Tesla says your cabin camera footage is anonymous and private. But Tesla employees were caught sharing your private videos — including footage of people undressed, children, and inside garages — as entertainment and memes at work. They could also look up exactly where each video was recorded, defeating the claimed anonymity. Tesla promises to protect your personal data, but a whistleblower leaked over 100 gigabytes of Tesla's internal files — including Social Security numbers of 100,000+ employees, customer banking details, and hidden complaints about Autopilot accelerating on its own. If Tesla can't protect its own internal data, the privacy promises in their policy ring hollow.
What they claim: Tesla's privacy notice states that 'cabin camera data is not associated with your vehicle identification number' and 'cabin camera does not perform facial recognition or any other method of identity verification.' Tesla also states: 'We do not sell your personal data to anyone for any purpose.'
What we found: A Reuters investigation (April 2023) documented that Tesla employees between 2019 and 2022 privately shared 'highly invasive videos and images recorded by customer car cameras' via internal messaging systems. Despite Tesla's claim that data is not linked to identity, employees retained the ability to look up the GPS location of each recording, effectively enabling re-identification. Shared footage included a naked man, crash footage, children, and private garage/driveway scenes. Employees created memes from customer footage, which were viewed by scores of staff. A class-action lawsuit was filed.
What they claim: Tesla's privacy notice focuses on vehicle-related data collection: telemetry, location, camera data, and charging information. The cabin camera manual emphasizes that data sharing is opt-in and limited to safety events.
What we found: The Tesla companion app (v4.53.1) requests 40 permissions including: READ_CONTACTS (access to phone contacts), READ_CALENDAR and WRITE_CALENDAR (full calendar access), RECORD_AUDIO (microphone access), CAMERA (phone camera), CALL_PHONE (make phone calls), HIGH_SAMPLING_RATE_SENSORS (detailed motion data), UWB_RANGING (ultra-wideband proximity tracking), WRITE_SETTINGS (modify phone settings), and SYSTEM_ALERT_WINDOW (draw over other apps). These permissions enable data collection far beyond what the privacy notice discloses about vehicle operation. The app also contains 3 trackers: Google CrashLytics, Google Firebase Analytics, and Sentry.
What they claim: Tesla's marketing page positions cameras as safety features: 'exterior cameras that enable 360-degree visibility, plus safety features.' The cabin camera is presented as a driver attention monitoring tool. Sentry Mode is marketed as vehicle security.
What we found: The vehicle has 8 external cameras and 1 cabin camera. With data sharing enabled, all cameras can upload video snippets to Tesla for FSD training — Tesla states 'over 100 years of anonymous real-world driving scenarios from the fleet.' The firmware connects to telemetry.tesla.com and fleet-api.prd.na.vn.cloud.tesla.com for continuous data upload. This means cameras marketed as 'safety features' double as a massive distributed surveillance and AI training data collection network covering public streets, pedestrians, license plates, and neighbouring properties.
What they claim: A car companion app should need permissions related to vehicle control: Bluetooth for key functionality, location for finding the car, and internet for remote commands.
What we found: The Tesla app requests READ_CONTACTS, READ_CALENDAR, WRITE_CALENDAR, RECORD_AUDIO, CALL_PHONE, and DETECT_SCREEN_CAPTURE — none of which are needed for vehicle operation, remote start, climate control, or charging management. READ_CONTACTS enables the app to harvest your phone's contact list. RECORD_AUDIO enables ambient listening. DETECT_SCREEN_CAPTURE monitors if you screenshot the app. Combined with the vehicle's own data collection (8 cameras, GPS, telemetry to 7 cloud endpoints), Tesla builds a comprehensive profile spanning your car and phone.
What they claim: Tesla states: 'We do not sell your personal data to anyone for any purpose.' The privacy notice presents Tesla as protective of user data.
What we found: The Tesla app (v4.53.1) includes the AD_ID permission (Google Advertising ID) and 3 trackers: Google Firebase Analytics, Google CrashLytics, and Sentry. The AD_ID permission provides a unique advertising identifier that enables cross-app tracking and targeted advertising. Google Firebase Analytics collects user engagement data, screen views, and in-app events. While Tesla may not directly 'sell' data, enabling Google's advertising infrastructure in the app means user behavior data flows to Google's advertising ecosystem.
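An added example (not from the original review, and not Tesla's code): a short Python audit that parses a decoded AndroidManifest.xml and groups every requested permission that falls outside the Bluetooth, location and internet baseline described above, including the advertising ID permission. The manifest is constructed for illustration and is not the Tesla app's real manifest; the package name, the baseline set and the category labels are assumptions.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Assumed baseline for a car companion app: Bluetooth key, locating the car, remote commands.
BASELINE = {P + n for n in ("INTERNET", "BLUETOOTH_CONNECT", "BLUETOOTH_SCAN",
                            "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION")}
# Assumed category labels for permissions the review names.
CATEGORY = {
    P + "READ_CONTACTS": "contacts",
    P + "READ_CALENDAR": "calendar",
    P + "WRITE_CALENDAR": "calendar",
    P + "RECORD_AUDIO": "microphone",
    P + "CALL_PHONE": "telephony",
    P + "DETECT_SCREEN_CAPTURE": "screen-capture detection",
    "com.google.android.gms.permission.AD_ID": "advertising ID",
}
# Constructed sample in the text form a decoder such as apktool produces.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.carapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.BLUETOOTH_CONNECT"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
  <uses-permission android:name="android.permission.WRITE_CALENDAR"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.DETECT_SCREEN_CAPTURE"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="com.google.android.gms.permission.AD_ID"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    # For manifests taken from untrusted APKs, parse with defusedxml instead.
    root = ET.fromstring(manifest_xml)
    tags = ("uses-permission", "uses-permission-sdk-23")
    return {el.get(NS + "name") for t in tags for el in root.iter(t) if el.get(NS + "name")}

def audit(manifest_xml):
    """Group permissions outside the baseline by category (or 'unclassified')."""
    flagged = {}
    for perm in sorted(requested_permissions(manifest_xml) - BASELINE):
        flagged.setdefault(CATEGORY.get(perm, "unclassified"), []).append(perm)
    return flagged

if __name__ == "__main__":
    for category, perms in audit(SAMPLE_MANIFEST).items():
        print(f"{category}: {', '.join(perms)}")
```

Permissions that land in 'unclassified' are not necessarily a problem; they are the ones to check by hand against the app's stated purpose.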
What they claim: Tesla's marketing page for Sentry Mode presents it purely as a security feature that 'monitors the environment around your car when it is left unattended.' Sentry Mode recordings are stated to remain local on the vehicle.
What we found: Sentry Mode uses 4+ external cameras to continuously film public streets, sidewalks, and neighbouring properties 24/7 whenever the vehicle is parked. This captures pedestrians, license plates, private homes, and bystanders without their knowledge or consent. In many jurisdictions (including some Australian states), recording public spaces and individuals without consent raises significant legal concerns under the Privacy Act 1988 and state surveillance legislation. Mozilla specifically flagged this as 'Sentry Mode records people passing near vehicles without consent, potentially violating bystander privacy.' Every parked Tesla is effectively an unregulated CCTV camera pointed at the street.
What they claim: Tesla's privacy notice states it may share data with government authorities 'if we believe in good faith that the law requires it' — with no explicit requirement for court orders, warrants, or subpoenas.
What we found: After the Las Vegas Cybertruck explosion on New Year's Day 2025, Tesla tracked the driver's exact movements from Denver to Las Vegas in real time and shared this with law enforcement, demonstrating the depth of continuous location tracking. Tesla's policy language allows voluntary disclosure to government authorities without court orders, and the Mozilla review flagged this as enabling broad government access. Combined with vehicle telemetry endpoints (telemetry.tesla.com) constantly collecting GPS, speed, braking, and route data, every Tesla is effectively a tracking device.
What they claim: Tesla's privacy notice states: 'We do not sell your personal data to anyone for any purpose.' The cabin camera manual states data sharing requires explicit opt-in consent controlled through the vehicle touchscreen.
What we found: The May 2023 'Tesla Files' whistleblower leak to Handelsblatt exposed 100+ GB of confidential internal files including: personal data of 100,000+ current and former employees (including Social Security numbers), customer banking details, vehicle data, and 2,400+ Autopilot self-acceleration complaints that Tesla allegedly attempted to downplay. The Dutch Data Protection Authority confirmed an investigation into a potential GDPR violation. This demonstrates systemic data protection failures contradicting Tesla's privacy commitments.
What they claim: Tesla markets over-the-air updates as a consumer benefit and safety feature — keeping vehicles current with the latest software and security patches.
What we found: CVE-2023-32156 reveals a Gateway firmware signature validation bypass (CVSS 7.8) allowing arbitrary code execution on the Gateway ECU through improper error handling during firmware updates. CVE-2025-2082 reveals an integer overflow in the VCSEC module (CVSS 7.5) allowing CAN bus message injection affecting locks and alarms. Pwn2Own Automotive 2024 demonstrated IVI system compromise via the LTE connectivity card through a heap buffer overflow in Tesla's Ofono plug-in. The same OTA update mechanism that Tesla depends on for 'safety' contains critical vulnerabilities, and the always-connected architecture (7 hardcoded cloud endpoints) expands the attack surface.
What they claim: Mozilla's Privacy Not Included review gave Tesla the worst privacy rating of any product ever reviewed, including the rare 'Untrustworthy AI' label. Mozilla noted Tesla failed to respond to privacy inquiries.
What we found: Tesla's Autopilot/FSD system has been involved in 17 fatalities and 736 crashes (per Mozilla's review). The system is trained on data collected from the fleet of 6+ million vehicles. Tesla collects data categories including 'sexual activity, immigration status, race, facial expressions, weight, health and genetic information' (per Mozilla's analysis of the privacy policy). The Bugcrowd bug bounty program acknowledges ongoing security vulnerabilities. Tesla received sub-standard scores on ALL of Mozilla's privacy and security criteria — the only product ever to fail every single category.
What they claim: Tesla's privacy notice claims data sharing is optional and user-controlled: 'Your consent is required and can be controlled through the vehicle's touchscreen at any time (Software > Data Sharing).'
What we found: Tesla's own privacy notice simultaneously warns that opting out of data collection may cause 'serious damage, or inoperability' of vehicle systems, and that 'certain advanced features such as over-the-air updates, remote services, and interactivity with mobile applications rely on such connectivity.' Mozilla's review confirmed this as coercive consent — effectively punishing users who exercise privacy choices by degrading their vehicle's functionality. This is not meaningful consent.