Previous discussion:<p><i>Internet-connected cars fail privacy and security tests conducted by Mozilla</i><p>3 days ago|632 comments<p><a href="https://news.ycombinator.com/item?id=37404413">https://news.ycombinator.com/item?id=37404413</a>
> Here's something you might not realize. The moment you sit in the passenger seat of a Subaru that uses connected services, you've consented to allow them to use -- and maybe even sell -- your personal information. According to their privacy policy, that means things like your name, location, "Audio recordings of Vehicle Occupants", and inferences they can draw about things like your "characteristics, predispositions, behavior, or attitudes." Call us bonkers, but we don't think that simply sitting in the passenger seat of someone's Subaru should mean you consent to having any of your personal information use for, well, pretty much anything at all. Let alone potentially sold to data brokers or shared with third party marketers so they can target you with ads about who knows what based on the the inferences they draw about you because you sat in the back seat of a Subaru in the mountains of Colorado. We're gonna really call out Subaru for this, because they lay it out so clearly in their privacy policy, but please know, Subaru isn't the only car company doing this sort of icky thing.<p>Am I reading this correctly? I could be a passenger in my friend's Subaru, or even in an Uber, and they claim they have a right to my personal data? Surely this isn't legal, there's no way they could claim to have consent for this...
My dad bought a new Renault EV last month. The first thing the salesman asked him:<p><pre><code> Salesman: "Do you have a Google account?"
My dad: "Yes, why?"
Salesman: "It's mandatory for purchasing a car with us."
</code></pre>
How is that even legal?
Most important sentence of the article is the first:<p>> All 25 major car brands reviewed in Mozilla’s latest edition of <i>Privacy Not Included (</i>PNI) received failing marks for consumer privacy, a first in the buyer's guide’s seven-year history.
Surveillance Economy all the way baby.<p>Until this comes to be understood et large as a basic contributing doctrine of our basic value exchange system, this type of thing will continue to be more and more pervasive.<p>Given the multiple years we’ve been at it, I think a basic doctrine of privacy as a counterweight is too squishy to really settle in the public’s mind and countermand the negative effects of the surveillance at large.<p>A new counter doctrine will need to take place. I’m not sure what it would be.
I went in there looking because of the amazing notion that car makers grant themselves the right to gather and divulge information related to (quote) your "sex life".
And indeed KIA wins the Internet of Creeps with the aforementied explicitly included in the data they somehow (how?) aim to gather and distribute to the winds. <a href="https://foundation.mozilla.org/en/privacynotincluded/kia/" rel="nofollow noreferrer">https://foundation.mozilla.org/en/privacynotincluded/kia/</a>
Genetic information is also included, but come on, does a KIA steering wheel suck up your sweat and send it to an hidden PCR machine???
I think the people at KIA who wrote that "cover our arses" legalese going through every piece of data they could possibly at one time gather needs to factor in the cost of some customers, me included, never ever getting a KIA. Anyways as I understand they are extremely easy to steal, looks like a failing brand won't be able to get parts (or private parts) for long.
> Several car brands also note that it is a driver’s responsibility to tell passengers about the vehicle's privacy policies.<p>Whoever makes these policies must get a chuckle knowing people will never do this.
Ok hackers. Tell us how to disable this crap. Surely all of this is easily defeated by removing the hardware that has the radio transmitter. Would love to see more technical articles on how all this stuff works such that it can be defeated or even better fake pumped.
These internet connected cars will eventually turn into Westinghouse Radiohubs. [1]<p>For most people, even those who don't subscribe to the internet requiring service, there is no way to disable it. Especially when the radio device is inaccessible.<p>On a separate note, I recently got a CPAP machine. It comes with a copy of the terms and conditions that i had to sign and return to the doctor. Before you connect it, you must attach an external radio device.<p>Luckily, they botched the delivery and the device was 4 months late. Then when they finally sent it, it went to the wrong address. I called and said i never received it, before the neighbors brought my package. That's when i learned that the $1000 device i got was actually a subscription for $50 a month after the insurance contribution. I never plugged the radio device and the machine works just fine.<p>I paid $1000 for a fan with a tube, but at least I'm not paying for the subscription and never connected the spying component.<p>[1]: <a href="https://news.ycombinator.com/item?id=22083759">https://news.ycombinator.com/item?id=22083759</a>
I wonder what happens when lawyers realize they can subpoena all that. My client was subject to a hit and run, please provide all data related to red Subarus in San Francisco on April first from 1 pm to 2 pm pacific. Yeesh. Seems like a lot of data to wrangle.
> The very worst offender is Nissan. The Japanese car manufacturer admits in their privacy policy to collecting a wide range of information, including sexual activity, health diagnosis data, and genetic data — but doesn’t specify how.<p>My dad just bought a Nissan Qashqai (I hate it, but wathever). For legal reference, I'm on Spain, so EU GDPR framework. Every single time you start the car it shows a consent screen for data aquisition. By memory... "Driving data, location, statistics, blablabla for the Nissan Connect program."<p><pre><code> - I haven't connected nor I have a user or anything at all in the Nissan Connect apps
- You can't disable the dialog, not even in the service menu
- I've been digging in forums and everyone says you have to bear with that for the whole life of the car
</code></pre>
That's not ethical, and probably not even legal.
I’m privacy conscious, and on the side of Mozilla here. But I wish the article showed examples of how the data is actually being shared rather than an analysis of the terms. What’s an example of my health data being used somewhere else. I know it’s hard to get proof of this but that is what would make the public more aware.
Curious how much less data these manufacturers get if I’m using CarPlay instead of their own homegrown console. It’s getting to the point where I straight up won’t purchase a new vehicle if it doesn’t offer CarPlay.<p>There’s probably other sensor gathering happening around the vehicle and obviously you can’t hide things like driving habits but it feels like staying out of the manufacturer’s homegrown OS gets rid of a good chunk of the worst privacy nightmares
Collect information about your sex life!? In what way?<p>Also, will these brand track geolocation information, etc?<p>Insane that any regulator would approve of this. A car shouldn’t be smart, it should be hardware that knows nothing about you. You can then enhance the car with something like Apple car play since you already use that phone everywhere anyway.<p>750 billion a year industry? What kind of dystopia do we live in?<p>Should we move to a system where a company can only do things or make things that are in their direct industry? So a car company can only make and sell cars and not sell data?<p>I have no idea what the solutions are, but this sounds horrible.
Humble suggestion: What if many enough people went through the motions of buying a car, and backed off at the last moment because of unacceptable data collection. That would piss off the car dealers, who might vent their frustration to the importers, who might pass a word to the factories and designers...
I assume calling out specific topics like users'sex life is a CYA move. They could very well be storing any and all audio in the car, at which point they could store info on anything said.
Connecting your phone to a rental or friends cars bluetooth will also snarf all your contacts and identifying phone data. Often times in a way that cannot be erased, even by a tech.
If it weren’t so hard to start a successful car company, I would say this is a situation ripe with opportunity. A privacy focused vehicle could probably sway enough customers for it to be a meaningful advantage, even if it wasn’t people’s number one priority.<p>I wonder if Apple saw this coming when they started their automobile program, which seems less crazy to me the more time goes on. I always figured it had more to do with screen time and entertainment for when full autonomous driving becomes available. But the more I think about it, that will probably be less of a unique feature than privacy.
14 year old script kiddies can also write a bash script and take over millions of vehicles from a home internet connection and make the crash<p>its been proven before: <a href="https://en.wikipedia.org/wiki/Chrysler#Chrysler_Uconnect" rel="nofollow noreferrer">https://en.wikipedia.org/wiki/Chrysler#Chrysler_Uconnect</a><p>and will be proven again<p>just like with all tech don't buy anything made after 1990. corporations now see your vehicle as a smart phone that just gets a stream of alpha quality software piled onto it and updated whenever they are told of their mistakes
Do the manufacturers have seperate aggrements for corporate/government fleet vehicles? Lots of confidential information would otherwise be recorded, like business deals and patient information.
Let me repeat what I have already state elsewhere : the only way the privacy nightmare ends is when we thouroughly regulate the personal data market out of existence - meaning going one step further than GDPR and just forbid any use of my personal data except in the context of fulfilling an actual purchase or specific request by me and for communicating with me to the extent I allow it. All other uses are banned.
How does any if this work for second hand cars? If I buy a car second hand, I'm not party of any agreement between the original owner and the car maker.
This is why I refuse to buy a new fancy car<p>I drove my friends Subaru with lane assist and adaptive cruise control and such. It’s nice, but I figured with the level of data collection that’s going on in these cars plus the fact that there seemed to be a cellular internet connection baked into the car there had to be some fucked up nonsense going on<p>My daily driver, a 2016 smart fortwo, is not as fancy or practical. But it is through and through a “dumb” car despite the name. It has no real modern creature comforts aside from automatic windshield wipers and headlights. Otherwise it’s like a car from 1998 with modern crash safety and I love it for that. Maybe it collects a ton of data but I’m very confident it doesn’t phone home. Plus a rear engined manual! Although a 3 cylinder one lol. At least you can park it basically anywhere
Self driving cars will be the worst offenders then.<p>You will have no choice to move freely once all cars are self driving.<p>You will be tracked even more than today with these cars.<p>Personally I think cars and freedom of movement are very important. And I do everything in my power to oppose self driving cars.
Both Nissan and Renault are under the same corporate umbrella (RNMA) and share parts and practices (including infotainment systems) quite regularly.<p>The fact that Nissan was the worst offender and Renault the least problematic is interesting and shows that GDPR has been helpful in getting European focused brands to take privacy seriously.
California has CCPA <a href="https://en.wikipedia.org/wiki/California_Consumer_Privacy_Act" rel="nofollow noreferrer">https://en.wikipedia.org/wiki/California_Consumer_Privacy_Ac...</a> Could this be used to force these companies to delete all personal data? It would have to be done periodically since after deletion the data would accumulate again. It seems like there's a potential business idea here of automatically sending out CCPA deletion notices to companies on a schedule. While this wouldn't stop the collection of data, regularly interrupting them with deletion requests could make storing personal data costly enough to at least reduce whatever profits they would get from it.<p>EDIT: Looked at a few privacy policies and the CCPA link is often hard to find. Keywords to look for: "CCPA", "California Privacy", some examples of links I found:<p><a href="https://www.honda.com/privacy/your-privacy-choices" rel="nofollow noreferrer">https://www.honda.com/privacy/your-privacy-choices</a><p><a href="https://www.tesla.com/legal/privacy#data-sharing" rel="nofollow noreferrer">https://www.tesla.com/legal/privacy#data-sharing</a><p><a href="https://www.ford.com/help/privacy/ccpa/" rel="nofollow noreferrer">https://www.ford.com/help/privacy/ccpa/</a><p><a href="https://ksupport.kiausa.com/ConsumerAffairs/PrivacyManagement" rel="nofollow noreferrer">https://ksupport.kiausa.com/ConsumerAffairs/PrivacyManagemen...</a><p>Something interesting I found is also this: <a href="https://www.honda.com/privacy/CCPA-Metrics" rel="nofollow noreferrer">https://www.honda.com/privacy/CCPA-Metrics</a> which shows how many requests Honda received. It seems not many are aware of CCPA rights and this number of requests is not enough to deter companies from gathering personal information. These metrics need to be orders of magnitude higher to make a difference in company behavior. It seems like an automated service to send these requests and more public awareness of CCPA could help here.<p>EDIT2: A lot of these forms ask whether you're submitting the request for yourself or you're an authorized agent doing it for someone else. I found more details on "authorized agents" on the CCPA FAQ: <a href="https://oag.ca.gov/privacy/ccpa" rel="nofollow noreferrer">https://oag.ca.gov/privacy/ccpa</a>. Maybe an organization like Mozilla or EFF could setup a service where you can authorize them to do this for you? Then you could just select a checkbox of companies that you want CCPA deletion requests for and it would be sent on a regular schedule (quarterly? yearly?). If such a service became popular, it could really disrupt the personal data gathering of companies.
Can anyone more familiar with the subject let us know around what year of manufacturing in cars did this trend start? I don't particularly want to keep driving a petrol car, but seriously don't want this crap either.. I might just keep my 2010 alive as long as I can.
Are commercial vehicles the same as consumer vehicles? I know there's not really a great distinction, at least in the U.S. but if I buy a cargo van and add some seats to it, is there some distinction between that and the latest super-connected consumer model sedan?
I was always skeptical of these fancy new vehicles with shiny electronics. I'm glad I still drive a 15 year old car and a 10 year old motorcycle where the most advanced tech is ABS.
although the article is mostly about in-car privacy, try querying your personal identifiable data at major auto brands online, no matter if you bought a car there or you sometimes stopped in the buying process. good luck! it's a nightmare - not only for you to file your wish, but also to get the data. and its your legal right with GDPR. tried it on two brands, it's a true nightmare.
Just buy a Tesla.<p>For those of you who think for yourselves and are still reading, I'll explain why.<p>They have the best practices of any connected car listed, it's all opt in, and they collect nothing tied to your ID. Privacy aside, also there's no haggling, and it's a better car with lower TCO and more efficient drive train and wicked fun. The leather and mahogany and built in cigar cutter is not there, but hey you have a charging network.<p>Back to privacy, to me it's a feature, not a bug, that you can view live video from your car's many cameras while you are far away from your car. I can check from the office whether my garage door is open. That's good, not bad. Mozilla is really amping up the hyperventilation to think of this as a negative.<p>If you read carefully it sounds like nobody contributing to the article actually sat in a Tesla and went through the experience of how choices are presented.<p>The way I look at it most of the negatives they tried very hard to come up with in the article for Tesla boil down to "it seems we aren't sure if we can trust them because look at us, doing business with Google, which is also a privacy nightmare, and if we posture like this, Tesla might too" which is all fair, but very weak.<p>You actually don't see Tesla posturing about privacy, although maybe they might after this article. That would be reasonable. When you do read the fine print, it is very good for consumer privacy.<p>Just buy a great car that you love, but also one that you won't regret buying later.