Automakers Like TOTALLY Promise Not To Abuse The Ocean Of Location Data Their Cars Now Collect

from the trust-us,-we're-the-auto-industry dept

Hoping to assuage growing fears that vehicle data won’t be abused, nineteen automakers recently got together and agreed to a set of voluntary principles they insist will protect consumer privacy in the new smart car age. Automakers promise that the principles, delivered in a letter to the FTC (pdf), require that they “implement reasonable measures” to protect collected consumer data, both now and as the industry works toward car-to-car communications. The principles “demonstrate the industry’s commitment to its customers” and “reflect a major step in protecting consumer information” insists the industry.

Should you bother to actually read the principles, the promised revolution in privacy protection quickly become less apparent. While the principles do require that automakers clearly communicate with customers (and by clear they mean “hey, here’s some fine print saying we’re selling your location data now”), many don’t appear to actually do much of anything. Like this particular gem:

“Data Minimization, De-Identification & Retention: Participating Members commit to collecting Covered Information only as needed for legitimate business purposes. Participating Members commit to retaining Covered Information no longer than they determine necessary for legitimate business purposes.”

With “legitimate business purposes” being whatever they see fit, that doesn’t mean much. Similarly, the industry’s “groundbreaking” promises are also heavily peppered with the ambiguous word “reasonable,” which can of course mean whatever they’d like it to mean:

“Participating Members commit to implementing reasonable measures to protect Covered Information against unauthorized access or use.”

Aka, we’ll make some kind of ambiguous effort to secure your data. As with most efforts of this type, the goal is to preempt government from crafting new (or enforcing existing) privacy protections as the industry moves into more aggressive ways of monetizing location data. Said promises unsurprisingly aren’t easing the worries of both safety and privacy advocates as we move into the vehicle black box age, notes the Associated Press:

“Industry officials say they oppose federal legislation to require privacy protections, saying that would be too “prescriptive.” But Marc Rotenberg, executive director of the Electronic Privacy Information Center, said legislation is needed to ensure automakers don’t back off the principles when they become inconvenient. “You just don’t want your car spying on you,” he said. “That’s the practical consequence of a lot of the new technologies that are being built into cars.”

With many parts of this technology DRM locked, users won’t have much control over or access to their own data (something the EFF is trying to fix with their latest slate of DMCA exemption requests). It’s also worth noting this supposed circle of automotive trust was already quite rusted before cars became more intelligent; most car dealerships and garages are paid by Carfax to report vehicle mileage and accident repair, with Carfax in turn being paid for that data by insurance companies. Similarly most of the in-car infotainment systems rely on cellular chipsets from companies like AT&T and Verizon, who quite happily sell any and all location data that isn’t nailed down, and consistently experiment with creative new privacy violations (despite very similar promises they’d be on their best behavior).

So while it’s very sweet that the auto industry is promising to respect your privacy as they push into brave new data snoopvertising and location data tracking territory, like so many self-regulatory promises before it they likely aren’t worth the paper they’re printed on.

Filed Under: , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Automakers Like TOTALLY Promise Not To Abuse The Ocean Of Location Data Their Cars Now Collect”

Subscribe: RSS Leave a comment
48 Comments
Anonymous Coward says:

I’m happy this is being covered on Techdirt.

This continuing creep toward collect-it-all needs more attention. There is no reason everything needs to be ‘smart’ and phone-home every detail of my person, house, papers, and effects.

I feel as if nearly every moment of my day is subject to wiretaps, and other forms of surveillance.

It no longer appears that “each man’s home is his castle”, as the government turns a blind eye to corporations filling in the moat, tearing down the buttresses, and raiding the larders. I suppose that makes perfect sense given the government ultimately gets an inventory of what was contained within, if not buying the scraped material outright.

Digging into the online marketing hierarchy of companies such as the primary crediting agencies which collect it all, sell the raw non-anonymized information to data aggregators for analysis / bucketing, who put access up to bid for ‘targeted marketing’ opportunities makes this all the more unnerving.

We need a massive public push toward recognition of fourth-amendment rights to our digital footprint. This unrestricted data grab creates enormous liability risk for everyone rolled into the database.

Not to mention value to appending DROP TABLES somewhere in childrens’ name. https://xkcd.com/327/

tqk (profile) says:

Re: OT: xkcd & Bobby Tables

Not to mention value to appending DROP TABLES somewhere in childrens’ name.

I’m also an xkcd fan, but I’ve got to say he got that one wrong. The last line is about sanitizing database inputs. That’s not the lesson that should be learned from this. What should be learned is the utility of regular and ongoing testing of backup procedures.

If you can pull it off the backup tapes, it won’t matter that there are still umpteen billion programmers out there who’ve never heard of input data sanitization. If you can’t pull it off the backups, all the data sanitization in the universe won’t save you from any number of just as bad practices as failing to sanitize data, such as failing to regularly make and test backups.

This also means that any failure to pull data off backups should lead to instant job termination for everyone involved, and likely law suits.

Mason Wheeler (profile) says:

Re: Re: OT: xkcd & Bobby Tables

What actually surprises me about that is that he made a serious technical error: if you are sanitizing inputs at all, you are Doing It Wrong. (Just look at the myriad iterations of PHP’s escape_sql_properly_no_really_we_swear_we_got_it_right_this_time functions!)

The only way to do it right is with parametrized queries, which don’t require any escaping.

Michael Warhurst (profile) says:

Re: Automakers abuse info.

In NOT trusting corporations and their political pets you are less protected from them than if you really trusted them…. that is, to be exactly what they are! I do trust them to lie, cheat and steal whenever it is in their financial benefit to do so. It is more than ‘in their nature’ to lie steal and cheat. It is necessary if they are to maximize their profits. Corporations are completely amoral. Corporations are the organizational vehicles through which the 5% wealthiest (economic criminals) individuals, who own 80% of all corporate shares and control corporations, operate to plunder the working class. In the case of the American government, Wall Street now owns the legislators (operational fascism), the media, the agenda and the outcomes. Democratic government is not the problem; corporate controlled fascist government is the problem. The solution is not to throw out democratic government and directly throw ourselves completely at the mercy of elitist fascist corporations. The answer is to have democratic governance in the first place. The elites of the thirteen colonies promised democracy but delivered and created a form of governance which had the trappings of democracy (what were they going to promise? Reality?! Corporate elitist control of government and government tyranny which benefits the wealthiest and leaves the bills to be paid by workers???) but was really a fascist government controlled by the ultra wealth few! If one had real democratic governance and divided democratic power up into 50- to-hundreds of pieces and have elections every two years, the political system becomes incapable of governing in the interests of the vast majority and far easier to control by the elite few in their own interests. If America had perhaps a dozen states and governance where the political victor (as determined by a majority of votes) has say five years with which to respond to the majority of voters interests, democracy could have the ability to change the outcomes to be far less elite serving and produce outcomes which actually benefit the vast majority. The current system gives effective governance over to Wall Street whose interests greatly diverge from those of the vast majority of Americans. So when you cry out for economic justice do not rail against real democratic governance, rail against the elite controlled fascist government currently afflicting Americans. In addition corporations should not be “people” and should be disallowed from participating in politics in any way to truly achieve insulation from elitist corporate dictatorship.

Anonymous Coward says:

Re: Re:

The difference is that it’s pretty easy to avoid Google. Don’t open an account there. Don’t use their search engine. Don’t allow their domains to run Javascript (NoScript). Don’t allow their ads. (AdBlock). Heck, firewall their network allocations out, it’s not hard.

But it’s getting more and more difficult to avoid having a car that spies on you.

Anonymous Coward says:

Sure, just like Uber has "legitimate business practices"

It seems that Uber is staffed by vengeful stalkers who like spying on their customers and threatening journalists:

http://www.cnet.com/news/god-view-under-spotlight-as-uber-investigation-intensifies/#ftag=CAD590a51e

http://techcrunch.com/2014/11/19/we-are-watching-too/?ncid=rss

http://www.buzzfeed.com/johanabhuiyan/uber-is-investigating-its-top-new-york-executive-for-privacy

http://www.buzzfeed.com/bensmith/uber-executive-suggests-digging-up-dirt-on-journalists

Of course no car company would ever do such a thing. It’s unthinkable. Just like they would never cover up known engineering or manufacturing defects that kill people. No, their extremely high ethical standards absolutely prevent this from ever happening at a car company.

Mason Wheeler (profile) says:

Re: Re: Sure, just like Uber has "legitimate business practices"

Left field? This is exactly the sort of stuff people with their feet firmly on the ground have been warning about ever since a few people started getting carried away singing Uber’s praises. The company’s run by an Objectivist, which alone is essentially prima facie evidence that it’s going to be sleazy and abusive. We’ve known about their illegal price gouging in crises (coming down straight from the top!) since Sandy hit New York, and now this.

Anonymous Coward says:

I suppose they will not mind if I make some kind of ambiguous effort to secure my data. Electronics are not flawless – shit happens.

I assume that if the vehicle is taken in for servicing, one can decline to have the part replaced. They may whine about some silly DRM violations but I do not feel compelled to fix failed parts on my vehicle that I do not need. Proper maintenance of vehicle function, safety and emissions is understandable – however, I doubt one can be compelled to spend money in the maintenance of these needless intrusion devices.

tqk (profile) says:

Re: Re: Re: Re:

You only need to disable the communications link. That’s easy to do and won’t stop the car from operating.

Do that and the next you’ll see is you need to be connected to the mother ship for the car to operate, as many computer games are doing now. After all, they’ve signed agreements to give your data to their partners, and if they can’t do that you’re stealing from them. They’ll also void your warranty, and your insurance rate will skyrocket.

What a great century this is turning out to be.

Anonymous Coward says:

Participating Members commit to offering Owners and Registered Users with
certain choices regarding the collection, use, and sharing of Covered Information.

Oh, well being able to of out of their data collection program seems pretty good…

Certain safety, operations, compliance, and warranty
information may be collected by necessity without choice.

Nevermind

When Participating Members provide notices consistent with the
Transparency principle, an Owner’s or Registered User’s acceptance and use
of Vehicle Technologies and Services constitutes consent
to the associated
information practices, subject to the Affirmative Consent provisions below.

“Use our cars and you agree to allow us to scoop up your data.”

Someone please tell me I’m reading this wrong.

Participating Members understand that the sharing and use of Geolocation
Information, Biometrics, and Driver Behavior Information can raise concerns
in some situations, therefore Participating Members also commit to obtaining
Affirmative Consent expeditiously for the following practices:
• using Geolocation Information, Biometrics, or Driver Behavior
Information as a basis for marketing; and
• sharing Geolocation Information, Biometrics, or Driver Behavior
Information with unaffiliated third parties for their own purposes,
including marketing.

“Use our cars and you agree to allow us to scoop up your data AND share it
with other companies to do with as they please.”

Please, please, please… someone… tell me I’m reading this wrong.
This is all on Page 8 just encase you want to check to see if I missed anything.

Anonymous Coward says:

Re: Re:

“Use our cars”

Is what they want you to believe you are doing when you buy and use one.

“Own my car”

Is the reality of the situation.

Until the technology companies get it rammed through their heads that they do not own the device once they sell it, this mentality is going to lead us to a very dark place.

Anonymous Coward says:

Re: Re:

Please, please, please… someone… tell me I’m reading this wrong.

You’re reading this wrong. I think.

When they say certain things require “affirmative consent,” that means they can’t just scoop it up – they need your permission first. (Anything NOT covered by the affirmative consent, on the other hand, they WILL just scoop up.)

RR says:

data security

Even if you trust the car companies (I don’t), you can’t trust them to keep the data secure. It will be intercepted in flight, or hacked away as part of the protocol.

If you car has to share travel data with other cars for safety (e.g. “look ahead traffic jam avoidance”) then there will be fake “stingray” devices along the roads pretending to be cars, collecting your info.

If the data travels back to the car companies over the network, it will be lifted via the existing taps.

TheResidentSkeptic says:

Calling Holley!

Introduce a “retro-fit” (pun intended) kit to remove all electronics and put a Holley Carb back on OUR cars…

Then we need long-life 12v batteries – plug in the gear, and ship it UPS to friends around the country (or overseas). Ship it back and forth while you enjoy driving the car – then put it back in when you take the car in for service.

Let’s see ’em figure out how we were driving across the Atlantic.. or travelling cross-country at 500MPH …

Anonymous Coward says:

Re: Re: Re: Calling Holley!

“Yes, that is coming soon. Who needs photo radar when the cops can simply run a weekly report on all cars and simply mail out speeding infractions for EVERY SINGLE TIME YOU EXCEED THE SPEED LIMIT no matter how minimal.”

Then don’t break the law! If you have nothing to hide, then you have nothing to fear!

Anonymous Coward says:

Re: Re: Re: Calling Holley!

“Yes, that is coming soon. Who needs photo radar when the cops can simply run a weekly report on all cars and simply mail out speeding infractions for EVERY SINGLE TIME YOU EXCEED THE SPEED LIMIT no matter how minimal.”

Or everytime you fail to come to a complete stop for a full 3 seconds. Each and every trip could end up costing you many hundreds of dollars!!

Anonymous Coward says:

Re: Your car?

Yes, because not divulging data is exactly like not having brake lights. They may attempt such lame arguments but they will be laughed out of the county.

Even better than cutting off the data stream would be sending fake data. It would be fun to send them location data that shows you driving across the Atlantic outlining dickbutt figures.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...