
It's perfectly legal for cars to harvest your texts, call logs

236 points by Caboose8685, over 1 year ago

16 comments

bri3d, over 1 year ago
I dug into the technical details here over the last few days and as usual it's not quite as sinister as the hand-wringing:

* Automotive head units are just embedded computers. Most run Linux, QNX, or Windows CE, with some proprietary UI system on top.

* These machines usually store data in an onboard database in flash (sometimes just SQLite).

* Sometimes, phone data is captured using standard Bluetooth mechanisms (Message Access Protocol MAP and Phone Book Access Protocol PBAP) which require authorization on the phone side. Some vendors implement an additional "are you sure you want to share your information" check on the head unit side, and others don't.

* This data is cached on the head unit so that finding a contact to call or reading a text message doesn't require 10 minutes' worth of Bluetooth nonsense.

* Some vendors inadequately purge this cached data when a Bluetooth pairing is removed from the head unit.

* Berla sell data extraction exploits to law enforcement, just like other forensics vendors do for mobile phones. Sometimes this can extract latent data and sometimes active data.

My advice:

* Never authorize a head unit to download your contacts or SMS.

* If you use a rental car, Factory Reset the head unit when you leave.

That's decent protection for most people. I didn't find any evidence pointing to a central server upload, a conspiracy to build an LE database, etc. It's just typical crappy hardware manufacturer-made software leaving data around that shouldn't be left around, creating an opening for forensic vendor exploits to slurp the data.
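Added example, not part of the thread and not any vendor's code: the comment above notes that head-unit caches are sometimes plain SQLite and that some units inadequately purge cached phone data when a pairing is removed. The sketch below uses a hypothetical `contacts` schema and constructed sample rows to contrast a plain row delete with one that scrubs the file (`PRAGMA secure_delete` plus `VACUUM`), and checks the raw database bytes for leftover contact data.

```python
import os
import sqlite3
import tempfile

# Constructed sample data: two paired phones with made-up addresses.
PHONE_A = "AA:AA:AA:AA:AA:AA"   # pairing that is about to be removed
PHONE_B = "BB:BB:BB:BB:BB:BB"   # pairing that stays on the unit
MARKER = b"Alice Constructed"   # contact name cached from PHONE_A
ROWS = [(PHONE_A, "Alice Constructed", "+1-555-0100"),
        (PHONE_A, "Bob Constructed", "+1-555-0101"),
        (PHONE_B, "Carol Constructed", "+1-555-0102")]


def build_cache(path):
    """Create the hypothetical contact cache (schema is an assumption)."""
    db = sqlite3.connect(path, isolation_level=None)  # autocommit mode
    db.execute("CREATE TABLE contacts (device TEXT, name TEXT, number TEXT)")
    db.executemany("INSERT INTO contacts VALUES (?, ?, ?)", ROWS)
    db.close()


def unpair(path, device, scrub):
    """Remove one pairing's cached rows; scrub=True also erases the bytes."""
    db = sqlite3.connect(path, isolation_level=None)
    # OFF is set explicitly because some SQLite builds default to ON.
    db.execute("PRAGMA secure_delete = " + ("ON" if scrub else "OFF"))
    db.execute("DELETE FROM contacts WHERE device = ?", (device,))
    if scrub:
        db.execute("VACUUM")  # rebuild the file so no free space remains
    db.close()


def residue_after(scrub):
    """Return (rows still visible to SQL, marker present in raw file bytes)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "cache.db")
        build_cache(path)
        unpair(path, PHONE_A, scrub)
        db = sqlite3.connect(path)
        query = "SELECT COUNT(*) FROM contacts WHERE device = ?"
        visible = db.execute(query, (PHONE_A,)).fetchone()[0]
        db.close()
        with open(path, "rb") as fh:
            return visible, MARKER in fh.read()


if __name__ == "__main__":
    print("plain delete :", residue_after(scrub=False))
    print("scrubbed     :", residue_after(scrub=True))
```

Both runs report zero rows through SQL; only the raw-byte check tells them apart. Scrubbing at the SQLite layer does not reach unlinked journal blocks or copies left by flash wear-levelling.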
SenAnder, over 1 year ago
> In other words, it's A-OK for your car to "automatically and *without authorization*, instantaneously intercept, record, download, store, and [be] capable of transmitting" text messages and call logs since the privacy violation is potential, but the injury not necessarily actual.

So it's effectively legal to sell backdoored hardware and software to spy on people. I wonder what would happen if I sold backdoored phones to Volkswagen employees, execs, and their children. To judges and politicians and lawyers. A-OK until there was "actual injury", and even then, it is only the injury that would be wrong?
karaterobot, over 1 year ago
> "To succeed at the pleading stage of a WPA claim, a plaintiff must allege an injury to 'his or her business, his or her person, or his or her reputation,'" the judges ruled. "Contrary to Plaintiffs' argument, a bare violation of the WPA is insufficient to satisfy the statutory injury requirement."

I think the title is misleading. Unless I'm missing something, it sounds like the decision wasn't that it's legal to harvest text and call logs, it was that these cases did not demonstrate an injury was caused as a result of doing so. Presumably if the plaintiffs proved some injury other than not wanting it to happen, things could have been different.
andersrs, over 1 year ago
Reading these stories makes me love my shitty old 16-year-old Civic. It's modern enough to have cruise control, AC and a fairly decent engine. But not so modern that reliability is compromised in the name of fuel economy and it's also not a "rude-ass car" with dumb features nobody asked for. I could afford a better car of course but I don't drive much and I'm not inspired by these rude-ass features.
client4, over 1 year ago
I've been trying to figure out how to disable my truck's cellular antenna without disabling any other systems. It's proven more difficult than I thought.
luhn, over 1 year ago
Another reason to prefer Apple CarPlay and Android Auto.
lotsofpulp, over 1 year ago
This is why I would not consider connecting my phone to anything other than CarPlay/Android Auto.
forrestthewoods, over 1 year ago
I can believe iOS doesn’t offer protection against this garbage. There’s no way to connect a phone to something and on the device side say “this is an untrusted connection; don’t give it shit”.

It’s especially frustrating with rental cars. But I don’t even trust my own personal car!
kleene_op, over 1 year ago
> "To succeed at the pleading stage of a WPA claim, a plaintiff must allege an injury to 'his or her business, his or her person, or his or her reputation,'" the judges ruled.

So... It's okay if I record private conversations from high-ranking state officials as long as I don't harm their reputation with it?

It's okay if I stole state intelligence as long as I don't harm my country with it?
olliej, over 1 year ago
If you read the original lawsuit, the issue is that the car's infotainment system is set to forward/display messages and calls from your phone, and that that information is stored or logged persistently, and that can't be deleted/cleared by the user.

The claimed invasion of privacy is that a person with the diagnostic tools and physical access to your car can extract those logs.

Presenting this as "car manufacturers can steal your text and call logs" is disingenuous.

Don't get me wrong, it's clearly not a great thing for the car to be doing (especially in the context of rental cars for instance) but it isn't the catastrophe people are claiming.
graphe, over 1 year ago
My Toyota asks for permission and if I grant it then it'll "harvest" my texts and calls. How horrible and unexpected.

The title and the conclusion are biased and of poor quality. It should be "car manufacturers didn't get fined for the way their old head units worked".
holri, over 1 year ago
One more reason to use the bicycle.
almatabata, over 1 year ago
> store each intercepted, recorded, and downloaded copy of text messages in non-temporary computer memory in such a manner that the vehicle owner cannot access it or delete it,

You might think why care if it's your own car. But if you rent cars this can become an issue where if poorly implemented the next driver could access the information.

It is such an easy feature to implement and suppliers in Europe already do this due to GDPR. I remember working for an automotive supplier where we implemented this feature. The whole phonebook was actually downloaded onto the unit in an encrypted database. The system would decrypt it on the fly as needed. When GDPR came around we had to implement a wipe feature that would allow the user to delete their profile which included that database.

I feel like GDPR for all its flaws had a positive impact in that it forced the supplier to actually care about this use case.
robbywashere_, over 1 year ago
It’s perfectly legal for your car to taunt and harass you. What are you going to do? Sue your car!?
acd, over 1 year ago
Not in EU
zzzcsgo, over 1 year ago
They do ask first as far as I know