Am I reading this correctly? I could be a passenger in my friend's Subaru, or even in an Uber, and they claim they have a right to my personal data? Surely this isn't legal, there's no way they could claim to have consent for this...
Note, this is not a justification, but an attempt to understand how we got to now in hopes that by seeing where we've been, we can collectively make better decisions about where we are headed.
People carry phones in their pockets equipped with mics and running operating systems that have secret source code. If you think the mic can never turn on without you knowing you are in for a big surprise.
If Mozilla really wanted to be helpful they could suggest legal terms to cover the manufacturer for features people want, such as crash reporting or locating stolen vehicles - except I suspect that Mozilla would feel obligated to issue a scathing review of Mozilla's suggested privacy policy were they to do so.
Looking at the MySubaru app, it looks like I can cancel any subscription. There is also this opt-out setting to “Send Vehicle Location at Ignition-Off”:
Vehicle Location
If you choose to opt out of this service, MySubaru will not collect your vehicle location when you turn your ignition off. You will still be able to locate your vehicle by sending a remote command through the MySubaru app.It's worse than that. The way the law works is that you'll only have standing to sue if you're harmed in some way. But since your data is slurped into a big black box, and then passed around and used by 3rd parties, the connection back to the original ingress point is tenuous at best. Some of those 3rd parties, arguably the most harmful, will themselves be law enforcement, and in the US they have qualified immunity, section 720, and a vast array of a) excuses to snoop and b) immunity from consequence. So, it's worse than illegal because you'll never have standing to sue them and find out.
Of course, the solution is to not buy their products or, if you do, substantially modify them to remove all owner-hostile features after-market. Indeed, I predict a healthy secondary car (and phone!) market where trusted 3rd parties "sanitize" the product to protect the owner.
I mean, yes, the terms are insane, but I'd also never agree to a silly monthly subscription Internet/entertainment/whatever thing from a car company. I'd never even pay for Sirius.
How do you know that? There's a 5G modem.
Your real time location data (and everything else) from phone apps is sold on a semi-open marketplace to bill collectors, marketers, spies and PI's.
For example:
https://www.smithsonianmag.com/science-nature/scientists-pul...
Presumably this includes GPS data, so they know if you frequent Starbucks or McDonald's. And sell your data appropriately.
Are you sure there aren't local data privacy rules elsewhere that this also violates? GDPR itself basically just unified the existing privacy laws across ~EU member states.
How is this data tracking any different from what google, twitter, or Facebook use? If it’s legal for tech companies to collect user data, why would it be illegal for car companies?
You can write anything you want, but no that doesn’t make it a valid contract.
To use an application from one of these providers, you explicitly have to agree to their terms and services: a contract between you and the company is established. How is that equivalent to taking an uber?
1. Certain rights cannot be easily waived depending where you live — this requires "informed consent". Informed consent means you laid out what you are collecting and for which purposes clearly and in easy language — and that I consented to that.
2. Implying consent through action ala "by entering these doorsteps you have signed away your firstborn child" doesn't work.
3. At least under the GDPR not consenting shall not lead to a worse service.
If I enter the car of some guy and his cars manual (available only as pdf download) says on page 234 that he automatically consents to this by using the car, the manufacturer did neither gain his, nor my informed consent.
This is illegal under the GDPR — a law that doesn't only apply to cookie banners and the internet, but to any form of data collection.
(In the EU of course)
Salesman: "Do you have a Google account?"
My dad: "Yes, why?"
Salesman: "It's mandatory for purchasing a car with us."
The manufacturer has a checklist for "delivering" the car to the customer. Usually that's stuff like taking off the shipping labels and checking the systems. But now it also includes training th customer on the car's infotainment system and the mobile app.
The dealer doesn't get credit for the car unless the checklist is complete. So they demand the customer log in so the training can be held.
I created a dummy gMail account at the dealer to get this done. Haven't used it since.
There's probably a way to opt out of all of it, but I have no idea how or where you do it.
I have an AAOS Volvo. At no point was I ever asked by a dealership to create or log in with a Google account. Google accounts are not required unless you want to use Google Assistant or download things from the Play Store. If you want to use the Volvo On Call app then you need a Volvo ID instead, which the dealership did offer help with.
The infotainment may use Android, and the salesman may help you set it up but this is definitely not the red flag you think it is
Or "give me one moment while I set up an account that I will never look at again"
To me the reasons for this pressure seemed quite obvious: to ensure that I was fully enrolled in the data collection.
Just wait until it gets so tighly coupled to the car that when google bots decide to cancel your gmail account, the car won't start anymore.
My dad just bought a Nissan Qashqai (I hate it, but wathever). For legal reference, I'm on Spain, so EU GDPR framework. Every single time you start the car it shows a consent screen for data aquisition. By memory... "Driving data, location, statistics, blablabla for the Nissan Connect program."
- I haven't connected nor I have a user or anything at all in the Nissan Connect apps
- You can't disable the dialog, not even in the service menu
- I've been digging in forums and everyone says you have to bear with that for the whole life of the car
My parents new Hyundai does this too. You cant say no, and you cant store your reply. Incredible. I'll never ever purchase such a vehicle.
Also, people will put up with a lot to have that BMW that marketers have programmed them to associate with success and status.
Presumably they don't harrass users to accept the agreement once already accepted.
Sounds illegal indeed, GDPR requests the possibility to refuse the data and you can't just ask in a loop, that wouldn't be informed consent.
My car (Honda EDM) is 2018 and is - if we want to make lousy parallels - essentially a "dumb phone". Sadly I will have to get rid of it and buy an electric or plug-in hybrid due to legislation. The only way not to get my soul sucked in would be to keep it airgapped, if that's even possible.
The whole situation is an all too perfect example of "if they can do it, they will": the moment there was an upstream link manufacturers jumped on the occasion to mass-enshitify their cars.
Of note, Mazda is conspicuously absent from the report, I would have been quite curious about their stance here given they were among the rare ones resisting the virtual-knobs-on-a-big-screen move.
What jurisdiction is forcing you to replace your ICE car with an electric or hybrid?
its been proven before: https://en.wikipedia.org/wiki/Chrysler#Chrysler_Uconnect
and will be proven again
just like with all tech don't buy anything made after 1990. corporations now see your vehicle as a smart phone that just gets a stream of alpha quality software piled onto it and updated whenever they are told of their mistakes
> All 25 major car brands reviewed in Mozilla’s latest edition of Privacy Not Included (PNI) received failing marks for consumer privacy, a first in the buyer's guide’s seven-year history.
Porsche is reportedly concerned over the Android Auto collecting too much data.
https://www.theguardian.com/technology/2015/oct/07/google-de...
https://www.motorbiscuit.com/porsche-models-still-not-androi....
There’s probably other sensor gathering happening around the vehicle and obviously you can’t hide things like driving habits but it feels like staying out of the manufacturer’s homegrown OS gets rid of a good chunk of the worst privacy nightmares
Until this comes to be understood et large as a basic contributing doctrine of our basic value exchange system, this type of thing will continue to be more and more pervasive.
Given the multiple years we’ve been at it, I think a basic doctrine of privacy as a counterweight is too squishy to really settle in the public’s mind and countermand the negative effects of the surveillance at large.
A new counter doctrine will need to take place. I’m not sure what it would be.
"So you're saying everyone does it, no one really complains, all our competitors do it, it's legal... and highly profitable?"
I mean, of course they're doing it.
I can just see a board meeting "LG even records you when you watch TV?!?", uh, OK I guess, let's do it.
This has gotten to a point that we cannot let free markets resolve this, it requires government regulation and laws. I'm fortunate enough to live in EU.
The surveillance capitalists sell your data to the highest bidder, with the agreement that the source of the data is not revealed.
Parallel construction allows the govt. to avoid judicial checks and therefore public scrutiny.
So it's a self-reinforcing cycle where companies get govt. favors at least as money if not policy, and the companies override constitutional limitations of the state.
Willingness to violate manufacturer warranty is the #1 barrier. If you don't care, there isn't much to stop you from figuring it out on your own. Angle grinder will get you into anything. Just be careful with those high voltage systems in EVs...
Just like how warranty void if removed stickers are a lie under: https://en.m.wikipedia.org/wiki/Magnuson–Moss_Warranty_Act
In good news, if your car is old enough and came with a 3G transmitter, data transmission won't work anymore since most 3G networks have been shut off [2]
If someone knows of a wiki somewhere that lists the years/car models and what types of tracking they actually perform (not just what's theoretically in their privacy policy) that would be much appreciated. It would be nice to know if, when I get in someone's car, the conversation might be recorded and sent somewhere. Or which car models are sending the recordings of the cameras installed on the outside (or inside?) that can be viewed by the employees and shared around the office (not theoretical) [3]
[1] https://www.mavericktruckclub.com/forum/threads/experience-w...
[2] https://jalopnik.com/here-are-the-ways-shutting-off-3g-is-go...
[3] https://www.reuters.com/technology/tesla-workers-shared-sens...
[0] https://www.toyotanation.com/threads/disabling-the-dcm-in-my...
So removing the roof antenna might do it...but then again it may render the system unable to start entirely (in the future it likely will). I suspect this is going to need to be reviewed on a car by car basis. And all of this assumes there isn't another antenna hidden somewhere else in the vast wiring loom (or on a pcb).
Might be CYA, but I suspect it's more like "If we hit up 23andMe (who definitely sells deidentified genetic data and in all likelihood also sells the same tracking info from using their site as everyone else) maybe we have enough inference to figure out your generic makeup."
Even on an intellectual level, I'm curious if this can be done. So yeah, pretty sure Kia's data science team is more than encouraged to crack that code
When they're actually doing it: "don't care, it was in the privacy policy, of course they do it"
I think it's good to resist at every step.
I would argue that they're at step 1, yes, but that step 1 is telling you these manufacturers have no respect for your privacy, period.
https://foundation.mozilla.org/en/privacynotincluded/subaru/
For those of you who think for yourselves and are still reading, I'll explain why.
They have the best practices of any connected car listed, it's all opt in, and they collect nothing tied to your ID. Privacy aside, also there's no haggling, and it's a better car with lower TCO and more efficient drive train and wicked fun. The leather and mahogany and built in cigar cutter is not there, but hey you have a charging network.
Back to privacy, to me it's a feature, not a bug, that you can view live video from your car's many cameras while you are far away from your car. I can check from the office whether my garage door is open. That's good, not bad. Mozilla is really amping up the hyperventilation to think of this as a negative.
If you read carefully it sounds like nobody contributing to the article actually sat in a Tesla and went through the experience of how choices are presented.
The way I look at it most of the negatives they tried very hard to come up with in the article for Tesla boil down to "it seems we aren't sure if we can trust them because look at us, doing business with Google, which is also a privacy nightmare, and if we posture like this, Tesla might too" which is all fair, but very weak.
You actually don't see Tesla posturing about privacy, although maybe they might after this article. That would be reasonable. When you do read the fine print, it is very good for consumer privacy.
Just buy a great car that you love, but also one that you won't regret buying later.
The Ukraine thing is more nuanced than the media makes it out to be. They are in the business of selling drama.
No. Because of the owner.
Also, will these brand track geolocation information, etc?
Insane that any regulator would approve of this. A car shouldn’t be smart, it should be hardware that knows nothing about you. You can then enhance the car with something like Apple car play since you already use that phone everywhere anyway.
750 billion a year industry? What kind of dystopia do we live in?
Should we move to a system where a company can only do things or make things that are in their direct industry? So a car company can only make and sell cars and not sell data?
I have no idea what the solutions are, but this sounds horrible.
1. One time payment
2. Subscription payments
3. Usage-based payments
4. Selling personal data (to other _products_)
5. Showing ads (based on data collected by the product itself or bought)
If Google makes a car in this world, they'd have the option of making the thing free and in turn it sells data they can use for their ad business, basically how I'd say they monetise Chrome (beyond that sweet web monopoly they get out of it).
I think that could potentially be a lot more honest, consumers would know exactly what price they pay. And it'd make it a bit harder to build and maintain a monopoly through strategic product portfolios.
Seems like there's an argument there that complex/hidden pricing schemes and the illusion of free are too much to ask the typical consumer to untangle, it'd therefore classify as consumer protection in my book.
I noticed that companies that run most of their business units as profit centers (where units also generate revenue from other units) seem to do better than those that have mostly revenue and cost centers and lots of politics in-between. So maybe we'd even get better products this way.
Edit: Upon reflection, what's difficult is defining what a product is in this model. My spontaneous approach is that a product is anything than you can choose or decline to use. If my smart TV maker says "well the home menu is a different product from the TV" - totally fine. Give consumers the choice of using a different home menu and you got a deal. If those two things are inseparably (by practical means) intertwined, it's one product.
My straightforward guess is cameras pointed in the car, or collect information from the phones in the car and try to extrapolate using techniques perfected by Meta.
>Should we move to a system where a company can only do things or make things that are in their direct industry? So a car company can only make and sell cars and not sell data?
I would be interested in that just to see what happens to the FANGs. Google can pick between youtube and chromebooks; meta can't have its own VR headset; what even happens to Apple? It would at least get more people thinking about if hyper monopoly/monopsony and vertical integration into every area of life is actually desirable.
But the fact that we’re even discussing this is ridiculous.
I do think the data collection method seems puzzling, but if it were as simple as audio, I think that's what would be mentioned.
For most people, even those who don't subscribe to the internet requiring service, there is no way to disable it. Especially when the radio device is inaccessible.
On a separate note, I recently got a CPAP machine. It comes with a copy of the terms and conditions that i had to sign and return to the doctor. Before you connect it, you must attach an external radio device.
Luckily, they botched the delivery and the device was 4 months late. Then when they finally sent it, it went to the wrong address. I called and said i never received it, before the neighbors brought my package. That's when i learned that the $1000 device i got was actually a subscription for $50 a month after the insurance contribution. I never plugged the radio device and the machine works just fine.
I paid $1000 for a fan with a tube, but at least I'm not paying for the subscription and never connected the spying component.
Less luck with my CPAP. The one I got through my doctor was subject to the same issues, and they even tried to charge me after I sent it back. The replacement I purchased off Craigslist had been used in a smoking household, which I didn't think would be a problem, but turned out to be a huge problem. Even after disassembling the thing, soaking every part I could in bleach, and meticulously cleaning the pump, it still pumps out air that smells faintly of tar and soot. It would be nice to live in a country where healthcare was accessible.
[1]: https://boulter.com/blog/2008/08/20/the-mattress-industry-is... (This does not reference the affiliate review hustle that has blown up since it was published.)
It would require a really huge uproar, boycotts, lawsuits, and a wide spectrum movement.
Hard to get that together in a world where political consciousness is constantly trapped in the tar pit of culture war trolling. The culture war pretty much guarantees no other issues can sway elections.
…and of course all that data driven microtargeting is used to drive culture war rage trolling to keep things this way. They know exactly what will make you mad, and thus distract you.
Whoever makes these policies must get a chuckle knowing people will never do this.
I wonder if Apple saw this coming when they started their automobile program, which seems less crazy to me the more time goes on. I always figured it had more to do with screen time and entertainment for when full autonomous driving becomes available. But the more I think about it, that will probably be less of a unique feature than privacy.
Internet-connected cars fail privacy and security tests conducted by Mozilla
3 days ago|632 comments
I drove my friends Subaru with lane assist and adaptive cruise control and such. It’s nice, but I figured with the level of data collection that’s going on in these cars plus the fact that there seemed to be a cellular internet connection baked into the car there had to be some fucked up nonsense going on
My daily driver, a 2016 smart fortwo, is not as fancy or practical. But it is through and through a “dumb” car despite the name. It has no real modern creature comforts aside from automatic windshield wipers and headlights. Otherwise it’s like a car from 1998 with modern crash safety and I love it for that. Maybe it collects a ton of data but I’m very confident it doesn’t phone home. Plus a rear engined manual! Although a 3 cylinder one lol. At least you can park it basically anywhere
You will have no choice to move freely once all cars are self driving.
You will be tracked even more than today with these cars.
Personally I think cars and freedom of movement are very important. And I do everything in my power to oppose self driving cars.
The fact that Nissan was the worst offender and Renault the least problematic is interesting and shows that GDPR has been helpful in getting European focused brands to take privacy seriously.
EDIT: Looked at a few privacy policies and the CCPA link is often hard to find. Keywords to look for: "CCPA", "California Privacy", some examples of links I found:
https://www.honda.com/privacy/your-privacy-choices
https://www.tesla.com/legal/privacy#data-sharing
https://www.ford.com/help/privacy/ccpa/
https://ksupport.kiausa.com/ConsumerAffairs/PrivacyManagemen...
Something interesting I found is also this: https://www.honda.com/privacy/CCPA-Metrics which shows how many requests Honda received. It seems not many are aware of CCPA rights and this number of requests is not enough to deter companies from gathering personal information. These metrics need to be orders of magnitude higher to make a difference in company behavior. It seems like an automated service to send these requests and more public awareness of CCPA could help here.
EDIT2: A lot of these forms ask whether you're submitting the request for yourself or you're an authorized agent doing it for someone else. I found more details on "authorized agents" on the CCPA FAQ: https://oag.ca.gov/privacy/ccpa. Maybe an organization like Mozilla or EFF could setup a service where you can authorize them to do this for you? Then you could just select a checkbox of companies that you want CCPA deletion requests for and it would be sent on a regular schedule (quarterly? yearly?). If such a service became popular, it could really disrupt the personal data gathering of companies.
> The Mozilla Foundation works to ensure the internet remains a public resource that is open and accessible to us all.
??