The connected car has become the latest casualty in the war on personal privacy. This is because your car’s “subscription-based features drastically increase the amount of data that can be accessed during law enforcement investigations,” Dell Cameron wrote for Wired magazine recently. And while most car makers state that they can’t obtain access to this data without some kind of court order, that isn’t the final answer. What congressional investigators found is that some car makers will divulge this data when contacted by law enforcement. And then there is this: there is no hard and fast rule of what data can be collected, because it varies by the make and model of your car, whether you once had any connected car subscription service (such as GM’s OnStar), and what broadband provider you use.
Re-read that last sentence again. Even if you cancelled your OnStar subscription, your Chevy might still be recording when you took it to the levee. There is some direct evidence of this, based on data found in police documents that Wired and the ACLU saw from several investigations.
I wrote about connected car issues almost three years ago, but not from a privacy POV. That post shows that car companies have embraced subscription services, thanks to Telsa’s early lead (so much for that) and a realization that they could extract recurring revenue that had a better aura than so-called “extended warranties.” Figuring out the costs of the various subscription options is still not easy. For example, GM’s OnStar has a confusing series of different plans. With BMW, you can get an idea of what connected service is available here, but to get actual prices you will first have to become a BMW customer. Some features are free and some require the latest car OS v9 or are only available on particular vehicles. And for those of you still interested in Tesla, they have a free basic plan – which just includes GPS. If you want more features you will have to sign up for its premium plan that includes dozens of other features for $10 a month. And we found out the hard way that all Teslas are really roving reality video studios – meaning that they are constantly recording from their numerous cameras — when one of their cars blew up outside a Vegas casino.
Think of the data originating from your connected car as the hidden browser pixel: you know there is something fishy going on. Whether or not you are paranoid enough to worry about it, or just accept it as another part of modern life, is up to you.
David,
Consider also that the insurance industry is pushing very aggressively to have all cars report in this manner. It is formally called “telematics”. Each state’s DOI handles this differently. I agree that Tesla vehicles cross the lines in terms of privacy, but consider in this context that publicly we do not know exactly what Tesla software does. What are the telematic metrics being collected? What analytics are being drawn from this data lake? Is this information then being sold to the highest bidder or nefarious country. History also shows that disputes with Tesla could result in someone pushing a button to shutdown the car. That is too much control.
This is driver surveillance at its finest and most intrusive. And, of course, there is no legislation to protect people. All one can do is simply stop paying for any service, then demand that the service be removed entirely from the car. The ability to remove surveillance entirely needs to be part of one’s buying decision, and maybe even highlighted in the very objective Consumer Reports. We may become enough of a surveillance state even without this stuff!
Agreed
I feel like I’ll repeat this complaint until my untimely death, but this directly bumps up against the Fourth Amendment of the U.S. Constitution. “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated.” When GPS was new my concern was that someone with that enabled on their phone or car will be driving by a location where a crime is committed, in doing their due diligence, police chasing down leads will gather the data from that the users’ device and could be used to make the owner of that device a suspect simply because they were in the “wrong place at the wrong time”. If it’s actually valid evidence, or could help to uncover some, that must be collected like any other evidence – with a warrant. This brings me back to the point of this post, with any user data collected the questions of; what data is collected, how is it stored, is it encrypted during storage, is it encrypted during transport, and how long is that data retained. Car companies, or any company, will work to monetize that data, regardless of the original intent of why it was collected and saved in the first place. Additionally we’ve all been part of class action suits where companies get a fine for not following the procedures they originally promised to and their slap on the wrist includes mailing users a check years later for something like $17.00. This is all because we want the latest gadgets that our friends or co-workers have, and we blindly click past all EULAs in an effort to have that shinny new item to brag about on Facebook.
David, because I’m weird I always fall back to my early IT days when I did site QA, at the bottom of all of your posts you have the text:
“This entry was posted in digital home, security by dstrom. Bookmark the permalink.”
The link for `dstrom` rightfully points to the correct author page I believe: https://blog.strom.com/wp/?author=2 however that gives an error:
“forbidden – number in author name not allowed = 2”
This happens when I try to write my name in the comment field below as fak3r… I seems it’s a spam protection feature gone awry.
Anyway to fix this, you can re-point the link to: https://blog.strom.com/wp/?author=dstrom and then it works fine.
Also, my last day at my current role is tomorrow so I plan on taking May off and hopefully writing more on my blog, which I truly miss. In a similar “fighting against spam and bots” the security software internal in Edward Jones blocks links to my blog https://fak3r..com – dropping it in the ‘blogs’ category. Always frustrating when I’m trying to look up technical articles to do my job and do what I do at home, try and read others advice and experience online, often on their own blogs. Anyway, the shortsightedness is always a hindrance, as it is here, but I have my Linux desktop right next to my Windows work computer so I can look things up there unencumbered. Oh, and my site has been blocked by security software at other places I’ve worked, and at one time it was blocked for promoting “hacking” which I was quite proud of, not sure how I got demoted to ‘blogs’ or why a now 20 year old blog mainly focused on technology, open source and Linux is so scary, but I guess I have a different viewpoint.
Thanks as always for your posts, they make me think and help me to articulate lots of things I’m thinking about. I’m going to share a link this post of your along with some quotes from it to the EFF (Electronic Frontier Foundation) LinkedIn discussion group I founded years ago to discuss such topics. Hope you’re well, keep on fighting the good fight.
A huge service that somebody could provide is a primer on how to avoid and prevent unwanted “services” from auto dealers and other providers. And when will we have legislation setting limits on these activities. For sure, all providers should be required to make a simple, clean, decisive “opt out” choice available.