For the modern driver, the car has become a rolling archive. While consumers often worry about the data their smartphones transmit to the cloud, a significant amount of sensitive information never leaves the vehicle's physical hardware. Recently, a group of white-hat hackers demonstrated the permanence of this digital footprint by purchasing a used telematics module from a wrecked BYD Seal. From that single component, they were able to reconstruct every mile the vehicle had ever traveled — a complete, unencrypted record of everywhere the car had been.
These modules, which handle everything from cellular connectivity to GPS positioning, essentially function as unencrypted black boxes. Because the data is stored locally and often lacks robust encryption, anyone with physical access to the hardware can bypass the car's interface to extract a granular history of its movements and mechanical state. In the case of the salvaged BYD, the researchers found a complete record of the car's life, effectively resurrecting its history from a scrap heap.
A Privacy Architecture Built for Convenience, Not Protection
The finding is not entirely surprising to those who have followed the trajectory of automotive data collection. Over the past decade, vehicles have evolved from machines with limited onboard computing into networked platforms running dozens of electronic control units. Telematics control units, or TCUs, sit at the center of this architecture. They aggregate GPS coordinates, speed data, battery or engine diagnostics, and often cellular handshake logs — the kind of information that, taken together, can reconstruct not just where a car went but how it was driven, when it stopped, and for how long.
The automotive industry has largely treated this data as an operational resource rather than a privacy liability. Telematics feeds support over-the-air software updates, remote diagnostics, usage-based insurance programs, and fleet management tools. The commercial incentives to collect and retain data are strong. The incentives to encrypt it at the hardware level, or to purge it when a vehicle changes hands, have been comparatively weak.
This stands in contrast to how the consumer electronics industry has evolved. Smartphones, for instance, now ship with hardware-level encryption enabled by default, and factory reset protocols are designed to render stored data unrecoverable. No equivalent standard exists for automotive components. When a car is totaled and its parts enter the secondary market, the data goes with them — intact, readable, and unprotected.
The Salvage Yard as Data Market
The implications extend well beyond a single BYD module. Millions of vehicles built in the last two decades carry similar telematics hardware. When those cars are wrecked, decommissioned, or simply parted out, their components enter a sprawling global market for used auto parts. Salvage yards, online resellers, and overseas exporters trade in these modules routinely, typically for their functional value. The data stored on them is, in most cases, an unconsidered byproduct.
But that byproduct has value. A complete movement history can reveal home and work addresses, daily routines, frequent stops, and travel patterns — the kind of behavioral profile that data brokers, stalkers, or state actors could exploit. The European Union's General Data Protection Regulation and California's Consumer Privacy Act both establish frameworks for digital data protection, yet neither regime has produced clear, enforceable rules for data embedded in physical vehicle components that change hands through salvage channels.
Automakers face a design question that is also a regulatory one: should telematics modules encrypt data at rest by default, and should end-of-life protocols mandate data destruction before components are resold? The technical solutions are not exotic. Encryption at the chip level is well understood, and secure erase functions are standard in other industries. What remains absent is the regulatory pressure or market incentive to implement them.
The tension is structural. Connectivity sells cars. Data retention supports the services that connectivity enables. But the same architecture that makes a vehicle smart also makes it a liability once it leaves the original owner's control. Whether the industry addresses that gap through self-regulation, government mandate, or consumer backlash remains an open question — one that grows more urgent with every vehicle that rolls off the line carrying an unencrypted record of its driver's life.
With reporting from The Drive.