Senators Franken And Coons Question OnStar Over New Policies

Edward Niedermeyer
by Edward Niedermeyer

Editor’s note: When I wrote about OnStar’s latest round of privacy concerns, I didn’t realize that the chairman of the Senate Judiciary subcommittee on privacy, technology and the law had voiced his own concerns in a letter published just the day before. Here is the letter, as published at Senator Franken’s website. OnStar has already said it will respond to specifically to the concerns of Senators Franken and Coons.

Ms. Linda Marshall, President

OnStar Corporation

400 Renaissance Center

Detroit, MI 48265

Dear Ms. Marshall:

We are writing to express our serious concern with OnStar’s announcement earlier this week that it would continue to track the GPS locations of its customers’ vehicles even if those customers have affirmatively ended their contractual plans with OnStar. In this email announcement, OnStar informs its current and former subscribers that it reserves the right to track their locations “for any purpose, at any time.” It appears that the only way to stop this tracking is to actually call OnStar and request that the data connection between OnStar and the vehicle be terminated; this service is not available online. OnStar further reserves the right to share or sell location data with “credit card processors,” “data management companies,” OnStar’s “affiliates,” or “any third party” provided that OnStar is satisfied that the data cannot be traced back to individual customers. See OnStar, Privacy Statement: Effective as of December 2011. In a nutshell, OnStar is telling its current and former customers that it can track their location anywhere, anytime—even if they cancel their subscriptions—and then give or sell that information to anyone as long as OnStar deems it safe to do so.

OnStar’s actions appear to violate basic principles of privacy and fairness for OnStar’s approximately six million customers—especially for those customers who have already ended their relationships with your company. OnStar’s assurances that it will protect its customers by “anonymizing” precise GPS records of their location are undermined by a broad body of research showing that it is extraordinarily difficult to successfully anonymize highly personal data like location. See generally Paul Ohm, Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization, 5 UCLA Law Review 1701 (2010) and Marco Gruteser and Baik Hoh, On the Anonymity of Periodic Location Samples, in Second International Conference on Security in Pervasive Computing, Boppard, Germany (2005) at 179-192. If a data set shows the exact location where a car starts every morning, the roads that car travels on its morning commute, the office where it is parked during business hours, and the schools where it stops on its way home, it is unnecessary for that data set to include a name or license plate for it to be connected to an individual and his or her family.

We urge you to reconsider these decisions. We also urge you to better inform your customers of their ramifications. To that end, we request that you provide answers to the following questions:

1. Does OnStar believe that its actions comply with federal law?

2. Will OnStar allow its customers to deactivate their data connections online?

3. If a customer deactivates their data connection, will OnStar delete the existing location information they have gathered for that customer? Or does OnStar reserve the right to store and sell that information regardless of deactivation?

4. Has OnStar ever suffered a breach of its customers’ location data?

5. Has OnStar ever suffered a breach of any of its customers’ private information?

6. How will OnStar protect non-anonymized data on its servers in light of recent breaches at major institutions like Citibank, Sony and the International Monetary Fund?

7. How exactly will OnStar anonymize its location data?

8. Will OnStar seek its customers’ consent before sharing or selling their location data to third parties? Does OnStar believe it is legally required to do so?

9. Will OnStar inform its customers of the entities to whom it sells location data?

10. Has OnStar already disclosed or sold any of its customers’ location data with third parties? Which third parties?

11. Will OnStar agree to stop the tracking, sharing, and sale of location data for customers that have ended their subscriptions to OnStar services?

We believe that OnStar’s actions underscore the urgent need for prompt congressional action to enact privacy laws that protect private, sensitive information like location. In the meantime, we believe that it is the responsibility of corporate citizens like OnStar to take every step possible to safeguard the privacy of their customers.

We appreciate your prompt attention to this matter.

Sincerely,

Al Franken Christopher A. Coons

Chairman, Subcommittee on United States Senator

Privacy, Technology and the Law


Edward Niedermeyer
Edward Niedermeyer

More by Edward Niedermeyer

Comments
Join the conversation
2 of 50 comments
  • 30-mile fetch 30-mile fetch on Sep 26, 2011

    Okey dokey, you don't like Al Franken. Most of us care about that as much as the typical Massachusetts resident cares that you won't grace the state with your presence. But how do you feel about Franken's stance on the OnStar issue above?

  • Bunkie Bunkie on Sep 26, 2011

    Personally, I'll take a smart comedian over a dumb newscaster any day. Last year on Celebrity Jeopardy, Wolf Blitzer faced off against Andy Richter. There was no contest. Blitzer blew questions about current affairs and history left and right. Richter, on the other hand, didn't miss a trick, scoring well on those same questions as well as much of the more obscure stuff. Without his cue cards, Blitzer is an empty suit. Franken is a smart comedian. I attended a lecture he gave at Ohio State back in the '90s. I was expecting jokes, but what I got was a thoughtful, well-reasoned analysis of the then-current political situation. He's a very well-educated, smart guy.

  • Varezhka Of all the countries to complain about WTO rules violation, especially that related to battery business…
  • Carson D At 1:24 AM, the voyage data recorder (VDR) stopped recording the vessel’s system data, but it was able to continue taping audio. At 1:26 AM, the VDR resumed recording vessel system data. Three minutes later, the Dali collided with the bridge. Nothing suspicious at all. Let's go get some booster shots!
  • Darren Mertz Where's the heater control? Where's the Radio control? Where the bloody speedometer?? In a menu I suppose. How safe is that??? Volvo....
  • Lorenzo Are they calling it a K4? That's a mountain in the Himalayas! Stick with names!
  • MaintenanceCosts It's going to have to go downmarket a bit not to step on the Land Cruiser's toes.
Next