Hacker News
‘Privacy Nightmare on Wheels’: Every Car Brand Reviewed by Mozilla (foundation.mozilla.org)
632 points by sandermvanvliet on Sept 9, 2023 | 309 comments



Previous discussion:

Internet-connected cars fail privacy and security tests conducted by Mozilla

3 days ago|632 comments

https://news.ycombinator.com/item?id=37404413


> Here's something you might not realize. The moment you sit in the passenger seat of a Subaru that uses connected services, you've consented to allow them to use -- and maybe even sell -- your personal information. According to their privacy policy, that means things like your name, location, "Audio recordings of Vehicle Occupants", and inferences they can draw about things like your "characteristics, predispositions, behavior, or attitudes." Call us bonkers, but we don't think that simply sitting in the passenger seat of someone's Subaru should mean you consent to having any of your personal information used for, well, pretty much anything at all. Let alone potentially sold to data brokers or shared with third party marketers so they can target you with ads about who knows what based on the inferences they draw about you because you sat in the back seat of a Subaru in the mountains of Colorado. We're gonna really call out Subaru for this, because they lay it out so clearly in their privacy policy, but please know, Subaru isn't the only car company doing this sort of icky thing.

Am I reading this correctly? I could be a passenger in my friend's Subaru, or even in an Uber, and they claim they have a right to my personal data? Surely this isn't legal, there's no way they could claim to have consent for this...


"So, what's the worst that could happen with your happy little Subaru Outback? Well, it would really stink to go visit your Mom, go for a ride in her new Subaru with all its fancy, connected features, have a private conversation with Mom about how you helped your friend drive from a state that outlawed abortion to one that does, and then end up having that audio recorded, then shared with law enforcement because Subaru says in their privacy policy they can share or sell that personal information, including to "detect and prevent criminal activity." That is perhaps a far fetched scenario and we really hope Subaru would never do that...but still, it seems like it is something that could happen, based on their privacy policy."


As someone who works in privacy I find it really funny and sad that all of the legal requirements to create and display privacy policies result only in this: conjecture about what a company might do based on its vague privacy policy language.


I hope you’re just trolling, I’ll bite.

Privacy is not about what someone _might_ do with your data, it’s what they _can_ do with your data.

It’s also that they have your data, which means it can be exposed to staff or the world as the result of a breach.


Disagree on first statement. It's what they do with it that matters, not what the contract says.

On the second point, sure, but do we have knowledge of what, how, and for how long, the carmakers are storing?


> It's what they do with it that matters, not what the contract says.

What they do with the data changes based on leadership (should we sell to 3rd party data brokers to increase our revenue or not?)

It’s also out of their hands once a subpoena for that data comes from law enforcement.


I respectfully disagree with your initial point regarding "can" versus "what they do."

Even if a company provides assurances and pledges never to mishandle your data or use it for nefarious purposes, there remains a risk that your data could still end up in the wrong hands.


Would you sign a paper saying I can come into your house unannounced if I suspect you stole something? If you do not steal you have nothing to worry about.


With respect, I believe that both things are important.

It's important to know what they do with that data today.

It's also important to know what they could do with that data tomorrow.


It's crazy, almost like people don't trust corporations to be reasonable when they have such vague abuses of the law to escape into. Maybe we shouldn't have to trust corporations not to spy on us in spaces that carry reasonable expectations of privacy. Maybe we should regulate their greedy data-grubbing into the ground so we don't even have to speculate, and so the miserable people who work at these corporations are stymied from even attempting it. What a splendid utopian ideal.


But that's the point of the privacy policy. Why would you have a privacy policy that says you can do a thing if you have no intention of ever doing it? It's plausible that the lawyers were instructed to capture as much as possible with the intention of worrying about what was actually wanted later, but that's precisely the point. Later, they could decide to do anything covered by the policy and there's not only no recourse but no way of knowing what they are doing. That's why you have to take the privacy policy at face value.


I work in privacy, too - mine.


We’re not the ones making these policies far too broad and open ended.


What if they are forced by governmental order to hand over their data?


The question is, why are they collecting it in the first place?


Bingo.

Signal, for example, is also subject to US law. They can be compelled to reveal everything they have on a person. Which they happily do: they hand over a page with the date of account creation and the day it last connected. Which is all they have.

Don't collect information, and you don't have a problem.


Two and a half words: post-purchase monetization


I think the GP's question is more rhetorical, or, to put it as a non-rhetorical question:

"Why is it acceptable on any level for my car to become a spyware device on par with Facebook, when I paid an enormous sum to be its owner and controller for my own benefit, and not to become a residual profit stream for ${CAR_COMPANY}?".


Recurring revenue.

What's a dossier like that worth on the market when it includes location, Bluetooth IDs of all occupants and private conversations? $5/mo? $10?


Because there's no law preventing it? Ideally there would be regulations making this illegal unless they get the user's consent at the time of purchase as well as allowing users to opt out at any point thereafter.


I guess they collect simply everything and don't want to filter out.


But if data wasn't worth anything, they wouldn't bother, right?


Have you asked your ISP the same question?


I think a car has a different position in "internet connectivity" than an ISP...

(not to excuse ISP data collection, but implying that a car is as critical for network access as an ISP is nonsense)


Many potential forms of ISP data collection are unlawful in the US thanks to wiretap laws, which is why we don't generally see this level of surveillance from ISPs here.


Pretty sure this isn't true. What wiretapping laws do you have in mind? I think ISPs are exempt from most.


https://www.law.cornell.edu/uscode/text/18/2511 Note the narrowness of (2) (a) and the broadness of (1)(a)/(1)(b).


2a is the exception I was thinking of.


Indeed, but I don't think you can "we spy on our users and sell the results" under 2(a).


The ISP has technically no business knowing what you visited after they transfer the bits to you


I have been living under a rock the last ten years so I thought the EU still had the data retention directive. Between 2006-2014 all ISPs were required to log traffic in the EU. I am so glad you are right!

https://en.m.wikipedia.org/wiki/Data_Retention_Directive


Money


You can't hand over data you don't have.


Excuse my French, but audio recordings, holy shit. I thought we were still living in a society where recording audio of unsuspecting people in semi private spaces was at least a line that would not be crossed that casually. Apparently not.


I agree with you, but we also collectively bought devices with active mics, cameras and a constant internet connection while legal aspects of data privacy were (and still are) a bit of a Wild West, so I'm not sure what anyone expected. We as consumers and citizens need to stop assuming our governments and corporations will just do the right thing and not tread those ethically grey lines. When "consent" is defined by those doing the exploiting, only total abstinence from the decision is the safe option, but we all continued to buy smart phones.

Note, this is not a justification, but an attempt to understand how we got to now in hopes that by seeing where we've been, we can collectively make better decisions about where we are headed.


> legal aspects of data privacy were (and still are) a bit of a Wild West, so I’m not sure what anyone expected. […] we all continued to buy smart phones.

Widespread breach of privacy is not a valid excuse for companies to continue violating privacy and even collecting potentially illegal surveillance, right? Phone taps and home searches without a warrant have been illegal for decades, and the fourth amendment to the constitution prohibits government search without probable cause in general. So what I expect is that the existing and established laws and goals carry forward in obvious and reasonable and unsurprising ways from the consumer’s point of view, without vested interests trying to pretend like digital devices’ ability to communicate are somehow radically different from any other type of communication. The only thing that’s changed is that recording and sharing and searching got much, much faster and easier. People who stand to benefit from that are arguing that because it got easier, it should be allowed, but from the privacy perspective it’s the opposite: because it got easier it means we need to actually enforce privacy, and put a stop to the contorted arguments that try to justify data collection without explicit consent.


American law doesn’t generally prevent them from surveillance, so long as a shrinkwrap license provides consent and any token one-time fines are classifiable as necessary opex if they survive a decade of court appeals.

This is slowly changing, but with 50 member states and aging union leadership, there is no GDPR equivalent yet for citizens of the US.

(And, CCPA protections are only offered to citizens of California, which demonstrates the corporate incentives to keep it fractured and at the state level nicely.)

The most effective way to get this changed would be to identify the cars used by every US senator, and then write them letters pointing out that their cars have granted a sometimes-foreign corporation permission to record every conversation they have, keep a file on who they meet, and document their sexual activities. This is standard espionage tactics, and awareness of it should be spread in Washington DC in particular.


You’re right, of course, but we shouldn’t really need a GDPR when we should already have an established reasonable expectation of privacy inside a car. Google search takes me to lawyers who agree, for what that’s worth… https://dworkenlaw.com/when-can-the-police-search-my-vehicle....


A person can give up their right to privacy to any officer of the law, and to a corporation just as easily.

US corporations now demand you give up all rights that the law permits you to give up, and they do so by shrinkwrap licenses that are “take it or leave it”, while denying the ability to deactivate a reasonable and small subset of functionality if the buyer disagrees.

This is typically where regulation steps in, and does so quite successfully in the EU but not the US, to say that consumers may not contractually give up their right to privacy without express, plainly-sought consent — so, not just shrinkwrap licenses — and that refusal or revocation of that consent shall not deny someone access to functionality that can be reasonably delivered without it. The US has its work cut out for it to catch up here.


Not directly related to the car situation, but the last time I bought a TV my first question was whether non-smart TVs exist. They do, but they're not worth the effort and my best option was to not connect the TV to the network.

It sounds like it's no longer even an option to buy a car that doesn't come with a bunch of uplinks to the car company, maybe to the insurance company airplane-black-box-style, etc.

If the tech exists, it will be abused.


Some IoT devices now are programmed to reach out to public or known (ISP) wifi networks and connect automatically without your knowledge or consent. This is what it looks like when your government is by and for corporations.


> We as consumers and citizens need to stop assuming our governments and corporations will just do the right thing and not tread those ethically grey lines.

We—as in most people on this forum—can do much more than that. We can actually refuse to work for these companies, and to build such features. We can implore our colleagues to do the same, and inform our family and friends of these features, and suggest alternatives.

Yet many of us don't think twice about working for an adtech company, because of the prestige, compensation, or some other personal benefit.


> Excuse my French, but audio recordings, holy shit.

People carry phones in their pockets equipped with mics and running operating systems that have secret source code. If you think the mic can never turn on without you knowing you are in for a big surprise.


To my knowledge though this has never been proven. Yes, the base band can in theory access this stuff, and the OS could do so stealthily I suppose -- but this is Subaru SAYING they are doing it every time you get in the car for no really good reason.

It's in a totally different class.


If the hardware and software allow it, it's not science fiction that it will be used in that way one day, if it's not already the case. And of course it works better if you don't tell people about it, unlike Subaru.


There is a difference that the intended use is to actively monitor you. Intent is very important!


The companies selling those phones swear they are not listening to everything you say.

Whether you believe them or not, it's a completely different situation from reserving the right to record everything and sell the recordings to whoever they want.


One giant reason that the Police of Zürich did not purchase Teslas for their electric fleet was this. Although I assume the Audis they have now also would be able to record passenger audio, it can be removed.


I'm confused how all of this doesn't violate the GDPR in the EU? I'm not an expert, but at face value I'd assume none of this is allowed by the GDPR, unless they found a loophole or no one was aware of it.


Supposedly EU data is stored in a Netherlands DC but it may still violate the law.

For sure the Tesla recording while parked feature is illegal. I don't know why nothing is done about it. Probably just slow moving government. Especially now in Switzerland with the new privacy law. Private surveillance of public grounds is illegal. Surveillance of private property requires posting a clear sign of such including data retention, where data is stored and contact information.


Are dashcams illegal too? If not, how is it different?


> Are dashcams illegal too? If not, how is it different?

A state court in Landgericht ruled that everyone who is participating in traffic is aware of being seen and recorded [1], so apparently it's different from being near a parked Tesla in public in which you might be recorded without your knowledge.

There have been similar decisions by other courts, apparently.

However, the law is probably a bit tricky, in that it might be legal to use the recorded video as evidence in court (or perhaps insurance purposes?), but probably not for other purposes such as posting it on Youtube.

Last time I checked, in Spain (and probably other EU countries) similar reasoning applied for recording videos in public places, e.g. while you're walking on the street: I think you can record other people in public without their consent as part of your interactions with them, as long as you safeguard the recorded video and not publish it (and probably only for as long as it might be needed). You could use these recordings as evidence in court, but probably not for almost any other purpose.

You might, however, be prone to being punched in the face, as many people find that to be quite aggressive behavior. Police may even arrest you and confiscate your equipment as they're not all necessarily aware of all the intricacies of data protection laws.

[1] According to a reddit comment: https://old.reddit.com/r/teslamotors/comments/d2uzkd/sentry_...


In Switzerland you can record crowds and in public but as soon as your footage focuses on a specific person you are violating their rights and require consent which can be revoked any time in the future.

If you watch news footage you will see street footage but as soon as a person is too close or starts being the focus they will blur it out.

However there are exceptions, for example a large public gathering that is broadcast on television you can not expect privacy. For example the street parade.

I ended up in a CD album art booklet without my knowledge or consent but it was at the street parade at which you can't expect privacy if you are attending.


> In Switzerland you can record crowds and in public but as soon as your footage focuses on a specific person you are violating their rights and require consent which can be revoked any time in the future.

Probably I didn't make this very clear, but in the specific scenario I mentioned, it is legal to record a specific person without their consent but only if:

1. You are interacting with that person, and

2. You don't publish the recording (without the person's consent).

And I think there are other restrictions as well, although I don't remember exactly, e.g. you might be required to delete the recording if it's no longer needed and/or you might only be allowed to record it if you intend to use it as legal evidence and/or you might be required to take reasonable steps to protect the recording (i.e. not allow other people to access it). But again, I'm not sure about these latter restrictions.

Also, there is a distinction between recording someone (or some place) and just keeping the recording vs publishing the recording. The latter has more restrictions than the former, obviously.

Although I have no clue how live streaming fits into all of this, as you're not (necessarily) saving the recording? So I'm not sure how the GDPR laws come into the live streaming scenario, if at all.


Dashcams are illegal in many jurisdictions, yes.


Tesla dashcams are not illegal in the EU.


If dashcams are then so are Tesla's and bigger issue with Tesla is if any of this footage leaves the car. Especially if it goes outside the EU like autopilot disengagements.

This isn't something the Tesla owner can sign in the ToS because the people in the footage are others. Tesla probably uses the excuse that you the operator are in violation not them but then again a Tesla owner has only limited control over this. I can legally buy a surveillance camera but it is my responsibility to use it legally.


> If dashcams are then so are Tesla's

But why do you think dashcams are illegal in the EU?

It's been ruled by multiple courts in the EU that dashcam recordings can be done legally because everyone is aware that they might be recorded in traffic at any time (e.g. by traffic cameras). That said, you have to comply with some restrictions. For example, you are probably not allowed to publish these recordings on Youtube. But they can definitely be used as legal evidence in court.

Secondly, I don't think Tesla's dashcam footage leaves the car in the EU (unless there is an accident, perhaps).

As far as I know, they don't even transmit or save any recording unless there is an accident or the user presses a button to save the footage into a USB drive inside the car.

In the accident scenario, it is quite clear that it's legal to keep this recording, because these can be used in court as legal evidence. As far as I know, there are many situations in which you are not allowed to film someone or something in the EU in general, but you are allowed to do so if you intend to use it as legal evidence, as that purpose trumps the other privacy concerns.

In the "user presses a button" scenario, it would be the user's responsibility to make sure that the recording is used legally. But again, if the user does not publish the recording and is only filming traffic, this is quite likely to be legal, especially if you only use it in reasonable scenarios (such as recording an accident in which you are not involved, or someone driving drunkenly).

It's not like anyone is going to be pressing the button every 10 minutes. And even if they were, it would be their responsibility to make sure it's legal to do so. It wouldn't be dashcams themselves that are illegal, but rather, what you do with them and the saved footage (if there's any).

Edit: I'm talking about the normal usage of the dashcams, not the Sentry mode functionality which has additional concerns (as you're not recording traffic, but rather people in the immediate surroundings of the car, when the car detects movement around it). As far as I know, courts have already decided that it's legal to have Sentry mode as well, but Tesla was required to warn users that they have to comply with data protection regulations when they use this functionality.

That said, I'm not sure what are the exact requirements for using Sentry mode legally.


There is one potential way it may be getting used which would probably be legal.

Years ago, before smart phones became ubiquitous, I worked for a company that had a contract to provide kiosks containing travel planning software to bus and rail stations. As part of this, one of the jobs I had to do was create a method of recording information from an onboard camera in the case of the kiosk being vandalised.

How it worked is I made a rolling cache of the last 30 seconds of video; this was never saved unless an onboard "shock sensor" was activated. If the shock sensor was activated then I would save the last 30 seconds of video plus another minute or so. This could then be used as evidence by the police to help catch the vandals.

I have no insight into how the Sentry Mode functionality works, but it could very easily use a similar sensor to car alarms to only actually save the recorded video if there is some sort of "impact" on the car.
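The rolling-cache design described in the comment above, sketched as an added example (not the commenter's kiosk code and not Tesla's Sentry Mode). The class and function names, the 60-second post-roll and the constructed frame stream are assumptions for illustration.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class Frame:
    t: float      # capture time in seconds
    data: bytes   # encoded image (constructed placeholder in the demo)


class ShockTriggeredRecorder:
    """Keeps video only in a volatile, time-bounded buffer unless a shock occurs."""

    def __init__(self, pre_roll_s=30.0, post_roll_s=60.0):
        self.pre_roll_s = pre_roll_s
        self.post_roll_s = post_roll_s
        self._ring = deque()     # rolling cache: never written to storage
        self._clip = None        # frames of the clip currently being captured
        self._clip_end = None    # time at which the current clip stops
        self.saved_clips = []    # stands in for persistent storage

    def on_frame(self, frame):
        if self._clip is not None:
            if frame.t <= self._clip_end:
                self._clip.append(frame)
                return
            self._finish_clip()
        # Idle: cache the frame and evict everything older than the pre-roll.
        self._ring.append(frame)
        while self._ring[0].t < frame.t - self.pre_roll_s:
            self._ring.popleft()

    def on_shock(self, t):
        if self._clip is None:
            # First shock: promote the cached pre-roll into the clip.
            self._clip = [f for f in self._ring if f.t >= t - self.pre_roll_s]
            self._ring.clear()
        # A shock during an active capture only extends the post-roll window.
        self._clip_end = t + self.post_roll_s

    def flush(self):
        """Persist a clip still in progress (e.g. on shutdown)."""
        if self._clip is not None:
            self._finish_clip()

    def buffered_seconds(self):
        """Span of video currently held in the volatile cache."""
        return self._ring[-1].t - self._ring[0].t if self._ring else 0.0

    def _finish_clip(self):
        # The cache restarts empty here, so a shock right after a clip ends
        # has a shorter pre-roll; footage from that period is already saved.
        self.saved_clips.append(self._clip)
        self._clip = None
        self._clip_end = None


def clip_span(clip):
    """(first, last) capture time of a saved clip."""
    return (clip[0].t, clip[-1].t)


def simulate(duration_s, shock_times, fps=1):
    """Feed a constructed frame stream and shock events through the recorder."""
    rec = ShockTriggeredRecorder()
    pending = sorted(shock_times)
    for i in range(int(duration_s * fps)):
        t = i / fps
        rec.on_frame(Frame(t, b"<constructed frame>"))
        while pending and pending[0] <= t:
            rec.on_shock(pending.pop(0))
    rec.flush()
    return rec


if __name__ == "__main__":
    for shocks in ([], [100], [100, 130], [5], [290]):
        rec = simulate(300, shocks)
        print(shocks, [clip_span(c) for c in rec.saved_clips],
              "cached:", rec.buffered_seconds(), "s")
```

With no shock event nothing reaches `saved_clips`, and the cache never spans more than the pre-roll window, which is the data-minimization property the comment relies on.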


It does, but in most cases how can you prove that the car records and sends such information to the OEM and others? Most new cars offer some kind of audio interface, so they NORMALLY listen to you, some also have various "security features" to monitor driver attention that demand video. Can you prove in a closed source system that such information does not go beyond the car itself?


Until we properly fund the data protection agencies not much can be investigated and thus enforced. Also enforcement starts mostly with ‘please don’t do that’…


When your car crashes and it calls for help do you really want to sit through "this call may be recorded for quality assurance" and other disclaimers?

If Mozilla really wanted to be helpful they could suggest legal terms to cover the manufacturer for features people want, such as crash reporting or locating stolen vehicles - except I suspect that Mozilla would feel obligated to issue a scathing review of Mozilla's suggested privacy policy were they to do so.


When your car crashes, do you really want it selling the livestream? Because it seems like the agreement would allow that.

If contrarians really wanted to be helpful, they'd not downplay risks inherent in the utter lack of basic privacy legislation in the US and pretend this is all fine and normal. But instead they shill for car manufacturers, pretend adtech is harmless and try to portray anyone who has a problem with these things as weirdos.


If it’s about expediting emergency calls then say so and limit the recording (declared and actual) to that situation. This ‘including, but not limited to’ wording that everyone uses is bs.


The point is that it's not so easy to narrowly construct a legal contract that covers the manufacturers from liability.

Don't you think Mozilla's message would be much stronger if their privacy guide had an example of what the legal agreement should look like? I didn't see anything like this, maybe I missed it. Clearly manufacturers have gone overboard in some cases, but I don't believe it's that easy to make you guys happy.

There are lawyers in the audience here, how about post some legal contract that protects manufacturers from a passenger pressing the OnStar button while the driver is in the gas station bathroom and being liable for anything resulting from that, and every other possible liability from OnStar. I'll take my -4 and your lack of constructive counterargument as the answer I know it is.


Thanks for posting this. At the dealer last year, I thought it strange when, after I refused the Starlink Security Plus subscription with fee, they offered it “for free”. Starlink Safety Plus is already included for the first three years.

Looking at the MySubaru app, it looks like I can cancel any subscription. There is also this opt-out setting to “Send Vehicle Location at Ignition-Off”:

  Vehicle Location

  If you choose to opt out of this service, MySubaru will not collect your vehicle location when you turn your ignition off. You will still be able to locate your vehicle by sending a remote command through the MySubaru app.


> Surely this isn't legal

It's worse than that. The way the law works is that you'll only have standing to sue if you're harmed in some way. But since your data is slurped into a big black box, and then passed around and used by 3rd parties, the connection back to the original ingress point is tenuous at best. Some of those 3rd parties, arguably the most harmful, will themselves be law enforcement, and in the US they have qualified immunity, section 720, and a vast array of a) excuses to snoop and b) immunity from consequence. So, it's worse than illegal because you'll never have standing to sue them and find out.

Of course, the solution is to not buy their products or, if you do, substantially modify them to remove all owner-hostile features after-market. Indeed, I predict a healthy secondary car (and phone!) market where trusted 3rd parties "sanitize" the product to protect the owner.


I read the whole thing, wondered how any of this could be possible, and then realized "oh, this is about that stupid expensive monthly service thing I don't use." Neither of my Subarus is transmitting anything to anywhere. They're just GPS (and FM radio) receivers.

I mean, yes, the terms are insane, but I'd also never agree to a silly monthly subscription Internet/entertainment/whatever thing from a car company. I'd never even pay for Sirius.


> Neither of my Subarus is transmitting anything to anywhere

How do you know that? There's a 5G modem.


I also assume that as long as the car is in range of a 5G tower, the NSA is able to remotely activate the mic and modem to capture recordings, regardless of a person's location in the world and regardless of whether they're paying for service.

Ditto (eventually) for several other spy agencies around the world.

Given Apple's and Google's emphasis on security, I'm doubtful the same is happening for phones... but with targeted use of zero-days (assuming the right ones exist) it's at least possible in theory.


> the NSA is able to

Or, you know, your telco provider, who then bundles and sells such data in aggregation to third party services. They've been caught doing it with location services over and over; it wouldn't take much for them to include audio recordings, as long as they have their terms & conditions sorted out


Telco provider uses data from their towers. They don't transmit information from your phone.


Where in the car? Unplug/sever the antennas.


Modern cars use digital protocols which are similar to networking protocols; many devices share the same wires.


I don't think this applies to 5G antennas...


The US has some of the weakest privacy laws on earth.

Your real time location data (and everything else) from phone apps is sold on a semi-open marketplace to bill collectors, marketers, spies and PIs.


Phone apps developed by well-known companies such as Google, Microsoft, Uber, banks, etc.? Or just the shadier apps whose developers most people haven't heard of outside of the app store like IoT junk?


Mixture of those, and also ISPs.


I want to know more about the "genetic information" collection. Is there a needle and an entire next-gen sequencer hiding under my seat, or will that be in the 2027 model?


My guess is that they told a lawyer to write an agreement that allows them to collect absolutely anything with no limits whatsoever.


Perhaps they wipe down the seats and feed it into a machine when doing "routine maintenance" at a dealership or licensed repair shop?


Or is it...this is in case they are asked to allow DNA collection from your car while being serviced without a warrant based on request from law enforcement.

I am assuming it doesn't go that far and is referring more towards eye/hair/skin color...maybe just a CYA in case they "accidentally" collect info that could be identifying on a level not allowed (discrimination/privacy laws?).


It's possible they're paving the way for abuse of future technology.

For example:

https://www.smithsonianmag.com/science-nature/scientists-pul...


There's a little arm that extends from the dash and scrapes a few skin cells off your neck, HHGTTG style.


> inferences they can draw about things like your "characteristics, predispositions, behavior, or attitudes."

Presumably this includes GPS data, so they know if you frequent Starbucks or McDonald's. And sell your data appropriately.


There's no statute prohibiting it, so it's legal until they lose in court.


What about states with all-party consent for recording conversations?


Sure, but that's dependent on jurisdiction. Maybe you have standing in federal court if you drive from a one-party-consent state to a two-party-consent state, making it a matter of interstate commerce. Or a federal court would just rule that it's governed by the law of the state in which you registered the vehicle. In the US there's no federal protection for this that I'm aware of.


GDPR, to the extent that this data collection also occurs with European vehicles

Are you sure there aren't local data privacy rules elsewhere that this also violates? GDPR itself basically just unified the existing privacy laws across ~EU member states.


I was thinking about the USA in my post, but if the GDPR protects against this then that's great. I've also seen mention that in e.g. Germany the standard EULA is basically illegal (or at least unenforceable) because you can't reasonably agree to it.


Well, unethical yes. But it’s not illegal. You are not being forced to buy a car, you are free to walk away from or stop using a product at any time for any reason.

How is this data tracking any different from what google, twitter, or Facebook use? If it’s legal for tech companies to collect user data, why would it be illegal for car companies?


A car passenger isn’t party to the contract nor informed of its existence.

You can write anything you want, but no that doesn’t make it a valid contract.


FB has pictures of people who are not users of FB, as well as shadow profiles of such users.

Seems very similar to me.


Not really equivalent, as in a public space you have an expectation of being filmed (at least in the US.) Facebook isn't claiming anyone in those photos has agreed to anything, the law generally permits it unless the copyright ownership stands in the way. Your presence in any of those photos does not create an explicit grant to rights outside of the implicit grant created by the copyright holder that posts the photo.


The photos are not necessarily from public spaces.


I think the degree to which there’s an expectation of privacy is a bit of a distraction from the core issue: Facebook is not claiming that you have any sort of legal agreement with them simply by appearing in your friend’s photo. They’re still going to use it to construct shadow profiles, of course, but if it somehow came up in court they’d say it was your friend’s responsibility to secure rights. It’s not great but what these manufacturers are doing seems to be even worse than Facebook, which is somewhat impressive.


If I'm not mistaken, this has never been definitely proven in court. We know they do it, but courts have never discussed that. Doesn't make it legal.


To be clear, I’m not claiming it’s legal (or agreeing with the guy who says it’s no big deal). Just pointing out it is fairly equivalent. More than I expected before I started thinking about the comparison.


To be equivalent FB would need to be taking the photos themselves and then selling the data. I really can’t think of a good online equivalent. Google street view would be close except they blur people’s faces.


I can see some level of equivalency:

An unsuspecting person (Alice) ends up with a shadow FB profile because someone (Bob) who actually created an account (therefore having an opportunity to read terms of service) decided to take a photo of Alice and send it to Facebook.

An unsuspecting person (Alice) ends up with Subaru having an audio recording of what they said because someone (Bob) who actually bought the car (therefore having an opportunity to read terms of service) decided to invite Alice into the car.

In both cases, the company receiving Alice's information would likely say that Alice should take issue with Bob's behavior, not the company's behavior, if they don't like the situation.


Shadow profiles are

- collected by FB

- without even the pretense of consent

- sold to the highest bidder


I’m a little more concerned about someone bugging my house than someone saving stuff sent to them.

I don’t think FB is arguing they have consent for shadow profiles. Where Subaru’s argument would presumably extend to secretly uploading and selling conversations that took place in a car they no longer own.


Didn't they only start blurring on maps after European courts told them so?


Pictures are one thing. Using those pictures (shadow profiles etc) is very different.

Whether it’s legal or not is meaningless given the power imbalance.


Would that make it the owner who is liable for any illegality, then, if they didn't inform their passenger(s) about the recording to which they, the owner, agreed?


I'm not so sure. There are certain expectations about how things are used. There's no reasonable expectation that getting into someone else's car implies any consent that the manufacturer of the car can now harvest data about you at will. I reserve judgement on the legality of this until it's actually tested. In any case, it being legal is readily remediable if the law makers care enough.


I've never been a fan of the "you're free to severely hinder your ability to operate in society because them's the breaks" schtick. Why not change the laws? Why not be better?


whoa whoa whoa, this wild talk of putting in effort for a better future is dangerous.

you might upset the status quo.

worse, you might succeed, proving all the naysayers to be both negative and wrong.


In EU it's very illegal. You can't tie consent to use personal data which isn't absolutely necessary to provide the service. If it wasn't car companies (pet EU regulators industry) we would be talking about billions in fines already.


It is possible; maybe you are mistaking it for other legal basis such as legitimate interest. Or maybe I get this wrong?

But you are right that this is illegal, because just sitting in a car is not a “specific, informed and unambiguous indication of the data subject's wishes”, which is mandatory for consent (GDPR article 4(11)). Neither is it “transparent” (GDPR article 6(1)a).


Even if you can justify something with legitimate interest, which is a huge if, the data subject must be informed and have the option to object.


>How is this data tracking any different from what google, twitter, or Facebook use?

To use an application from one of these providers, you explicitly have to agree to their terms and services: a contract between you and the company is established. How is that equivalent to taking an uber?


Your access and use of the Services constitutes your agreement to be bound by these Terms, which establishes a contractual relationship between you and Uber. If you do not agree to these Terms, you may not access or use the Services.

The Services may be made available or accessed in connection with third party services and content (including advertising) that Uber does not control.

https://www.uber.com/legal/en/document/?country=hong-kong&la...


Yes: using Uber obviously involves a relationship between you and Uber, and you agree to that when you open the app.

What’s different here is that car manufacturers are claiming that, say, sitting in that Uber gives them the right to record your audio and sell it to advertisers. That’s illegal in many places such as the EU or states with two-party consent laws, and it’s unlikely that courts would accept it elsewhere without some kind of informed consent.


> That’s illegal in many places such as the EU or states with two-party consent laws

you accepted the tos, you've been informed, that's not unlawful if you gave your consent and the data is kept in the EU.

Moreover, the article is claiming that the manufacturer can "maybe even sell" the recordings but the official statement is that they are only collecting the data, not selling it (it would be stupid to claim otherwise).

The blog post specifically uses the sentence "and maybe even sell", because it is not stated anywhere.

> and it’s unlikely that courts would accept it elsewhere without some kind of informed consent.

meanwhile the advertisers already used your data, and there's nothing you could do about it.

Except not using Uber (that's why I never used one, even though cabs in my Country and especially in my city, are a big "mafia style" mob)


> you accepted the tos, you've been informed, that's not unlawful if you gave your consent and the data is kept in the EU.

Are you seriously saying that everyone who gets in an Uber signs a form the driver gives them saying that the car manufacturer might resell all of their data?


> Are you seriously saying that everyone who gets in an Uber signs a form the driver gives them saying that the car manufacturer might resell all of their data?

No, I am saying that Uber can collect that data itself through the app.

I was replying to "To use an application from one of these providers, you explicitly have to agree to their terms and services: a contract between you and the company is established. How is that equivalent to taking an uber?"

It is equivalent because to use Uber you have to accept their license agreement.

Nobody ever explicitly said "resell" because it would be stupid.

It's allegedly proposed by the blog post, but it's not officially stated anywhere.

BTW as written in the part of the Uber TOS I've quoted, they explicitly say that the service can be provided by third parties "outside of their control" and you accept their terms of services by accepting the service provided on the Uber platform.

So yeah, you could be accepting to have your conversation recorded by the driver (or by an autonomous vehicle which is considered a third party provider) or your orders being linked to your persona by the restaurant.

Third-Party Services and Content.

While many Third-Party Services are available in the Uber App, certain Third-Party Services or content are only accessible by exiting the Uber App (“Out-of-App Experiences”). Once you click on a link to access Out-of-App Experiences, you will be subject to the terms and conditions and privacy policy of that website, destination, or Out-of-App Experience provider, which are different from Uber’s

Don't use Uber, it's all I'm saying.


Yes, I’ve never used Uber. The point is that this is completely separate from whatever agreement you have with whoever’s car you board.


Sorry but you are getting this wrong.

1. Certain rights cannot be easily waived depending where you live — this requires "informed consent". Informed consent means you laid out what you are collecting and for which purposes clearly and in easy language — and that I consented to that.

2. Implying consent through action ala "by entering these doorsteps you have signed away your firstborn child" doesn't work.

3. At least under the GDPR not consenting shall not lead to a worse service.

If I enter the car of some guy and his car's manual (available only as pdf download) says on page 234 that he automatically consents to this by using the car, the manufacturer did neither gain his, nor my informed consent.

This is illegal under the GDPR — a law that doesn't only apply to cookie banners and the internet, but to any form of data collection.

(In the EU of course)


My dad bought a new Renault EV last month. The first thing the salesman asked him:

    Salesman: "Do you have a Google account?"
    My dad:   "Yes, why?"
    Salesman: "It's mandatory for purchasing a car with us."

How is that even legal?


I know this exact sequence, because I've seen it with Volvo as well. Any car that's using AAOS now, really.

The manufacturer has a checklist for "delivering" the car to the customer. Usually that's stuff like taking off the shipping labels and checking the systems. But now it also includes training the customer on the car's infotainment system and the mobile app.

The dealer doesn't get credit for the car unless the checklist is complete. So they demand the customer log in so the training can be held.

I created a dummy Gmail account at the dealer to get this done. Haven't used it since.

There's probably a way to opt out of all of it, but I have no idea how or where you do it.


> I know this exact sequence, because I've seen it with Volvo as well.

I have an AAOS Volvo. At no point was I ever asked by a dealership to create or log in with a Google account. Google accounts are not required unless you want to use Google Assistant or download things from the Play Store. If you want to use the Volvo On Call app then you need a Volvo ID instead, which the dealership did offer help with.


This is not true.

The infotainment may use Android, and the salesman may help you set it up but this is definitely not the red flag you think it is


Your comment is a bit jumbled: it’s definitely a red flag. Are you saying that it’s not a real requirement but something the dealer misunderstood or is making up?


More likely sales guy is just saving headaches from complaints about advertised features not working if running without account


It’s likely not actually mandatory. It’s likely a sales tactic to “ensure” the best customer experience.


Yeah, car shopping is a slimy business, and a whole lot of things are “mandatory” “the only option” until you get up to walk away.


Source?


You want a source for someone’s speculation?


Speculation without a source lacks credibility. Without a reputable basis for speculation, the information is unreliable. Speculate all you want but do not expect to be taken seriously.


Not who you responded to, but a dealer mentioned to me that getting in-state financing was mandatory, either through them or any in-state agency, and I couldn't use what I had.

Until I said, oh well that sucks and tried walking out. "Wait let us see what we can do."


"That's a shame", cya.

Or "give me one moment while I set up an account that I will never look at again"


One moment? Have you created a Google account recently? It's not nearly as easy as it used to be. Wants to know DOB, gender, a working phone number that they verify, etc. Seems to me that by linking the phone number to what is probably the same phone number for your other Google accounts, you may as well just have used your main Google account to begin with.


Google will know (and can even be pretty sure based on correlation of other things, like endpoint location if you tend to use multiple accounts from the same IP address) but at least the car dealer/manufacturer won't have your other email address, which solves for one possible threat model.


Are any of those hard requirements? I figure a phone number is at this point, but DOB or gender?


KYC policies, probably. Though asking for gender sounds like an unnecessary minefield.


There's that, but even DOB feels weird. And about twice a month when I log in Google tries to get me to fork over my home address.

KYC outside of industries like banking frustrates me to no end because when it comes to things like money laundering, they still drop the K. I'm reminded of an anecdote from a book I read a while ago, that some rich European had a really big account with either Chase or JP Morgan and his name wasn't attached to that account in any of their internal systems because he requested it.


The same way we have catch-all email addresses, we need catch-all phone number redirects.


It has to be the first one or these companies will never change.


Car dealerships are an insulating layer to protect manufacturers from the repercussions of the bullshit they inflict on customers. In exchange, dealerships are allowed to inject their own layer of bullshit.


Similar experience. I bought a Kia last month. The salesman was insistent that his "delivery checklist" needed to be complete or he'd be in trouble with his manager. It included sitting with me in the car to make sure the app got installed on my phone. Thankfully, my trusty Moto is too old and the Play Store said it was incompatible with the app (I'd be curious to know exactly why, but haven't pursued it). The salesman looked quite dejected.

To me the reasons for this pressure seemed quite obvious: to ensure that I was fully enrolled in the data collection.


> Salesman: "Do you have a Google account?"

Just wait until it gets so tightly coupled to the car that when Google bots decide to cancel your Gmail account, the car won't start anymore.


You need business with them to browse the internet and now to even buy a car. There is a word for this.


It shouldn't be; it's like needing loyalty points for buying things, should be counted as using a non-state currency. There is just a lack of legal power on the side of people not in bed with corporations.


Most important sentence of the article is the first:

> All 25 major car brands reviewed in Mozilla’s latest edition of Privacy Not Included (PNI) received failing marks for consumer privacy, a first in the buyer's guide’s seven-year history.


They didn't review any Porsches then!

Porsche is reportedly concerned over the Android Auto collecting too much data.

https://www.theguardian.com/technology/2015/oct/07/google-de...

https://www.motorbiscuit.com/porsche-models-still-not-androi....


Just because they're concerned about Android Auto collecting too much data doesn't mean they themselves don't use other mechanisms.


I don't care if Porsche collect data on my driving style to improve their cars.

Car manufacturers will see how ineffective and dangerous the ABS/ESP can be in some situations, just like flappy paddle gear boxes still need a clutch pedal to engage the clutch when driving over low grip situations like oil, ice, snow and rain, and the car gets out of shape, because few are perfectly balanced.

Dipping the clutch to bring the car under control and pointing in the direction you want to travel is essential in these situations.

Here [1] Misha could have dipped the clutch or knocked the gears up from 4 to 5 or 6, to prevent the engine and rear wheels acting like a hand brake.

What's also interesting to note is the traction didn't kick in for a second or two, once he was already getting more sideways.

Now I know the Mercedes AMG have had their traction control setup for at least a decade with drift mode tolerances, but in this situation, the traction should have cut in more quickly to bring the speed down and apply the front brakes only.

So whilst the driver waits for the traction to kick in, having a clutch pedal to dip is the next best thing if the flappy paddle gear box can't knock the gearbox up a couple of higher gears quickly enough, even being able to change the brake bias quickly on the fly like in rally cars could help.

It's also why when a car gets sideways, it invariably leaves skid marks on the road before a crash. Some people are capable of driving with faster reaction times than the systems can react.

I know this because I've had to switch my traction control off "mid situation" to avoid a crash and now as a default switch mine off religiously when driving.

I object to the data being shared, just like the UK Govt shares the names and addresses of every person who is eligible to vote with people who stand in a parliamentary election when they can stump up a £500 deposit which is far cheaper than any mailing list! Makes me wonder about the Monster Raving Loony Party!

And other entities can also get this data which shows the law is not fit for purpose in some areas in today's day and age.

So there should be a default data can't be shared unless opting in imo.

[1] https://www.youtube.com/watch?v=rH3YpRYVTBM&t=1215s


They say "major brands". Isn't Porsche a luxury brand with relatively low sales in comparison to the big ones? As such it's not relevant to most consumers.


Or Mazda, it would seem ('product not found')


That's like saying Google is pro privacy because they block others collecting your data.


Mazda not reviewed either.


Surveillance Economy all the way baby.

Until this comes to be understood at large as a basic contributing doctrine of our basic value exchange system, this type of thing will continue to be more and more pervasive.

Given the multiple years we’ve been at it, I think a basic doctrine of privacy as a counterweight is too squishy to really settle in the public’s mind and countermand the negative effects of the surveillance at large.

A new counter doctrine will need to take place. I’m not sure what it would be.


It's gotten to the point that I can't get mad at CEOs, companies:

"So you're saying everyone does it, no one really complains, all our competitors do it, it's legal... and highly profitable?"

I mean, of course they're doing it.

I can just see a board meeting "LG even records you when you watch TV?!?", uh, OK I guess, let's do it.


It's really like that nowadays. As I become more and more aware and learnt, I started reading privacy policies of products. All of them have blanket statements. They claim ownership of any and all data they'll access for functionality. So I stopped reading them. I implicitly agree that any product I use can and will use all the data I hand over to them. I only think if it's a beneficial trade for me.

This has gotten to a point that we cannot let free markets resolve this, it requires government regulation and laws. I'm fortunate enough to live in the EU.


I can. Selling your customer is vile for any amount of money.


The thing is, you don't even lose that customer (only a tiny minority care about privacy issues), it's literally free money.


If the data is being sold, the purchaser of that data is the customer.

The ones providing data are being farmed. We call that something as well, when animals are being farmed for profit.


Well time to send LG a GDPR request and watch them scramble.


Surveillance capitalism dovetails nicely with parallel construction [1].

The surveillance capitalists sell your data to the highest bidder, with the agreement that the source of the data is not revealed.

Parallel construction allows the govt. to avoid judicial checks and therefore public scrutiny.

So it's a self-reinforcing cycle where companies get govt. favors at least as money if not policy, and the companies override constitutional limitations of the state.

[1] https://en.wikipedia.org/wiki/Parallel_construction


I went in there looking because of the amazing notion that car makers grant themselves the right to gather and divulge information related to (quote) your "sex life". And indeed KIA wins the Internet of Creeps with the aforementioned explicitly included in the data they somehow (how?) aim to gather and distribute to the winds. https://foundation.mozilla.org/en/privacynotincluded/kia/ Genetic information is also included, but come on, does a KIA steering wheel suck up your sweat and send it to a hidden PCR machine??? I think the people at KIA who wrote that "cover our arses" legalese going through every piece of data they could possibly at one time gather need to factor in the cost of some customers, me included, never ever getting a KIA. Anyways as I understand they are extremely easy to steal, looks like a failing brand won't be able to get parts (or private parts) for long.


>Genetic information is also included, but come on, does a KIA steering wheel suck up your sweat and send it to a hidden PCR machine???

Might be CYA, but I suspect it's more like "If we hit up 23andMe (who definitely sells deidentified genetic data and in all likelihood also sells the same tracking info from using their site as everyone else) maybe we have enough inference to figure out your genetic makeup."

Even on an intellectual level, I'm curious if this can be done. So yeah, pretty sure Kia's data science team is more than encouraged to crack that code.


Maybe because people may have sex in their car. But yeah it is incredibly creepy how much data these companies collect


Pregnancies should be fairly straightforward to detect and are hugely valuable info for marketing.


Look at the bright side: when the car detects that you're knocked up, it can automatically route you to the nearest abortion provider. No tech company will dare to track you there!

https://www.reuters.com/world/us/google-delete-location-hist...


On a less jokey tone, it’s really not a stretch to imagine someone like a Texas AG filing subpoenas demanding cell providers, cars with data services, etc. identify customers in their state who stopped near clinics in adjacent free states. I’m actually a little surprised that hadn’t already happened.


I think sarcasm is the tone I'd use in this case, but you do have a valid point.


To be fair, a customer discerning enough to read the privacy policy probably isn't considering a brand with a reputation as dubious as KIA (at least in the USA).


> Several car brands also note that it is a driver’s responsibility to tell passengers about the vehicle's privacy policies.

Whoever makes these policies must get a chuckle knowing people will never do this.


As laughable as that rule is, it seems to me like this is also the easiest starting point for inducing change. Make a rule that says this isn't a reasonable demand, and consent must be explicit. This doesn't prevent surveillance, but it definitely makes it a lot less convenient.


Ok hackers. Tell us how to disable this crap. Surely all of this is easily defeated by removing the hardware that has the radio transmitter. Would love to see more technical articles on how all this stuff works such that it can be defeated or even better fake pumped.


I killed the OnStar module in my old car by cutting a wire.

Willingness to violate manufacturer warranty is the #1 barrier. If you don't care, there isn't much to stop you from figuring it out on your own. Angle grinder will get you into anything. Just be careful with those high voltage systems in EVs...


I think technically they would still have to honor the warranty on anything not directly affected by the wire you cut, but you would probably have to fight them on it.

Just like how warranty void if removed stickers are a lie under: https://en.m.wikipedia.org/wiki/Magnuson–Moss_Warranty_Act


The term you want to search for is "Telematic Control Unit." If there's a fuse for it (or if you can remove it entirely), that should take out most of this stuff. I found this thread[1] where people reported pulling the fuse for it in a Ford truck and the rest of the vehicle still working properly.

In good news, if your car is old enough and came with a 3G transmitter, data transmission won't work anymore since most 3G networks have been shut off. [2]

If someone knows of a wiki somewhere that lists the years/car models and what types of tracking they actually perform (not just what's theoretically in their privacy policy) that would be much appreciated. It would be nice to know if, when I get in someone's car, the conversation might be recorded and sent somewhere. Or which car models are sending the recordings of the cameras installed on the outside (or inside?) that can be viewed by the employees and shared around the office (not theoretical) [3]

[1] https://www.mavericktruckclub.com/forum/threads/experience-w...

[2] https://jalopnik.com/here-are-the-ways-shutting-off-3g-is-go...

[3] https://www.reuters.com/technology/tesla-workers-shared-sens...


Well, in Toyotas, DCM modules were recently moved behind the nav screen, have to pop the dash and remove the fuse itself to cut power to module until replaced. There are videos on YouTube to help, as well as included in car manual[0]. Before recent, DCM was clearly marked in the fuse box, easily pulled there.

[0] https://www.toyotanation.com/threads/disabling-the-dcm-in-my...


From what I have seen on my 2013 VW the antenna on the roof is for the satellite/gps/phone (up to 3 wires in it, mine only has 1) the antennas for the FM/AM are incorporated into the windows...based on the brief stuff I read on the internet.

So removing the roof antenna might do it...but then again it may render the system unable to start entirely (in the future it likely will). I suspect this is going to need to be reviewed on a car by car basis. And all of this assumes there isn't another antenna hidden somewhere else in the vast wiring loom (or on a pcb).


These internet connected cars will eventually turn into Westinghouse Radiohubs. [1]

For most people, even those who don't subscribe to the internet requiring service, there is no way to disable it. Especially when the radio device is inaccessible.

On a separate note, I recently got a CPAP machine. It comes with a copy of the terms and conditions that I had to sign and return to the doctor. Before you connect it, you must attach an external radio device.

Luckily, they botched the delivery and the device was 4 months late. Then when they finally sent it, it went to the wrong address. I called and said I never received it, before the neighbors brought my package. That's when I learned that the $1000 device I got was actually a subscription for $50 a month after the insurance contribution. I never plugged the radio device and the machine works just fine.

I paid $1000 for a fan with a tube, but at least I'm not paying for the subscription and never connected the spying component.

[1]: https://news.ycombinator.com/item?id=22083759


There seems to be a decent amount of terrible-business-practice-bullet-dodging these days, thanks in part to the slapdash nature of how many of these companies operate. I needed a new mattress a few years ago, and reluctantly dived into a market that is widely known to be a massive scam.[1] At the end of my second 100-day-trial, I prepared to return my unit and get my $700 back (much better than the $2000 I'd put on credit for the preceding one). However, the company I used simply processed the refund and suggested I move the mattress to a guest room, or donate it (at my expense). Something tells me that it was not actually worth anywhere close to $700.

Less luck with my CPAP. The one I got through my doctor was subject to the same issues, and they even tried to charge me after I sent it back. The replacement I purchased off Craigslist had been used in a smoking household, which I didn't think would be a problem, but turned out to be a huge problem. Even after disassembling the thing, soaking every part I could in bleach, and meticulously cleaning the pump, it still pumps out air that smells faintly of tar and soot. It would be nice to live in a country where healthcare was accessible.

[1]: https://boulter.com/blog/2008/08/20/the-mattress-industry-is... (This does not reference the affiliate review hustle that has blown up since it was published.)


In the US, if the CPAP is being paid for by insurance, the cellular modem is used to track "compliance" -- i.e. are you using the thing enough for them to justify paying for it. But if not, the CPAPs I've seen have an "airplane" mode where the cellular modem can be turned off, and you can google for guides to physically disconnect the modem internally.


I wonder what happens when lawyers realize they can subpoena all that. My client was subject to a hit and run, please provide all data related to red Subarus in San Francisco on April first from 1 pm to 2 pm pacific. Yeesh. Seems like a lot of data to wrangle.


> The very worst offender is Nissan. The Japanese car manufacturer admits in their privacy policy to collecting a wide range of information, including sexual activity, health diagnosis data, and genetic data — but doesn’t specify how.

My dad just bought a Nissan Qashqai (I hate it, but whatever). For legal reference, I'm in Spain, so EU GDPR framework. Every single time you start the car it shows a consent screen for data acquisition. By memory... "Driving data, location, statistics, blablabla for the Nissan Connect program."

  - I haven't connected nor do I have a user or anything at all in the Nissan Connect apps
  - You can't disable the dialog, not even in the service menu
  - I've been digging in forums and everyone says you have to bear with that for the whole life of the car

That's not ethical, and probably not even legal.


> Every single time you start the car it shows a consent screen for data acquisition.

My parents' new Hyundai does this too. You can't say no, and you can't store your reply. Incredible. I'll never ever purchase such a vehicle.


Which is illegal. They just haven't been sued yet.


Is their car connected? I have a 2022 Hyundai and all it does is tell me to drive safely but if you don’t respond it goes straight to CarPlay. I imagine you need to connect the car to Hyundai’s app for them to get data right?


If only that was the case! Cars have their own cellular modems and ship off your data without any end user involvement.


All cars? Man, I need to do something about that...but I never agreed to anything, though it may have saved my response since I am leasing the car.


Any modern car with eCall will. Some will even make you pay for it.


I don't think it's connected (my parents wouldn't set anything up), but who knows?


I wonder if the dealership connected mine. I have a lease so anyone could have test-driven the car and hit "accept"


Thanks for letting me know this. I was considering one of their vehicles. Added them to the vehicle shitlist.


My Kia does this too, but the consent screen goes away after a while if you don't do anything.


I had a Kia rental a while back, exact same car UI and prompt as Hyundai.


And, from a pre-smartcar perspective, a terrible driver experience. I don't understand why the consumer marketplace puts up with this.


The data mining probably doesn't really register, I suppose it never shows up again when you press yes, which almost everyone will reflexively do right away.

Also, people will put up with a lot to have that BMW that marketers have programmed them to associate with success and status.


What else is there to buy?


Can you refuse as easily as you can consent?


Nag on boot already means that you can't refuse as easily as you can consent.

Presumably they don't harass users to accept the agreement once already accepted.


> Presumably they don't harass users to accept the agreement once already accepted

They may have to, as long as they can't identify who's behind the wheel: a single driver can't (legally) accept those terms for all future drivers of the car.


> That's not ethical, and probably not even legal.

Sounds illegal indeed, GDPR requests the possibility to refuse the data and you can't just ask in a loop, that wouldn't be informed consent.


I’m privacy conscious, and on the side of Mozilla here. But I wish the article showed examples of how the data is actually being shared rather than an analysis of the terms. What’s an example of my health data being used somewhere else? I know it’s hard to get proof of this but that is what would make the public more aware.


When it's in the privacy policy: "don't care, they're not actually doing it"

When they're actually doing it: "don't care, it was in the privacy policy, of course they do it"

I think it's good to resist at every step.


Mozilla clearly has not looked at how data is collected at all. They're at step 1 of the privacy invasion story: let's shame the lawyers for all the unenforceable crap they wrote in the terms of service.


> They're at step 1 of the privacy invasion story: let's shame the lawyers

I would argue that they're at step 1, yes, but that step 1 is telling you these manufacturers have no respect for your privacy, period.


Which appears to be true. If these companies respected the privacy of their users, their privacy policies would not contain what they do.

Regardless of current active data collection, I think it’s wise to read these policies as a declaration of intent.


"So, what's the worst that could happen with your happy little Subaru Outback? Well, it would really stink to go visit your Mom, go for a ride in her new Subaru with all it's fancy, connected features, have a private conversation with Mom about how you helped your friend drive from state that outlawed abortion to one that does, and then end up have that audio recorded, then shared with law enforcement because Subaru says in their privacy policy they can share or sell that personal information, including to "detect and prevent criminal activity." That is perhaps a far fetched scenario and we really hope Subaru would never do that...but still, it seems like it is something that could happen, based on their privacy policy."

https://foundation.mozilla.org/en/privacynotincluded/subaru/


Curious how much less data these manufacturers get if I’m using CarPlay instead of their own homegrown console. It’s getting to the point where I straight up won’t purchase a new vehicle if it doesn’t offer CarPlay.

There’s probably other sensor gathering happening around the vehicle and obviously you can’t hide things like driving habits but it feels like staying out of the manufacturer’s homegrown OS gets rid of a good chunk of the worst privacy nightmares


Why would it? It's not like the car's OS is off while you're using carplay. There's still microphones, GPS, cameras, etc.


I assume the manufacturer's OS would be what's running the car side of CarPlay, so it might even be able to get information from CarPlay.


Are you seriously considering that your phone tracks you less than your car?


You can turn off location services on your phone. You can't in your car.


By definition as long as your mobile phone is a mobile phone it's a tracking device. You can turn it off just like you can turn your car off


Yes - or rather you have more control over what you decide to let it track.


Yes.


Collect information about your sex life!? In what way?

Also, will these brands track geolocation information, etc?

Insane that any regulator would approve of this. A car shouldn’t be smart, it should be hardware that knows nothing about you. You can then enhance the car with something like Apple car play since you already use that phone everywhere anyway.

750 billion a year industry? What kind of dystopia do we live in?

Should we move to a system where a company can only do things or make things that are in their direct industry? So a car company can only make and sell cars and not sell data?

I have no idea what the solutions are, but this sounds horrible.


I think rather than saying a company can only do one thing, one could argue a product should only do one thing to extract value from it:

1. One time payment

2. Subscription payments

3. Usage-based payments

4. Selling personal data (to other _products_)

5. Showing ads (based on data collected by the product itself or bought)

If Google makes a car in this world, they'd have the option of making the thing free and in turn it sells data they can use for their ad business, basically how I'd say they monetise Chrome (beyond that sweet web monopoly they get out of it).

I think that could potentially be a lot more honest, consumers would know exactly what price they pay. And it'd make it a bit harder to build and maintain a monopoly through strategic product portfolios.

Seems like there's an argument there that complex/hidden pricing schemes and the illusion of free are too much to ask the typical consumer to untangle, it'd therefore classify as consumer protection in my book.

I noticed that companies that run most of their business units as profit centers (where units also generate revenue from other units) seem to do better than those that have mostly revenue and cost centers and lots of politics in-between. So maybe we'd even get better products this way.

Edit: Upon reflection, what's difficult is defining what a product is in this model. My spontaneous approach is that a product is anything that you can choose or decline to use. If my smart TV maker says "well the home menu is a different product from the TV" - totally fine. Give consumers the choice of using a different home menu and you got a deal. If those two things are inseparably (by practical means) intertwined, it's one product.


>Collect information about your sex life!? In what way?

My straightforward guess is cameras pointed in the car, or collect information from the phones in the car and try to extrapolate using techniques perfected by Meta.

>Should we move to a system where a company can only do things or make things that are in their direct industry? So a car company can only make and sell cars and not sell data?

I would be interested in that just to see what happens to the FANGs. Google can pick between youtube and chromebooks; meta can't have its own VR headset; what even happens to Apple? It would at least get more people thinking about if hyper monopoly/monopsony and vertical integration into every area of life is actually desirable.


It's about to get a whole lot worse, folks. Up until now this was semi-frivolous info like location etc but with the advent of fitness trackers & AR you will have something constantly tracking your bio-signs with increasing sophistication. It's not long before someone makes a bunch of ML models to connect them to health problems and insurability in general. I hate Apple as much as the next pro-open-source nerd but I hope to god Apple fares much better than 'others' in terms of privacy.


Humble suggestion: What if many enough people went through the motions of buying a car, and backed off at the last moment because of unacceptable data collection. That would piss off the car dealers, who might vent their frustration to the importers, who might pass a word to the factories and designers...


It’s becoming increasingly more difficult to find cars without tracking technology which also meet environment requirements……..


Even the stuff that used to be entirely consumer-oriented are now data harvesters. Want to protect your car from being stolen? Put in several GPS chips that will help us locate it - but until you need it, those chips are basically geolocation beacon for context ads. Convenience is being used to track everyone and everything.


GPS chips don't matter because they are receive-only. What matters are cellular modems. Those need to be found and disabled.


Until they make it illegal to tamper with said modems.


I'm sure it already is.


It's hard to find either. Except for used cars. The environmental impact of production is already borne, and many older models don't track you.


As designed by the regulators


I assume calling out specific topics like users' sex life is a CYA move. They could very well be storing any and all audio in the car, at which point they could store info on anything said.


I agree, I assume the manufacturers aren’t out there writing code to detect, categorize and store sexual acts happening in their cars, and then selling that data to third parties.

But the fact that we’re even discussing this is ridiculous.


That does not sound like a safe assumption to me at all. If someone will pay for that data, I am quite sure it is happening.


It’s especially easy to imagine happening implicitly: feed everything into an ML system and if it tags it with something like “(sex noises)” or “(moaning)” (which Hollywood subtitles and other things in someone’s training data probably have) that’s searchable without anyone explicitly setting out to build a system.


I'd assume they are more likely to get valuable data from people talking about their sex life, if companies are actively trying to monetize in that way


Oh, sure. The point is just that nobody has to put a business goal in to directly create that feature for it to be exposed by a general purpose classifier.


If it were truly a CYA move, shouldn't it mention any & all audio? Conversations were not listed by Mozilla, but surely that would be extremely privacy-relevant, for example.

I do think the data collection method seems puzzling, but if it were as simple as audio, I think that's what would be mentioned.


Connecting your phone to a rental or friend's car's Bluetooth will also snarf all your contacts and identifying phone data. Often times in a way that cannot be erased, even by a tech.


When the car asks your phone for contact info, you click decline.


In Android, at least, it defaults the checkbox to allow contact and text message sharing. You have to uncheck it before hitting connect. It's not actually an allow/deny contact sharing button. It's an extra step if and only if you want to deny. Dark pattern.


Even if you decline Contact syncing but otherwise use Carplay?


If it weren’t so hard to start a successful car company, I would say this is a situation ripe with opportunity. A privacy focused vehicle could probably sway enough customers for it to be a meaningful advantage, even if it wasn’t people’s number one priority.

I wonder if Apple saw this coming when they started their automobile program, which seems less crazy to me the more time goes on. I always figured it had more to do with screen time and entertainment for when full autonomous driving becomes available. But the more I think about it, that will probably be less of a unique feature than privacy.


I think it's viable as a service business, like car stereos or tinting.


14 year old script kiddies can also write a bash script and take over millions of vehicles from a home internet connection and make them crash

it's been proven before: https://en.wikipedia.org/wiki/Chrysler#Chrysler_Uconnect

and will be proven again

just like with all tech don't buy anything made after 1990. corporations now see your vehicle as a smart phone that just gets a stream of alpha quality software piled onto it and updated whenever they are told of their mistakes


I work in the broad "automotive" sector. After ISO-9000 and 14000 and SOX and all the emissions regulations and the emissions documentation regulations and all the other make-work-for-auditing-firms regulations and certifications, the latest craze sweeping the industry is "functional safety." It sounds all well and good, but the requirements to satisfy the certifications are yet another enormous amount of work on top of all the rest, and I fear that companies are yet again getting caught up in the stuff that can be easily audited, and will be "straining at gnats and swallowing camels" when it comes to actual device security. To wit: all the stories about how KIA's are trivial to break into and drive away come to mind.


1990? You can find model years up to 2010 with an in-dash CD player and no screens (that's my litmus test). The BIG problem is that ALL EVs come with full telemetry and drive-by-wire. I'm hoping that someone builds an EV without telemetry and without drive-by-wire - it's one thing to lose control of a server to script kids, it's quite another to lose control of my car. It may be that I'll be limited to a retrofitted older car, but that's okay.


they had complex ECUs with no auditing (some bigot cartel fat cat in the government rubber stamping random shit which may or may not be credible because it came out of some formal methods university doesn't count) for decades before that just as with all embedded software. and drive by wire as you mentioned i don't think is ever going away.


1990 is a bit of a stretch, I draw my line around the '00s.


How do you have a pre-1990 computing device that supports SSL?


i don't even want tls (since ssl is dead, just like tls will be) in my browser, why would i need that in my car? my car shouldn't have any software ever.


1990?! why that year specifically


Do the manufacturers have separate agreements for corporate/government fleet vehicles? Lots of confidential information would otherwise be recorded, like business deals and patient information.


Let me repeat what I have already stated elsewhere: the only way the privacy nightmare ends is when we thoroughly regulate the personal data market out of existence - meaning going one step further than GDPR and just forbid any use of my personal data except in the context of fulfilling an actual purchase or specific request by me and for communicating with me to the extent I allow it. All other uses are banned.


I think there should be a statutory penalty for possession or transmission of personal information. There's such a penalty for copyrighted music recordings. It creates an incentive for lawyers to act as bounty hunters on behalf of victims, for a cut of the settlement.


That’d be pretty hard to get passed since not only does the government buy this data but political campaigns are massive customers. Every political party in the world is leveraging microtargeting now.

It would require a really huge uproar, boycotts, lawsuits, and a wide spectrum movement.

Hard to get that together in a world where political consciousness is constantly trapped in the tar pit of culture war trolling. The culture war pretty much guarantees no other issues can sway elections.

…and of course all that data driven microtargeting is used to drive culture war rage trolling to keep things this way. They know exactly what will make you mad, and thus distract you.


How does any of this work for second hand cars? If I buy a car second hand, I'm not party of any agreement between the original owner and the car maker.


This is why I refuse to buy a new fancy car

I drove my friend's Subaru with lane assist and adaptive cruise control and such. It’s nice, but I figured with the level of data collection that’s going on in these cars plus the fact that there seemed to be a cellular internet connection baked into the car there had to be some fucked up nonsense going on

My daily driver, a 2016 smart fortwo, is not as fancy or practical. But it is through and through a “dumb” car despite the name. It has no real modern creature comforts aside from automatic windshield wipers and headlights. Otherwise it’s like a car from 1998 with modern crash safety and I love it for that. Maybe it collects a ton of data but I’m very confident it doesn’t phone home. Plus a rear engined manual! Although a 3 cylinder one lol. At least you can park it basically anywhere


Self driving cars will be the worst offenders then.

You will have no choice to move freely once all cars are self driving.

You will be tracked even more than today with these cars.

Personally I think cars and freedom of movement are very important. And I do everything in my power to oppose self driving cars.


Some of these terms are likely just illegal, unenforceable or flat out unpractical.


Both Nissan and Renault are under the same corporate umbrella (RNMA) and share parts and practices (including infotainment systems) quite regularly.

The fact that Nissan was the worst offender and Renault the least problematic is interesting and shows that GDPR has been helpful in getting European focused brands to take privacy seriously.


California has CCPA https://en.wikipedia.org/wiki/California_Consumer_Privacy_Ac... Could this be used to force these companies to delete all personal data? It would have to be done periodically since after deletion the data would accumulate again. It seems like there's a potential business idea here of automatically sending out CCPA deletion notices to companies on a schedule. While this wouldn't stop the collection of data, regularly interrupting them with deletion requests could make storing personal data costly enough to at least reduce whatever profits they would get from it.

EDIT: Looked at a few privacy policies and the CCPA link is often hard to find. Keywords to look for: "CCPA", "California Privacy", some examples of links I found:

https://www.honda.com/privacy/your-privacy-choices

https://www.tesla.com/legal/privacy#data-sharing

https://www.ford.com/help/privacy/ccpa/

https://ksupport.kiausa.com/ConsumerAffairs/PrivacyManagemen...

Something interesting I found is also this: https://www.honda.com/privacy/CCPA-Metrics which shows how many requests Honda received. It seems not many are aware of CCPA rights and this number of requests is not enough to deter companies from gathering personal information. These metrics need to be orders of magnitude higher to make a difference in company behavior. It seems like an automated service to send these requests and more public awareness of CCPA could help here.

EDIT2: A lot of these forms ask whether you're submitting the request for yourself or you're an authorized agent doing it for someone else. I found more details on "authorized agents" on the CCPA FAQ: https://oag.ca.gov/privacy/ccpa. Maybe an organization like Mozilla or EFF could set up a service where you can authorize them to do this for you? Then you could just select a checkbox of companies that you want CCPA deletion requests for and it would be sent on a regular schedule (quarterly? yearly?). If such a service became popular, it could really disrupt the personal data gathering of companies.


Can anyone more familiar with the subject let us know around what year of manufacturing in cars did this trend start? I don't particularly want to keep driving a petrol car, but seriously don't want this crap either.. I might just keep my 2010 alive as long as I can.


A quick litmus test would be any car that is able to connect to the internet or to a manufacturer app on a smartphone.

My car (Honda EDM) is 2018 and is - if we want to make lousy parallels - essentially a "dumb phone". Sadly I will have to get rid of it and buy an electric or plug-in hybrid due to legislation. The only way not to get my soul sucked in would be to keep it airgapped, if that's even possible.

The whole situation is an all too perfect example of "if they can do it, they will": the moment there was an upstream link manufacturers jumped on the occasion to mass-enshitify their cars.

Of note, Mazda is conspicuously absent from the report, I would have been quite curious about their stance here given they were among the rare ones resisting the virtual-knobs-on-a-big-screen move.


I drive a top trim 2021 Mazda 6 and as far as I can tell it doesn't even have any sort of bidirectional data transmission outside of the standard Sirius XM traffic/weather/whatever systems. The internal GPS doesn't even work right since I declined to buy the $400 map pack (CarPlay is more than good enough for me). I haven't read any privacy policies yet, but my hunch is that there's nothing that bad in them, especially since I'm not even sure how they'd get the data off beyond a dealer service.


You can buy a Navigation SD card from Amazon or Ebay for under $50 and update it with their free (as in gratis) tool: https://mazda.welcome.naviextras.com/how-to-update.php


> Sadly I will have to get rid of it and buy an electric or plug-in hybrid

What jurisdiction is forcing you to replace your ICE car with an electric or hybrid?


France. Crit'air is gearing up in highly polluted major cities subject to LEZ, with accelerated calendars to comply with emissions regulations.

Mine is ranked tier 2 (EURO V petrol) and will be forbidden to drive starting January 2025.

The only ones allowed will be tier 1 (EURO VI petrol) and tier 0 (EV and PHEV).

There's no calendar yet for tier 1, but I'm sure as hell not going to buy a tier 1 car and find myself in the same spot of having a perfectly maintained and efficient car with a lot of mileage remaining that I can't resell or have to scrap in 3-5 years when (PH)EVs will be the only ones allowed.


The rollout of 5G has allowed many many more connected devices per tower. I'd say they are related.


We must create the demand for true-hybrid conversion kits for the type of vehicles you have in mind.


2016 model year for Subaru was the last year they did not have all this data gathering. 2018 for most American made cars.


That's good to know. I bought a 2015 Subaru just a year ago. Any chance you can share your source so that I can feel complete comfort about the data privacy of my car?


Subaru; I posed as an internal developer and contacted a few of their software groups inquiring about their internal utilities. The systems they use now were not in place until the 2017 model year.


Started to get bad around 2008, and quickly spread and got worse.


Are commercial vehicles the same as consumer vehicles? I know there's not really a great distinction, at least in the U.S. but if I buy a cargo van and add some seats to it, is there some distinction between that and the latest super-connected consumer model sedan?


If my car isn't connected to the internet how is this data being sent?


Presumably they have their own mobile modem with a plan used only for that kind of telemetry. If purchased in big volumes that would cost to car manufacturers a lot less than the money they can make either by offering services or simply by selling users data.


but your car is


How? in what way? A car neither has cellular data nor has a fiber ethernet running through it. Does it collect data and relay it to a server whenever like a mobile phone is connected or a wifi network is connected or goes to a service center?


Allow me to introduce you to the Telematic Control unit, not to be confused with the transmission control unit. Funny how they named it so similarly, it’s almost like they want it to be difficult to identify.

Google your car make and model for a specific version. You might be able to physically remove it by searching for “tcu replacement / repair” etc.

https://en.wikipedia.org/wiki/Telematic_control_unit?wprov=s...


Oh my god! That's real scary!


Modern cars have their own eSIM that doesn’t depend on anything external such as your phone or connecting to your network of choice. E.g., Cubic Telecom


They often do, and if they’re not connected, the data is stored until it’s serviced, at which point the dealership downloads all of it.


OR you're in an accident and law enforcement dumps your vehicle's storage,

OR your vehicle is hacked.

Better to just never create the data, if we can avoid it.


I also noticed that even after a "factory reset" of my head unit I could still see logs of downloaded contact names while perusing its filesystem.


Do you have proof for this matter?


Can you source that claim? Cars DO have cellular


I was always skeptical of these fancy new vehicles with shiny electronics. I'm glad I still drive a 15 year old car and a 10 year old motorcycle where the most advanced tech is ABS.


How don't they get sued by millions of ppl? If I buy a used car and I haven't agreed to all the data collection, how is this legal?



It’s only going to get worse with autonomous cars.


To a whole new degree. You want to go to the bar? Car says no because it talked with your health insurance and decided your liver doesn't meet minimum health requirements for beers with friends. Want to take a trip to DC? You criticized a past president on social media once, so you might be a terrorist so cars aren't allowed to take you within ten miles of the district.


One thing that is not clear is if this data collection and phone-home works even if there is no cellular plan active on the car?


Nice and all, but has anyone in Mozilla thought about spending money on the browser?


My two Toyota cars from 2001 I drive and maintain looking better every day…


No mention of Honda? I was bummed since my wife and I drive a Honda.


The format is not great, but Honda is there, as well as Acura

https://foundation.mozilla.org/en/privacynotincluded/honda/


thanks!


although the article is mostly about in-car privacy, try querying your personal identifiable data at major auto brands online, no matter if you bought a car there or you sometimes stopped in the buying process. good luck! it's a nightmare - not only for you to file your wish, but also to get the data. and it's your legal right with GDPR. tried it on two brands, it's a true nightmare.


I was shocked when the local auto zone or equivalent looked up my car by plate and knew stuff I'd have objected to.


My bicycle never spied on me


[dupe]


And keep it on the front page until this bs stops



At least this one is the original source.


> Who we are

> The Mozilla Foundation works to ensure the internet remains a public resource that is open and accessible to us all.

??


Just buy a Tesla.

For those of you who think for yourselves and are still reading, I'll explain why.

They have the best practices of any connected car listed, it's all opt in, and they collect nothing tied to your ID. Privacy aside, also there's no haggling, and it's a better car with lower TCO and more efficient drive train and wicked fun. The leather and mahogany and built in cigar cutter is not there, but hey you have a charging network.

Back to privacy, to me it's a feature, not a bug, that you can view live video from your car's many cameras while you are far away from your car. I can check from the office whether my garage door is open. That's good, not bad. Mozilla is really amping up the hyperventilation to think of this as a negative.

If you read carefully it sounds like nobody contributing to the article actually sat in a Tesla and went through the experience of how choices are presented.

The way I look at it most of the negatives they tried very hard to come up with in the article for Tesla boil down to "it seems we aren't sure if we can trust them because look at us, doing business with Google, which is also a privacy nightmare, and if we posture like this, Tesla might too" which is all fair, but very weak.

You actually don't see Tesla posturing about privacy, although maybe they might after this article. That would be reasonable. When you do read the fine print, it is very good for consumer privacy.

Just buy a great car that you love, but also one that you won't regret buying later.


Until Musk decides that you don't get updates (& maybe airbags deployed) because you said something anti-russia/pro-union/anti-whatever-his-whim. Not sure I wanna get into anything he makes after the latest revelations on Ukraine. He is hardly the underdog he claims he was, not anymore.


Updates are opt in, you don't have to accept them.

The Ukraine thing is more nuanced than the media makes it out to be. They are in the business of selling drama.


>Just buy a Tesla.

No. Because of the owner.


He's actually a good guy, though it's your choice if he rubs you the wrong way.


He's using his bullhorn at Twitter to spread antisemitic lies at a time when hate crimes against Jews are escalating. That definitely rubs me the wrong way and I worry about those it doesn't.


That's an accusation, but there are other more charitable interpretations of what's going on. You are free to choose your own interpretation though.


You're papering over explicit anti-semitism that's being celebrated by neo-Nazis who are gleefully quoting him and claiming him as one of their own and by doing so affirming that his statements are antisemitic. You can offer as many charitable excuses as you like, but from here that is not a good look at all, and my version of good guys doesn't include those who pick up neo-Nazi fan clubs gleefully quoting them and claiming by their words that they are members of the same ideological group.



