Wyden Tells FTC: Unchecked Automakers Are Still Spying On Their Customers At Massive Scale
from the monetizing-your-every-fart dept
Automakers are among the worst “tech” companies in America when it comes to your privacy. They hoover up an ocean of contact, location and behavior data from your car and phone, don’t clearly tell you they’re doing it, then sell access to that data to a rotating crop of super dodgy and largely unregulated data brokers who routinely fail to secure it properly.
Last March the New York Times revealed that automakers like GM also routinely sell access to driver behavior data to insurance companies, which then use that data to justify jacking up your rates. The practice isn’t clearly disclosed to consumers, and resulted in 11 federal lawsuits in less than a month.
An update from Senator Ron Wyden’s office indicates automakers haven’t changed their habits yet. His office took a specific look at GM, Honda, and Hyundai, who use “dark patterns” (read: deception) to trick users into sharing access to all manner of sensitive data. The companies then turn around and sell access to data brokers like Verisk for less money than you’d think:
“Hyundai shared data from 1.7 million cars with Verisk, which paid Hyundai $1,043,315.69, or 61 cents per car…Honda shared data from 97,000 cars with the data broker Verisk, which paid Honda $25,920, or 26 cents per car.”
Again, this data includes everything from the way you drive and where you drive, to data gleaned from your phone. This data is then openly sold to data brokers who often fail to secure it. Wyden’s office recently found that one data broker sold the location data of abortion clinic visitors to right wing activists, who then used the data to target vulnerable women with health care misinformation.
To be clear (and this is something that routinely gets lost in press coverage and analysis): this is all made possible because the U.S. is too corrupt to pass even a baseline privacy law for the internet era. Companies and their executives know there’s no real punishment for lax security and privacy standards outside of the occasional wrist slap fine, so nothing really changes.
Last year Mozilla released a report showcasing how the auto industry has some of the worst privacy practices of any tech industry in America (no small feat). Massive amounts of driver behavior data are collected by your car, and even more is hoovered up from your smartphone every time you connect. This data isn’t secured, often isn’t encrypted, and is sold to a long list of dodgy, unregulated middlemen. It’s only a matter of time before we see a scandal that makes all past scandals look quaint in comparison.
Wyden’s office is careful to note that what’s been uncovered so far is likely only the “tip of the iceberg” when it comes to the sloppy collection and monetization of user data, and urged the FTC to hold automakers, data brokers, and company executives accountable.
Filed Under: automakers, data brokers, location data, privacy, ron wyden, security, surveillance
Companies: gm, honda, hyundai


Comments on “Wyden Tells FTC: Unchecked Automakers Are Still Spying On Their Customers At Massive Scale”
The government won’t care until someone hacks this data and uses it to kill someone important.
Re:
And then, they will only pass a law stating that the important people’s privacy must be respected.
Re:
Dick Cheney got a non-networked cardiac pacemaker because of exactly that concern, but the government’s still approving pacemakers with wireless networking with no regard for their security.
I don’t know if I should be insulted that my data is being sold for so little or upset over it being sold at all.
Unfortunately, until it affects lawmakers directly (in a way they notice), nothing will change.
Unplug your car so it can’t phone home.
Re:
Easier said than done, on many cars. When the Mozilla report came out last year I was smug ’cause I was driving a 12 year old car w/o so much as a backup camera, much less any connected features.
Now we have a new family car with Toyota’s connected features. It has its own gsm radio and an AT&T cellular connection. Even if we don’t subscribe to any connected features (We almost certainly won’t once the free trial expires. Maybe Sirius XM, but I really don’t need to pay Toyota $15/mo to unlock my doors with my phone.), there’s nothing preventing that gsm module from being active and transmitting all sorts of data back to Toyota.
Sure I could track it down and cut the wires or whatever, but I suspect that would probably disable all sorts of other desired features, if not bork the head unit completely, and likely invalidate the warranty.
I might be able to locate the antenna and disable that w/o breaking anything, but I really shouldn’t have to tear apart the console of my brand new car and muck about in its electronics to prevent it from spying on me.
This is on congress and their utter failure to enact any sort of consumer privacy protections.
Re: Re:
I removed the modem on my 2021 Tesla. It works fine. I can even use navigation, although not with live traffic or road updates. Removing the antenna probably isn’t enough because the car could still get a bit of reception near a tower.
Re: Re: Re:
People think I’m weird because I drive around in a car that’s wrapped in brass screen held on by plastic standoffs, but I’m hoping to set a trend.
Re: Re:
Umm… normally, that’s an initialism, “GSM”—presumably because writing it as a pronounceable acronym, as you did, could lead to a rather unfortunate pronunciation. (Although maybe that was intentional, given the context of someone shooting your private material into the air without consent…)
Anyway, don’t make assumptions about what might break. If you care, look it up online, and probably people will tell you how to do it and what will break. Many have found odd “fallout”—like maybe the back-left speaker stops working—but have been able to live with it. While I fully agree that you shouldn’t have to, “consumer privacy protections” won’t fix this, unless they actually forbid non-consensual cellular connections; there are always too many legal exceptions otherwise.
GM is doing their best to dissuade buyers from purchasing their cars.
Re:
That’s okay. They made sure to ruin public transportation first, and are “boiling the frogs” at about the same speed as their competitors. So what’re you gonna do, ride a bicycle? Walk? Car companies are also making their motor vehicles more dangerous to cyclists and pedestrians (via increased mass, among other things). In practice, you might have to move to get decent infrastructure, and there are probably only a few suitable target cities within the USA.
Re: Re:
.. and then local business people start complaining about how no one wants to work anymore.
Fact is, no potential minimum wage employees can live within walking distance of your business, nor are they able to afford a vehicle and public transport is useless.
Brilliant!
Turning people’s cars into 1984 for profit.
Congress: We banned TikTok, what the hell else do you want us to do?
My favorite part of this is the privacy forms these masters of the fucking world offer.
Let’s take Kia, for example. They have a privacy page where you can request all information gathered about you.
The issue?
It’s valid in about 7 states. If you don’t live in any of those states, these fuckwits have the fucking gall to say they cannot provide this info unless you live in one of the special states, as if the state government has written a law stating they cannot provide this. The reality is that it’s actually the opposite, being no state law requires this, so fuck off.
smfh.
Re:
Which 7 states? If this is just another thing where blue states are solving the problem while red states roll around in their own shit, I’m not actually inclined to care. We’ve spent way too much time, effort, and money over the decades protecting conservatives from the results of their own voting patterns.
Re: Re:
At this time, under applicable law, privacy requests relating to personal information are not provided to residents in your state.
If you have any questions, you may call our Customer Assistance Center at 800-333-4KIA (4542).
For information on our general business practices regarding the collection, maintenance, and sharing of personal information, please see our Privacy Policy.
Re: Re:
Sorry for the multiple replies. Techdirt just eats my fucking comments sometimes for reasons unknown.
The states are:
Calif, Colorado, Connecticut, Montana, Oregon, Texas, Virginia, Utah.
Picking Other, gives the text in my other reply, repeated here:
(highlighting mine)
At this time, under applicable law, privacy requests relating to personal information are not provided to residents in your state.
If you have any questions, you may call our Customer Assistance Center at 800-333-4KIA (4542).
For information on our general business practices regarding the collection, maintenance, and sharing of personal information, please see our Privacy Policy.
Most automakers sell to Europeans as well as Americans. That means, they’re required to have data handling policies in place. This includes having them in place for Europeans driving US vehicles.
The data handling being reported is very obviously NOT aligned with the GDPR. So… what’s the EU doing about it? The penalties for current behaviour could be rather… significant.
Re:
Most likely they use a dark pattern to trick users into accepting/allowing it, because assholery.
Next most likely, they turn that shit off in EU, because of those very protections you mentioned.
Re:
That’s rather dubious in terms of jurisdiction. I doubt that US hotels, for example, are following GDPR for people with European citizenships. If they do, though, maybe it’s time to check whether you had an Irish grandparent…
I expect the EU are doing nothing about this, and will stick to more straightforward cases. Like the car-makers violating the GDPR in Europe.
'I care about privacy! ... so long as I don't like the company in question.'
As always any time a politician tells you that they are super concerned about privacy and that’s why they’re going after the likes of social media one need only look at the other industries/companies they are happily turning a blind eye to in order to expose their actions and claims as nothing more than self-serving, dishonest publicity stunts.
I’ve spoken with a Congressional staffer of a Congresswoman deeply interested in car privacy, but I didn’t have more than Mozilla’s writeup on car privacy and the various articles written on GM’s OnStar->LexisNexis->Insurance Company fiasco to go off of.
If Wyden has more info, why does he not release it publicly instead of being coy with these “tip of the iceberg” comments? How can anyone else paying attention take action if they don’t know what to take action on?
I’ve said it before and I’ll say it again: this practice will only lead to drivers simply running over the kid who dashes into the street without looking and hope to get away with it rather than do the decent thing and slam on the brakes because they know that stopping suddenly like that will only cause their premiums to go up.