CyberWire Daily - Privacy needs where you least expect it. [CISO Perspectives]
Episode Date: November 4, 2025

When discussing privacy risks, many often look to implementing strong encryption, secure data storage practices, and data sanitization processes to help ensure sensitive information remains protected. Though these practices are good and should be prioritized, many often miss other key areas that need just as much focus. As the internet of things has only continued to grow larger and larger, so has the risk these devices inherently create as they collect and store more information than many would instinctively assume. In this episode of CISO Perspectives, host Kim Jones sits down with Merry Marwig, the Vice President of Global Communications & Advocacy at Privacy4Cars, to explore how privacy risks are in places many do not think to look. Together, Merry and Kim discuss why security leaders need to rethink how they approach privacy and consider how the devices we use every day could inadvertently expose our sensitive information.

This episode of N2K Pro's CISO Perspectives podcast is brought to you by our sponsor, Meter. Meter provides a full-stack, enterprise-grade networking solution (wired, wireless, and cellular) designed, deployed, and managed end-to-end. From hardware to software, ISP to security, Meter delivers seamless, secure, and scalable connectivity for modern business environments. Learn more about Meter.

Want more CISO Perspectives? Check out a companion blog post by our very own Ethan Cook, where he breaks down key insights, shares behind-the-scenes context, and highlights research that complements this episode. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyberwire Network, powered by N2K.
This exclusive N2K Pro subscriber-only episode of CISO Perspectives has been unlocked for all Cyberwire listeners through the generous support of Meter, building full-stack zero-trust networks from the ground up.
Trusted by security and network leaders everywhere, Meter delivers fast, secure-by-design, and scalable connectivity without the frustration, friction, complexity, and cost of managing an endless proliferation of vendors and tools.
Meter gives your enterprise a complete networking stack, secure wired, wireless, and cellular in one integrated solution built for performance, resilience, and scale.
Go to meter.com slash CISOP today to learn more and book your demo.
That's M-E-T-E-R-com
slash C-I-S-O-P.
Welcome back to C-S-O-P.
I'm Kim Jones, and I'm thrilled that you're here for this season's journey.
Throughout this season, we will be exploring some of the most pressing problems facing our industry today
and discussing with experts how we can better address them.
Today, we're expanding upon our last conversation, this time looking at a specific industry
and how privacy is all too often an afterthought.
Let's get into it.
In 2016, during a free-ranging discussion with journalists at the Consumer Electronics Show,
Ford Motor Company CEO Mark Fields made the following statement.
Overall, when you look at our business, we're not only a car manufacturing company, he said.
We're a technology company.
As our vehicles become part of the Internet of Things,
and as consumers give permission to us to collect that data,
we also become an information company.
Fields went on to say that Ford is building up its analytics workforce as it gets ready
to process the terabytes of data which will stream to them in the future.
Further, Ford believes that the end result of all this data collection will be a product
that Ford can then offer current and future customers.
This goal shouldn't really be a surprise to anyone, as it speaks to the importance of data
in today's economy.
I would contend that data in this so-called data-driven economy is not the end, though, but a means to an end.
Data are raw, unorganized facts, which have little value in and of themselves.
Information, on the other hand, is data in context, that context being provided through organization or processing efforts.
Intelligence, the last step in the process, is information that has been analyzed, interpreted,
and synthesized to provide actionable insights and/or guide strategic decision-making.
Intelligence is the ultimate goal of most companies that consume or advocate for your data.
The more intelligence a business collects on you, the better and quicker they can anticipate
your needs as a consumer, and at a lower cost point.
Want to take it a step further?
If I can obtain intelligence by passively gathering seemingly innocuous data from devices
you use every day, I can build a complete picture of your habits and needs,
easily anticipating your future purchasing decisions.
Sound crazy?
It shouldn't.
It's happening every day, and we are often willing, if not naive, participants.
Consider: grocery stores use loyalty programs to collect personal information,
shopping history, purchase frequency, and sometimes location data to build detailed
customer profiles.
This data is analyzed to create personalized offers, optimized store layouts, and power internal advertising platforms.
Google uses information collected about you via its multitude of platforms and systems to determine which advertisements should display to you.
Going back to our automotive use case that we use to start this conversation, we routinely connect our cell phones to the computer systems of rental cars.
Oftentimes we copy our contact list to the automobile to make it easier for us to navigate in unfamiliar cities while conducting business.
When we're done with the rental, however, how often do we take the time to wipe our data from the car's memory?
Worse, how often do we ask rental car agencies what they do to clean data off of their rental vehicles after a rental vehicle's return or before a rental vehicle is disposed of?
Now, as a CISO, ask yourself this question.
When is the last time you thought about how your corporate data might be leaking out through sources outside of your control, such as rental vehicles, by a means for which you have no governance and have not had discussions, nor even an educational effort?
As we said last week, we can't rely solely on the legal or regulatory frameworks to guide us in our privacy efforts.
In many cases, you will be the first person to bring these concerns to light in your organization.
As we continue to enable our business lines, we must ensure these so-called edge-case situations are acknowledged and addressed by our business leaders.
My two cents.
Mary Marwig has been a crusader for educating consumers on how to better protect their personal
data in an economy that is becoming ever-increasingly data-driven.
I sat down with Mary to discuss the specific privacy dangers that exist when utilizing
automation within automobiles.
A quick note that the opinions expressed by Mary in this segment are personal and should
not be interpreted as representing the opinions of any organization that Mary has worked
for past or present.
Mary, I really appreciate you making the time to have a conversation with us.
Welcome to the podcast.
How are you today?
I'm doing super.
Thank you so much for having me, Kim.
I'm glad to be here.
I'm glad that you are here.
This is going to be fantastic.
So you and I met when I was listening to a presentation that you gave at the Rocky Mountain InfoSec conference a few months ago.
So would you please take a moment and introduce yourself?
Tell us a little bit about you.
Yeah, absolutely.
Well, first and foremost, thanks for having me.
And I'm super excited to have the opportunity to speak with your listeners today.
So thanks to also the people listening in today.
So about me. I've been a privacy professional for the past seven years or so. Prior to that, I worked in technology roles at high-tech companies of all sorts. And I got into privacy when I heard about the GDPR. That's the European Union's data protection regulation, which gives everyday regular people rights and controls over some of the data that companies have about them.
So I just got super fascinated in that and decided to pivot my career.
And flash forward seven years, now I work at a company called Privacy4Cars.
And what we do is provide both security and privacy solutions to automotive companies.
I think there's a lot of overlap between security professionals and privacy professionals.
We are distinct.
We do separate things, but some of the times we work better together.
What is one thing about Mary Marwig that most people don't know about you?
I'm kind of an open book.
Despite being a privacy professional, I really do love privacy.
A lot of people are like, this is kind of a dorky topic.
I'm like, not to me.
I live and breathe this.
It's been a career highlight to do this the last seven years.
Switching over into the automotive world has been eye-opening for me.
As a consumer, I just did not understand how the landscape of data security and privacy in the automotive industry was, the state of affairs.
So that's been fascinating.
But yeah, it's true.
I live and breathe this stuff.
A big pro-privacy person.
Like most security professionals, you answered an open question without telling anyone anything directly about you, which is what I usually do.
So I'm really impressed.
Well played.
So that said, let's start very basically.
What is privacy?
This is one of those things that's hard to wrap like one easy definition around, just like security.
You know, it's not just locking your front doors and you're good.
It's always evolving.
So this is interesting.
I would say intrusion upon seclusion is what you're looking for.
And that is the, like, legal definition of privacy or a privacy issue or privacy harm and privacy invasion.
And obviously, legal definitions definitely matter.
But what I think is the bigger problem is there's a lack of awareness.
And again, that kind of ties back and like, how do I want to show up?
How can I control the information about me?
What are people saying about me?
Is it true?
Like, you know, is that how I want to be perceived?
I also, if you want to get back to fundamentals, Kim, I will also mention that in the
Universal Declaration of Human Rights, Article 12 deals with privacy. It's that no one shall be
subjected to arbitrary interference with his privacy, family, home, or correspondence,
nor to attacks upon his honor and reputation. So this goes way back. But what I think is important
is the acceleration of data collection, which is the privacy aspect of what we'll get to today,
and how that changes our perception of privacy because as technology changes, so does our understanding of privacy.
Yeah, and it's interesting that that declaration, which I am actually familiar with, talks about no intrusion upon privacy, again, without defining it, which gets to be very interesting within the environment.
So I'm going to tell you one thing, too, this, it's a hard thing to capture.
And I struggle with this when I'm trying to do imagery to show privacy. It's like, what's the graphic?
Like when it's security, it's like a lock and a key, you know, you get that.
But privacy, you know, what is it?
It's usually like an eye that's closed, you know, but is that really all-encompassing?
I'm not sure.
So you and I are in violent agreement on this.
I'm wondering, and this is for later, because I do want to get into some of the hows
and some of the ways that we are giving up privacy because I think that that's hugely important,
both at enterprise level and personal level.
There gets to be a concern, just to put in the back of your mind, that I want to get to a little later: it's if we can't define,
we can't necessarily control.
We don't know where to control, which is why I push for definition within the environment.
Or, you know, if I understand the definition, I can then extend that control framework accordingly.
So I want to put that aside because some of the areas that you've been alluding to,
which are hugely important in terms of some of the hows and awareness,
I do want to spend some time on because, you know,
I know it's important to you and it's absolutely important to me,
and I think our audience needs to get a handle around that.
So to that point, Kim, if you're looking for kind of guardrails,
there is a framework we can start from.
In the United States, we, where I think we're both based,
there is the notice and consent framework.
Where it's you tell people what you're doing and you get consent for it.
But I would argue the notice part and properly informing people has some room for improvements.
So let's get down to the hows and then we can go back and talk about some of the challenges regarding notice, consent, et cetera, within the environment.
One of the things that you brought up, one of the things that your company brings up, is there are places where we are surrendering
our right to privacy, or unaware that we have surrendered our right to privacy, and in ways that
are potentially extremely harmful to our ability to control access within the environment.
And obviously, your company deals with that around automobiles.
So let's deep dive into that for a little bit.
Talk to me.
So you're totally touching on this whole notice and consent framework.
My argument is that if most people truly understood the data practices of many of the companies they do business with, they probably would say no.
And that leads to a fact that there's a problem with the notice.
Right now, you go to a company's website and you read their privacy notice or privacy policy, and it's written at, you know, postgraduate level.
And it takes you six hours to read or something.
Who is actually reading through those documents?
So that's a good place to start in the automotive context.
So in cars, like every time you get into like a rental car, for example,
are you actually reading the privacy notice of that car?
I mean, I would say most people don't.
I have this really great white paper that I'd like your readers to know about.
It's called Endpoints on Wheels, Protecting Company and Employee in Cars. We have some information in there about how long it takes to read a standard privacy
notice for a car. And in this white paper, it's over six hours to actually understand the
data practices of that car and the car companies. And think about it. If you're going to rent a car,
let's say you're on a business trip, you fly in, you get to the rental car place, they gave
you the key. Are you going to sit in the parking lot for six hours to understand what
going on? Are you just going to turn on the key and go about your business?
What are some of the typical practices you're seeing buried in these notices that we are ignoring?
Well, it all goes back to what types of personal data these companies are collecting.
So, for example, it could be like identifiers, like even something simple like your name,
your email, your social media handles, biometrics. Does it take voice prints? What else? Your geolocation. That's a big one. In all U.S. states
that have a privacy law, precise geolocation is a sensitive data type. So in some places,
you have rights to control that. So things of that nature, your preferences, some of the information
that like communications, information, like your text messages or your call logs, all those
sorts of things could be stored in the car. And I think a lot of people don't realize that it
persists. When you turn off the car, it doesn't go away. So I would really encourage people both
on a consumer level and an individual level to be aware of the types of data that cars are
collecting these days and what it gets used for. And then also at a corporate level, I know you've
got security professionals who are listening to this. This also applies to cars used in a
corporate context. So your fleet cars, your rental cars, or what I call BYOD cars,
you know, employees may use their cars and access corporate information on that. And do you have
a policy for that?
At Thales, they know cyber security can be tough and you can't protect everything.
But with Thales, you can secure what matters most.
With Thales's industry-leading platforms, you can protect critical applications, data, and identities, anywhere and at scale with the highest ROI.
That's why the most trusted brands and largest banks, retailers, and healthcare companies in the world rely on Thales to protect what matters most.
Applications, data, and identity.
That's Thales.
T-H-A-L-E-S.
Learn more at ThalesGroup.com slash cyber.
Rinse takes your laundry and hand delivers it to your door,
expertly cleaned and folded.
So you could take the time once spent folding and sorting and waiting
to finally pursue a whole new version of you.
Like tea time you.
Or this tea time you.
Or even this tea time you.
Said you hear about Dave?
Or even tea time, tea time, tea time you.
Mmm.
So update on Dave.
It's up to you.
We'll take the laundry.
Rinse.
It's time to be great.
So if I'm renting a vehicle within the environment, the data is persisting.
What rights are you seeing car companies or rental companies assert in terms of the utility of that data?
So that's the thing, again, going back to notice and consent.
I would argue a lot of people really just are unaware of the types of data that they are generating.
And then who owns that?
You know, your geolocation.
So if you're using a rental car for a business trip, you know, are you going to a confidential client location, right?
Who else should know about that?
Your rental car company sees where you're driving.
That information may be shared also with the manufacturer and what kind of data points can be inferred from that.
But it's not only just the data that's being shared, but it's also the data on the car.
So for companies like rental car companies that do not have a data sanitization process in place,
let's say you pair your phone and you make a bunch of calls to your boss or your M&A client or whoever,
that digital data trail is going to persist on that vehicle.
So the next person who has access could see that.
And I understand that, actually, having walked into vehicles where I have found that information sitting on, you know, the paired screens.
Are we seeing automotive companies assert the right to actually not just collect that data, but utilize that data in aggregate for marketing, sales, or any, any research
reason whatsoever? If I rent my car at my rental car company, are we seeing, based upon your
company's research, I'm using Hertz as a common example that everyone is aware of, are we seeing
Hertz begin to utilize the aggregate data that their fleet has to do other things regarding
marketing analysis, et cetera, et cetera? Are we beginning to see those companies first,
A, assert their right to utilize that data in their agreements, which I'm suspecting is yes,
but are we also beginning to see them utilize that data?
Yeah, absolutely.
When you think about telematics data, it's really, you know, common uses are like geolocation,
where are my fleets going, what's the status of that car, is the fuel consumption fine,
what about the air filter, is the person driving it driving recklessly, are they falling asleep
at the wheel, what all sorts of things that, you know, there are valid business purposes for.
I would argue most people would be, you know, understand that. But in terms of the other types of
data collection for marketing, like, again, it's that notice and collection. Where when you sign up
with these car companies, does it say very clearly and quickly, hey, cars collect, you know,
identifiers. Cars collect geolocation data. Cars can collect, you know, biometrics.
And we share this with insurance companies or we share this with our own like internal research, right?
That's just not happening as a business practice today.
And I would love to see that where people make informed choice.
It's not just notice in choice, but informed choice.
In terms of the data sharing, yeah, you know, there are some conflicts of who owns that data.
Like who has access to that data, which I don't want to get too far into.
But I will say if you are a security professional and you have a fleet or you use rental cars,
It's in your best interest to figure that out, right?
So one thing I'm really encouraging security professionals to do is work with their
procurement teams and their GRC teams to define that data.
So I would love for security teams to require two things when they contract with rental
car companies or fleet companies.
And first would be to provide the drivers with a simplified data disclosure.
What are the capabilities of that car?
And be specific, right?
Because some cars have different capabilities,
all sorts of different infotainment systems,
years, makes, models.
There's a wide breadth of capability.
So one, just give me a quick overview
so I can make informed choices
on whether I decide to pair my phone in that car or not, right?
And then the second thing I would really like security professionals
to do is to make sure there is media sanitization happening
after your employees use a car.
So in a rental car situation,
you know, someone brings the car back,
the rental company performs a data deletion
to properly wipe that infotainment system
of, you know, calls, contacts, locations,
all that sort of stuff.
And then they provide you with a certificate of deletion
showing it's done
so that you have the compliance record
and the peace of mind to know that your corporate data
and your employee's data
is not lingering and persisting
in a device that you don't have control over.
Okay, so let me play devil's advocate.
Yeah.
I work for Hertz.
What's the value proposition for Hertz to do this?
If you had a provider that lent out laptops to your staff when they're traveling or whatever,
and they had a policy where you just bring it back and the way they cleaned it was they wiped off the top where your fingerprints are,
but they did nothing with the hard drive and the files stored on the device itself, would that be acceptable to your security team?
The answer is obviously no, but I would also say to you,
you're relying on security teams to come change the business of the rental car industry.
It is very difficult for any advocacy group, et cetera,
to come together to change a business practice or business model.
So in the absence of that, I'm trying to sit here and say,
okay, until that occurs, do I tell my company,
not to rent vehicles.
Absolutely not.
There's a, what I would consider, a very easy way forward.
First and foremost, there are commercially available data deletion solutions on the market
available to automotive companies.
So it exists.
This is not some future forward thing.
It's on the market.
It's just the adoption's been low because there hasn't been the market demand.
And so that's what I'd like to see security professionals use their power to do.
Okay. I've been in this business for almost 40 years. I'm still fighting at an enterprise
level and consumer level to get people to do the things that they should do in order for
my job to go away. Yeah. Phishing still works because people keep clicking on emails. Right. Ransomware
still works because people keep clicking on emails. The Nigerian prince scam still works
because people keep responding to emails.
I hear what you're saying and you know, because we've had this conversation,
I'm in violent agreement.
Yeah.
I used to, when I went into this civilian sector, my first background was in health care security.
And I was at the HIMSS conference once, and I heard a great presentation called 150 Years
of Washing Your Hands.
And it was a presentation in the security standpoint that says, okay, it was X number,
a century ago, where we said,
hey, you need to wash your hands
in order for us to eliminate germs
and eliminate bacteria, et cetera,
within the environment.
A hundred years later,
studies were showing that the number one cause
for in-hospital post-surgical infections or illness, etc.,
are medical professionals not washing their hands.
Exactly.
So if we can't get doctors and nurses and others
to wash their hands.
The point was, why should we
as security professionals expect people
to do things that are in their best interest
that are just basically electronic hygiene?
Yeah.
My concern is, yes, you're absolutely correct.
I would love to be able to force individuals
and businesses to take this approach.
Yeah.
But we, at least here in the States,
we have surrendered our data protection for convenience in not just the automotive industry.
So can we put that genie back in the bottle?
And if not, are there other things we ought to be looking at within this?
And this is someone who, by the way, and I want to make it very clear, Mary, who is in violent agreement with you.
No, I'm with you.
Actually, your two examples completely underscore my point, which is this cannot fall on the consumer or the individual employee to do it. You need to have an organizational
process and who is the best person to make sure these media sanitizations happen? The company
you are renting from, the company that owns the device needs to be responsible for that.
And having them accept that responsibility and the associated costs, when the consumers
they're renting to aren't asking for it, think Google. When I, again, no disrespect
to Google, et cetera. But as someone who does read the terms of service that come out
within the environment, because I am a little paranoid, you know, a decade ago when Google said
it was actually collecting 57 different signals for use of its product within the environment,
nobody blinked. Right. And nobody is still blinking within that environment.
Here is where I think CSOs do have power. We know that consumers do not have the type of corporate power
that some of these CSOs do have.
And so, for example, we got access to an infotainment system of a car.
And our researchers at our company turned it on.
There's no authentication, opened it up, and we found all of the contact details of a large
bank's executive, their family's names, their family's social security numbers,
their CEO's phone number, plain text, credit,
all sorts of things were on this car.
I just can't imagine understanding that this is a problem
and the security team turning a blind eye.
And you also mentioned earlier,
you know, why is it the security team's problem?
And I'll say because procurement is busy doing purchasing
and they are not security professionals
and this is really a data security problem.
Cars are to many people just ways to get around, right?
But they're also computers now.
They're not just wheels.
They're computers that store data, unencrypted in plain text, available to anyone with the authentication, which is a literal key.
So as long as you have physical access to this thing, you can extract data or glean insights from that.
And if it's used in a corporate context, I don't see why it would not fall under the security team's purview.
It's the blame game.
No, it's them who should deal with it.
It's them who should deal with it.
It should be the fleet managers.
They're not security professionals.
They don't have the same type of knowledge and understanding
and frameworks in place that can be carried over
from how other endpoints like laptops and smartphones are managed
into an automotive context.
Yeah, and I have no problem with that.
As a worst point, Grant, I have no problem with taking responsibility, Mary.
And you'll find most of my contemporaries feel the same way.
It's not a matter of, excuse me, why it should be my responsibility. It's a matter of, you know, are you overestimating our
ability to, you know, create the change in impact that you're asking for? Can I, as an example,
put together a policy that says either A, don't pair your device with the car, everyone will ignore
that because I have no way of enforcing that. Can I put together a policy that says, or a reminder
that you need to delete, you know, your access and your contacts, et cetera, from the car
should you pair? Yeah, absolutely. I could do that. And on the bell curve that says, you know,
20, 60, 20% of the people will always follow it, 60%, hopefully will follow it, 20% will ignore me.
I could still make things better in that regard. Let me tell you one really incredible example of
something we found. We were able to re-identify a military contractor's life using data
left in a defleeted car. So a company car that this military contractor used for his work
went to auction, was sold, and never had any sort of media sanitization in place. Because again,
in a lot of places, this is not the policy, which is banana pants to me. If you had a refurbishing
of a computer, they would wipe the hard drive. Why do we not do this for cars? But anyway,
getting back to my point about this example, we were able to reconstruct this military
contractor's movements, we knew this person's full name, the exact address he lived at,
his smartphone contacts, because a local copy of smartphone data is stored on the vehicle.
It doesn't go away when you unplug the phone.
It persists on that device, which is the car.
So contacts, call history, text messages, his personal email, work email.
We found that he went to several military sites, including a, quote-unquote, decommissioned military site.
We were able to find that in the car.
We also found out his holiday home and information about his family, his children,
and that he loves watching particular sports games.
So all from a car.
And this guy had no idea that this data was persisting and that we could recreate it.
And thankfully, you know, we're ethical researchers, nothing bad
happened under our watch. But imagine if that gets in the hands of a competitor or another type of
government or what have you. And so this is the type of data I am talking about. And so if you're
going to try to push this in your organization and you need a place to start, start with your
executives, because that type of information that we were able to glean quickly out of a defleeted
car is just jaw-dropping to me.
Mary, I really appreciate you taking some time to educate us about this gaping loophole in most of our protection postures and protection profiles out there.
We will make certain that the links to your website and links to your reporting are available.
I actually downloaded your report after I met you at Rocky Mountain, and it is absolutely eye-opening.
So thank you for being here and thank you for educating us
and thank you for sharing.
Thanks so much, Kim.
Really had a fun time talking with you
and thanks to everybody for listening.
And that's a wrap for today's episode.
Thanks so much for tuning in
and for your support as N2K Pro subscribers.
Your continued support enables us to keep making shows like this one
and we couldn't do it without you.
If you enjoyed today's conversation
and are interested in learning more,
please visit the CISO Perspectives page
to read our accompanying blog post,
which provides you with additional resources
and analysis on today's topic.
There's a link in the show notes.
This episode was edited by Ethan Cook,
with content strategy provided by Ma'ayan Plaut,
produced by Liz Stokes,
executive produced by Jennifer Eiben,
and mixing sound design and original music by Elliot Peltzman.
I'm Kim Jones.
See you next episode.
