Car Companies: Stop Your Huge Data Collection Programs
foundation.mozilla.orgBelow is the full-text of a Mozilla campaign email I received. Mozilla’s consumer buyer’s guide Privacy not included reviews apps and consumer electronics to help the general public choose products that better respect their privacy, and occasionally organizes petitions & campaigns to push for privacy regulation and accountability.
The bad news: major car companies say they can listen to us in our cars, collect our genetic information, track information about our sex lives, and sometimes even sell our personal information to places we don’t even know.
The good news: major car companies are also listening to our complaints about data privacy.
Last week, [Mozilla] revealed research showing that 25 global car brands are out of control when it comes to collecting, protecting, and even selling our personal information. And [Mozilla] stirred up a hornet’s nest.
Immediately, the auto industry scrambled to defend their disturbing surveillance practices: They spoke to the international press and wrote to the United States Congress, claiming that their car companies are “committed to protecting consumer privacy” and even called for regulation themselves.
As infuriating as this may be, it’s actually good news for our cause. If the auto industry is already getting so defensive, it means they are feeling the pressure from our research and all the bad press. And that means we’re making an impact.
Now is the time to use the momentum, increase public pressure and make car companies stop their intrusive data collection practices. Will you join thousands of Mozilla supporters and become part of the campaign?
A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn’t great, if contents of the website are behind a paywall maybe copy them into the post
- Don’t promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
Chat rooms
-
[Matrix/Element]Dead
much thanks to @gary_host_laptop for the logo design :)
- 0 users online
- 84 users / day
- 537 users / week
- 1.5K users / month
- 6.58K users / 6 months
- 1 subscriber
- 2.3K Posts
- 53.2K Comments
- Modlog
I just sent a request to get all info they had on me and my car. Will be interesting
Every time a corporation or group of corporations ask for regulations to be placed on themselves, that’s a massive red flag that they are going to lobby to cut the legs off of that regulation, or they will make the regulation give them more power.
An optimistic interpretation is that they feel like they can’t stop data collection without being hurt in the marketplace by competitors who will make more money by continuing to collect data, so they want governmentregulations to level the playing field.
That’s being really charitable though…
It’s all about dat $$$ for the shareholders. Not a bad interpretation, though.
how do cars transmit the data they collect if they don’t have a wifi connection?
Cellular modems.
And of course disabling these modems cause the cars to throw up warnings and potentially put the car in limp mode, so you can’t even turn the damn things off without potentially bricking the car.
Depends on the car. IIRC in newer GM cars you can just pull the fuse for the cellular modem and generally just lose the connected features.
But it is also likely that the car companies have a separate system in the car’s computer that acts independently of the main infotainment system for sending data. Even if you aren’t paying for any of the “extras/add-ons”, it could still get information from your phone just being used with Bluetooth or ping your WiFi if it is on and your phone visible. Also given how much more actively these companies are all trying to get passive income from our data. I wouldn’t be shocked if the other commenter’s point about getting all kinds of “errors” popping up if disabled (especially if a fuse is pulled/modified). We already see that non-car companies like John Deere go to some big levels to remove your control over something you bought and DRM shit that has zero reason outside of forcing us to pay only them for repairs. We as people aren’t allowed to control both our physical devices or our data, and big corps are just allowed to skim everything and sell it to any other parties that pay for it. Hell even our legal system and enforcement are allowed to bypass our rights that prevent search and seizure by just going to these companies instead of us.
No, that isn’t likely. People have fully disassembled these cars. There isn’t a secret second telematics module inside the seat cushions. If you disconnect power from the telematics module it can’t transmit data. If you want to be extra sure you can also wrap the module in faraday material, disconnect the antennas, or remove it completely. Data transmission isn’t magic; it requires hardware.
At that point the most that could happen would be a mechanic dumping the data and uploading it to GM. Big corps are high resource, low motivation adversaries. They’re not going to spend tons of time and effort going after the <0.1% of people who physically disconnect telematics modules.
Slight modification to my point as I think I was meaning to say that they could have a separate system in the first sentence. Like maybe there isn’t one right now (as you point to by stating that folks have fully disassembled current cars), but they could add one or more as they gain profits from either directly using the data or (more likely) from selling the data.
As for the later point you made about them not bothering for the <0.1% of people. How long is it worth just assuming that they won’t do it as they try to find any and all ways to generate profits? They could start moving to the Apple repair tactics of requiring parts to be paired to the vehicle and require “calibration” using their tightly controlled systems in order to have very basic things work correctly. Which removing fuses to those data mining “features” could start shit like a constant system error check light or artificially disable unrelated things.
Honestly feel free to just stick to the top two paragraphs. I went down a rant rabbit hole beyond my initial point. But leaving it here as it still has some amount of value (not sure how much and to whom).
To use Apple again, if you replace a display with a third-party or even a real part but not one they sent you directly (and therefore isn’t a valid repair listed for your phone). You all of a sudden get a list of “scary” sounding warning alerts all the time about how the parts can’t be verified or calibrated. Which then leads to shit like auto-brightness, truetone colour, and even one or more cameras not working or pictures taken not saving/not being post processed with their software that makes the images look as good as they do. All that because the screen was replaced that they didn’t approve of. Sure some things like bio-metrics might make some sense to be disabled due to the non-zero chance that someone could put a hacked part on that could maybe possibly steal your shit for gaining access to your device/account/money. But shit can’t dim or do basic shit (even if the replacement is a real part).
Given how drastically so many companies of all kinds are finding it harder and harder to make numbers go up for the shareholders (which is a legal duty to do literally everything possible to do so). Especially as prices for everything are being artificially upped under the pretend guise of “inflation”. But it is really more about how they have to charge more so that those shareholders and the top level people can keep making more (but not workers). The level of data mining for passive income is invading all of our shit at levels that really should be freaking more people out. More of these car companies that were bragging about having built-in CarPlay/Android Auto a couple of years ago are now removing them in order to artificially require using rebranded access to them. Locked behind yet another subscription that they can just stop allowing to work every few years. Got to install their apps on your devices. Going to get worse as they find more and more things to “require” having their app. Even if not using your car at the time, it can try to find out what you do and where.
We at the very least need to have all that shit controlled in the interest of users/buyers with very clear legal requirements that at least it be very easy to see a full list of what is, how it is, why it is, and where it is being collected from. And it needs to be legally required that these lists or whatever are written in ways that someone with an 8th grade level of education can read and understand. So no just having an insane amount of super micro tiny legalize TOS stuff like we see with everything currently and hidden away in some cases. Each model of every car with every trim/add-on package should have that list in both print manuals in each car, and have it permanently (and very very easily to locate) on that manufacturer’s site.
Every time you take your car to be serviced by tge dealer it’s plugged into a diagnostics computer which reads the ECU, with the price of storage it is entirely possible that disabling the cell connection just causes the ECU to write it to local storage for upload at service read. The diagnostics machines are definitely connected to manufacturer servers.
Doing so is trivially easy the telematics is going to be caching before sending, all you need to do is manufacture that cache storage to be large enough (and it’s flatfiles we’re talking megs not gigs) and tell the software not to delete until it has an an acknowledged receipt of transfer.
If you’ve removed or disabled the telematics module and its antennas then your most sensitive data - your location - can’t be collected. GPS and mobile data technologies don’t work without hardware, antennas, and electricity.
At that point even if there’s a back-up collection system the most a dealer could dump would be general driving and usage data. That’s a non factor for 99.99% of people, but if that is an issue in your threat model then you should avoid dealers and work only with trusted, independent mechanics. And frankly if your average speed or odometer reading is that sensitive you’re probably on the run and have bigger issues to worry about.
I guess they could also dump your contacts or call data if you’ve synced those with your car, but you shouldn’t be doing that in the first place. Data collection isn’t magic. Don’t give the car data and it won’t have it.
Shop for cars that work fine with their telematics modules & antennas disabled or removed, disable/remove them when you buy yours, and you’ll be fine.
Like it or not, Mozilla is among the last bastions of sound, honest software.
If we are talking major software making companies/groups, then I’ll happily agree pretty much 100% with that statement because there are definitely plenty of small groups following their footsteps in one way or another.
I have friends there and have sold to their infosec team before. It’s real as fuck. The people are about it. I love them.
deleted by creator
“Gee whizz we awe vewy sowwy fow doing a pwivacy invasion” 👉👈🥺
I’m beyond sick of corporations knowing they can do whatever they want as long as they run to congress and flagrantly lie.
[…] vewy sowwy fow being cawt doing […] *
Actually it wouldn’t be outrageous for them to call for regulation. Right now they are almost forced to do what everyone else is doing to stay competitive. It there were more regulations they could all compete on a better level.
To be a fair here even though I dislike corporations just as much. In the past I have seen big corporations call for regulations in their own shady tactics. In those cases they felt like they needed those malicious practices to stay competetive with the other companies doing the same shit. Basically they want to stop but feel like they can’t since the competition is doing it too.
I’m not sure this is the case here. But that stuff sometimes happens.
Yeah but those supposed companies that “needed those malicious practices to stay competitive” also could have done the thing Mozilla is now doing. Could even use direct knowledge and proof of those practices in a big ad campaign about how they actively don’t want all your info. This “doing it because everyone is doing it” headspace is one of the many corpo versions of “just following orders.” I understand the point you are making, but it isn’t like any of these companies are too small to fight back. Allowing this kind of thing (beyond just this specific instance) just further gaslights us at a consumer level into continued abuse being normalized and okay. Which makes it even harder to do anything about it.
Just like with how we see that a major amount of voters literally just give up and see everything as pointless in doing anything (and that is assuming that they even know about any information at all). Or how we are trained to only see one or two day polite marches in protest of something as being the whole “fight” and just go home. But when people don’t just go home or “stay out of normal people’s ways” it is seen as those protesters being “unrealistic” or even “assholes in the way.” The whole point of protests is to literally be as in the way of “normal life” as possible to push whatever change they are fighting for.
I actually agree with all your points.
I just think regulation which outlaws the problematic or unethical behavior is one possible way to improve the situation. And I am not against a company calling for these kinds of regulations.
Even with Mozilla as an example. Banning or limiting data collection or web standard warping practices would strengthen Mozilla against their competition.