Let the Spy Cars In
Concerns about Chinese EVs are sound, but irrelevant
Doug Ford, Premier of Ontario, recently called Chinese electric vehicles “spy vehicles”.
This might seem like textbook protectionism. Ford leads a jurisdiction whose economy depends heavily on auto manufacturing.[1] His comments came just as Prime Minister Carney announced a trade deal allowing up to 49,000 Chinese EVs per year into Canada, vehicles that will compete directly with the products of Ontario’s auto sector. Retired CSIS officer Neil Bisson piled on, warning of “another portal into our infrastructure, both communication-wise and energy-wise.” Cybersecurity CEO David Shipley maintained his earlier characterization of Chinese EVs as “rolling spy vans.”
It’s easy to imagine this is just fear-mongering: dragging out hackneyed fears of The Other to justify protecting a favoured domestic industry. Canada’s federal government, which negotiated the deal, certainly seems to think so; Public Safety Minister Gary Anandasangaree remarked blithely that “From a Canadian safety and security, public safety perspective, we don’t have concerns.”
Unfortunately, Anandasangaree is wrong, and Ford is right. Chinese electric vehicles absolutely can function as espionage platforms. The technical and legal capabilities exist, as do the political incentives. This isn’t fear-mongering, but an accurate description of how connected vehicles work, what they can do, and what Chinese law requires of Chinese companies.
Having said that, Canada should let the Chinese EVs in anyway.
Why Doug Ford Is Right
China’s 2017 National Intelligence Law requires companies to “support and cooperate” with national intelligence efforts. This is a binding law that Chinese automakers must obey, and there are a variety of ways they could assist with the work.
We don’t often describe them in these terms, but modern connected vehicles are mobile computers that can record their entire journeys and everything that happens inside the car while they do so. To put it more precisely: modern vehicles are sensor platforms that can capture external video from their surround cameras (used for parking and driver assistance), as well as a continuous record of where the vehicle went and the precise route it took to get there (using GPS and inertial-location traces). In that regard, they also log speed, braking, and steering inputs, which they collect as frequently as every three seconds.
That would be bad enough, that a bad actor might be able to know all the details of our trips, i.e., where we went and how we got there. But connected vehicles also collect data on the car’s occupants. They take information from internal video from driver-monitoring systems and microphone audio from always-on voice assistants. The avowed purpose of this is to assemble datasets on seatbelt use, occupancy, and biometric proxies like driver attention and fatigue, but it takes little imagination to conceive of other purposes these capabilities could fulfill.
It seems like belabouring the point to add that if you pair your phone to the car’s audio system, the car also captures all of your contacts.
Morio, MG iGS top camera, Auto China 2016. 2 May 2016. Licensed under CC BY-SA 4.0.
Once collected by a Chinese-built vehicle, this data will, per the National Intelligence Law, be available to Chinese intelligence services. And clearly the PRC thinks it will be valuable to them: when Tesla began selling cars in China, it had to build a Shanghai data center, because Chinese law also stipulates that vehicle data captured in China must not be stored abroad. Beijing takes its ability to access vehicle data in China seriously; it’s reasonable to suppose it would find vehicle data from other countries to be equally important.
So, for the record, Ford, Bisson, and Shipley aren’t crying wolf, nor exaggerating a threat to back a protectionist play. Chinese EVs entering Canada could indeed serve as espionage platforms, feeding data back to Beijing through legal compulsion that Chinese manufacturers cannot refuse.
Before you decide how concerned to be, though, please remember that everything you fear a Chinese car might do, American cars are already doing.
Here in Your Car, I Can Listen to You
Between 2018 and 2024, GM collected driving behaviour data from vehicles participating in their OnStar Smart Driver program: acceleration, speed, hard braking, late-night driving, location. They collected this from an estimated eight million vehicles, as often as every three seconds.
Having collected it, GM sold this data to LexisNexis Risk Solutions and Verisk Analytics for the sum of fifty cents per vehicle. LexisNexis and Verisk used it to create “risk scores” for the associated drivers, which the firms sold on to insurance companies. The insurers used them to raise premiums: some drivers saw theirs increase by as much as 80%, and one driver was rejected by seven consecutive insurance companies. To its credit, the USA’s Federal Trade Commission (FTC) moved in January 2025 against this practice. Their proposed order, finalized last month, bans GM from sharing drivers’ geolocation and behavior data with consumer reporting agencies… for five years.
(Why not indefinitely? I wish I knew.)
Nor was GM alone. Hyundai shared data from 1.7 million vehicles, which they captured from any customer who activated their car’s onboard internet connection. Honda also played the game, though they didn’t play it as well: they only sold data from 97,000 vehicles at 26 cents per car.
Over 25 class action lawsuits against GM alone have been consolidated into a single proceeding, which is underway, but the damage has been done and the point established: American and Japanese carmakers capture lots of data from their loyal customers, and they don’t feel any need to protect it or their customers’ best interests. Instead, they sell it to willing buyers for trifling sums: given a choice between protecting your entire driving history or being given a dollar (or less!), the carmakers choose the dollar.
Sometimes they don’t even need a dollar; they just need to be asked nicely.
According to a 2024 US Senate investigation, Toyota, Nissan, Subaru, Volkswagen, BMW, Mazda, Mercedes-Benz, and Kia share vehicle location data with law enforcement upon receiving a subpoena.[2] A subpoena is a very low bar to clear: unlike a warrant, it doesn’t require judicial approval, nor a finding of probable cause, just that the material is relevant to a proceeding already underway. Canadian law sets a nominally higher bar: production orders compelling data disclosure from third parties generally require a judge’s sign-off. But that formality matters less than it seems, because nothing prevents automakers from sharing data voluntarily before any legal process begins, and no Canadian investigation has documented whether they do.
And the police know exactly what to ask for. In 2025, WIRED made public-records requests to the California Highway Patrol (CHP) and obtained training documents that showed that police agencies are very well aware of what data cars collect. The CHP trains its officers to know exactly what data is available from each automaker. Presumably, when they ask for that data, they get it.
So insurance companies and the cops have your data. Anyone else?
Yes: foreign spy agencies.
One U.S. defense contractor marketed vehicle telematics data explicitly for intelligence purposes, claiming it could “remotely geolocate vehicles in nearly every country except North Korea and Cuba on a near real-time basis” with access to “over 15 billion vehicle locations around the world every month.” Sample maps in their pitch materials showed vehicle locations across Russia, Ukraine, and Turkey; one presumes cars in Canada, Europe, and the USA itself would be equally easy to track. U.S. intelligence agencies themselves have extensively purchased commercial location data from brokers.
Which means that if they want it, Chinese intelligence agencies can buy it commercially also.
True, the Protecting Americans’ Data from Foreign Adversaries Act and Executive Order 14117, both from 2024, ban sales of personally-identifiable sensitive data to China, Russia, North Korea, and Iran. But it’s not clear that this law is enforced, nor has anyone been prosecuted under it. Given how cavalier the automakers are with this data, and how skilled the PRC is at hacking, it’s reasonable to suppose they have this data anyway, laws or no. (Meanwhile, Canada lacks any such prohibition at all.)
I have said before that, when it comes to public surveillance, we live in the worst-case world. We have simultaneously too much surveillance for a society committed to civil liberties, and yet too little for one committed to public safety. This perversity applies especially to how we treat vehicle data.
If we cared about privacy, we’d insist that carmakers never sell on our commercial data, and never disclose it without a warrant, and certainly never disclose it without letting us know. And if we cared about public safety, we’d require that insurers and the police be given this data proactively, or take some other, systematic approach.
But we do neither.
Our Four Bad Options
So yes, Chinese EVs are spy cars, or can be. But so are American and Japanese and South Korean and European cars, at far larger scale, with their data available for commercial purchase. Given this, what are Canadians to do? We have four possible policy responses, none of which are attractive.
We can ban Chinese EVs, as protectionists across North America would like us to do. Will this make us safer? No, since China can buy vehicle data from the manufacturers whom we do permit to sell us cars. In return for being no safer, we lose access to cheap, state-of-the-art vehicles that help us make progress on our climate goals, while making the Canada–China trading relationship harder, at a time when we need all the trading partners we can get. So this option is just security theatre… that reduces our standard of living… while accelerating climate change.
We can crack down on all vehicle surveillance. At first glance, this sounds promising. We could ban commercial data sales, require warrants for law-enforcement access, mandate transparency reports, establish independent oversight bodies, and require cybersecurity certification. All of which will help us prevent exploitation of our data, but only by non-Chinese manufacturers. Chinese carmakers are still subject to Beijing’s National Intelligence Law and can be compelled to share data, irrespective of what other countries’ law requires. So this option means that our data is still given away, but only to the PRC, which doesn’t seem like a win.
We could do both: ban Chinese vehicles while simultaneously fixing the Western vehicle data exploitation problem. This would actually work… but it has a sequencing problem. Banning Chinese EVs, or tariffing them so heavily as to implement a de facto ban, is easy; it took Canada only four months to implement the 100% tariff on Chinese EVs back in 2024. Comprehensive surveillance reform is a multi-year regulatory project that will take much longer: it would require new regulations with comment periods, large grants of time for industry to enter into compliance, and the creation of new enforcement mechanisms. And I am no expert on law-making; doing all this requires new legislation as well, which is notoriously time-consuming.
So ‘do both’ collapses into ‘ban now, reform later’. It delivers all the costs—reduced consumer choice, slower climate progress, and trade friction—immediately, while the security benefits arrive years hence, if ever. And even then, the arithmetic is unflattering: the Carney deal permits 49,000 Chinese EVs annually into a market of 1.5 to 2.0 million vehicles, virtually all of which already feed data to commercial brokers accessible to any buyer, Beijing included. We’d be paying real costs to close a small window while the front door remains ajar.
That leaves the fourth, least-bad option: don’t ban Chinese EVs.
Why is this an option? Not because Chinese surveillance concerns are imaginary; to the contrary, they’re quite real. It’s an option because, right now, the ban is pointless. In an environment where Beijing can purchase Canadian vehicle data commercially, from brokers fed by GM and Toyota and Volkswagen, the marginal risk from Chinese-manufactured vehicles is vanishingly small.
This is an argument about today rather than always. The case I’ve made depends entirely on the data-governance vacuum that allows commercial brokers to sell vehicle location and behaviour data to any buyer. Fill that vacuum by banning commercial-data sales, requiring warrants for law-enforcement access, and seriously enforcing those rules, and the calculation changes. In a well-governed environment, Chinese EVs genuinely do become a distinct risk: a tunnel through which the PRC could access Canadian data and that no Canadian law can close. At that point, absent any plausible and verifiable commitment from the PRC to give up access, excluding the EVs would be sound policy.
So the honest position is this: let them in now, and get serious about governance, understanding that a properly-reformed data regime may well lead us back to the question of Chinese EVs on different terms. The goal isn’t to make peace with surveillance; it’s to address the large problem before the small one, without pretending the small one doesn’t exist.
Doug Ford is right that Chinese vehicles have the potential to spy on us. He is wrong that banning them, today, makes anyone safer. Build the governance framework first, and then we can determine what the risks are and how to address them.
[1] At least, Ford thinks it does.
[2] Changing Lanes has often found reason to criticize Tesla Motors, but in this case, the company deserves to be singled out for praise because, among automakers, only Tesla notifies vehicle owners when the government demands their data. But neither Tesla nor any other automaker publishes transparency reports about these requests (a standard practice among technology companies).



