If your car was manufactured within the last few years, you might be surprised to learn that it likely contains a device that records your driving behavior and your car’s performance. That device is the so-called “black box” or Event Data Recorder (EDR).

What does your EDR record say about you and your driving habits? How long does it store that data? The manufacturer is not required to tell you. Who has access to your data and what are they doing with it? It’s impossible to find out.

The National Highway Traffic Safety Administration (NHTSA) wants to make black boxes mandatory in all new cars and light trucks by September 1, 2014. The NHTSA believes that your privacy is not its responsibility and has proposed rules for black boxes without any privacy protections. The way the rules are worded now, there is no way to know if your employer, your insurance company, your spouse, your mechanic, or even the police are keeping tabs on where, when, and how you drive. You deserve better.

There is no doubt that black boxes serve a valuable forensic function. They collect a variety of technical data while you’re driving, including engine RPM, accelerator pedal position, brake use, safety belt status, air bag deployment and vehicle speed. If a crash is detected, at least five seconds of data will be recorded and “locked.” Investigators then can use that data to find out flaws in vehicle design, or to reconstruct the crash.

Unlike the more familiar black boxes found in airplanes, automotive EDRs are not required to record audio, video, or location information. However, nothing in the rules prohibits any of those from being recorded either. NHTSA claims that such data isn’t collected by the current generation of EDRs, but that could change at any time.

Worse still, other than a boilerplate statement in the back of the owner’s manual that the black box exists, car manufacturers are not required to tell you what data your car actually records beyond the minimum requirement, or for how long it’s kept. If your car is recording your voice, your picture, or your location, you deserve to know. And because the rules don’t specify a maximum recording length, there is nothing to prevent the black box from storing five minutes, or even five months, of data. There needs to be a ceiling to the black box collection requirements, not just a floor. The rules need to state that the vehicle owner also owns all data recorded by the black box, and that the owner may expect that black box data remain private until he or she consents to its disclosure.

The proposed rules don’t address driver privacy in any way. NHTSA only states that it is non-binding agency policy “to treat EDR data as the property of the vehicle owner.” In light of the number of people affected, and the volume of personal data at stake, that’s not enough. The government is currently considering whether to revise those proposed rules before they go into effect. Those revisions must take place to ensure that you know what your car’s black box knows about you, and to ensure that you control that data.