply enmeshed in the automotive ecosystem, making privacy not just an IT issue or a legal compliance checkbox, but a true organizational risk.
Resources Mentioned:
- “Endpoints on Wheels, Protecting Company and Employee Data in Cars” (White paper by Privacy for Cars)
- Universal Declaration of Human Rights, Article 12 (Privacy)
(Podcast ads, intros, and outros are omitted from this summary for clarity.)