We are going to learn so many disturbing things that data brokers (which includes basically every large corporation) are doing in the next years.
From the complaint:
Plaintiff did not want OnStar services and so he did not push the blue button "to get started." The email provides no mention of OnStar's Smart Driver Program.
…
In or around January 2024, Plaintiff received his requested LexisNexis consumer disclosure. The report, as of December 18, 2023, had 258 recorded driving events under the "Telematics" subsection. Each driving event included trip details that show the start date, end date, start time, end time, acceleration events, hard brake events, high speed events, distance, and VIN.
…
Plaintiff had never opted into any insurance program that would have allowed his information to be shared.
Related: "Automakers are sharing consumers' driving behavior with insurance companies" - https://news.ycombinator.com/item?id=39666976
And if you own a car made in the last ~5 years, here's how to request your "Consumer Disclosure Report" from LexisNexis: https://consumer.risk.lexisnexis.com/ . According to NYT, LexisNexis receives at least some data from GM, Ford, Kia, Subaru, and Mitsubishi.
Or from Verisk, which receives data from at least GM, Hyundai, and Honda: https://fcra.verisk.com/#/
Teehee
I wrote about this after my gag order expired. GM was shipping all telematics data to a big data cluster processing 100gbps of data (with double the data once Cisco released 400gbps support). Originally it was to help price their used cars. A noble effort I supported. I didn’t know about the sales to insurance brokers, but should have assumed that was coming.
Anyway cat is out of the bag, they won’t undo this feature they will pay a fine, offer an opt-out to 5% of users who take up the offer and in 10 years time everyone will assume their driving habits are being monitored by their insurance company.
How do I know this? It’s been 10 years since the hoopla about realtime location data being sold. Last night I saw my home IP address reports my location with .25 mile accuracy. Guess that $5 check from Verizon was the fine they had to pay!
I wrote about this after my gag order expired.
Some time last year I wrote a comment here on HN about my Bolt EUV and OnStar. I can’t remember exactly what I wrote and don’t want to dig for it, but I said something like being happy with the vehicle and had disabled all of the OnStar features/tracking soon after I purchased it. Somebody replied that they were intimately familiar with the OnStar/GM project, having worked on it, and that it was still tracking me despite not being subscribed to any of their services and having turned off all the features in the car that I could. They couldn’t elaborate further, I assume because of an NDA or something. I bet dollars to donuts that this is what they were talking about now.
Edit: thanks to Stavros for finding the comment below. It looks like you were in fact the person I was talking to 11 months ago. Small world!
Time to find the ATT SIM card and gut it from both of my vehicles.
Most cars have an integrated SIM. You can either pull the fuse, and lose a bunch of functionality, or if you're clever, throw an attenuator on the antenna rendering it useless but preserving the functionality of the rest of your car.
Do they not store it and just upload it once the car goes in for service? I have a 32 Gb mini SD card the size of a fingernail that was like $10, something like that would store a fuckload of hard braking events.
There's no guarantee anyone would bring the car to the manufacturer for service though.
Amazon Basics SD micros are $20 for 2x 64 GB at retail. For $10 I'm sure that's a chance they're willing to take. They'll just raise the MSRP by $100 to compensate.
Time to pop it in a data usage heavy device for free data.
The BBC or someone has had at least one article about a bird tracking device that operated via cellular and a SIM that expected 5k or less data a month suddenly started charging gigs a month in their home continent just after the last natural looking flight of the bird ended; the ornithological society involved had a few shock bills.
From what I know, this wouldn't work. I worked for a telco and the way they explained it to me is that SIMs for these purposes are not the same as consumer SIMs. They end up on a different network using a different APN and they typically go straight to a VPN or other private network for their owner. And no, you can't reconfigure them to the consumer APN (I asked). (This was not in the US btw.)
Most SIMs for such purposes are sat directly on an L2TP connection or similar. They’re often not public internet.
As a consumer you can buy similar - I know my ISP (A&A) will sell you (quite reasonably) a SIM that will drop straight onto an L2TP connection of your choosing.
I purchased a Bolt as well. Literally the day after I drove it off the lot, I found and modified the electrical connections to the OnStar antenna system, as I'm fairly handy with electronics and work on all my own cars. If you yank the fuse you'll also lose hands free Bluetooth calling and some other features, so you have to use it.
Anyway, told this story to many people, and they looked at me like I'm a conspiracy nut. Well this will be the 1000th conspiracy I worried about that turned out to be completely true, imagine that.
Phone meta data is tracked. Car meta data is tracked. Supplement with credit card data, browsing history, the Rings in your neighborhood, etc., etc., etc.
Per, "Stand Out of Our Light", we don't stand a chance.
https://www.theguardian.com/us-news/2019/jul/20/stand-out-of...
Remember that 10 or 20 years ago, BEFORE phone, car and doorbell camera data was tracked, people were already saying "everything is tracked, we don't stand a chance", and this defeatist attitude has since contributed to allowing phone, car and doorbell camera data to be tracked as well.
You'd have to read the book. He uses "you don't stand a chance" in the context of will power.
That is, in short, (and I'm paraphrasing): ...Some of the brightest human behavior experts in the world are being financed by some of the deepest pockets in the history of the world to influence your (read: our) behavior... Just use will power? You don't stand a chance.
The "defeatist" to me is, "I don't have anything to hide." That might be true, but those influence super powers are going to use that "nothing to hide" against you.
Read the book. It's just over 100 pages. It's on the order of "The Age of Surveillance Capitalism" but that book is 500+ pages. THoSC is great but it's a serious commitment.
Guess we live in different worlds. Pretty much everyone around me, friend, family, coworker, or neighbor is fully aware and expecting any and all devices around them to be spying. Not all care or think it's nefarious though.
I own a Bolt (bought used) and have never activated OnStar, and I'm extremely unhappy to learn that it might be spying on me.
I did some reading when the NYT article came out, and found this, which explains how to install a terminator on the antenna to disable the cell connection: https://imgur.com/gallery/n00QKnH. If you go that route, it's probably prudent to make sure your car isn't connected to wifi, either. (Edit: looks like that guide came from here: https://www.reddit.com/r/BoltEV/comments/16h91a6/i_made_a_st...)
Apparently some Bolts newer than mine have a different fuse configuration that puts Bluetooth and OnStar on separate fuses: https://www.chevybolt.org/threads/remove-mobile-data-chip.33...
^ that Bolt forum thread also talks about some of the downsides of disabling the antenna (e.g. GPS won't work so your home/away charging settings don't work anymore).
There it is, thank you! That’s exactly the conversation I was thinking of. And I see now that the person I was talking to was in fact the very person I replied to here in this thread.
You're welcome! For next time, searching for "nozzlegear onstar" only returned two comments, today's and this one from a year ago.
It was the same commenter!
This is sorta unrelated, but in your previous comment you mentioned:
least right now using CarPlay they aren’t getting all the data about which books or music I’m listening to.
CarPlay absolutely reports currently playing audio metadata back to the car. I've driven multiple cars that display the currently playing song, etc in the driving instruments cluster.
Yeah, I noticed that at some point last year. This is my first vehicle with CarPlay, so I’m not sure how it works in other vehicles, but with mine the CarPlay interface completely replaces the infotainment display. The car will also show the current media in the cluster, but it’s a few clicks away and not what I had configured. I finally realized that the car was still able to see what I was listening to with CarPlay when I navigated back to the car’s default Home Screen while idling one day and saw the name of my book playing in the car’s native media app.
CarPlay absolutely reports currently playing audio metadata back to the car.
Regular Bluetooth (newer generations, at least) already reports current track/caller information along with the audio-stream, regardless of whether CarPlay/Android-Auto are being used.
So I don't see "the car knows what I'm listening to" as much of a surprise.
You should request your LexisNexis Risk consumer disclosure report.
Edit: please report back!
I just did! Very interested in seeing what’s in it.
Anyway cat is out of the bag, they won’t undo this feature they will pay a fine, offer an opt-out to 5% of users who take up the offer and in 10 years time everyone will assume their driving habits are being monitored by their insurance company.
So can't the plaintiffs just request an order compelling GM and others to remove the feature forever as part of the remedies?
Specific Performance. A court can order as the equitable remedy that one of the parties does a specific thing. Yes, in principle. But no in practice.
The real world use of Specific Performance is mostly in Real Property ie the ownership of land and this is because land is very obviously not fungible. The square meter of land I need to get my cows from the grazing field to the nearby milking shed is not in any way equivalent to an otherwise similar square meter of land on the far side of the field leading nowhere, and having the wrong one can't meaningfully be compensated with money whereas the court can just order Specific Performance (ie the wrongful owner hands over the land) to fix the problem.
But even beyond that in practice class actions are primarily about the lawyers getting a healthy pay day. $1M each for us as lawyers and each individual "participant" in the class action gets $1 and a 5% discount coupon that expires in six weeks? Sounds good. For the lawyers the incentive is that pay day and the only reason to care about their participants is that if they're treated too poorly a judge may not sign off on the deal.
Specific performance is a contractual remedy. It is rarely granted because contracts are usually about business arrangements, and you can solve most of those problems with money. So for contracts the usual remedy is monetary damages.
Courts are more than able to order parties to do things without invoking specific performance via injunctive relief, which you’ll see from the complaint is what is being sought by the plaintiffs.
Injunctive relief requires that you show that unless the court provides this relief the harm is irreparable. I guess we'll see.
This is true of almost all equitable remedies - you have to show that money won’t make you whole. Luckily the bar for that is much lower than for contractual disputes, especially disputes like this where an ongoing violation of someone’s statutory rights is allegedly happening.
We really need something with fangs that actually hurts companies. These “kid gloves” solutions in the USA do not incentivize good behavior.
The visceral desire for retribution is half of the problem here. Companies respond to incentives. The problem isn't generally the price. When they get caught the cost is generally more than the benefit they received.
The problem is that they often don't get caught, or find a way to weasel out of it. As a result the managers who do it will be rewarded most of the time, and even when they're on the wrong side of the gamble, half the time they'll already have left for another company. Raising the penalty wouldn't deter that.
What you need is a remedy that can address the offense. Order them to publish the source code to the system for 10 years, so that anyone can audit or modify it in case they try something similar again. Not only does it make it harder for them to reoffend, it's the kind of penalty that corporate lawyers hate, and then they'll be more likely to insist on policies to prevent that from happening to begin with, which puts pressure on preventing the problem from a different angle.
Not that I support any of this, but why would networking speed be the bottleneck in that system? Telematics seems very much like an OLAP situation where data ingest and querying can be asynchronous.
I read it as they are continually generating so much telemetry data that they’re saturating the link to the storage layer.
in 10 years time everyone will assume their driving habits are being monitored by their insurance company.
And even if there continues to be an opt-out, those plans will become so prohibitively expensive that you're essentially forced to allow your insurer to spy on you. Privacy is always priced out in the free market. Regulation is the only way. It's not a net benefit to society, just outlaw egregious data collection.
How does the data leave the device? I tried to route traffic from the infotainment system into a WiFi network I was wiresharking, and I saw a lot of GM traffic but I couldn’t install a cert to MitM because I couldn’t figure out how to access the Android settings for the dash OS.
Is the traffic through there or is it totally within the CANBUS and never hits the WiFi outbound? In that case do you need to hijack the 4G?
Interesting that Subaru is mentioned, but not Toyota. Recent Subaru models share a lot of electronic guts with Toyota.
You can't take this as authoritative but my business has a data relationship with Toyota and they have a ton of juicy telemetry data.
Their attorneys are mad protective of the PII they have. Our relationship serves the public interest. We use the data to find people with open recalls where Toyota doesn't know who the current owner is.
I say this to say that we have other OEM relationships that are far more liberal with their encumbered data. Thus far Toyota seems to be playing it very straight.
You seem to be suggesting that Toyota are the good guys because they collect data but don't share it.
That's not what I want! I want them not to collect it. Then I don't have to worry about what they use it for, whether they share it, or whether it will get leaked.
But will you sue them if you get hurt and you find out the part was a known failure mode and eligible for a recall?
This is somewhat reassuring, but it also makes me question what exactly they're sharing that could facilitate the service you describe.
It sounds like an interesting business though, and one of only a couple examples I can think of where telematics could be used in the public interest.
I just tried the "Consumer Disclosure Report" link from LexisNexis you shared, and nothing happens when I submit the request. :(
and nothing happens when I submit the request. :(
The site is likely overloaded by interest from HN readers. Trying again in 48 hours will likely give more performant responses.
It was very slow and gave no indication it was working but it worked for me. Try again?
And if you own a car made in the last ~5 years, here's how to request your "Consumer Disclosure Report" from LexisNexis: https://consumer.risk.lexisnexis.com/ . According to NYT, LexisNexis receives at least some data from GM, Ford, Kia, Subaru, and Mitsubishi.
Appreciate this link! I don't have one of the listed brands (own a Mazda) but I am curious to see what info data brokers like this have on me in general.
Also, maybe this is a naive thought but I think data brokers like this are so used to operating in the shadows / being forgotten about so I think the more folks who request is at least a small signal to them that folks are paying attention.
Wow, I just submitted the consumer disclosure report this morning after finding out about it from somewhere else. I am VERY interested to see if anything is reported from my car since I don't have any of the addons/monthly fees.
Thanks! Yes—related from yesterday:
Automakers are sharing consumers' driving behavior with insurance companies - https://news.ycombinator.com/item?id=39666976 - March 2024 (321 comments)
That one only spent 3 hours on the front page so I guess we'll let this one have a go too...
I assume LexisNexis does not provide this report out of the goodness of their heart, it must be required by FCRA?
If I really don't like LexisNexis collecting this data, or if I really just want to stay on top of my credit status, is there any reason not to script something to request a physically mailed report every day? Not sure how much they pay per mailing, but 365 of them can't be cheap.
GM is trying really hard to not get my business in the future. Between the no Car Play and Android Auto support in their new EVs. Now this. I'm just tired man...
Why would you want GM in the first place?
You've Japanese, German and to some extent even Korean cars that are much better. If a pickup truck is what you're looking for, then Ford is much better.
If you're in the market for a smaller, cheap(ish) EV with decent range, the Chevy Bolt (used) is basically the only option, and honestly can be had for less than any equivalent ICE vehicle of similar quality/mileage
Nissan Leaf?
Air cooled battery can really destroy long term reliability on these cars and also throttle charging if the battery is too hot.
The car is a 10+ year old design that was the brainchild of a CEO that is no longer there. The company does not really have a mentality of being an EV leader.
Defective by design. Still using essentially the same battery pack they designed in 2008 for the 2010 LEAF -- no cooling system whatsoever, emergency resistive heater that keeps it from freezing but doesn't otherwise warm it, obsolete CHAdeMO charging port -- just with more capacity. They had their first class action lawsuit about unacceptable levels of battery degradation in new LEAFs in 2012, yet didn't change the design, just the warranty. The larger packs are now having high defect rates for cell-level failures. They are only able to sell a few hundred of them a month in North America for good reason.
I just looked and that is some wild depreciation. In 2020 that went for 37k and goes for 13k now. A 2020 Prius started lower and will go for 19k today.
It's limited to 50 kW fast charging and the battery fires have put a damper on its reputation. Also it's shaped like an egg. The EUV does not look much better (in my opinion).
That charge rate definitely makes it a commute/overnight charge uni-tasker. I wonder what the insurance table looks like for it.
Tesla claims not to sell or transfer the data they collect, and offers opt-outs from most of it. You can, if you are willing to void your warranty, remove the GSM/LTE module from a Tesla fairly straightforwardly.
Tesla is an absolute no-fly zone for me, due to their stupid leader.
The brands you are thinking of also likely have telematics with similar vague language about data collection. I've seen it in Nissans, Hondas, and Toyotas, personally.
Probably because they assume those companies are doing the same thing?
We’ve already taken quite a few manufacturers off the list for this reason, including GM. Vote with dollars people. Take my data without permission, lose my business.
who is left on your list?
I am eyeing up Hyundai Ioniq 5/6. Any comments? Irony is keeping the dumb old Toyota is cheaper even with the crazy tax breaks in Australia! I could hand over $10k to carbon offset company instead and still be ahead with the ol banger. And have the convenience of what they call service stations :-)
Current Chevy Volt driver, have now written off GM from my list. Was considering an Ioniq 5 for my next car until I heard about the issues where a minor scrape on the bottom could require a $60K (Canadian dollars) battery replacement: https://youtu.be/EEXieo06ta8
Right now I’m just driving an old Toyota and don’t plan on buying another car. I expect all of this to explode at some point and resolve itself, or I’ll just keep rebuilding my old Toyota until I die.
It’s a shit show.
https://foundation.mozilla.org/en/privacynotincluded/article...
Voting with your vote works even better.
If we vote with our dollars then the government just bails them out when they inevitably go bankrupt, again.
GM seems to be floundering in mediocrity right now. They basically pump out generic, uninspired plastic boxes right now then try to nickel and dime their customers. In my opinion, foreign manufacturers are absolutely eating their lunch right now.
Despite being children of an automotive family, with a deep loyalty for the Big 3, we've started to avoid their cars. While they can run forever, they just start falling apart.
The rebadged Commodores were a bright spot in the lineup for a while if you like that kind of thing
What are “foreign manufacturers?” Hondas and Toyotas have been built in the states for a long time. Chrysler has been a transnational merger for a while and Ford and GM have long histories of importing their overseas products.
Generally anything outside of the big 3 is considered foreign. It’s no longer fully accurate, but that’s how I’ve typically viewed it
How much of that foreign/domestic distinction do you think is marketing/propaganda?
Chevy Trax got C&D's highest 10/10 which is remarkable because GM's small cars are usually terrible...
and Consumer Reports seems to love the cousin Buick Envista.
They've done that just fine for me by releasing... lame cars across the board. Most of their brands are shells of their former selves (especialllly Cadillac) and I can't remember the last time I saw a Chevy that I actually liked.
I mean, I get that. Part of it is irrational because my father worked for and retired from GM. So it's a bit of a family thing. But the loyalty has a limit and I believe Mary Barra has reached the limit for me.
Between the no Car Play and Android Auto support in their new EVs.
Wait seriously? That's a wild choice.
yeah they're doin it themselves
I will never buy a GM until they stop turning their reverse lights on when they're not reversing. This one small feature has wreaked immeasurable havoc on parking lots across the world.
https://www.reddit.com/r/cars/comments/rshlke/why_do_gm_vehi...
Is there a practical way to block any outgoing communication and telemetry from getting sent? Like a Little Snitch but for your car?
For my car (2024 GR Corolla) you can pull a fuse that goes to the telematics computer.
The car has a bad habit of calling the emergency hotline on a race track if you go over rumble strips (those painted red/white strips) because it shakes the car so violently I guess. Popping the fuse will make it stop happening.
On my 2021 Camry, the fuse is labeled `DCS` — the only caveat is, it disables the front-right tweeter (there is a bypass, but requires you to remove the front dashboard and install jumpers across the DCS connector).
Those are the two randomest things to couple together in a single fuse.
The tracking module uses this speaker for Emergency Communications in the event of a crash.
Right, but it doesn't have to be powered by the same fuse, no?
I guess the point is that if the emergency module is powered the speaker by nature would also have to be powered. A fail safe of sorts.
Worse in Subarus... both front speakers AND the mic. Bluetooth phone calls no longer work, and your music only comes from the back.
Similarly it is /possible/ though a giant PITA to take apart the front of your car and make those work again, per some blog post I saw 4 years ago and can no longer find.
Well, I removed the telematics module from my car. But it already stopped working because it was 3G only. The car was built in 2014, shipped with a 2G modem that was replaced at Ford's expense when 2G went offline shortly after the car was sold.
My other car with telematics was built in 2016 with a 3G modem that also no longer works.
I guess there's a silver lining to sunsetting 3G I hadn't considered. Thanks!
I remember reading on HN that someone found a sim card in their vehicle and took it out.
Presumably the new ones use an e-sim instead of a physical one.
I wonder if metal tape, used for ducting, would work.
Doubtful... BUT if you try, remember that most vehicles have dual antennas (one on top, one on bottom - for roll-overs).
It's easier to just disconnect both antennas from the modem OR disable power to it entirely.
Leave it to data brokers and insurance companies to make the leap from "ick" to outrage.
On the other hand... to all selfish, unsafe street-racing, road-hogging Cadillac XT6 drivers out there: may your insurance rates double and may you swim forever in a sea of adverse underwriting decisions.
I do think there’s an interesting future dilemma here. I’m absolutely against them sharing this data without consent. But if sharing e.g. the number of hard brakes you do was made explicit and led to lower insurance premiums… I’d be tempted. I often feel like there’s little reward for adhering to traffic laws these days.
led to lower insurance premiums
Maybe it would be lower relative to other people's rates, but one must imagine that any insurance prices will only ever cost more to the consumer.
This is not how capitalism works. However, if insurance were priced perfectly, it would cease to be useful!
Not really. Accidents are a function of driver and environment. You can't control the other drivers. If you think of the primary purpose of insurance as to make sure that the party not at fault is made whole, then perfectly priced insurance becomes like posting a bond in order to drive. Which isn't unreasonable.
(Plus uninsured motorist coverage for the other parts you can't control, which really is an insurance function.)
There used to be opt-in insurance programs with many carriers. They used to send you a device, but I guess that was mooted by secret mass surveillance?
I hear ads regularly for Progressive's version of this.
I believe Allstate has one that uses your mobile phone to do it.
That logic quickly turns into a stupid word game.
What's the difference between a reward for sharing data on your hard stops vs a penalty for not sharing data on hard stops?
And when your mechanic diagnoses a brake problem on an empty road behind their shop, and it raises your rates, how will you feel?
I recently bought a Toyota because I was able to push the "SOS" button in the car and request that they disable telematics right after I bought it. I don't know whether they've actually stopped collecting my location information or if they can arbitrarily re-enable telematics at some time in the future for whatever reason, so I've additionally pulled a fuse that powers the transmitter. I'm mulling wrapping some components in a Faraday cage just for good measure.
The ability to prevent the car from spying on me was near the top of my list of desired features when I was shopping for a new car. This is one of the main things keeping me from buying another EV. So far as I'm aware there is nothing on the market where I live that won't constantly spy on you with no option to disable.
This article from Mozilla is worth a read: https://foundation.mozilla.org/en/privacynotincluded/article...
I bought a Toyota last year and the app clearly showed me a bunch of opt in/out options and I felt relatively confident they were either outright lying or I had opted out.
I'll have to request my info to see for sure
I never installed the app or registered an account or anything. The rep who I spoke to after pressing the SOS button mentioned that they had to create an account for me and then disable. They went ahead and at least said they did that while I waited on the line.
I'm more confident in effectiveness of pulling the DCM fuse.
I'm in the market to buy a car and have narrowed it down to 2024 Prius. I've read Mozilla's papers and a few auto forums on privacy issues with some abilities to turn on/off telematics. As you say, none of what I've read is conclusive in whether this actually stops collection.
Do you have any links you followed for the physical fuse?
Do you have any links you followed for the physical fuse
It's different for different cars. Search for "DCM fuse" (Data Communications Module) for your model year.
Supposedly, there should be a fuse that's just for the modem. You can yank that and get rid of telematics.
I'll stick with my 24 year old Lexus, though.
So far as I'm aware there is nothing on the market where I live that won't constantly spy on you with no option to disable.
Kia EV6 has a telematics toggle in the hidden engineering menu. Vehicles sold in Massachusetts have it disabled by default to protest the state's "right to repair" law, but in other regions you can disable it yourself.
It's ultra annoying that "EV" seems to mean a tablet on wheels now. I just want a "dumb" car with a battery instead of petrol.
A friend of mine has a Mitsubishi EV Minivan (Japanese model) and it's about as close to a perfect "dumb EV" I've seen yet. It drives incredibly well. They just don't produce a 4x4 model yet, which is important if you live in cold snowy climates.
Is it possible to wrap “cellular connection” module in copper mesh to cut it off from sending data?
It probably won't work very well. Faraday cages attenuate, they don't block signals, and most amateur attempts don't even attenuate very much.
Wrap your phone in aluminum foil, put it in the microwave, and give it a call. It'll probably still ring.
Tried it -
1. No foil, microwave - rings
2. Foil, no microwave - rings
3. Foil, microwave - doesn't ring
I feel like cell phones have to be more sensitive than w/e transmitter the car has, but your point holds - naively wrapping it in foil still probably won't work.
Nice! I've done a bunch of RF attenuation experiments with friends, and foil+microwave was the best result we found using stuff lying around any of our houses. With foil+microwave we were able to attenuate the signal enough to seriously degrade service, but never quite enough to block all traffic. In our experiments, the microwave was doing the majority of the work, based on the signal strength we observed. Results also varied a good bit by carrier, presumably because of the different bands used.
Tin-foil hat wearers beware.
Cell phones are less sensitive than the transmitter in your car, usually. Think about how much power budget you have in a car vs. a phone.
You probably have better luck by finding some standard antenna connection and attaching a proper 50 Ohm terminator to it.
Collecting and storing personal data needs to be exorbitantly expensive.
LexisNexis knew exactly what they were doing and probably already factored in litigation costs to the product.
Experian should have been fined out of existence when they lost all that data. The light of their funeral pyre could have warned away companies headed down the same path.
It is so enraging. Not only did they have zero consequences compared to what they should have received, they're still somehow the lone report I have to thaw for every single loan and line of credit.
I'd like to see a HIPAA for regular data.
It's pre-frozen?
After Equifax I have to assume my SSN and address are public. I froze everything and it will stay frozen forever. I think everyone should freeze all their accounts. It's tedious but easy.
Could you briefly explain the process and any hang ups you have to deal with?
The secrecy is ick, but this is the future and there’s no stopping it.
There’s ample evidence that consumers won’t pay for privacy and as most consumers opt in to data sharing programs, the non-data-sharing cohort will get seriously adverse further raising the price of privacy. The equilibrium state is that only bad actors and a handful of privacy zealots will inhabit that pool and mainstream carriers won’t even bid it.
Basically, privacy will become a luxury that only the rich can afford.
Extremely rich, maybe. But since the value of a person's data goes up with their income just having the ability to pay extra won't save you.
Consumers won't pay for safety either, which is why we have NCAP and mandatory vehicle inspections.
Right, good point. We will see if regulators take up that cause.
Telematics should be disabled, preferably by way of hard cutting the modem chip's V-in. Call me a tinfoil hat lover, but when 23andme gets bought by an insurance company, the similarities with potential insurability issues are numerous when data is available to the other without a big, shining red opt-in.
Luckily, GINA makes it illegal to use 23andme data for health insurance.
As this article shows, "illegal to use" doesn't always stop them from doing it.
Agreed, but acquisitions of public companies typically get regulatory attention up-front. An insurer buying 23andme would be an obvious red flag from day one.
Conveniently, on most modern Toyota vehicles there is a fuse labeled `DCS` which disables power to the modem.
I have obtained an email from GM stating that if I am an OnStar Smart Driver subscriber, I cannot opt out of my data being shared. I believe this violates at least California privacy regulations, probably some other states, which mandate opt outs. I seriously want to rip the modem out of my car.
Some lawyer at GM is reading this and saying, "No private right of action FTW, suckaaaaaaa"
Perhaps. This thing might be an easy win for a regulatory agency looking to establish itself though.
Well you can file a CCPA violation complaint with the state AG. Especially because a "Do Not Sell or Share My Personal Information" link is mandatory.
https://oag.ca.gov/privacy/ccpa#sectionh
https://oag.ca.gov/contact/consumer-complaint-against-busine...
Nice thing is that tracking via cellular never stops working but if you are in an emergency they will not call emergency services for you if you don't pay the subscription.
Clearly your data are more important than you
It's good to read this thread and know that finally people are realizing the full extent of the surveillance. I have dealt with a Govt agency targeting me for several years and having technical knowledge, I've noticed all of this invasion of privacy and control used against me, lots of it wouldn't even be possible without technology or the internet. But it's so much more than if you gave up your phone... It's a literal surveillance state and even if you go to the suburbs away from the concrete prisons our cities have been turned into, you still have front door cameras everywhere, accessible by law enforcement.
In fact, to abuse all of this stuff and weaponize it against someone, you do not need to have a court order or a warrant. As long as you find the right people, have the right narrative, companies will do all kinds of stuff to you, even if you are a customer.
And my original reply before going off on a tangent was that even if you remove your sim card, even if you somehow disable emergency services, your phone is still pinging and leaking all these signals that are picked up by all kinds of scanners.
Very few people even accept this is happening at scale, let alone are able to reason about the implications of it all.
The public needs a better job of being informed about the consequences of all of it.
I agree with the worry about surveillance. But isn't this really a continuation of how car makers treat their customers and the public generally? Car companies compromise privacy in the same way that they willingly compromise safety, public health and the environment. It is the result of a broken culture and naive to expect them to change.
I think it's a mistake to frame it that way. Collecting and selling data is essentially ubiquitous among companies with access to harvestable data. ISPs, cell providers, smart tv manufacturers, and so on are not broadly associated with some specific historic cultural or urban planning failing. They're companies with access to an additional revenue stream, and nearly any company that can will make the same decision.
lmfao this is why my newest car is from 1999. Computers ruin everything. Be warned.
Actually it was the Internet. I still believe my Commodore is harmless.
Actually it was profit-seeking humans. I believe Zombo.com is still harmless.
All of the above in combination, I suppose.
We need a privacy bill of rights. The fact is that no other approach works.
Something like the GDPR?
Well, something like FCRA at least.
Can this please include a section on things that are not allowed to be included in any ToS?!
Has Subaru been doing this as well with their STARLINK?
Yes, but maybe not to the same extent.
You can opt out here:
https://subarucustomersupport.powerappsportals.com/Consumer-...
There needs to be an unplug, not an opt-out.
I understand that my opinion on this matter may be controversial, but I feel compelled to share my experiences. In the past five years, I've noticed a significant increase in aggressive driving. I've been the victim of two hit-and-run incidents where I was rear-ended, and the drivers fled the scene. In a third incident, a driver collided with the side of my car as the road curved and had the audacity to tell the police that I was at fault. In Texas, I've witnessed rampant red-light running, failure to stop at stop signs, excessive speeding (more than 15 mph over the limit), tailgating, and failure to use turn signals.
I believe that telematics could be a valuable tool in addressing this issue by scoring drivers based on their driving habits and adjusting their insurance rates accordingly. This would not only encourage safer driving practices but also ensure that responsible drivers are not unfairly penalized for the actions of aggressive drivers. In my opinion, telematics should be required for operating a vehicle on public roads.
None of those people have car insurance.
Willful dangerous driving is surpassing DUI these days it seems in terms of danger.
... but I guess some of these people were on something, too.
Is there a hardware hacking forum that would teach people how to modify their rig to use the good features of such devices regardless of manufacturer but intercept and modify telemetry data to feed them realistic looking but fake data until you press a distress button and then give real location? I ask because I do not trust the legal system to ever catch up to this globally or to have any real teeth that make companies feel real pain. I've played whack-a-mole with spammers and malware distributors. This feels the same to me. Until it becomes trivial to disable such things I personally will stick with fixing up used vehicles that I know are free of loose lips.
I think this is what you are looking for https://www.reddit.com/r/CarHacking/
That's a great start. Thank you!
Buried in the complaint is an interesting part about why he lost his original insurance carrier, they stopped writing policies in FL. The personal injury lawyers in Florida are out of control. There are also a ton of staged accident rings that nobody is doing anything about. I’m surprised any insurance carriers exist in that state anymore.
> he lost his original insurance carrier, they stopped writing policies in FL. The personal injury lawyers in Florida are out of control.
I'm a little skeptical, this reminds me of past arguments of "blame malpractice lawsuits for exploding US medical costs, tort reform will fix it", which doesn't seem to have worked in the places where it was tried.
AFAICT most of the reasons insurers are pulling out of Florida involves the math around catastrophes like hurricanes.
I recently requested a quote while insurance shopping, and Progressive seems to have already associated driving telematics history with one of my vehicles (a 2015 Chevy product).
How did this manifest, exactly?
Request your data now:
Thanks for sharing this. I just submitted a request and am interested to see what they’ve collected.
Anyone know where VW is sitting on this general topic?
The DriveView program became available to Volkswagen Car-Net subscribers starting with model year 2020. By enrolling in DriveView, Car-Net users may be eligible for discounted rates from some of the top automotive insurance companies in the country. This program can also help Car-Net users monitor their driving by tracking activities like night driving, hard braking, and idle time. These factors all contribute to an overall driving score, which is visible within the Car-Net mobile app and on vw.com/carnet. Through the agreement with CCC, VW Car-Net will leverage the newly released CCC® VIN Connect, which applies driving behavior data at the point-of-quote, making it fast and easy for eligible consumers to connect with potential insurance discounts.
Companion nytimes article for anyone interested: https://archive.ph/MVmoX
“What no one can tell me is how I enrolled in it,” Mr. Chicco told The Times in an interview this month. “You can tell me how many times I hard-accelerated on Jan. 30 between 6 a.m. and 8 a.m., but you can’t tell me how I enrolled in this?”
This is at least a Florida lawsuit. I'm pretty sure the practice violates California law as well.
While I dislike how little practical enforcement there is against the pervasive surveillance by ad-tech companies, this is one of the things that GDPR works wonders against:
No sane company would want to participate in such a scheme in Europe. Both the seller and the buyers would be on the hook for massive GDPR fines, and unlike a tech company where the privacy violations might be contributing 50% of the revenue and which could thus easily consider a 4% of revenue fine once every few years a (small) cost of doing business, car companies can't afford that.
General Motors had a global revenue of $172 billion, net income $10B, and the data sales are only a small part of that.
The intermediate company that's buying the data and reselling it to car manufacturers could potentially try to get away with it, because their entire business model depends on it, so they have little to lose. Just make sure to keep no money in the company because once the DPAs learn of the business the company a) has no business model because they will prohibit continued buying/selling of the data b) is likely to be bankrupted by the fine that might well exceed their entire revenue (for smaller companies, the fine isn't capped to 4% of revenue, the limit is 20M EUR).
For the insurance companies that would be buying this data I'd imagine it's even worse.
And this sort of egregious thing is something I can see DPAs actually enforcing, because it'd be much more clear cut than tech companies using non-compliant consent banners.
Edit: And I forgot the most important thing - if they don't put it into their privacy policy they're even more screwed, and if they do put it there, a customer who finds it can get it enforced by sending an e-mail (or in Germany, letter, because some DPAs don't accept e-mail) rather than finding a lawyer willing to start a class action.
OnStar is one of those features that has desperately tried to claim it is somehow different than the features your phone already provides.
The complaint is for:
• Violations of the Fair Credit Reporting Act (FCRA) due to the alleged improper sharing and reporting of plaintiffs' driving data without consent, impacting their ability to secure car insurance and leading to increased rates.
• Violations of the Florida Deceptive and Unfair Trade Practices Act, accusing the defendants of engaging in deceptive practices by sharing personal driving data without the knowledge or consent of the car owners.
• Invasions of privacy under Florida common law, arguing that the defendants' actions of tracking, collecting, and sharing personal driving data without consent intrude upon the plaintiffs' private lives and are offensive.
Reading this got me cheering out loud for the plaintiff. I'm so glad to see someone taking these bastards to court.
I can relate in some small way to part of his ordeal - not with GM specifically, but I don't know how many times I've been stuck in a loop with companies who have no idea what happens to your data they hoover up and can't explain or answer even the most basic questions on that topic - and are confused as to why you are even asking.
I hope this gets its class action certification and jury trial, and I'm looking forward to kicking back with a bag of popcorn and watching the show. If he started a GoFundMe or something I'd be happy to make a substantial contribution to his legal fees.
It's long past the time bad actors like this who give you no real choice or control over the products you are buying start to be brought to justice.
In this age of cars I want dumb cars with an engine that I could optionally plug in my smart thing if I wanted.
Even Toyota has gone too smart with their in tune crap.
Give me a cockroach car that survives for 50 years. No other bells and whistles. Just some connectors for them.
I wonder if this is true for older vehicles. I have a 2018 vehicle with OnStar that definitely has cell access (I could start it remotely).
How much do they actually get for this per vehicle?
I feel like the answer to that would explain a lot.
How we came to a stage where your iris is being monitored in your car, including mic and video recording and all your contacts being uploaded as soon as you connect to the entertainment sys... and nobody gives a fuck. It's beyond my understanding.
I’m sure GM has a formula for this.
But what if the automakers' solution going forward is to not make the feature optional? That the service gets baked into the price? They turn it on. They leave it on. Especially with a lease, won't they have a legal angle to protecting their property?
My concern is this might become a "be careful what you wish for"?
nothing will happen until heads literally roll, everything else is just business.
Hopefully more class action lawsuits follow for other car manufacturers...
Ford knows when you break the law: https://www.businessinsider.com/ford-exec-gps-2014-1
I wonder if they also share their data or if they were trying to find customers for the data.
This is good news. I hope this serves as inspiration for future cases against app developers, Google, Microsoft, Facebook, and all who are not upfront about their data and privacy practices.
This all makes me so angry. It's so messed up.
And hopefully rein them in.
How? Who will represent that viewpoint in the halls of congress? The EFF is politically ineffective and always has been for reasons I don't understand, and no one else seems to care.
Let’s think outside the box a little. What we need is a general process whereby the public gets to decide if a business should exist. Too often companies just form, abuse us, and there is no way to stop them. What if, once a year, companies had to justify their existence in front of a citizen panel or a jury of random people or something? They’d need to demonstrate what good the public receives from their existence, or their assets get sold and the company dissolved. Why do we believe that companies simply have a natural right to exist as long as they can survive? Where did this come from? Companies should answer to the public!
What about all the employees of the company that don’t set policy, aka the vast majority of the employees?
Perhaps the threat of actual extreme punishment would incentivize companies to behave such that the punishment never gets invoked?
Currently the worst thing companies ever face is a little itty bitty fine and maybe a toothless regulator telling them “Pretty please would you mind not doing that again? If it’s not too inconvenient to shareholders that is…”
All change is destructive. No matter how bad something is, someone depends on how it is right now. Someone will at the very least be inconvenienced by it changing
The fact is, no company actually primarily exists to employ people, and people lose their jobs to this basic fact all the time, sometimes for no reason other than that some investor expects extremely marginal gains from signaling that they are serious about cutting costs
Also, the dissolution of a company and dispersal of its assets could include allocations for severance pay to cushion the blow if that's a concern, which is not always available to people who are hit by random layoffs
> What we need is a general process whereby the public gets to decide if a business should exist.
So if I want to start a small business, say a mom and pop restaurant, the public has to approve it first? You must be joking. Most businesses are small businesses. Hamstringing them is a recipe for disaster. Our regulatory system already disadvantages small businesses in countless ways. Indeed, that's part of the reason why large businesses can get away with so much.
The public already has a way to disapprove a business: don't buy from it. If nobody buys what the business is selling, it goes out of business.
The real oversight the public should be exercising, but isn't, is to vote out of office politicians that allow large businesses to buy their way out of trouble.
This “let the market decide” approach is clearly not working. It assumes that only the direct customers of a business are the stakeholders that matter, because they have the wallets to vote with. There are many, many companies that the general public do not buy things from yet suffer their harms. There are a lot of terrible businesses, large and small, that I don’t purchase from which I’d vote in a heartbeat to get rid of if I had the opportunity.
If their assets get sold and one entity buys all of them then they could just carry on operating the same company with them. The most likely buyer for something like that would be a competitor. That seems bad.
Maybe we could require the opposite. Their assets get sold, but can't all be sold to the same party. You split the company up, e.g. by delaminating vertically integrated components into separate companies. That way it's easier to enter the market and compete with any of them because you don't have to replicate the whole stack, only that one component.
You might not even need to have a vote, just some rules for when this happens automatically, like when a company has more than e.g. 35% market share, because that's too close to a monopoly and you wouldn't want a trust to form. We could call this anti-trust.
Going by the EFF's latest published financials (2022), they took in $23 million vs $16.6 million in expenses. Vs literal billionaires and nation states. Some of the billionaires have more money than the nation states do. David, meet Goliath.
I care. I give them my money. They seem to do a better job at advancing these interests than anyone else. I'm more in awe of their attempts to take on issues of this magnitude given their meager resources than anything else.
I'm sorry, but what nation-state or billionaire is fighting against the EFF? In fact, the EFF is funded by billionaires and nation-states.
https://www.eff.org/legal-victories
Whenever the GDPR is mentioned here, people more or less treat it as a sign of fascism. With that attitude from us, how can our rights on privacy be respected?
I'm extremely glad that the GDPR and NOYB.eu mean that car manufacturers can't pull that shit here. If I opt out, I'm opted out, or there will be big fines for them.
The problem with the GDPR is the overhead. If it was one line that said "you can't sell data on people without their explicit freely given consent" then anybody could comply with it by simply not selling data on people.
But it's a long piece of legislation and some of the requirements are time-consuming to implement even if you're not doing anything nefarious. "It is bad for innocent people to incur uncompensated costs" should be a primary principle in creating legislation.
They're getting sued. If the plaintiffs win they'll have to pay. It's not obvious why this is worse or any less of a deterrent.
What piece of regulating legislation have you seen that's one line?
"Every contract, combination in the form of trust or otherwise, or conspiracy, in restraint of trade or commerce among the several States, or with foreign nations, is declared to be illegal."
https://www.law.cornell.edu/uscode/text/15/1
What's a contract? What's trust, or conspiracy? What's trade, or commerce, or a foreign nation? What does "declared" mean?
This is the legal equivalent of "I can write Doom in one line, import doom; doom.start()".
These have established meanings in existing law. What are you proposing as a plausible ambiguous interpretation of "declared"?
That's two lines.
Also, it's not equivalent, because the original is actually a composition and not just a tautology. It's like saying that this one liner to find word frequencies in a file:
(from https://old.reddit.com/r/linuxadmin/comments/nq45r/what_are_...)
...isn't a single line of bash because you haven't defined fmt or sort or uniq or '|'.
Is your argument that the GDPR can be one line because "data" already has an established meaning in existing law? The GDPR is large because all these things needed to be defined, and there are tons of edge cases, not because the lawmaker figured they'd add some extra fluff in there.
It's not being verbose or well-defined which is the problem. It's that the law isn't a single well-specified requirement but rather many independent ones that each have to be complied with separately, including by people who weren't doing anything untoward to begin with.
If you weren't doing anything harmful then your preexisting behavior shouldn't become unlawful.
I'd say it may not be obvious why, but it's obvious that it is less of a deterrent, because this sort of data trading seems to be commonplace and semi-overt in the US, and much less common (and hush-hush in the rare cases where it does happen) in Europe.
I'd also hazard a guess why it's less of a deterrent: the risk, i.e. probability of successfully getting sued * cost of successfully getting sued, is likely much lower compared to the relatively high probability of a DPA going "WTF no" in Europe as soon as someone reports it.
But that's because the US doesn't even have the law requiring express and freely given consent, so they just stick the consent in some agreement nobody reads next to a box you have to check. You could have that rule without having the whole GDPR.
In this case they apparently collected the data even if you never checked the box, which is just egregious and now they're getting sued.
Certainly this is not because plaintiffs would be unwilling to file claims if they could.
Nah we're just here busy banning tiktok
China bad whirrrrrrrrr.
If con-gress was serious, they'd ban/restrict any social media that relied on tracking. Or better yet, they'd pass a bill restricting data brokers of any sort ala GDPR.
Nope. China bad. USA good!
I agree data brokering of any kind should be completely illegal. I don't think TikTok is only being banned because of China though. I just think it's a bonus compared to ByteDance legitimately being a malicious data-harvesting nightmare that also happens to own one of the most mentally damaging social networks of the decade
But Meta/Google isn't?
Are Meta and Google even allowed in Communist China?
Why would we reciprocate on a Communist plot against our children?
Red scare all over again
Let's ignore the red scare comments.
Would China allow an American social media company to capture 75% of their children?
Never said anything of the sort.
This is funny, but sadly true... I just told someone yesterday if lawmakers truly cared about all of this they'd ban all social media. Lobbyists and lawmakers will be eating well until then.
Of course not. Congress and SCOTUS are all paid for.
Without extremely aggressive changes to how we handle situations like this, it seems unlikely
A fine is a price, and there are basically no laws that put financial, let alone criminal liability for people behind the corporate veil or seizure/dissolution of a corporation that consistently breaks the law on the table
Unless senior managers and board members get criminal convictions and jail time it will continue and the "disturbing" will cease only by being normalized.
Hoping for a magic responsible all powerful legal daddy to come enforce a just set of laws is pure fantasy.
The people doing regulation and oversight have been bought and paid for by these "managers and board members." Citizens United codified their right to do this into law.
If you want professional ethics, you have to create a vehicle that can enforce professional ethics or wield political power -- a trade union or guild.
No congress-member is going to wake up and be like "gee, I sure wish I would get a few less bribes (campaign contributions) today," or "I sure would like my stock portfolio to decrease in value by doing real oversight on all these companies that are making me rich."
If the legal system cannot provide consequences to these people, then it's time to start thinking about where those consequences are going to come from. Hoping for consequences is not a very good strategy. A union is one such vehicle.
Neither of these is actually applicable here.
GM makes its money from selling cars (and financing for cars). If someone offers them a little extra for the data, they might take it, but they really don't care.
Neither do the insurance companies, except that if their competitors do it then so do they. If any insurance company has the data then they raise rates on the higher risk drivers and turf them to the ones without it, which puts them out of business. But if they're all banned from using it then they're all on a level playing field and again nobody really cares.
All you'd need is a law prohibiting insurance companies from using telemetrics and that would be the end of that. The main lobby against it would be the data brokers in this specific submarket, but they're hardly Big Auto and The Banks.
Start asking 5 whys here and see where it takes you. I'm pretty curious what your model of reality is that "5 whys" doesn't make you feel hopeless.
That seems like the kind of law that could actually pass? It only happens if people make a stink about it, because the inertial default is the status quo, but sometimes that's what happens.
Not to me. Sounds like hope as a strategy to me.
As opposed to despair as a strategy?
How's that working with police and/or teacher's unions?
Moreover, it's unclear how "professional ethics" would interact with legal and/or business decisions. If you think it's unethical and the legal department says it's A-okay, then what? For professions like engineering you could plausibly make the case that engineers should have the final say on decisions involving safety or structural soundness, but that's less convincing for business decisions. For instance would civil engineers be expected to reject building a luxury condo on "professional ethics" grounds because the building would gentrify the neighborhood and displace marginalized groups?
I think a union is a tool like a gun. A gun can be used to steal money. A gun can be used to keep your home safe. A gun can be used to protect your country from foreign invaders. The gun is amoral.
How do you stop a bad guy with a gun? Ironically, the people generally most anti-union know the answer to that question the best.
The police union demonstrates that unions work. They have completely removed police oversight and made officers exist generally above the law and provided incredible overtime pay. That is not an anti-union argument, that's a why the hell aren't you in a union argument.
Teachers unions are more complicated because teachers care more about the children than themselves and that creates a problem because in order to act in their own self interest by exercising union power they have to harm children and maybe even a generation of them. Of course one could also cogently argue that the general undesirability of being a teacher is and has been harming children for decades.
There needs to be a new "-flation" term for this (privacyflation?). Where we're also paying in terms of our privacy
Corporate Voyeurism
Why normalize a weird friendly term for spying?
spyflation
Personal bubble deflation
It's cyberstalking, plain and simple.
panopticoflation
https://en.wikipedia.org/wiki/Panopticon
There’s already a word: stalking.
If the health insurance industry is several times larger than car insurance then there must be a very high financial motive for Ancestry/23&me to sell your curious aunt's DNA data which is also linked to relations.
At least the health insurance industry is legally prohibited from charging different rates to people based on DNA. So, at most, they can use it to try to get you specialized care.
They'll sell the data to potential employers so they can avoid hiring people that may have expensive diseases to treat.
No shit. Plus 23 and me is in deep financial trouble last I heard. Someone out there is drooling over that data set.
I know otherwise smart people (in the analytical sense) who paid money to hand over their most sensitive biometrics to these companies. And they’re still like “the data brokers can have it, what are they gonna do?”
How long until a US equivalent of the GDPR ?
Privacy legislation is antipartisan[0]: the US government relies on buying dox from adtech creeps to do all the spying they otherwise couldn't legally do, so nobody in power wants that loophole closed.
[0] Bipartisanly supported by the electorate and bipartisanly opposed by the elected representatives of said electorate
Once there are 32 or fewer Republicans in the Senate, so never.
A huge majority of my spam calls come from someone who bought it from ZoomInfo, Apollo, or other. I made a mistake somewhere and they got my personal number.
Now, every time I get a spam call, I insist they tell me where they're getting their info from. They'll try to say "our data team", but if you keep insisting they'll tell you.
These data exchange companies are despicable.