ASIO has warned politicians and public servants against discussing classified or sensitive information in internet-connected cars due to risks of eavesdropping and surveillance. The advice is sensible for those handling security-classified material. Modern vehicles are sophisticated data collectors that continuously transmit information to manufacturers and third parties.
In a recent Senate estimates hearing, ASIO Deputy Director-General Lisa Alonso Love confirmed that because modern internet-connected vehicles send real-time data back to manufacturers, any vehicle - regardless of brand or country of origin - represents an insecure environment for sensitive discussions. The warning applies across the board.
Public focus has been mainly on Chinese-made vehicles such as BYD, MG, and Chery. This is understandable given legitimate concerns about China's National Intelligence Law, which obliges organisations and citizens to assist state intelligence agencies when requested. That law creates a structural vulnerability that cannot be ignored in national security assessments. However, acknowledging a theoretical risk is not the same as proving active, widespread espionage through consumer vehicles in Australia.
While the US and UK have progressively tightened restrictions on Chinese vehicles over data privacy concerns, critics argue these policies mirror past technology bans that lacked transparent, credible evidence (such as against Huawei). However, security officials argue that China's National Intelligence Law creates a risk that cannot be ignored.
Meanwhile, there is no public evidence that Chinese-made vehicles sold in Australia (or elsewhere) are systematically collecting intelligence on ordinary citizens or public servants. For manufacturers fighting for market share in competitive export markets, engaging in such activity would risk severe commercial backlash, regulatory bans, and reputational damage.
All modern cars are computers on wheels. They commonly track location, store call logs, access phone contacts and messages via Bluetooth, and in many cases include microphones and cameras for voice commands and cabin monitoring. European, Japanese, Korean, and American brands share these capabilities. Data is often uploaded to cloud servers located in various jurisdictions, raising questions about access by foreign governments, law enforcement, or commercial interests.
The risks extend beyond driving. Even when parked, internet-connected vehicles can maintain low-level connectivity, periodically transmit data, or remaining susceptible to remote activation of microphones and sensors. This makes them a potential concern when left near government offices, secure facilities, or officials' residences.
For public servants, particularly those in national security, defence, and foreign affairs employment, the implications are significant. Government agencies should review fleet policies, security protocols, and operational practices with heightened scrutiny. Public servants handling classified information need to treat vehicles as potential listening devices. This has practical consequences for daily work.
Secure conversations should occur only in designated secure facilities. Casual discussions during commutes, site visits, or while travelling require greater discipline. Agencies may need to invest in additional training on these risks, update security awareness programs, and consider vehicle-related restrictions for officers with higher security clearances - including where their vehicles are parked.
Such caution needs to be balanced. Chinese electric vehicles have increased competition, improved affordability, and supported Australia's transition to lower-emission transport. Public sector fleet decisions must carefully balance cost, environmental objectives, and national security considerations rather than defaulting to overly broad restrictions without justification.
For most Australians, and indeed most public servants in non-sensitive roles, the greater concern is privacy rather than espionage. Consumers deserve clear information about what data their vehicle collects, where it is stored, how long it is retained, and who can access it. These questions apply equally to vehicles from China, the US, Europe, Japan, or South Korea.
A foreign intelligence service seeking detailed personal data would likely prioritise an individual's smartphone rather than a vehicle. Individuals have their phones with them most of the time, while most vehicles are used intermittently.
Overemphasising vehicles from one country risks creating a "politics of fear" that distracts from the systemic challenge: protecting Australians from excessive data collection by any connected device. Public servants should lead by example in demanding greater transparency from manufacturers, but they should avoid allowing caution to become counterproductive paranoia.
Strong cyber security standards, mandatory transparency requirements, independent security testing, and robust privacy regulation offer the most appropriate responses. Australia's existing frameworks provide avenues for proportionate, evidence-based action as technology and threats evolve.
The key issue is not whether a vehicle is manufactured in China, the US, Europe, or Japan. It is whether Australians - and particularly those entrusted with public responsibilities - are adequately protected from unauthorised data collection. Effective policy should address the technology itself rather than defaulting to country-of-origin presumptions.
Government fleets can reasonably adopt higher security standards where national security is involved. However, these policies should remain evidence-based, regularly reviewed, and proportionate to the actual risk. Public servants must stay vigilant without letting concern paralyse normal activities or unnecessarily limit Australia's access to beneficial technologies.
Prudent risk management should guide both individual behaviour and departmental policy.
