Report: Connected Cars Already Know Everything About You

by Matt Posky

Vehicular privacy is one of those things we never thought we’d have to gripe about but, as automotive connectivity becomes the norm, it’s become one of the most nagging issues in the industry.

Taking a cue from tech giants like Google, Facebook, and pretty much every other website you’ve ever connected to, automakers have begun leveraging customer data on a massive scale. Always-on internet connections exacerbated this problem (feature?), but it’s extremely difficult to tell exactly what kind of information is being shot up into the cloud before ending up at a manufacturer’s data center.

While we’ve seen cars hacked for the purpose of assessing how they’d stand up to malicious entities bent on wreaking havoc, few have attempted to decode the surplus of information emitted by your vehicle. We know this because people would probably be pretty upset to learn of the pathetic level of anonymity currently afforded to them. Despite spending tens of thousands of dollars on a new vehicle, privacy is rarely considered standard equipment.

Borrowing some techniques from crime scene investigators, The Washington Post recently attempted to figure out what kind of information automakers are most interested in. It contacted Jim Mason, an ARCCA engineer who helps reconstruct vehicle accidents, and chose a 2017 Chevrolet Volt.

General Motors has a substantial lead in data acquisition, and it’s been pretty open about its interest in vehicular connectivity. (We’ve covered the evolution of OnStar, the rise of Marketplace, and GM’s research into customer behavior before.) And that background is why The Post went with a Chevy for its tests.

Mason gave the outlet a rundown on how modern vehicles utilize multiple computers and often have an array of sensors (thanks to advanced driving aids) that can store information on internal hard drives in order to be transmitted back to base when convenient. Getting that data as the manufacturer is easy. However, doing so at home requires loads of expertise, time, special equipment, and enough sweat to disassemble part of the car.

From The Washington Post:

It was worth the trouble when Mason showed me my data. There on a map was the precise location where I’d driven to take apart the Chevy. There were my other destinations, like the hardware store I’d stopped at to buy some tape.

Among the trove of data points were unique identifiers for my and Doug’s phones, and a detailed log of phone calls from the previous week. There was a long list of contacts, right down to people’s address, emails and even photos.

For a broader view, Mason also extracted the data from a Chevrolet infotainment computer that I bought used on eBay for $375. It contained enough data to reconstruct the Upstate New York travels and relationships of a total stranger. We know he or she frequently called someone listed as “Sweetie,” whose photo we also have. We could see the exact Gulf station where they bought gas, the restaurant where they ate (called Taste China) and the unique identifiers for their Samsung Galaxy Note phones.

Mason said he’s also hacked into Fords that recorded positional data every few minutes, regardless of whether you’re using the navigation system, and German models with 300 gigabyte hard drives exclusively used for data storage. He also referenced Tesla Model 3s that collected video clips from the cameras used for Autopilot. Creepily, Mason added that, in most instances, he’s really only able to get a fraction of the data these cars collect.

The vehicle’s owner, Doug, contacted GM to see what kind of data was being transmitted from his vehicle and was simply directed to examine the company’s privacy policy. Following up with dual written requests to see his data under California’s “Shine the Light” law (passed in 2003), he was reportedly met with silence.

GM spokesman David Caldwell declined to offer specifics on Doug’s Chevy but said the data GM collects generally falls into three categories: vehicle location, vehicle performance and driver behavior. “Much of this data is highly technical, not linkable to individuals and doesn’t leave the vehicle itself,” he said.

The company, he said, collects real-time data to monitor vehicle performance to improve safety and to help design future products and services.

While we absolutely believe the latter claim, the former borders on a bald-faced lie. “Not linkable to individuals?” Get real. Not only does this hacking experiment prove that the data GM is shifting is personal data (names, addresses, emails, locations, etc.), its corporate privacy policy explicitly says it can do this. The OnStar privacy statement claims GM can store and share your information “for as long as necessary.”

But there were clues to what more GM knows on its website and app. It offers a Smart Driver score — a measure of good driving — based on how hard you brake and turn and how often you drive late at night. They’ll share that with insurance companies, if you want. With paid OnStar service, I could, on demand, locate the car’s exact location. It also offers in-vehicle WiFi and remote key access for Amazon package deliveries. An OnStar Marketplace connects the vehicle directly with third-party apps for Domino’s, IHOP, Shell and others.

This would feel a lot less ominous if automakers kept their promises. In 2014, twenty of the world’s largest automotive manufacturers collectively agreed to meet or exceed commitments contained in the Automotive Consumer Privacy Protection Principles and protect personal information collected through in-car technologies. Unfortunately, it hasn’t amounted to much. Carmakers are collecting more data than ever and feverishly attempting to find ways to monetize it in the coming years.

Many automakers, including General Motors, claim they’ve found a way to protect customers by using “anonymized data.” But it’s practically meaningless when all the information being collected is building a user profile as distinct as a fingerprint — which is then shared with third parties GM can’t tell you about.

The Washington Post article goes into additional detail about how these changes are impacting right-to-repair laws, government surveillance concerns, targeted advertising, unsavory insurance programs, and a bunch of other stuff we’ve already complained about. It wants you to be wary of data acquisition and address the need for more transparency within the industry. Right now, we’ve basically given automakers the ability to access the same information phone carriers and social media firms do with less protection.

Mason recommended those interested in maintaining their privacy simply drive an older vehicle assembled before connectivity was a concern. More realistically, one could purchase a lighter adaptor to charge their phone — as simply connecting it to a USB port would be enough for most vehicles to sweep up every scrap of data you had on it. He also suggested telling the dealer you want to become an expert on turning off connected services. However, this would only stop automakers from collecting certain kinds of data (usually location) and isn’t a feature most newer models possess.

[Images: General Motors]

5 of 51 comments
  • TomLU86 on Dec 19, 2019

    On any given day, there are thousands of cars built between 1965 and 1995 that are relatively rust-free and in good shape, or serviceable. As others mentioned, that is your best bet if closing this gaping loophole to your privacy is important to you. If you live in a salt-free area, you can get another 20-40 years out of it, if parts remain available (and the more people who have old cars, the more likely this is). If not, if you have the means and garage space, get two. The Air Force is still flying B-52s and KC-135s that predate the Ford Mustang. Of course, their resources are greater, but keeping an aircraft going is very challenging. We lived in a 'golden era', in North America, from 1945 till now. Especially 1945-1973, the golden summer, which I missed out on, as I was not an adult, with an Indian summer of sorts from 1983-2001. Times change, and people's increasing wants, driven by personal attitudes and more importantly, the demographics of aging, at the same time as the economy/society's ability to provide for them is declining is not a happy combination. Technology has helped mitigate the gap, but with side effects. Now, technology will be explicitly hailed as the 'savior' of our world, if only we accept it (and the big entities that usually control it), and adopt certain changes. Data tracking is one way to 'optimize', or 'control' depending on one's perspective. "Traffic calming" is another; in the name of 'pedestrian' and 'bicyclist' 'road access', let's strangle the traffic. In the USA, a suburban society, where much of the country has snow and cold 3-5 months a year, this is pretty stupid, but it is happening. Even in Michigan! Even our money is being used to keep things going! We are drowning in debt, yet things are going well. Some countries have negative interest rates, we have near zero in the US. It's all good! Or is it?
    As a side note, it's interesting to observe that of the major carmakers, GM is at the forefront of the drive to gather your personal data, monetize it, get you into an electric car, and ultimately into an autonomous vehicle.

    • Arthur Dailey on Dec 19, 2019

      @boxcar: The US government sold off all their shares in GM just over 6 years ago. During the Obama administration. The Chinese government probably has more input into GM's practices now than the American government. Ask @Deadweight.

  • -Nate on Dec 20, 2019

    Good thing I keep the ear flaps on my tin foil hat well adjusted =8-) . "This is exactly why national legislation is necessary." So then, more big gub'mint is the solution ? . The GM bailout was begun by President Bush, not that uppity guy you're still afraid of.... I'm glad I don't live in the rust belt, "thousands of serviceable vehicles" isn't going to help the millions of Americans who apparently need data free transportation . -Nate
