Driver on his mobile phone

Your new car is legally required to spy on you

Every new car sold in the European Union is now required to feature an infrared camera aimed at the driver’s face under the Advanced Driver Distraction Warning (ADDW) system, prompting renewed debate over vehicle privacy and data security.

Since 7 July 2026, the ADDW system has been mandatory under the EU’s General Safety Regulation (EU) 2019/2144. The technology cannot be permanently disabled, drivers cannot opt out, and all newly sold vehicles must be equipped with the system.

Miguel Fornés, cybersecurity expert and Information Security Manager at Incogni, describes the requirement as a legally mandated surveillance system that drivers have no choice but to accept.

“Picture the Trojan Horse, but with a bureaucratic twist,” Fornés said. “The citizens of Troy weren’t tricked into dragging that horse through the gates. They were legally required to buy it, park it in their driveway, and sit inside it every day, and told the soldiers hiding inside were only there to protect them. We’re being asked to finance and drive our own Trojan Horses: vehicles designed, from the factory floor, to double as witnesses, data collectors, and potential informants against the person behind the wheel.”

Although the regulation states that ADDW footage must remain inside the vehicle, be processed locally and never be transmitted or used to identify the driver, Fornés argues that these safeguards are difficult to guarantee in today’s connected vehicles.

Modern cars routinely receive over-the-air software updates and connect to online services, creating potential attack surfaces that could undermine the promise of a closed data loop. Referring to the 2022 SiriusXM Connected Vehicle Services vulnerability, which allowed certain Honda, Nissan, Infiniti and Acura vehicles to be remotely unlocked, started and located using only a visible vehicle identification number (VIN), Fornés warned: “A single compromised API or a bad firmware push is all it takes to turn a local safety camera into a live feed. If a stranger can start your engine remotely through a back end API, pulling logs from a dashboard camera on the same network is not a big leap.”

Fornés also challenges regulators’ position that the system does not collect biometric data because it does not identify individual drivers.

“An infrared camera reading your face and eye movement in real time is capturing raw biological telemetry. The only thing standing between that footage and a facial recognition system is the software layer processing it today, and software layers change.”

He points to the March 2026 cyberattack on AI hiring platform Mercor, where a supply chain compromise involving the open-source tool LiteLLM reportedly exposed around four terabytes of data, including facial biometrics and Social Security numbers.

“This catastrophic leak proves that once physical attributes are digitized, regardless of whether they are temporarily labeled as just ‘gaze tracking’, they become a highly lucrative target for cybercriminals and are inevitably exposed, and biometric data can never be reset like a password.”

Fornés also argues that the regulation lacks clarity over how long any recorded footage may be retained after an alert is triggered, describing the issue as a “black box” for motorists.

“If you’re in a collision, insurers and investigators are going to want that footage,” he said. “Undefined retention no longer protects drivers; it simply means that nobody’s told them yet how long they’re being recorded.”

He notes that prosecutors in the United States have already used data from Tesla’s internal cabin cameras and event data recorders in vehicular manslaughter cases to establish driver inattention, suggesting similar legal precedents could emerge in Europe.

Fornés believes consent is another area of concern. While the General Data Protection Regulation (GDPR) is intended to protect personal data, he argues that many drivers effectively have little choice but to accept data-sharing terms.

“The ADDW system activates automatically above 20 km/h and cannot be permanently disabled. Consent to share related vehicle data is often buried deep in the lengthy terms of service required just to use a car’s infotainment screen. Therefore, you are not really being asked. You’re being told: agree, or lose your navigation and Bluetooth.”

His concerns echo findings from Mozilla’s 2023 Privacy Not Included report, which found that 84% of 25 major car brands stated they could share driver data with third parties, while 76% said they could sell that information. Some manufacturers’ privacy policies also acknowledged collecting highly sensitive personal data, including genetic information.

As connected vehicle technology becomes increasingly common, the debate over balancing road safety, cybersecurity and driver privacy is likely to intensify

Leave A Comment