The moral here is to use X- headers for evil, because people will quickly notice when you start injecting random stuff into URLs you don't manage.
Actually, current or planned location of the client is a sensible thing to provide in some standardized header, though of course not without informed consent.
I am having a hard time determining if it's the vehicle making the actual request, or if the request is somehow proxied from the Nissan CARWINGS data center. If it's just the CARWINGS data center, that is probably a really easy fix.....but if it's the car....ugh...
Only the car can transmit its own GPS and heading data. If it gets to the logs of your own web server, it came from the car somehow or another. If it's glommed on to the request on its way through the CARWINGS datacenter after arriving there by another protocol, that's worse. It means they're hoarding the data in their cloud and your privacy has never even crossed their minds.
The IP number in the log is from a block in Japan, named GLOBALEV-IT, belonging to Hitachi Automotive Systems, Ltd. Traceroute shows it's reached via tokyjp01.jp.ra.gin.ntt.net, which suggests that it's actually in Japan, not just allocated to a Japanese company.
Given that the location in the article is somewhere in/around Seattle, I'd say it's pretty clear that CARWINGS is proxying the request.
Not sure about others, but on a 3G network, you're very likely to get a different IP address for each request. This makes tracking a bit more difficult, as you'd have to correlate by lat/long. Given that there doesn't seem to be any sort of UUID in the request and that the requests are likely to be ~10 minutes apart, I'd think the risk of actually being tracked is quite low.
That's a feature! Seriously, imagine the possibilities. Yes, privacy is good and should be protected; however, this feature enables many fancy things to be done.
Maybe the lat/lon URL parameters would be a good thing to standardize on, actually. Having feeds tailored to your location makes a lot of sense on other mobile platforms than just cars.
Aggregating the speed data is useful too, e.g. based on lots of location and speed data, you can tell that traffic on Highway 1 is moving, but on Route B it isn't, and route incoming cars accordingly.
Or gather data on average speeds and numbers of journeys by time of day for capacity planning.
It can be used for evil, but there are legitimate uses too. It's a hard problem to get the data out to only where it can do good.
I can't see anything identifying the car or driver? And it only sends it to RSS feeds the driver is subscribing to? It should be in the manual, so that the owner knows it's happening, but I don't see much risk in it as long as the car isn't identified. It just says "there is a car here, going there". It can be used for so many great things, like diverting traffic to low volume areas, alerting the driver to accidents and so forth. Be sure to only subscribe to feeds you trust. We are already tracked in so many ways with our phones and cameras all over, this doesn't add any huge disadvantage as far as I can see.
A car that always leaves the same residence at 8:00 AM and arrives at the same business at 8:35 AM is trivial to correlate with a specific driver. From there, use your imagination as to how this information can be abused.
It's not without problems; sure, we will be more vulnerable to somebody attacking the datastores keeping these locations. But honestly, so much data is stored about us already, this is not a big enough leap to provoke a big outrage. It's just another piece of the monitoring puzzle, and a small piece at that. When I check my iPhone for apps using location service, I find ones that shouldn't need it, like "Cut the Rope", "Dropbox" and "HuffPost". I also find services that really need my location to add value, like Airbnb and TripIt. When we start sharing our location, we get access to new services that can help our lives and we also expose ourselves. If you don't think location services can add value to your life, buy another car and disable location sharing in your phone. If you do like the services that enhance your life with location services, enable it and learn to live with the fact that somebody might be able to figure out your movement habits. It's a tradeoff like everything in security.
...the database of their own RSS feed webserver? By picking up the current location at the various times someone's car hits your server on that morning commute just mentioned, you could probably map out the commute in detail within a few weeks.
No need to map it out, as the LEAF provides the current or last navigation destination lat/lon in the request as well! Most LEAF drivers will probably have something programmed in, as the car provides range information and traffic re-routing functions based on destination.
And after your personal data has been extracted and sold to third parties, you go into your car to try to disable the lat/long transmitter and you go to jail because you triggered alarms which notified the authorities you were probably trying to hack into their systems and extract sensitive copyrighted software.
They have the freedom to track my locations, but I don't have the freedom to look at the source code that drives me to work.