> Plaintiff did not want OnStar services and so he did not push the blue button "to get started." The email provides no mention of OnStar's Smart Driver Program.
…
> In or around January 2024, Plaintiff received his requested LexisNexis consumer disclosure. The report, as of December 18, 2023, had 258 recorded driving events under the "Telematics" subsection. Each driving event included trip details that show the start date, end date, start time, end time, acceleration events, hard brake events, high speed events, distance, and VIN.
…
> Plaintiff had never opted into any insurance program that would have allowed his information to be shared.
And if you own a car made in the last ~5 years, here's how to request your "Consumer Disclosure Report" from LexisNexis: https://consumer.risk.lexisnexis.com/ . According to NYT, LexisNexis receives at least some data from GM, Ford, Kia, Subaru, and Mitsubishi.
I wrote about this after my gag order expired. GM was shipping all telematics data to a big data cluster processing 100gbps of data (with double the data once Cisco released 400gbps support). Originally it was to help price their used cars. A noble effort I supported. I didn’t know about the sales to insurance brokers, but should have assumed that was coming.
Anyway cat is out of the bag, they won’t undo this feature they will pay a fine, offer an opt-out to 5% of users who take up the offer and in 10 years time everyone will assume their driving habits are being monitored by their insurance company.
How do I know this? It’s been 10 years since the hoopla about realtime location data being sold. Last night I saw my home IP address reports my location with .25 mile accuracy. Guess that $5 check from Verizon was the fine they had to pay!
Some time last year I wrote a comment here on HN about my Bolt EUV and OnStar. I can’t remember exactly what I wrote and don’t want to dig for it, but I said something like being happy with the vehicle and had disabled all of the OnStar features/tracking soon after I purchased it. Somebody replied that they were intimately familiar with the OnStar/GM project, having worked on it, and that it was still tracking me despite not being subscribed to any of their services and having turned off all the features in the car that I could. They couldn’t elaborate further, I assume because of an NDA or something. I bet dollars to donuts that this is what they were talking about now.
Edit: thanks to Stavros for finding the comment below. It looks like you were in fact the person I was talking to 11 months ago. Small world!
This is sorta unrelated, but in your previous comment you mentioned:
> least right now using CarPlay they aren’t getting all the data about which books or music I’m listening to.
CarPlay absolutely reports currently playing audio metadata back to the car. I've driven multiple cars that display the currently playing song, etc in the driving instruments cluster.
Plain old Bluetooth has supported track/caller data for many years now (ex: AVRCP 1.3) so it should be no surprise that cars were made that read and display that information.
That said, if my car persisted that information I'd be rather suspicious.
P.S.: It's also not unknown to have a certain level of address-book contact sharing over BT, since people were making hands-free calls in their car long before CarPlay/Android-Auto came around.
Yeah, I noticed that at some point last year. This is my first vehicle with CarPlay, so I’m not sure how it works in other vehicles, but with mine the CarPlay interface completely replaces the infotainment display. The car will also show the current media in the cluster, but it’s a few clicks away and not what I had configured. I finally realized that the car was still able to see what I was listening to with CarPlay when I navigated back to the car’s default Home Screen while idling one day and saw the name of my book playing in the car’s native media app.
There it is, thank you! That’s exactly the conversation I was thinking of. And I see now that the person I was talking to was in fact the very person I replied to here in this thread.
I purchased a Bolt as well. Literally the day after I drove it off the lot, I found and modified the electrical connections to the OnStar antenna system, as I'm fairly handy with electronics and work on all my own cars. If you yank the fuse you'll also lose hands-free Bluetooth calling and some other features, so you have to use it.
Anyway, told this story to many people, and they looked at me like I'm a conspiracy nut. Well this will be the 1000th conspiracy I worried about that turned out to be completely true, imagine that.
I own a Bolt (bought used) and have never activated OnStar, and I'm extremely unhappy to learn that it might be spying on me.
I did some reading when the NYT article came out, and found this, which explains how to install a terminator on the antenna to disable the cell connection:
https://imgur.com/gallery/n00QKnH. If you go that route, it's probably prudent to make sure your car isn't connected to wifi, either. (Edit: looks like that guide came from here: https://www.reddit.com/r/BoltEV/comments/16h91a6/i_made_a_st...)
^ that Bolt forum thread also talks about some of the downsides of disabling the antenna (e.g. GPS won't work so your home/away charging settings don't work anymore).
Phone meta data is tracked. Car meta data is tracked. Supplement with credit card data, browsing history, the Rings in your neighborhood, etc., etc., etc.
Per, "Stand Out of Our Light", we don't stand a chance.
Remember that 10 or 20 years ago, BEFORE phone, car and doorbell camera data was tracked, people were already saying "everything is tracked, we don't stand a chance", and this defeatist attitude has since contributed to allowing phone, car and doorbell camera data to be tracked as well.
You'd have to read the book. He uses "you don't stand a chance" in the context of will power.
That is, in short, (and I'm paraphrasing): ...Some of the brightest human behavior experts in the world are being financed by some of the deepest pockets in the history of the world to influence your (read: our) behavior... Just use will power? You don't stand a chance.
The "defeatist" to me is, "I don't have anything to hide." That might be true, but those influence super powers are going to use that "nothing to hide" against you.
Read the book. It's just over 100 pages. It's on the order of "The Age of Surveillance Capitalism" but that book is 500+ pages. THoSC is great but it's a serious commitment.
> He uses "you don't stand a chance" in the context of will power.
Having taken every reasonable measure I can to stop being spied on, I can concur that it does take a lot of willpower. As in, being willing to come across as a total ass to those trying to spy on you on behalf of their employers and also willing to literally walk away from the register leaving the stuff you've collected in the hopes of buying. ("But we require your name and phone number or we won't honor any of the warranties for what you're buying.") Paying cash for everything. Avoiding specific restaurants and shops that don't accept cash. Foregoing "members discounts" at the grocery market. Buying a specific phone just to install a third-party privacy-centric ROM. Buying a specific car just to be able to pull the fuse that powers the transmitter.
You can drastically reduce the amount of information that the data brokers collect on you, but I've found it's almost as if you need to adopt a new lifestyle in a lot of ways.
Guess we live in different worlds. Pretty much everyone around me, friend, family, coworker, or neighbor is fully aware and expecting any and all devices around them to be spying. Not all care or think it's nefarious though.
Welcome to customized pricing for everything, based on how much they think you value inconvenience vs spending money.
Dark patterns are the new frontier of corporate greed. Every business model now needs a “moat” (monopoly) to be considered fundable. The antitrust skirtings are built into the whitepaper these days, and having competition in your space is a bad smell. The invisible hand of the market and all that lol.
Most cars have an integrated SIM. You can either pull the fuse, and lose a bunch of functionality, or if you're clever, throw an attenuator on the antenna rendering it useless but preserving the functionality of the rest of your car.
Do they not store it and just upload it once the car goes in for service? I have a 32 Gb mini SD card the size of a fingernail that was like $10, something like that would store a fuckload of hard braking events.
Amazon Basics SD micros are $20 for 2x 64 GB at retail. For $10 I'm sure that's a chance they're willing to take. They'll just raise the MSRP by $100 to compensate.
You are not thinking outside the box enough. The manufacturer has a specific system requirement for certain tasks such as ECU reprogramming and key replacement. You must use the manufacturer-furnished tool to do such an operation. This tool will pull all data, including GPS, entertainment, etc., which includes your driving style, locations, etc.
Time to pop it in a data usage heavy device for free data.
The BBC or someone has had at least one article about a bird tracking device that operated via cellular and a SIM that expected 5k or less data a month suddenly started charging gigs a month in their home continent just after the last natural-looking flight of the bird ended; the ornithological society involved had a few shock bills.
From what I know, this wouldn't work. I worked for a telco and the way they explained it to me is that SIMs for these purposes are not the same as consumer SIMs. They end up on a different network using a different APN and they typically go straight to a VPN or other private network for their owner. And no, you can't reconfigure them to the consumer APN (I asked). (This was not in the US btw.)
Most SIMs for such purposes are sat directly on an L2TP connection or similar. They’re often not public internet.
As a consumer you can buy similar - I know my ISP (A&A) will sell you (quite reasonably) a sim that will drop straight onto an L2TP connection of your choosing.
> Anyway cat is out of the bag, they won’t undo this feature they will pay a fine, offer an opt-out to 5% of users who take up the offer and in 10 years time everyone will assume their driving habits are being monitored by their insurance company.
So can't the plaintiffs just request an order compelling GM and others to remove the feature forever as part of the remedies?
Specific Performance. A court can order as the equitable remedy that one of the parties does a specific thing. Yes, in principle. But no in practice.
The real world use of Specific Performance is mostly in Real Property ie the ownership of land and this is because land is very obviously not fungible. The square meter of land I need to get my cows from the grazing field to the nearby milking shed is not in any way equivalent to an otherwise similar square meter of land on the far side of the field leading nowhere, and having the wrong one can't meaningfully be compensated with money whereas the court can just order Specific Performance (ie the wrongful owner hands over the land) to fix the problem.
But even beyond that in practice class actions are primarily about the lawyers getting a healthy pay day. $1M each for us as lawyers and each individual "participant" in the class action gets $1 and a 5% discount coupon that expires in six weeks? Sounds good. For the lawyers the incentive is that pay day and the only reason to care about their participants is that if they're treated too poorly a judge may not sign off on the deal.
The visceral desire for retribution is half of the problem here. Companies respond to incentives. The problem isn't generally the price. When they get caught the cost is generally more than the benefit they received.
The problem is that they often don't get caught, or find a way to weasel out of it. As a result the managers who do it will be rewarded most of the time, and even when they're on the wrong side of the gamble, half the time they'll already have left for another company. Raising the penalty wouldn't deter that.
What you need is a remedy that can address the offense. Order them to publish the source code to the system for 10 years, so that anyone can audit or modify it in case they try something similar again. Not only does it make it harder for them to reoffend, it's the kind of penalty that corporate lawyers hate, and then they'll be more likely to insist on policies to prevent that from happening to begin with, which puts pressure on preventing the problem from a different angle.
Specific performance is a contractual remedy. It is rarely granted because contracts are usually about business arrangements, and you can solve most of those problems with money. So for contracts the usual remedy is monetary damages.
Courts are more than able to order parties to do things without invoking specific performance via injunctive relief, which you’ll see from the complaint is what is being sought by the plaintiffs.
This is true of almost all equitable remedies - you have to show that money won’t make you whole. Luckily the bar for that is much lower than for contractual disputes, especially disputes like this where an ongoing violation of someone’s statutory rights is allegedly happening.
> in 10 years time everyone will assume their driving habits are being monitored by their insurance company.
And even if there continues to be an opt-out, those plans will become so prohibitively expensive that you're essentially forced to allow your insurer to spy on you. Privacy is always priced out in the free market. Regulation is the only way. It's not a net benefit to society, just outlaw egregious data collection.
How does the data leave the device? I tried to route traffic from the infotainment system into a WiFi network I was wiresharking, and I saw a lot of GM traffic but I couldn’t install a cert to MitM because I couldn’t figure out how to access the Android settings for the dash OS.
Is the traffic through there or is it totally within the CANBUS and never hits the WiFi outbound? In that case do you need to hijack the 4G?
Not that I support any of this, but why would networking speed be the bottleneck in that system? Telematics seems very much like an OLAP situation where data ingest and querying can be asynchronous.
> And if you own a car made in the last ~5 years, here's how to request your "Consumer Disclosure Report" from LexisNexis: https://consumer.risk.lexisnexis.com/ . According to NYT, LexisNexis receives at least some data from GM, Ford, Kia, Subaru, and Mitsubishi.
Appreciate this link! I don't have one of the listed brands (own a Mazda) but I am curious to see what info data brokers like this have on me in general.
Also, maybe this is a naive thought but I think data brokers like this are so used to operating in the shadows / being forgotten about so I think the more folks who request is at least a small signal to them that folks are paying attention.
Wow, I just submitted the consumer disclosure report this morning after finding out about it from somewhere else. I am VERY interested to see if anything is reported from my car since I don't have any of the addons/monthly fees.
I assume LexisNexis does not provide this report out of the goodness of their heart, it must be required by FCRA?
If I really don't like LexisNexis collecting this data, or if I really just want to stay on top of my credit status, is there any reason not to script something to request a physically mailed report every day? Not sure how much they pay per mailing, but 365 of them can't be cheap.
You can't take this as authoritative but my business has a data relationship with Toyota and they have a ton of juicy telemetry data.
Their attorneys are mad protective of the PII they have. Our relationship serves the public interest. We use the data to find people with open recalls where Toyota doesn't know who the current owner is.
I say this to say that we have other OEM relationships that are far more liberal with their encumbered data. Thus far Toyota seems to be playing it very straight.
You seem to be suggesting that Toyota are the good guys because they collect data but don't share it.
That's not what I want! I want them not to collect it. Then I don't have to worry about what they use it for, whether they share it, or whether it will get leaked.
• Violations of the Fair Credit Reporting Act (FCRA) due to the alleged improper sharing and reporting of plaintiffs' driving data without consent, impacting their ability to secure car insurance and leading to increased rates.
• Violations of the Florida Deceptive and Unfair Trade Practices Act, accusing the defendants of engaging in deceptive practices by sharing personal driving data without the knowledge or consent of the car owners.
• Invasions of privacy under Florida common law, arguing that the defendants' actions of tracking, collecting, and sharing personal driving data without consent intrude upon the plaintiffs' private lives and are offensive.
Unless senior managers and board members get criminal convictions and jail time it will continue and the "disturbing" will cease only by being normalized.
Hoping for a magic responsible all powerful legal daddy to come enforce a just set of laws is pure fantasy.
The people doing regulation and oversight have been bought and paid for by these "managers and board members." Citizens United codified their right to do this into law.
If you want professional ethics, you have to create a vehicle that can enforce professional ethics or wield political power -- a trade union or guild.
No congress-member is going to wake up and be like "gee, I sure wish I would get a few less bribes (campaign contributions) today," or "I sure would like my stock portfolio to decrease in value by doing real oversight on all these companies that are making me rich."
If the legal system cannot provide consequences to these people, then it's time to start thinking about where those consequences are going to come from. Hoping for consequences is not a very good strategy. A union is one such vehicle.
> No congress-member is going to wake up and be like "gee, I sure wish I would get a few less bribes (campaign contributions) today," or "I sure would like my stock portfolio to decrease in value by doing real oversight on all these companies that are making me rich."
Neither of these is actually applicable here.
GM makes its money from selling cars (and financing for cars). If someone offers them a little extra for the data, they might take it, but they really don't care.
Neither do the insurance companies, except that if their competitors do it then so do they. If any insurance company has the data then they raise rates on the higher risk drivers and turf them to the ones without it, which puts them out of business. But if they're all banned from using it then they're all on a level playing field and again nobody really cares.
All you'd need is a law prohibiting insurance companies from using telemetrics and that would be the end of that. The main lobby against it would be the data brokers in this specific submarket, but they're hardly Big Auto and The Banks.
That seems like the kind of law that could actually pass? It only happens if people make a stink about it, because the inertial default is the status quo, but sometimes that's what happens.
For years, I've been wondering when the data bubble was going to burst.
The whole "we'll make a TV with a $700 BOM and sell it for $600 because the viewing data is so valuable" situation. The "we'll burn valuable customer trust and loyalty for a $40k car because the insurance companies will pay us so much for the monitoring data." The grocery store desperately needing to track individual consumers rather than the aggregate "we sold 500 cans of Spam at this location today"
Civilization somehow managed to work for centuries without having to passively instrument every activity. So we can assume that what's being chased is marginal gains-- slightly better targeting and rates than we could get out of the information we were, as a society, comfortable with being public.
Does it really cover its costs? I always imagined so much of it was institutionalized FOMO-- "we must be data driven because our competitors are"-- and eventually someone's going to run the numbers.
> If you want professional ethics, you have to create a vehicle that can enforce professional ethics or wield political power -- a trade union or guild.
How's that working with police and/or teacher's unions?
Moreover, it's unclear how "professional ethics" would interact with legal and/or business decisions. If you think it's unethical and the legal department says it's A-okay, then what? For professions like engineering you could plausibly make the case that engineers should have the final say on decisions involving safety or structural soundness, but that's less convincing for business decisions. For instance would civil engineers be expected to reject building a luxury condo on "professional ethics" grounds because the building would gentrify the neighborhood and displace marginalized groups?
I think a union is a tool like a gun. A gun can be used to steal money. A gun can be used to keep your home safe. A gun can be used to protect your country from foreign invaders. The gun is amoral.
How do you stop a bad guy with a gun? Ironically, the people generally most anti-union know the answer to that question the best.
The police union demonstrates that unions work. They have completely removed police oversight and made officers exist generally above the law and provided incredible overtime pay. That is not an anti-union argument, that's a why the hell aren't you in a union argument.
Teachers unions are more complicated because teachers care more about the children than themselves and that creates a problem because in order to act in their own self interest by exercising union power they have to harm children and maybe even a generation of them. Of course one could also cogently argue that the general undesirability of being a teacher is and has been harming children for decades.
If the health insurance industry is several times larger than car insurance then there must be a very high financial motive for Ancestry/23&me to sell your curious aunt's DNA data which is also linked to relations.
At least the health insurance industry is legally prohibited from charging different rates to people based on DNA. So, at most, they can use it to try to get you specialized care.
No shit. Plus 23 and me is in deep financial trouble last I heard. Someone out there is drooling over that data set.
I know otherwise smart people (in the analytical sense) who paid money to hand over their most sensitive biometrics to these companies. And they’re still like “the data brokers can have it, what are they gonna do?”
Without extremely aggressive changes to how we handle situations like this, it seems unlikely.
A fine is a price, and there are basically no laws that put financial, let alone criminal liability for people behind the corporate veil or seizure/dissolution of a corporation that consistently breaks the law on the table.
Whenever the GDPR is mentioned here, people more or less treat it as a sign of fascism. With that attitude from us, how can our rights on privacy be respected?
I'm extremely glad that the GDPR and NOYB.eu mean that car manufacturers can't pull that shit here. If I opt out, I'm opted out, or there will be big fines for them.
The problem with the GDPR is the overhead. If it was one line that said "you can't sell data on people without their explicit freely given consent" then anybody could comply with it by simply not selling data on people.
But it's a long piece of legislation and some of the requirements are time-consuming to implement even if you're not doing anything nefarious. "It is bad for innocent people to incur uncompensated costs" should be a primary principle in creating legislation.
> If I opt out, I'm opted out, or there will be big fines for them.
They're getting sued. If the plaintiffs win they'll have to pay. It's not obvious why this is worse or any less of a deterrent.
"Every contract, combination in the form of trust or otherwise, or conspiracy, in restraint of trade or commerce among the several States, or with foreign nations, is declared to be illegal."
> What's a contract? What's trust, or conspiracy? What's trade, or commerce, or a foreign nation? What does "declared" mean?
These have established meanings in existing law. What are you proposing as a plausible ambiguous interpretation of "declared"?
> This is the legal equivalent of "I can write Doom in one line, import doom; doom.start()".
That's two lines.
Also, it's not equivalent, because the original is actually a composition and not just a tautology. It's like saying that this one liner to find word frequencies in a file:
> What are you proposing as a plausible ambiguous interpretation of "declared"?
Is your argument that the GDPR can be one line because "data" already has an established meaning in existing law? The GDPR is large because all these things needed to be defined, and there are tons of edge cases, not because the lawmaker figured they'd add some extra fluff in there.
It's not being verbose or well-defined which is the problem. It's that the law isn't a single well-specified requirement but rather many independent ones that each have to be complied with separately, including by people who weren't doing anything untoward to begin with.
If you weren't doing anything harmful then your preexisting behavior shouldn't become unlawful.
Here's the GDPR in one sentence for you: "do not process data from people that haven't consented to that processing".
The rest of the text is about specifying the terms of art processing, data, people, and consent.
> If you weren't doing anything harmful then your preexisting behavior shouldn't become unlawful.
Exactly. Except that you do not get to define harmful, the law does. If you weren't processing any PII, then your preexisting behaviour did not suddenly become unlawful.
> It's not obvious why this is worse or any less of a deterrent.
I'd say it may not be obvious why, but it's obvious that it is less of a deterrent, because this sort of data trading seems to be commonplace and semi-overt in the US, and much less common (and hush-hush in the rare cases where it does happen) in Europe.
I'd also hazard a guess why it's less of a deterrent: the risk, i.e. probability of successfully getting sued * cost of successfully getting sued, is likely much lower compared to the relatively high probability of a DPA going "WTF no" in Europe as soon as someone reports it.
> I'd say it may not be obvious why, but it's obvious that it is less of a deterrent, because this sort of data trading seems to be commonplace and semi-overt in the US
But that's because the US doesn't even have the law requiring express and freely given consent, so they just stick the consent in some agreement nobody reads next to a box you have to check. You could have that rule without having the whole GDPR.
In this case they apparently collected the data even if you never checked the box, which is just egregious and now they're getting sued.
> the risk, i.e. probability of successfully getting sued * cost of successfully getting sued, is likely much lower
Certainly this is not because plaintiffs would be unwilling to file claims if they could.
How? Who will represent that viewpoint in the halls of congress? The EFF is politically ineffective and always has been for reasons I don't understand, and no one else seems to care.
> The EFF is politically ineffective and always has been for reasons I don't understand, and no one else seems to care.
Going by the EFF's latest published financials (2022), they took in $23 million vs $16.6 million in expenses. Vs literal billionaires and nation states. Some of the billionaires have more money than the nation states do. David, meet Goliath.
I care. I give them my money. They seem to do a better job at advancing these interests than anyone else. I'm more in awe of their attempts to take on issues of this magnitude given their meager resources than anything else.
Let’s think outside the box a little. What we need is a general process whereby the public gets to decide if a business should exist. Too often companies just form, abuse us, and there is no way to stop them. What if, once a year, companies had to justify their existence in front of a citizen panel or a jury of random people or something? They’d need to demonstrate what good the public receives from their existence, or their assets get sold and the company dissolved. Why do we believe that companies simply have a natural right to exist as long as they can survive? Where did this come from? Companies should answer to the public!
> They’d need to demonstrate what good the public receives from their existence, or their assets get sold and the company dissolved.
If their assets get sold and one entity buys all of them then they could just carry on operating the same company with them. The most likely buyer for something like that would be a competitor. That seems bad.
Maybe we could require the opposite. Their assets get sold, but can't all be sold to the same party. You split the company up, e.g. by delaminating vertically integrated components into separate companies. That way it's easier to enter the market and compete with any of them because you don't have to replicate the whole stack, only that one component.
You might not even need to have a vote, just some rules for when this happens automatically, like when a company has more than e.g. 35% market share, because that's too close to a monopoly and you wouldn't want a trust to form. We could call this anti-trust.
> What we need is a general process whereby the public gets to decide if a business should exist.
So if I want to start a small business, say a mom and pop restaurant, the public has to approve it first? You must be joking. Most businesses are small businesses. Hamstringing them is a recipe for disaster. Our regulatory system already disadvantages small businesses in countless ways. Indeed, that's part of the reason why large businesses can get away with so much.
The public already has a way to disapprove a business: don't buy from it. If nobody buys what the business is selling, it goes out of business.
The real oversight the public should be exercising, but isn't, is to vote out of office politicians that allow large businesses to buy their way out of trouble.
> The public already has a way to disapprove a business: don't buy from it. If nobody buys what the business is selling, it goes out of business.
This “let the market decide” approach is clearly not working. It assumes that only the direct customers of a business are the stakeholders that matter, because they have the wallets to vote with. There are many, many companies that the general public do not buy things from yet suffer their harms. There are a lot of terrible businesses, large and small, that I don’t purchase from which I’d vote in a heartbeat to get rid of if I had the opportunity.
> There are many, many companies that the general public do not buy things from yet suffer their harms.
Examples, please? I find this claim extremely dubious.
> There are a lot of terrible businesses, large and small, that I don’t purchase from which I’d vote in a heartbeat to get rid of if I had the opportunity.
Of course, because you personally don't depend on those business for anything. (At least you appear to be assuming you don't--though you might indirectly. But let's assume you don't even indirectly.) What about the people who do?
You have to use a service that harvests your data for that to happen. That's your choice. Nobody is forcing you. There is certainly no need to have a public vote to outlaw the companies. (Now, if you were to propose that our lawmakers outlaw the ad-supported business model, so that companies providing the services that now harvest data to make money would have to make the users of their services paying customers instead...)
Also, do you buy anything that the advertisers who buy your data are selling?
All change is destructive. No matter how bad something is, someone depends on how it is right now. Someone will at the very least be inconvenienced by it changing.
The fact is, no company actually primarily exists to employ people, and people lose their jobs to this basic fact all the time, sometimes for no reason other than that some investor expects extremely marginal gains from signaling that they are serious about cutting costs.
Also, the dissolution of a company and dispersal of its assets could include allocations for severance pay to cushion the blow if that's a concern, which is not always available to people who are hit by random layoffs.
Perhaps the threat of actual extreme punishment would incentivize companies to behave such that the punishment never gets invoked?
Currently the worst thing companies ever face is a little itty bitty fine and maybe a toothless regulator telling them “Pretty please would you mind not doing that again? If it’s not too inconvenient to shareholders that is…”
If con-gress was serious, they'd ban/restrict any social media that relied on tracking. Or better yet, they'd pass a bill restricting data brokers of any sort ala GDPR.
I agree data brokering of any kind should be completely illegal. I don't think TikTok is only being banned because of China though. I just think it's a bonus compared to ByteDance legitimately being a malicious data-harvesting nightmare that also happens to own one of the most mentally damaging social networks of the decade.
This is funny, but sadly true... I just told someone yesterday if lawmakers truly cared about all of this they'd ban all social media. Lobbyists and lawmakers will be eating well until then.
A huge majority of my spam calls come from someone who bought it from ZoomInfo, Apollo, or other. I made a mistake somewhere and they got my personal number.
Now, every time I get a spam call, I insist they tell me where they're getting their info from. They'll try to say "our data team", but if you keep insisting they'll tell you.
Privacy legislation is antipartisan[0]: the US government relies on buying dox from adtech creeps to do all the spying they otherwise couldn't legally do, so nobody in power wants that loophole closed.
[0] Bipartisanly supported by the electorate and bipartisanly opposed by the elected representatives of said electorate
Nice thing is that tracking via cellular never stops working but if you are in an emergency they will not call emergency services for you if you don't pay the subscription.
It's good to read this thread and know that finally people are realizing the full extent of the surveillance. I have dealt with a Govt agency targeting me for several years and having technical knowledge, I've noticed all of this invasion of privacy and control used against me, lots of it wouldn't even be possible without technology or the internet. But it's so much more than if you gave up your phone... It's a literal surveillance state and even if you go to the suburbs away from the concrete prisons our cities have been turned into, you still have front door cameras everywhere, accessible by law enforcement.
In fact, to abuse all of this stuff and weaponize it against someone, you do not need to have a court order or a warrant. As long as you find the right people, have the right narrative, companies will do all kinds of stuff to you, even if you are a customer.
And my original reply before going off on a tangent was that even if you remove your sim card, even if you somehow disable emergency services, your phone is still pinging and leaking all these signals that are picked up by all kinds of scanners.
Very few people even accept this is happening at scale, let alone are able to reason about the implications of it all.
The public needs a better job of being informed about the consequences of all of it.
I agree with the worry about surveillance. But isn't this really a continuation of how car makers treat their customers and the public generally? Car companies compromise privacy in the same way that they willingly compromise safety, public health and the environment. It is the result of a broken culture and naive to expect them to change.
I think it's a mistake to frame it that way. Collecting and selling data is essentially ubiquitous among companies with access to harvestable data. ISPs, cell providers, smart tv manufacturers, and so on are not broadly associated with some specific historic cultural or urban planning failing. They're companies with access to an additional revenue stream, and nearly any company that can will make the same decision.
GM is trying really hard to not get my business in the future. Between the no Car Play and Android Auto support in their new EVs. Now this. I'm just tired man...
GM seems to be floundering in mediocrity right now. They basically pump out generic, uninspired plastic boxes right now then try to nickel and dime their customers. In my opinion, foreign manufacturers are absolutely eating their lunch right now.
Despite being children of an automotive family, with a deep loyalty for the Big 3, we've started to avoid their cars. While they can run forever, they just start falling apart.
The rebadged Commodores were a bright spot in the lineup for a while if you like that kind of thing
What are “foreign manufacturers?” Hondas and Toyotas have been built in the states for a long time. Chrysler has been a transnational merger for a while and Ford and GM have long histories of importing their overseas products.
I will never buy a GM until they stop turning their reverse lights on when they're not reversing. This one small feature has wreaked immeasurable havoc on parking lots across the world.
They've done that just fine for me by releasing... lame cars across the board. Most of their brands are shells of their former selves (especialllly Cadillac) and I can't remember the last time I saw a Chevy that I actually liked.
I mean, I get that. Part of it is irrational because my father worked for and retired from GM. So it's a bit of a family thing. But the loyalty has a limit and I believe Mary Barra has reached the limit for me.
We’ve already taken quite a few manufacturers off the list for this reason, including GM. Vote with dollars people. Take my data without permission, lose my business.
My counterargument to this ideology is that US States are currently on a banning spree to prevent ranked-choice voting, which allows more candidates to participate in elections, but without anybody "wasting their vote on 3rd parties."
First past the post voting, which is how the US dual-party system prefers to elect, is a sham/joke/embarrassment.
I am eyeing up Hyundai Ioniq 5/6. Any comments? Irony is keeping the dumb old Toyota is cheaper even with the crazy tax breaks in Australia! I could hand over $10k to carbon offset company instead and still be ahead with the ol banger. And have the convenience of what they call service stations :-)
Current Chevy Volt driver, have now written off GM from my list. Was considering an Ioniq 5 for my next car until I heard about the issues where a minor scrape on the bottom could require a $60K (Canadian dollars) battery replacement: https://youtu.be/EEXieo06ta8
Right now I’m just driving an old Toyota and don’t plan on buying another car. I expect all of this to explode at some point and resolve itself, or I’ll just keep rebuilding my old Toyota until I die.
You've Japanese, German and to some extent even Korean cars that are much better. If pick up truck is what you're looking for, then Ford is much better.
The brands you are thinking of also likely have telematics with similar vague language about data collection. I've seen it in Nissans, Hondas, and Toyotas, personally.
If you're in the market for a smaller, cheap(ish) EV with decent range, the Chevy Bolt (used) is basically the only option, and honestly can be had for less than any equivalent ICE vehicle of similar quality/mileage
I just looked and that is some wild depreciation. In 2020 that went for 37k and goes for 13k now. A 2020 Prius started lower and will go for 19k today.
It's limited to 50 kW fast charging and the battery fires have put a damper on its reputation. Also it's shaped like an egg. The EUV does not look much better (in my opinion).
Air cooled battery can really destroy long term reliability on these cars and also throttle charging if the battery is too hot.
The car is a 10+ year old design that was the brainchild of a CEO that is no longer there. The company does not really have a mentality of being an EV leader.
Defective by design. Still using essentially the same battery pack they designed in 2008 for the 2010 LEAF -- no cooling system whatsoever, emergency resistive heater that keeps it from freezing but doesn't otherwise warm it, obsolete CHAdeMO charging port -- just with more capacity. They had their first class action lawsuit about unacceptable levels of battery degradation in new LEAFs in 2012, yet didn't change the design, just the warranty. The larger packs are now having high defect rates for cell-level failures. They are only able to sell a few hundred of them a month in North America for good reason.
Tesla claims not to sell or transfer the data they collect, and offer opt-outs from most of it. You can, if you are willing to void your warranty, remove the GSM/LTE module from a Tesla fairly straightforwardly.
Telematics should be disabled, preferably by way of hard cutting the modem chip's V-in. Call me a tinfoil hat lover, but when 23andme gets bought by an insurance company, the similarities with potential insurability issues are numerous when data is available to the other without a big, shining red opt-in.
Agreed, but acquisitions of public companies typically get regulatory attention up-front. An insurer buying 23andme would be an obvious red flag from day one.
I have obtained an email from GM stating that if I am an OnStar Smart Driver subscriber, I cannot opt out of my data being shared. I believe this violates at least California privacy regulations, probably some other states, which mandate opt outs. I seriously want to rip the modem out of my car.
The coda to the story is hilarious. CCPA apparently has an exemption (I'd say loophole) for the sale of personal information to consumer reporting agencies, as long as the use of that data is covered by the Fair Credit Reporting Act. So if FCRA allows it, CCPA says go right ahead!
Collecting and storing personal data needs to be exorbitantly expensive.
LexisNexis knew exactly what they were doing and probably already factored in litigation costs to the product.
Experian should have been fined out of existence when they lost all that data. The light of their funeral pyre could have warned away companies headed down the same path.
It is so enraging. Not only did they have zero consequences compared to what they should have received, they're still somehow the lone report I have to thaw for every single loan and line of credit.
After Equifax I have to assume my SSN and address are public. I froze everything and it will stay frozen forever. I think everyone should freeze all their accounts. It's tedious but easy.
You find the right area of each agency's website to initiate a freeze. IIRC you have to make an account with them. You will have to prove your identity, which involves answering multiple choice questions about loans and residences you've had.
My hang ups were mostly that I have a terrible memory so I had to look up info on loans to answer those questions. I was also full of rage that I have to give them my current info, but they 100% already have that from my bank, so whatever.
When thawing you log in to the account and choose what days you want it thawed for. If you apply for loans or lines of credit it's smoother to do ahead of time, but IME nobody cares if you have to thaw and then reapply.
I recently bought a Toyota because I was able to push the "SOS" button in the car and request that they disable telematics right after I bought it. I don't know whether they've actually stopped collecting my location information or if they can arbitrarily re-enable telematics at some time in the future for whatever reason, so I've additionally pulled a fuse that powers the transmitter. I'm mulling wrapping some components in a Faraday cage just for good measure.
The ability to prevent the car from spying on me was near the top of my list of desired features when I was shopping for a new car. This is one of the main things keeping me from buying another EV. So far as I'm aware there is nothing on the market where I live that won't constantly spy on you with no option to disable.
It's ultra annoying that "EV" seems to mean a tablet on wheels now. I just want a "dumb" car with a battery instead of petrol.
A friend of mine has a Mitsubishi EV Minivan (Japanese model) and it's about as close to a perfect "dumb EV" I've seen yet. It drives incredibly well. They just don't produce a 4x4 model yet, which is important if you live in cold snowy climates.
> So far as I'm aware there is nothing on the market where I live that won't constantly spy on you with no option to disable.
Kia EV6 has a telematics toggle in the hidden engineering menu. Vehicles sold in Massachusetts have it disabled by default to protest the state's "right to repair" law, but in other regions you can disable it yourself.
I bought a Toyota last year and the app clearly showed me a bunch of opt in/out options and I felt relatively confident they were either outright lying or I had opted out.
I never installed the app or registered an account or anything. The rep who I spoke to after pressing the SOS button mentioned that they had to create an account for me and then disable. They went ahead and at least said they did that while I waited on the line.
I'm more confident in effectiveness of pulling the DCM fuse.
I'm in the market to buy a car and have narrowed it down to a 2024 Prius. I've read Mozilla's papers and a few auto forums on privacy issues with some abilities to turn on/off telematics. As you say, none of what I've read is conclusive in whether this actually stops collection.
Do you have any links you followed for the physical fuse?
Is there a hardware hacking forum that would teach people how to modify their rig to use the good features of such devices regardless of manufacturer but intercept and modify telemetry data to feed them realistic looking but fake data until you press a distress button and then give real location? I ask because I do not trust the legal system to ever catch up to this globally or to have any real teeth that make companies feel real pain. I've played whack-a-mole with spammers and malware distributors. This feels the same to me. Until it becomes trivial to disable such things I personally will stick with fixing up used vehicles that I know are free of loose lips.
Leave it to data brokers and insurance companies to make the leap from "ick" to outrage.
On the other hand... to all selfish, unsafe street-racing, road-hogging Cadillac XT6 drivers out there: may your insurance rates double and may you swim forever in a sea of adverse underwriting decisions.
I do think there’s an interesting future dilemma here. I’m absolutely against them sharing this data without consent. But if sharing e.g. the number of hard brakes you do was made explicit and led to lower insurance premiums… I’d be tempted. I often feel like there’s little reward for adhering to traffic laws these days.
There used to be opt-in insurance programs with many carriers. They used to send you a device, but I guess that was mooted by secret mass surveillance?
Not really. Accidents are a function of driver and environment. You can't control the other drivers. If you think of the primary purpose of insurance as to make sure that the party not at fault is made whole, then perfectly priced insurance becomes like posting a bond in order to drive. Which isn't unreasonable.
(Plus uninsured motorist coverage for the other parts you can't control, which really is an insurance function.)
I recently requested a quote while insurance shopping, and Progressive seems to have already associated driving telematics history with one of my vehicles (a 2015 Chevy product).
While I dislike how little practical enforcement there is against the pervasive surveillance by ad-tech companies, this is one of the things that GDPR works wonders against:
No sane company would want to participate in such a scheme in Europe. Both the seller and the buyers would be on the hook for massive GDPR fines, and unlike a tech company where the privacy violations might be contributing 50% of the revenue and which could thus easily consider a 4% of revenue fine once every few years a (small) cost of doing business, car companies can't afford that.
General Motors had a global revenue of $172 billion, net income $10B, and the data sales are only a small part of that.
The intermediate company that's buying the data and reselling it to car manufacturers could potentially try to get away with it, because their entire business model depends on it, so they have little to lose. Just make sure to keep no money in the company because once the DPAs learn of the business the company a) has no business model because they will prohibit continued buying/selling of the data b) is likely to be bankrupted by the fine that might well exceed their entire revenue (for smaller companies, the fine isn't capped to 4% of revenue, the limit is 20M EUR).
For the insurance companies that would be buying this data I'd imagine it's even worse.
And this sort of egregious thing is something I can see DPAs actually enforcing, because it'd be much more clear cut than tech companies using non-compliant consent banners.
Edit: And I forgot the most important thing - if they don't put it into their privacy policy they're even more screwed, and if they do put it there, a customer who finds it can get it enforced by sending an e-mail (or in Germany, letter, because some DPAs don't accept e-mail) rather than finding a lawyer willing to start a class action.
Well, I removed the telematics module from my car. But it already stopped working because it was 3G only. The car was built in 2014, shipped with a 2G modem that was replaced at Ford's expense when 2G went offline shortly after the car was sold.
My other car with telematics was built in 2016 with a 3G modem that also no longer works.
For my car (2024 GR Corolla) you can pull a fuse that goes to the telematics computer.
The car has a bad habit of calling the emergency hotline on a race track if you go over rumble strips (those painted red/white strips) because it shakes the car so violently I guess. Popping the fuse will make it stop happening.
On my 2021 Camry, the fuse is labeled `DCS` — the only caveat is, it disables the front-right tweeter (there is a bypass, but requires you to remove the front dashboard and install jumpers across the DCS connector).
worse in subaru's... both front speakers AND the mic. bluetooth phone calls no longer work, and, your music only comes from the back.
similarly it is /possible/ though a giant PITA to take apart the front of your car and make those work again, per some blog post i saw 4 years ago and can no longer find.
I think this is also true on the Toyotas, but I do not carry a phone with me so it's just me streaming tunes on the XM radio [don't think this tracks/listens].
>your music only comes from the back
However, you barely notice the single missing tweeter, and it is but a small item on my car-care maintenance list [to add back the sound via harness jumper/bypass].
How we came to a stage where your iris is being monitored in your car, including mic and video recording and all your contacts being uploaded as soon as you connect to the entertainment sys... and nobody gives a fuck. It's beyond my understanding.
This is good news. I hope this serves as inspiration for future cases against app developers, Google, Microsoft, Facebook, and all who are not upfront about their data and privacy practices.
Buried in the complaint is an interesting part about why he lost his original insurance carrier, they stopped writing policies in FL. The personal injury lawyers in Florida are out of control. There are also a ton of staged accident rings that nobody is doing anything about. I’m surprised any insurance carriers exist in that state anymore.
> he lost his original insurance carrier, they stopped writing policies in FL. The personal injury lawyers in Florida are out of control.
I'm a little skeptical, this reminds me of past arguments of "blame malpractice lawsuits for exploding US medical costs, tort reform will fix it", which doesn't seem to have worked in the places where it was tried.
AFAICT most of the reasons insurers are pulling out of Florida involve the math around catastrophes like hurricanes.
But what if the automakers' solution going forward is to not make the feature optional? That the service gets baked into the price? They turn it on. They leave it on. Especially with a lease, won't they have a legal angle to protecting their property?
My concern is this might become a "be careful what you wish for"?
I understand that my opinion on this matter may be controversial, but I feel compelled to share my experiences. In the past five years, I've noticed a significant increase in aggressive driving. I've been the victim of two hit-and-run incidents where I was rear-ended, and the drivers fled the scene. In a third incident, a driver collided with the side of my car as the road curved and had the audacity to tell the police that I was at fault. In Texas, I've witnessed rampant red-light running, failure to stop at stop signs, excessive speeding (more than 15 mph over the limit), tailgating, and failure to use turn signals.
I believe that telematics could be a valuable tool in addressing this issue by scoring drivers based on their driving habits and adjusting their insurance rates accordingly. This would not only encourage safer driving practices but also ensure that responsible drivers are not unfairly penalized for the actions of aggressive drivers. In my opinion, telematics should be required for operating a vehicle on public roads.
I feel like cell phones have to be more sensitive than w/e transmitter the car has, but your point holds - naively wrapping it in foil still probably won't work.
Nice! I've done a bunch of RF attenuation experiments with friends, and foil+microwave was the best result we found using stuff lying around any of our houses. With foil+microwave we were able to attenuate the signal enough to seriously degrade service, but never quite enough to block all traffic. In our experiments, the microwave was doing the majority of the work, based on the signal strength we observed. Results also varied a good bit by carrier, presumably because of the different bands used.
I wonder what they'd do if you contacted GM et al to report that you've sold your car to some made up person. Would they wait until they get official notice from your local government to change where the data is recorded?
The secrecy is ick, but this is the future and there’s no stopping it.
There’s ample evidence that consumers won’t pay for privacy and as most consumers opt in to data sharing programs, the non-data-sharing cohort will get seriously adverse further raising the price of privacy. The equilibrium state is that only bad actors and a handful of privacy zealots will inhabit that pool and mainstream carriers won’t even bid it.
>“What no one can tell me is how I enrolled in it,” Mr. Chicco told The Times in an interview this month. “You can tell me how many times I hard-accelerated on Jan. 30 between 6 a.m. and 8 a.m., but you can’t tell me how I enrolled in this?”
Reading this got me cheering out loud for the plaintiff. I'm so glad to see someone taking these bastards to court.
I can relate in some small way to part of his ordeal - not with GM specifically, but I don't know how many times I've been stuck in a loop with companies who have no idea what happens to your data they hoover up and can't explain or answer even the most basic questions on that topic - and are confused as to why you are even asking.
I hope this gets its class action certification and jury trial, and I'm looking forward to kicking back with a bag of popcorn and watching the show. If he started a GoFundMe or something I'd be happy to make a substantial contribution to his legal fees.
It's long past the time bad actors like this who give you no real choice or control over the products you are buying start to be brought to justice.
>The DriveView program became available to Volkswagen Car-Net subscribers starting with model year 2020. By enrolling in DriveView, Car-Net users may be eligible for discounted rates from some of the top automotive insurance companies in the country. This program can also help Car-Net users monitor their driving by tracking activities like night driving, hard braking, and idle time. These factors all contribute to an overall driving score, which is visible within the Car-Net mobile app and on vw.com/carnet. Through the agreement with CCC, VW Car-Net will leverage the newly released CCC® VIN Connect, which applies driving behavior data at the point-of-quote, making it fast and easy for eligible consumers to connect with potential insurance discounts.
Many were increasingly of the opinion that they’d all made a big mistake in coming down from the trees in the first place. And some said that even the trees had been a bad move, and that no one should ever have left the oceans.
> Plaintiff did not want OnStar services and so he did not push the blue button "to get started." The email provides no mention of OnStar's Smart Driver Program.
…
> In or around January 2024, Plaintiff received his requested LexisNexis consumer disclosure. The report, as of December 18, 2023, had 258 recorded driving events under the "Telematics" subsection. Each driving event included trip details that show the start date, end date, start time, end time, acceleration events, hard brake events, high speed events, distance, and VIN.
…
> Plaintiff had never opted into any insurance program that would have allowed his information to be shared.
Related: "Automakers are sharing consumers' driving behavior with insurance companies" - https://news.ycombinator.com/item?id=39666976
And if you own a car made in the last ~5 years, here's how to request your "Consumer Disclosure Report" from LexisNexis: https://consumer.risk.lexisnexis.com/ . According to NYT, LexisNexis receives at least some data from GM, Ford, Kia, Subaru, and Mitsubishi.
Or from Verisk, which receives data from at least GM, Hyundai, and Honda: https://fcra.verisk.com/#/