Below is the full-text of a Mozilla campaign email I received. Mozilla’s consumer buyer’s guide Privacy not included reviews apps and consumer electronics to help the general public choose products that better respect their privacy, and occasionally organizes petitions & campaigns to push for privacy regulation and accountability.
The bad news: major car companies say they can listen to us in our cars, collect our genetic information, track information about our sex lives, and sometimes even sell our personal information to places we don’t even know.
The good news: major car companies are also listening to our complaints about data privacy.
Last week, [Mozilla] revealed research showing that 25 global car brands are out of control when it comes to collecting, protecting, and even selling our personal information. And [Mozilla] stirred up a hornet’s nest.
Immediately, the auto industry scrambled to defend their disturbing surveillance practices: They spoke to the international press and wrote to the United States Congress, claiming that their car companies are “committed to protecting consumer privacy” and even called for regulation themselves.
As infuriating as this may be, it’s actually good news for our cause. If the auto industry is already getting so defensive, it means they are feeling the pressure from our research and all the bad press. And that means we’re making an impact.
Now is the time to use the momentum, increase public pressure and make car companies stop their intrusive data collection practices. Will you join thousands of Mozilla supporters and become part of the campaign?
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
much thanks to @gary_host_laptop for the logo design :)
Cellular modems.
And of course disabling these modems cause the cars to throw up warnings and potentially put the car in limp mode, so you can’t even turn the damn things off without potentially bricking the car.
Depends on the car. IIRC in newer GM cars you can just pull the fuse for the cellular modem and generally just lose the connected features.
But it is also likely that the car companies have a separate system in the car’s computer that acts independently of the main infotainment system for sending data. Even if you aren’t paying for any of the “extras/add-ons”, it could still get information from your phone just being used with Bluetooth or ping your WiFi if it is on and your phone visible. Also given how much more actively these companies are all trying to get passive income from our data. I wouldn’t be shocked if the other commenter’s point about getting all kinds of “errors” popping up if disabled (especially if a fuse is pulled/modified). We already see that non-car companies like John Deere go to some big levels to remove your control over something you bought and DRM shit that has zero reason outside of forcing us to pay only them for repairs. We as people aren’t allowed to control both our physical devices or our data, and big corps are just allowed to skim everything and sell it to any other parties that pay for it. Hell even our legal system and enforcement are allowed to bypass our rights that prevent search and seizure by just going to these companies instead of us.
No, that isn’t likely. People have fully disassembled these cars. There isn’t a secret second telematics module inside the seat cushions. If you disconnect power from the telematics module it can’t transmit data. If you want to be extra sure you can also wrap the module in faraday material, disconnect the antennas, or remove it completely. Data transmission isn’t magic; it requires hardware.
At that point the most that could happen would be a mechanic dumping the data and uploading it to GM. Big corps are high resource, low motivation adversaries. They’re not going to spend tons of time and effort going after the <0.1% of people who physically disconnect telematics modules.
Slight modification to my point as I think I was meaning to say that they could have a separate system in the first sentence. Like maybe there isn’t one right now (as you point to by stating that folks have fully disassembled current cars), but they could add one or more as they gain profits from either directly using the data or (more likely) from selling the data.
As for the later point you made about them not bothering for the <0.1% of people. How long is it worth just assuming that they won’t do it as they try to find any and all ways to generate profits? They could start moving to the Apple repair tactics of requiring parts to be paired to the vehicle and require “calibration” using their tightly controlled systems in order to have very basic things work correctly. Which removing fuses to those data mining “features” could start shit like a constant system error check light or artificially disable unrelated things.
Honestly feel free to just stick to the top two paragraphs. I went down a rant rabbit hole beyond my initial point. But leaving it here as it still has some amount of value (not sure how much and to whom).
To use Apple again, if you replace a display with a third-party or even a real part but not one they sent you directly (and therefore isn’t a valid repair listed for your phone). You all of a sudden get a list of “scary” sounding warning alerts all the time about how the parts can’t be verified or calibrated. Which then leads to shit like auto-brightness, truetone colour, and even one or more cameras not working or pictures taken not saving/not being post processed with their software that makes the images look as good as they do. All that because the screen was replaced that they didn’t approve of. Sure some things like bio-metrics might make some sense to be disabled due to the non-zero chance that someone could put a hacked part on that could maybe possibly steal your shit for gaining access to your device/account/money. But shit can’t dim or do basic shit (even if the replacement is a real part).
Given how drastically so many companies of all kinds are finding it harder and harder to make numbers go up for the shareholders (which is a legal duty to do literally everything possible to do so). Especially as prices for everything are being artificially upped under the pretend guise of “inflation”. But it is really more about how they have to charge more so that those shareholders and the top level people can keep making more (but not workers). The level of data mining for passive income is invading all of our shit at levels that really should be freaking more people out. More of these car companies that were bragging about having built-in CarPlay/Android Auto a couple of years ago are now removing them in order to artificially require using rebranded access to them. Locked behind yet another subscription that they can just stop allowing to work every few years. Got to install their apps on your devices. Going to get worse as they find more and more things to “require” having their app. Even if not using your car at the time, it can try to find out what you do and where.
We at the very least need to have all that shit controlled in the interest of users/buyers with very clear legal requirements that at least it be very easy to see a full list of what is, how it is, why it is, and where it is being collected from. And it needs to be legally required that these lists or whatever are written in ways that someone with an 8th grade level of education can read and understand. So no just having an insane amount of super micro tiny legalize TOS stuff like we see with everything currently and hidden away in some cases. Each model of every car with every trim/add-on package should have that list in both print manuals in each car, and have it permanently (and very very easily to locate) on that manufacturer’s site.
Every time you take your car to be serviced by tge dealer it’s plugged into a diagnostics computer which reads the ECU, with the price of storage it is entirely possible that disabling the cell connection just causes the ECU to write it to local storage for upload at service read. The diagnostics machines are definitely connected to manufacturer servers.
Doing so is trivially easy the telematics is going to be caching before sending, all you need to do is manufacture that cache storage to be large enough (and it’s flatfiles we’re talking megs not gigs) and tell the software not to delete until it has an an acknowledged receipt of transfer.
If you’ve removed or disabled the telematics module and its antennas then your most sensitive data - your location - can’t be collected. GPS and mobile data technologies don’t work without hardware, antennas, and electricity.
At that point even if there’s a back-up collection system the most a dealer could dump would be general driving and usage data. That’s a non factor for 99.99% of people, but if that is an issue in your threat model then you should avoid dealers and work only with trusted, independent mechanics. And frankly if your average speed or odometer reading is that sensitive you’re probably on the run and have bigger issues to worry about.
I guess they could also dump your contacts or call data if you’ve synced those with your car, but you shouldn’t be doing that in the first place. Data collection isn’t magic. Don’t give the car data and it won’t have it.
Shop for cars that work fine with their telematics modules & antennas disabled or removed, disable/remove them when you buy yours, and you’ll be fine.