What can be done about this as a consumer looking to buy a new car?
- Can I turn off data collection?
- Can I corrupt data transmission and collection?
- Can I charge per kb for any data collected?
- Is the dealer obligated to disclose data collection?
I'll be in the market for a new car in the next few years but I do not want to buy anything that tracks or collects ANY data about me.
I was assuming that buying a cheap non-electric car would offer some protection but I'd love to know more.
> What can be done about this as a consumer looking to buy a new car?
For a consumer in the US, I have no idea, but I'm guessing your question is about that since the story is US-specific?
Probably off-topic, but buying a car in 2019 in Spain, they asked me if I'm OK with data-collection during the purchase, up until car delivery, and handed me a contract to sign for "treatment of personal data". I said no, we moved on.
After buying the car (2018 Audi A3), they threw in some remote-monitoring sensor "for free" that could let me/them see metrics about the car, for "maintenance" and whatever they claimed, that they offered to install. I again said "no", but kept the device itself to pick apart at some later time.
But overall, they seem required to ask (here, EU) but no one batted an eye when I said no. The car has a SIM-card reader, but I never used it. I'm guessing if I install a SIM-card the car would ask me if data collection is OK, because we'll always have the choice at least.
Electric cars seem like a no-no for now (everywhere possibly), since all of them came with an "always on connection" regardless of what I want, at least last time I checked.
For a few years now, every new car sold in the EU needs a cellular connection for e-call (when airbags are deployed, the car calls 112 itself) functionality. I don't know if it's legal or common to reuse that radio for collecting other data. I would hope not.
Unfortunately, a car like Tesla collects so much data. And it's only a matter of time before they start selling it. I don't know of any other car company that collects more data than Tesla.
Tesla states they don't sell "personal information" but they also explicitly say that "Tesla may also collect, use, and share information that does not, on its own, personally identify you" (so "anonymized" data) and also that "personal information" is subject to be processed to "fulfill contractual obligations with third parties, agents and affiliates", whatever that means. https://www.tesla.com/legal/privacy#how-we-may-use-your-info...
> Tesla states in its online “Customer Privacy Notice” that its “camera recordings remain anonymous and are not linked to you or your vehicle.” But seven former employees told Reuters the computer program they used at work could show the location of recordings – which potentially could reveal where a Tesla owner lived.
You know they're not taking anything seriously when claiming with a straight face in the age of GeoGuessr that potentially hours of road footage, starting/ending with you literally driving into your garage, could ever be anonymous.
Tesla states a lot of things, like that their second generation 2020 roadster is going to be ready next year (tm). I wouldn't put a lot of faith in anything they say, all it takes is Musk changing his mind down the line and then anything goes.
I think I’d pick Tesla, even if it’s more data, because they have never sold that data or indicated they ever would. Unlike literally every other manufacturer that has and does.
lol has any OEM ever indicated they would sell data? Or was the truth pulled out of them after an extended legal fight where lawyers quibbled over whether weasel-words like "maintenance and quality assurance purposes" covered "selling technically anonymous information to a data broker but everyone knows there's enough metadata in there that the data broker attaches an identity when they resell it to the insurance companies"?
Gut check, sure, but I wouldn't trust the company that argued technically autopilot wasn't turned on in car crashes because they turned it off milliseconds before the sensed impact and blamed it on driver inattention as being a good, well-intentioned data steward.
I bought a Hyundai Ioniq 5. Hyundai never indicated that they’d sell the data, either. But guess what?
Here’s one thing neither Tesla nor Hyundai have ever said: that they won’t sell the data. (EDIT: I stand corrected on Tesla, as per reply comment. “We do not sell your personal information to anyone for any purpose, period.”)
I agree if only because Tesla seems so vertically integrated and dedicated to their vision. Nowhere in their vision is "establish a side hustle of selling user data for extra cash".
In my 2018 Chevy Volt Premier it's not too difficult to disconnect the LTE module. You lose OnStar, remote start, and other "connected" features, but the car and CarPlay still work.
Sometimes I feel bad for repeating myself but relevant threads keep appearing.
Mazda won't permit me to use remote start because I refused to install their app and enable connected services. The man I worked with on the lease was extraordinarily aggressive with me. Almost demanding I install and register this app to complete lease agreement.
So now I don't have remote start and every time I turn the car on I have to select cancel on an infotainment prompt asking me to enable connected services.
The TOS specifically says driving data will be sold to 3rd parties including law enforcement and insurance companies.
I never installed the app and I was asked to by the leasing guy though he wasn't pushy about it - for whatever reason, the lease/sales guys are incented to have it installed though, allegedly, Mazda corporate says they don't incent them - I don't trust it.
Also, allegedly, since I didn't install it, Mazda says my TPU is disabled which is fine by me - remote start is less important than saving many thousands of dollars on bogus insurance hikes.
Renters of cars. Was that not clear from the context? Question was whether data collection and loss of privacy on rental cars should be expected by renters of cars.
Oh, so why did you ask ‘renters of what?’ and start talking about home rental?
Well, I think it’s unrealistic to not expect car rentals to track their cars. Renting gardening tools might be a different story. However, SaaS subscriptions are software rentals, and GDPR makes it explicitly illegal to track what the software companies rent to EU citizens without consent.
To me it seems like the question in practice is not renting vs buying, it’s about what information is collected, what they’re allowed to do with it, and who it is sent to.
Car rentals could request or require consent as terms of rental. (They probably do, I can admit to never having read the entire contract.) One underlying issue here is whether the car rental company passes your name or identification on to the manufacturer, law enforcement, or service providers. It does seem like they should not have the right to do that automatically without informed consent (not buried in contract legalese). They probably should have the right to track where their car is until it’s returned, and then delete that data. So all depends on what they do with the data.
> Oh, so why did you ask ‘renters of what?’ and start talking about home rental?
Have people completely lost their reading comprehension? My comment:
> Renters of what? Items people can just take and leave with [...]
A car is an item "people can just take and leave with". I literally answer the question myself, right after stating it. And not until the line below I start talking about expecting privacy in a rented home.
> Car rentals could request or require consent as terms of rental
They very much do, at least in the countries I've rented a car in. Every time they asked for consent, like the regulations require them to in my region.
> I am deeply interested in better understanding faraday cages that can block transmission.
You cannot shield your car (ok, you can, but then you cannot drive it). What you can do is disturb the antenna so not enough power will be available to be sent.
Quick search seems to reveal Indium Tin Oxide (ITO) coated glass is transparent enough to let through visible light, but blocks transmissions. One could theoretically build a car with that for the windows. The rest seems easier.
There are more recent cars than going back to the 70s that don't force data collection on you... My car is from 2018 and has none of that stuff, and it even has buttons for all controls, no touchscreen (2018 Audi A3).
I like the feel of driving classic/older cars, but I really cannot justify the safety and pollution drawbacks if I wanted to use them daily.
Probably not the kind of car you are looking for, but my friend's 2015 Honda Odyssey (which he just traded in) had no smarts. No cellular, no GPS, console used knobs instead of a touchscreen... Whatever Deadpool's opinion of it was, it did make a great van for cargo and humans with good fuel economy for that class...
But, sooner or later it'll be a problem. What would be interesting to me is, is it possible to deactivate cellular on a modern car without losing key functionality, and, if it is ever reactivated (say, to pull updates) would it promptly push years of data upstream.
If you’re willing to do a little bit of work you can often remove the cellular radio from some modern cars to remove the data collection connectivity, not sure if it’d still be buffered on the device still but it’s a step in the correct direction. I’ve read about this in some modern BMWs so it might be worth a bit of googling if you have a particular modern car you are interested in. Or if no one else has done it with a particular model you could also blaze your own path here.
As mentioned elsewhere in the subthreads somewhere here, I got a 2018 Audi A3 in 2019, wrote about the experience re data collection + that purchase here: https://news.ycombinator.com/item?id=42736918
My second hand Citroën C3 originally sold in 2016 doesn't collect data AFAIK and has button and wheel controls. There is a small touchscreen (7 inches?) for configuration, trip data, radio stations etc but all controls are also on the wheel or around it.
Many cars now have a TPU, used for connectivity and GPS, which will send telematics data when you start and stop the car. This tracking is not typically easy or possible to opt out of, in my experience.
I own a 2001 Dodge Grand Caravan. No tracking. Runs Great. I just keep fixing it, much cheaper than a new car. Plus I can live in it as well.
I do not know the year they started with all the tracking stuff but you can find an older car that does not have any tracking and spend the rest of the money making it mint.
There is no getting away from it though, we are all watched over by the machines of loving grace. You know with the new LoRaWAN and IoT everywhere scam they are rolling out there will be nothing you can do to escape the surveillance apparatus.
I am giving up. No sense in fighting it anymore. I am just a good little corporate boy toy now.
That is one of the worst cars to own. You will continue to fix it more frequently at an accelerated rate, mark my words. So many cheap plastic parts; the parts are right at that point where they will fail molecularly and you see an increased rate of failure. To top it off, the replacement parts are mostly the same age and those too will look new but also fail quickly. Lastly, Dodge sucks. They are basically the last car I would ever buy.
I don't understand the FTC. Why and how did they start protecting consumer privacy? Could they have done it before? Do they have an overall systematic plan for protecting it comprehensively? Do they have a guiding principle?
I'm glad they are moving forward on it, at least until Monday.
This is largely the work of Lina Khan and the people reporting to her. She's fairly new to the FTC still (Biden appointee) and has been intentionally pushing on all of this.
Protecting it is difficult since the house/senate and scotus are all determined to roll back pro-consumer laws but that's not really something the FTC can fix, only voters can fix that.
Voters don't seem to see these things as important though based on how they voted most recently. They have other priorities I suppose.
I'll be generous and say that voters are distracted by other things. Easy unsubscribe is great, but it's never going to win an election.
I'll also be cynical and say that voters were also lacking critical thinking in terms of how the president elect simply said he'd do things with no action plan behind it. He already went back on several "promises" even before properly stepping in as President. This is just shame on us at this point.
Banning non-competes, preventing Microsoft-Blizzard merger (amongst many others), enforcing the right-to-repair, filing lawsuits to lower drug prices, making cancelling subscriptions easier...
Your friendly reminder that both Amazon and Meta were openly against her taking the position, that the upcoming administration will scrap the antitrust lawsuits against both of them (the one against Meta was supposed to start in spring, the one against Amazon in 2026) and that this is why Bezos and Zuckerberg are cozying up to Trump.
Please allow me to be cynical and see here no embarrassment whatsoever. They cashed on this for years and will surely find other ways (and have some already) to further cash on people. It's only one of the schemes which got foiled, and only for a while. Yes, I have zero trust and the presumption is of guilt.
Did they really "cash" in on it? When I saw the prior articles on GM it sounded like a very minor revenue stream that did not scratch their overall revenue from vehicle sales.
But then this submission is explicitly about them giving a shit, and your own example shows that they do give a shit. Since GM didn't allow people a choice regarding their privacy, FTC looked into it?
I really don't understand how someone can see this story about FTC giving a shit, and then proclaim "They don't give a shit". If they didn't give a shit, why do something?
They would ban illegal data collection? Seems it's already banned, and this case proves they don't let automakers hide it with dark patterns, then you get banned from dealing with data at all.
Or you're arguing against data collection as a whole? I'm not sure FTC is the right tree to bark up to if that's the case, wouldn't you need to involve lawmakers for that? It seems to me FTC would only be able to legislate against "unfair or deceptive practices", so that's why they can address people collecting data in the wrong way, but not address data collection as a whole, would be my guess.
How about monetary compensation? People lost real money, damages can be calculated.
After all, if I installed spying software on GM's computers, and sold the extracted data to, say, Toyota, I'd face hefty fines. And spend time in prison.
> After all, if I installed spying software on GM's computers, and sold the extracted data to, say, Toyota, I'd face hefty fines. And spend time in prison.
You're going about this all wrong. Set up a company, create a landing page and do some B2B contracts for selling that data, and you too can be a "Data Broker" fully legally. But yes, approaching this as an individual is most likely illegal, you're supposed to do it as a corporation.
What if in this case it was about keeping the accident rate low by incentivizing safe driving? Don't know if I agree with them doing it, but it's probably not an argument that any side would win, and we don't even truly know if it would be a negative or a positive for society when looking at it from every angle.
Probably a class action lawsuit in the future, if one does not already exist.
Jail time? Probably not, we let health insurance companies get away with taking away critical needs from patients and delaying care in the name of delivering shareholder value. The best they get is a slap on the wrist from the government, let alone jail time.
Terrorism is simply what the government/establishment calls any politically motivated public action that includes crime or violence when anyone other than them does it.
4chan/anon was screwing with websites -> terrorism
Neo-nazis finding unsecured online printers at colleges and printing their propaganda -> terrorism
Shoot a public figure because you think they've done a ton of wrong -> terrorism.
Go on a bulldozer rampage against people who have wronged you -> terrorism
To be honest, it IS terrorism, by the very first definition.
The first terrorists (named so) were revolutionaries (not Bolsheviks, but other parties) in the Russian Empire, who went to government officials' offices and shot them in the face with a Nagant revolver.
Look up Vera Zasulich, Dmitry Karakozov, Narodnaya Volya (organization), etc.
It is TRUE terrorism, not bombing Christmas parade or marathon.
I mean, it is. Just because you agree with it doesn't mean the label changes. And I don't necessarily hate what happened either, nor would I probably personally prosecute the guy. But let's not mince words, if you (try to) use violence against civilians for political/ideological/religious motives, that's pretty much the agreed-upon definition of "terrorism".
Could you provide what definition you use for "terrorism"? Otherwise your comment might as well just say "No" and it contributes the same amount to the discussion.
Besides, I'd say it's both. There is no denying it was a murder, nor that it was targeted and based on what I understand "terrorism" to be, it seems like that too.
One of the key components of terrorism is random or at least very loose targeting and some degree of disregard for collateral damage.
The United Healthcare murder was basically a reverse Eric Garner. Instead of the government killing someone over something petty to keep the peasants in line, a crazy peasant killed a member of the ruling class to send the same message in the other direction.
Politically both of these are more like a good ol' fashioned lynching than terrorism though obviously the line between the two becomes a bit blurry. Most targeted political violence is not terrorism (though of course the statutes are so broad that if you crop dust an elevator in a government building you're probably open to prosecution).
> One of the key components of terrorism is random or at least very loose targeting and some degree of disregard for collateral damage.
I don't see how loose targeting is required. Or was the Oklahoma City Bombing not terrorism because it targeted a specific building?
The FBI definition of domestic terrorism is only one of many, but they say:
> Violent, criminal acts committed by individuals and/or groups to further ideological goals stemming from domestic influences, such as those of a political, religious, social, racial, or environmental nature.
In my mind, the key is intent to further ideological goals. Killing a rival gang member to increase your standings in the gang leader boards isn't terrorism because there's no ideology. Killing a gang member to try to wipe out gangs could be, because it's an ideological battle. It wouldn't matter if you specifically targeted the leader of a gang, or the first gang member you saw, or someone you thought was a gang member without any investigation; it's the intent to further your ideology with violent crime.
> One of the key components of terrorism is random or at least very loose targeting and some degree of disregard for collateral damage.
Thanks, learned something new about the US today :) In the jurisdictions I'm familiar with, the goals/objectives behind the actions seem to take a more important role than how you seem to consider it in the US.
> It is very modern meaning of the word. It is almost re-labeled, like "piracy" for copyright infringement.
And people who called themselves anarchists used to be ideologically communist-adjacent. That was well over a century ago.
Words change over time. The definition has been what it is since at least the 1970s, probably longer depending on where you measure. It is not "very modern".
There is a legal distinction and definition, Legal Eagle on YouTube had an episode on exactly this a few weeks ago, about that the DA might have picked a more difficult crime to prove than murder. IANAL but IIRC the terrorism charge has to prove there is an intent to intimidate larger swaths of government or bodies of people. Just "other CEOs of Health Companies are now scared" is not enough.
Yeah, I guess it kind of makes sense the US has a somewhat different definition of terrorism than the rest of the world I suppose. I think in most jurisdictions I'm familiar with, the amount of victims isn't the consideration if it's "terrorism" or not, but rather if there is an objective to destabilize the state, gravely disturb public peace or provoke a state of terror in a specific segment of the population. Basically, the purpose/objective takes a vital importance in seeing if something is terrorism or not.
But again, makes sense that the US would have a different definition.
According to your given examples/definition, under which one would this act fall? Because it's very much not clear to me how they would apply, but to you it seems obvious, so please do explain.
> if you (try to) use violence against civilians for political/ideological/religious motives
A person driving over a person with a van with explicit goal of "Jihad against Christians" would be terrorism, because of the objective, no matter how many people get hurt.
While it seems clear to me that this can be considered "terrorism", it would also seem like it isn't breaking against "anti-terrorism laws" or whatever the charge is in the US.
The jihad driver chooses usually a person at random. If it ran over some army general who led an attack in Iraq would it still be terrorism? Because that's the difference here.
Yeah and it’s simple to reidentify anonymous location traces. The simplest way is to buy cell phone location data from apps, which is generally intermittent, but even with just 5-6 location/time pairs, you’re going to be able to positively identify someone, with the small caveat that there will be some ambiguity with members of a household that share a car.
Collecting and selling the data is legal if they give you the chance to opt out. They went out of their way to avoid giving you that chance, and that’s what they got in trouble for. So the five year ban is a penalty for breaking the actual law, which is just that the consumer should have a chance to say no.
I think: it's illegal without consent. They can't do it for 5 years, even if they got consent, as a punitive measure. After that they will have to seek consent.
Security pentester tests someone's website before getting approval/confirmation that this is what the client (who isn't a client yet) wants.
Someone reports that, and judge says "Since you didn't do the pentest the legal way, we're banning you from doing pentests for five years"
After those five years, the pentester can continue doing tests, but legally. The five year ban is not the punishment for doing pentests, but for doing unauthorized pentests.
The analogy here is that data collection/selling is legal, but you have to follow the rules regarding how collection happens. If you break those rules, they'll ban you for N years, after that you can do the collection/selling but following the rules.
How about a permanent ban from collecting it in the first place? And you can apply that to the rest of them, while you're at it.
> The five-year ban prohibits G.M. from sharing information about individual drivers, but it can still share anonymous data about people’s driving with third parties, such as road safety researchers.
I know Kashmir Hill knows better than to believe in the fairy tale of "anonymous data".
Everyone has something to hide, be it as simple as your driving behavior, so you don't end up overpaying for insurance or even in the situation where all companies refuse to insure a 'risky' profile.
There's also things that are private, but not necessarily deeply secret. There's also things that are completely legal, but morally questionable, at least in your social circles, and if that information was to leak out it would be harmful.
With the VW data leak I was pretty horrified that VW either doesn't understand or doesn't care that leaking location data isn't just privacy invading, it's potentially dangerous for victims of stalking and abuse. In the mildest cases these people may need to move, in the worst they die.
Car companies seem completely oblivious to the dangers of collecting driving data.
Naming this "oblivious" hides ill intent. And by that I mean, I assume they knew and know exactly the possible implications and decided to throw everybody under the bus for shareholder value. Am I wrong to assume this?
Hard to say. I'm sure that in some 100 page report somewhere under the list of concerns is the risk of information leaks and potential damage. Then someone decided that the company just spent $50M on "cyber" and in their summation changed the text to "potential risk of data loss is offset by investments in cyber security", then they push the new 40 page up the stack. The security risk is now perceived as low, so it's removed from the executive summary and a 3 page memo on the revenue and share price benefits is created.
I don't think there was ever ill intent, but when it inevitably goes wrong, then yes, everyone will be thrown under the bus if it protects the stock price.
This is a great outcome. These types of data interchanges ossify innovation and lock in policy. Insurance is supposed to share risk -- there is too much noise to microsegment. "Big Brother" doesn't have to be only a government, and the outcomes of using this sort of information are solely punitive for a 3rd party forced into the interchange.
The US really needs to strengthen the legal foundations for people's right to privacy.
> The US really needs to strengthen the legal foundations for people's right to privacy.
That's at odds with the even higher (current) goal of "Make money". As long as those are at odds, entities in the US will always favor "making more money" above "people's right to privacy".
Or, people start preferring entities that aren't strictly for-profit, but seems unlikely to happen on the short-horizon.
Not strictly on topic, but I see these articles & discussions with the focus on new car sales.
What happens when the car (and its data collecting habits) is sold in the used car market? Does it still collect data, is the ownership situation "corrected" via DMV registration feeds, etc. ?
What I am wondering is to what extent (if any) I can protect myself as an end user from this kind of spying by just not connecting these smart devices to the internet.
A while ago I read about smart TVs bypassing pihole-style blockers by using hardcoded IP addresses and DNS server addresses.
I don't even know how smart cars work. Do they have their own SIM card or something like that? Either way there are so many ways they can subvert obstacles. For example a car could scan for unprotected WiFi networks and connect to one if found.
Every new car has a SIM card. Apparently in Europe used for emergency automatic calls. But having SIM card in the car is not mandatory. All the information in other cases is saved in the car. And when you bring the car to the dealership the information is transferred over the wire in old fashioned way. Safest thing is to have an older car without much electronics, that can be repaired outside dealership network. Some cars like Teslas have very normal cameras filming the interior. Apparently to monitor the driver. But who knows.
My understanding is for things like eCall that the phone only gets activated when it's actually needed (i.e. an emergency), but I never found a check/analysis of this on cars (though I only looked for 2 mins when I checked).
Cars that offer driver assistance have to have some way of determining that the driver is awake and paying attention. One way is to monitor steering wheel input, which is how older Teslas do it; another is to use a camera to monitor the driver's face, and that is done by several brands, not just new Teslas.
I intentionally bought a used car with only a 3G network connection, knowing (at the time, almost 3 years ago) it would soon shut down in the US. I smiled at the "Your OnStar will soon stop working" messages, and intend to hold onto it for a good long time.
> An investigation by the Federal Trade Commission determined that consumers had not been aware that the automaker was providing their driving information to data brokers.
Yeah, no shit. Why on earth would I assume the company from which I bought my car is selling my information? Why are they allowed to sell this data at all?
We can all acknowledge how ridiculous this is, right?
TikTok's being banned while Meta is more or less able to do the same thing but worse. It's pretty much about who can line pockets rather than the fact that selling user data is wrong.
> Why on earth would I assume the company from which I bought my car is selling my information? Why are they allowed to sell this data at all?
Sadly the answers are "if it's got a connected computer in it, it's selling your information" and "you're in America, so no GDPR because 'free speech' trumps privacy almost every time, except for video rental records".
Now, please do Hyundai (and others). Their in-built map's knowledge of speed limits and the speed sign recognition is so awful that any "speeding" data is guaranteed to be wildly inaccurate.
Some (like the Hyundai) have their own in-built maps and speed limit data (not very accurate in Australia). They can even warn about traffic build-ups because they're "connected".
Hyundai has a "camera speed limit recognition" system, which can identify road signs and recognise what speed they indicate. That's all well and good, except when it picks up a sign for an off-ramp and thinks it applies to you, or when you pass a large truck/bus with a speed limit sign on the back of it and thinks that's the new speed limit.
On every journey of over 2km, it gets something wrong and sounds a warning tone at you that can't be turned off.
It also reads car park speed signs, which are typically "5", so you often hear a "bong bong bong bong" warning from the car in a car park.
If you're thinking that this is good (and it is), you should love the GDPR which bans this sort of thing entirely without needing an investigation beforehand.
If data is entered into a system, and you have not received permission to read it, then obtaining access to it is the crime of dataintrång, which can lead to two years imprisonment. So if you make a device and sell it to a customer and it phones home without permission and in phoning home provides you with information he has entered into it, then you've committed dataintrång and can go to prison for up to two years.
I see no reason why GPS data and other automatically entered data would not be regarded as having been entered into the device.
I guess GDPR is a good idea, but in practice it has limited value. I suppose all that is needed is that the user accepts (consents) by answering yes to a popup question. It can be asked over and over. If you answer yes by accident at some point you are screwed. You can maybe(?) retract your answer, but maybe you don't even know you answered yes at some point when you were stressed and had to drive somewhere, while your nav/media system asked you this question.
The main problem is that this sort of thing (tracking of cars and storing the data in a central database) is considered normal by corporations and is allowed by law. Would we like to have big corporations place private detectives outside our houses and when we leave they follow our every step, take photos, record audio and track our GPS position and report all that data to the corporation in realtime? That is what they do now with their cars and phones and appliances. The reason they did not do it in the past was that it was expensive to have private detectives track each of their customers, was considered spooky and abnormal and it was probably also illegal, but now it is cheap and somehow considered normal.
> I guess GDPR is a good idea, but in practice it has limited value. I suppose all that is needed is that the user accepts (consents) by answering yes to a popup question. It can be asked over and over. If you answer yes by accident at some point you are screwed.
Not allowed by the GDPR, this violates the principle of unambiguous consent:
Under the GDPR, retracting consent should be as easy as giving consent. Moreover, you have the right of erasure. Even if you consented, when asked, GM should remove all your personal data:
> but maybe you don't even know you answered yes at some point when you were stressed and had to drive somewhere, while your nav/media system asked you this question.
Violates both the rules that consent should be given freely.
---
More broadly, selling non-anonymous data would never be allowed under the GDPR, because the third-parties would need to consent to use the data.
In theory it all sounds nice, but in reality I have never seen any website or product adhere to what you (or GDPR) states.
If you answer yes in a popup by fat-fingering, stress, mixup whatever you are screwed. The popup typically comes up when you do not want it, i.e. when you are about to use the product's main function.
> Under the GDPR, retracting consent should be as easy as giving consent.
Well, the popup to give consent comes up all the time whether you want it or not, but there is no popup coming up to retract it. You have to search deep in the settings. It's quite unlikely people will do that on embedded hardware or cars.
And if first given consent by mistake, they have already fetched data in the meantime until you turn it off.
> Violates both the rules that consent should be given freely.
What do you even mean? Of course no one is pointing a gun to your head, but they put up the popup asking for consent and I might push the wrong button by mistake. I might also not notice I pushed the wrong button because there is never a confirmation step.
[EDIT]: And there are typically a huge bunch of switches and checkboxes asking for different kinds of approvals which makes it even easier to make mistakes.
> I guess GDPR is a good idea, but in practice it has limited value. I suppose all that is needed is that the user accepts (consents) by answering yes to a popup question. It can be asked over and over.
While this is a somewhat common approach, it's not compliant. The real problem with the GDPR is enforcement; it's largely enforced by national data protection bodies of, well, varying quality, resourcing, and aggressiveness.
anyone ever want to drop the guise of privacy and have the surveillance out in the open?
like real question that way they have the data and we have the data instead of we pretend they don't have the data in the name of privacy but they have the data
No, because it'd be incredibly dangerous to me to have all these groups storing data about me and allowing them to determine my comings and goings.
You may think 'we're only using it for advertising', but I don't trust you and I can't. I don't want you to obtain information about my political views, or how they differ from what I say on the internet, or who I talk to about maths, or where I buy food.
> You may think 'we're only using it for advertising', but I don't trust you and I can't.
We already know that the data companies collect isn't only being used for ads, if not by the company that collects then by others who get access to that data either through sale or not. For example, lawyers are using that data in courtrooms for things like divorce and custody hearings, and police are using it to turn innocent people into suspects.
A major problem is, that even if I don't click "agree" to EULAs, I have no idea if the companies think I did or not. Also, what prevents someone else from "agreeing" on my behalf without my permission; which apparently happens often when sales people set for their new owners (which I witnessed when I was with my mother when she purchased a new car).
As I interpret it, I don't think Swedish consumer contract law allows what you describe to matter anyway, and since the GDPR requires free consent it becomes more dubious, so obvious dataintrång.
There is no such protection in the US, and I'd imagine some other non-EU states.
I'd love something akin to a Bill of Data Rights here in the states similar to the GDPR, but there is no way oligarchs would allow such legislation to happen.
This isn't data rights though, this is that the same law that prohibits people from hacking into your computer is applicable to people doing other things with it in unpermitted ways.
Basically, a program that exfiltrates data without permission is treated no different from a rootkit, legally.
I think you might have misunderstood my meaning. I don't mean a right to use my own data. I mean a right to actually own that data in the sense that others cannot collect and sell it without my consent and proper compensation based on revenue generated by the collector.
There isn't an end to that, what is "all the data"? Someone will always want to record more data, and then sell it to someone. How do you force people to always reveal all the data they have. I think if you start peeling back the onion on what you're suggesting you will realize that it's not really possible or practical in any sense.
You deter them with risk that is too high for what they gain. For example, if consumers are awarded considerable fines for violations, then they would stop.
good point it does seem ambiguous in this context any data generated by me or any device I am using and any downstream data derived from that
why wouldn't this be possible? company x gives you y data and tells you we sold it to z and so on and you just follow the chain using some unique identifier
they sell the data openly and i get to see what they're selling win win legislation instead of annoying cookie banners
> anyone ever want to drop the guise of privacy and have the surveillance out in the open?
No, because I have less than zero expectation that you all <points with middle fingers at HN comment section> won't happily be complicit in something that retroactively criminalizes me or otherwise screws me (and god knows how many other people, I'm fairly unremarkable) over on the basis that doing so is X% better for Y or where X is a small value and Y is a subject that is far from an existential issue for society. Society goes off on these boondoggles from time to time, eugenics, sticking the mentally ill in prisons but with pills, etc, etc and I don't want to see that sort of stuff cranked to 11 because the public tolerated a bunch of dragnet tech that serves as a force multiplier for unaccountable decision makers.
Maybe this is well known and this is about auto insurance but mine just went up $50 a month because of a national database about each of our cars ... the tiniest details are recorded into it and all auto insurance companies then use it to jack up your current rate. If you try to go elsewhere they point to oh you used your Allstate towing benefit a lot so it's $200 a month vs. $140 (can't get a deal from others). Jiffy Lube enters the frequency of your oil changes and the amount of miles in this database too. If you start a new temp job that's further away than usual and start to have more oil changes your insurance could / will go up cause they see you are driving more than you were. I understand entering my car's accident record into this database but I was surprised the tiniest details are entered into this database and Allstate & Jiffy Lube say they do not sell this data they just enter it into this national database...
I'll confess I was sceptical about this but, at minimum, the database seems to exist.
There's a company called Carfax that I'd never heard of. Their EU site seems to provide basic reports about the VIN, whether the car has been written off, etc. Those basic "Is this car sale a scam?" checks are common in the UK.
But the site also makes a big deal about "Get the American report!" So I googled "Carfax oil change" and found people talking about the oil change history in the reports [0]
In the UK it was traditionally common to keep a car log book where you recorded all maintenance and might get the garage to put their stamp on it, to prove to a future buyer that you'd looked after the car. But having a garage enter that info into some random company's database, and maybe not telling me, would be disappointing.
For me as a consumer, whether they’re selling it or giving it away for free or expose it via a data breach, the impact on me is the same. All three deserve fines and jail time for executives. It is strange to me that attention is given to this data but not to the leaking of medical records of literally over 100 million Americans by Change Healthcare last year (a subsidiary of United Health). Most of those victims never were customers of Change or United, but somehow their records were with this company.
At exactly 2:14 while listening to the politically oriented podcast fsckboy laughed, punched the dashboard of their car, and exclaimed "right on, that's what I've always said!"
If they didn't leak vast data through bid requests that others could de-anonymize, the marketplace and whole ad tech ecosystem would not exist in such a profitable fashion for them. They and others depend on people not digging deeper beyond lack of direct transactions for de-anonymized data to really understand the trade.
Once again, glad to be European (covered by GDPR, everywhere). It's funny and sad at the same time, to see Americans be happy with this yellow card when it should definitely be a red one.
That is about a data leak. How do you know if the data wasn't collected with(out) consent?
If VW collected this data without consent, the data protection authorities or the EC are going to have a field day.
(By the way, the GDPR also has ramifications for data leaks of legally collected data. E.g. there is a requirement to report this to the authorities within 72 hours after becoming aware of the breach: https://gdpr-info.eu/art-33-gdpr/ )
What can be done about this as a consumer looking to buy a new car?
I'll be in the market for a new car in the next few years but I do not want to buy anything that tracks or collects ANY data about me.
I was assuming that buying a cheap non-electric car would offer some protection but I'd love to know more.
> What can be done about this as a consumer looking to buy a new car?
For a consumer in the US, I have no idea, but I'm guessing your question is about that since the story is US-specific?
Probably off-topic, but buying a car in 2019 in Spain, they asked me if I'm OK with data-collection during the purchase, up until car delivery, and handed me a contract to sign for "treatment of personal data". I said no, we moved on.
After buying the car (2018 Audi A3), they threw in some remote-monitoring sensor "for free" that could let me/them see metrics about the car, for "maintenance" and whatever they claimed, that they offered to install. I again said "no", but kept the device itself to pick apart at some later time.
But overall, they seem required to ask (here, EU) but no one batted an eye when I said no. The car has a SIM-card reader, but never used it, I'm guessing if I install a SIM-card the car would ask me if data collection is OK, because we'll always have the choice at least.
Electric cars seem like a no-no for now (everywhere possibly), since all of them came with an "always on connection" regardless of what I want, at least last time I checked.
For a few years now, every new car sold in the EU needs a cellular connection for e-call (when airbags are deployed, the car calls 112 itself) functionality. I don't know if it's legal or common to reuse that radio for collecting other data. I would hope not.
> For a few years now, every new car sold in the EU needs a cellular connection for e-call
Damn, that sucks. Hope my current car lasts a long time then... It even has buttons and everything.
> I don't know if it's legal or common to reuse that radio for collecting other data. I would hope not
My guess would be that when you first get it/boot it, you'll at least get a choice between accepting it or not, that would be the baseline.
Unfortunately, a car like Tesla collects so much data. And it's only a matter of time before they start selling it. I don't know of any other car company that collects more data than Tesla.
Tesla also states unequivocally that they do not sell user data: https://www.tesla.com/support/privacy
Tesla state they don't sell "personal information" but they also explicitly say that "Tesla may also collect, use, and share information that does not, on its own, personally identify you" (so "anonymized" data) and also that "personal information" is subject to be processed to "fulfill contractual obligations with third parties, agents and affiliates", whatever that means. https://www.tesla.com/legal/privacy#how-we-may-use-your-info...
Anonymous data is fairly well established to be a myth. https://www.eff.org/deeplinks/2023/11/debunking-myth-anonymo...
Employees are also sharing videos and photos of people in/around their cars with each other and I'm sure they end up in the hands of friends/family members as well. https://www.reuters.com/technology/tesla-workers-shared-sens...
> Tesla states in its online “Customer Privacy Notice” that its “camera recordings remain anonymous and are not linked to you or your vehicle.” But seven former employees told Reuters the computer program they used at work could show the location of recordings – which potentially could reveal where a Tesla owner lived.
You know they're not taking anything seriously when claiming with a straight face in the age of GeoGuessr that potentially hours of road footage, starting/ending with you literally driving into your garage, could ever be anonymous.
Any unfaltering language a company uses is always one bizdev meeting away from "lol just update the contract of adhesion."
Tesla states a lot of things, like that their second generation 2020 roadster is going to be ready next year (tm). I wouldn't put a lot of faith in anything they say, all it takes is Musk changing his mind down the line and then anything goes.
I think I’d pick Tesla, even if it’s more data, because they have never sold that data or indicated they ever would. Unlike literally every other manufacturer that has and does
lol has any OEM ever indicated they would sell data? Or was the truth pulled out of them after an extended legal fight where lawyers quibbled over whether weasel-words like "maintenance and quality assurance purposes" covered "selling technically anonymous information to a data broker but everyone knows there's enough metadata in there that the data broker attaches an identity when they resell it to the insurance companies"?
Gut check, sure, but I wouldn't trust the company that argued technically autopilot wasn't turned on in car crashes because they turned it off milliseconds before the sensed impact and blamed it on driver inattention as being a good, well-intentioned data steward.
I bought a Hyundai Ioniq 5. Hyundai never indicated that they’d sell the data, either. But guess what?
Here’s one thing neither Tesla nor Hyundai have ever said: that they won’t sell the data. (EDIT: I stand corrected on Tesla, as per reply comment. “We do not sell your personal information to anyone for any purpose, period.”)
Tesla has said that, right on their privacy page. https://www.tesla.com/support/privacy
I agree if only because Tesla seems so vertically integrated and dedicated to their vision. Nowhere in their vision is "establish a side hustle of selling user data for extra cash".
"I'd pick Tesla because they're pretty cool guy and don't afraid of anything."
> because they have never sold that data or indicated they ever would.
They all do this until you press "I agree". Some do it even before.
> Can I corrupt data transmission and collection?
In my 2018 Chevy Volt Premier it's not too difficult to disconnect the LTE module. You lose OnStar, remote start, and other "connected" features, but the car and CarPlay still work.
https://www.jamesxli.com/2024/chevy-volt-disable-cellular.ht...
Sometimes I feel bad for repeating myself but relevant threads keep appearing.
Mazda won't permit me to use remote start because I refused to install their app and enable connected services. The man I worked with on the lease was extraordinarily aggressive with me. Almost demanding I install and register this app to complete lease agreement.
So now I don't have remote start and every time I turn the car on I have to select cancel on an infotainment prompt asking me to enable connected services.
The TOS specifically says driving data will be sold to 3rd parties including law enforcement and insurance companies.
I had a similar experience with a Mazda lease
I never installed the app and I was asked to by the leasing guy though he wasn't pushy about it - for whatever reason, the lease/sales guys are incented to have it installed though, allegedly, mazda corporate says they don't incent them - I don't trust it
also, allegedly, since I didn't install it, mazda says my TPU is disabled which is fine by me - remote start is less important than saving many thousands of dollars on bogus insurance hikes
> Almost demanding I install and register this app to complete lease agreement.
I wonder how he would react if you were to tell him that you don't own or use a cellular phone.
> The TOS specifically says driving data will be sold to 3rd parties including law enforcement and insurance companies.
That's awful, but at least it was written down, I guess.
That'd be a hard "No" for me. Or at least I'd ask for a big chunk of that revenue in exchange for MY data.
Doesn't that kind of make sense when leasing though, you're essentially doing "long renting" and you don't actually own the car?
I find it amusing that you think privacy rights should only be for buyers and not renters.
Renters of what? Items people can just take and leave with, yeah I think it's OK they keep track of the thing while I'm renting it.
A home though? I guess it makes sense that they can sometimes inspect it, but I expect privacy in my own home even if I'm renting.
So yeah, depends. Is there some fallacy in my views or something I'm missing?
Renters of cars. Was that not clear from the context? Question was whether data collection and loss of privacy on rental cars should be expected by renters of cars.
Yeah, no that was clear, that's why I already answered that in my previous comment:
> Items people can just take and leave with, yeah I think it's OK they keep track of the thing while I'm renting it.
Is it a fallacy/bad to think that people have the right to track things they loan/rent out to others, as long as that's clear upfront?
Oh, so why did you ask ‘renters of what?’ and start talking about home rental?
Well, I think it’s unrealistic to not expect car rentals to track their cars. Renting gardening tools might be a different story. However, SaaS subscriptions are software rentals, and GDPR makes it explicitly illegal to track what the software companies rent to EU citizens without consent.
To me it seems like the question in practice is not renting vs buying, it’s about what information is collected, what they’re allowed to do with it, and who it is sent to.
Car rentals could request or require consent as terms of rental. (They probably do, I can admit to never having read the entire contract.) One underlying issue here is whether the car rental company passes your name or identification on to the manufacturer, law enforcement, or service providers. It does seem like they should not have the right to do that automatically without informed consent (not buried in contract legalese). They probably should have the right to track where their car is until it’s returned, and then delete that data. So all depends on what they do with the data.
> Oh, so why did you ask ‘renters of what?’ and start talking about home rental?
Have people completely lost their reading comprehension? My comment:
> Renters of what? Items people can just take and leave with [...]
A car is an item "people can just take and leave with". I literally answer the question myself, right after stating it. And not until the line below I start talking about expecting privacy in a rented home.
> Car rentals could request or require consent as terms of rental
They very much do, at least in the countries I've rented a car in. Every time they asked for consent, like the regulations require them to in my region.
I am deeply interested in better understanding faraday cages that can block transmission.
> I am deeply interested in better understanding faraday cages that can block transmission.
You cannot shield your car (ok, you can, but then you cannot drive it). What you can do is disturb the antenna so not enough power will be available to be sent.
Quick search seems to reveal Indium Tin Oxide (ITO) coated glass is transparent enough to let through visible light, but blocks transmissions. One could theoretically build a car with that for the windows. The rest seems easier.
The antenna doesn't have to be in the passenger cabin. You can make the passenger cabin a perfect faraday cage and it won't do anything.
My plan is to buy an old 1960-1970 280SL (or, really, any somewhat reliable vintage car) and stubbornly refuse to drive anything else.
There are more recent cars than going back to the 70s that don't force data collection on you... My car is from 2018 and has none of that stuff, and it even has buttons for all controls, no touchscreen (2018 Audi A3).
I like the feel of driving classic/older cars, but I really cannot justify the safety and pollution drawbacks if I wanted to use them daily.
For sure. I just really like the SL!
Currently have a 2012 C350 Coupe that I love to death. Have had it since 2018. Fantastic car, I don’t think it spies on me too much
More recent cars probably have OnStar systems installed that need to be removed.
What do you recommend? I thought everything 2015 forward collected data.
Probably not the kind of car you are looking for, but my friend's 2015 honda odyssey (which he just traded in) had no smarts. No cellular, no GPS, console used knobs instead of a touchscreen... Whatever Deadpool's opinion of it was, it did make a great van for cargo and humans with good fuel economy for that class...
But, sooner or later it'll be a problem. What would be interesting to me is, is it possible to deactivate cellular on a modern car without losing key functionality, and, if it is ever reactivated (say, to pull updates) would it promptly push years of data upstream.
Ironically, we're replacing a 2011 Honda Odyssey!
If you’re willing to do a little bit of work you can often remove the cellular radio from some modern cars to remove the data collection connectivity, not sure if it’d still be buffered on the device but it’s a step in the correct direction. I’ve read about this in some modern BMWs so it might be worth a bit of googling if you have a particular modern car you are interested in. Or if no one else has done it with a particular model you could also blaze your own path here.
I worry that removal or faraday caging might cause bricking.
As mentioned elsewhere in the subthreads somewhere here, I got a 2018 Audi A3 in 2019, wrote about the experience re data collection + that purchase here: https://news.ycombinator.com/item?id=42736918
My second hand Citroën C3 originally sold on 2016 doesn't collect data AFAIK and has button and wheel controls. There is a small touchscreen (7 inches?) for configuration, trip data, radio stations etc but all controls are also on the wheel or around it.
Many cars now have a TPU, used for connectivity and GPS, which will send telematics data when you start and stop the car. This tracking is not typically easy or possible to opt out of, in my experience.
Research the car ahead of time and figure out how to disconnect the telematics control unit (or whatever that manufacturer calls it).
I own a 2001 Dodge Grand Caravan. No tracking. Runs Great. I just keep fixing it, much cheaper than a new car. Plus I can live in it as well.
I do not know the year they started with all the tracking stuff but you can find an older car that does not have any tracking and spend the rest of the money making it mint.
There is no getting away from it though, we are all watched over by the machines of loving grace. You know with the new LoRaWAN and IoT everywhere scam they are rolling out there will be nothing you can do to escape the surveillance apparatus.
I am giving up. no sense in fighting it anymore. I am just a good little corporate boy toy now.
This might be the way forward - buy a well-built older car and learn to DIY basic maintenance and repairs.
> there will be nothing you can do
That makes it much easier for people to collect data. People read on the Internet, yet again, that they are powerless.
That is one of the worst cars to own. You will continue to fix it more frequently at an accelerated rate, mark my words. So many cheap plastic parts; the parts are right at that point where they will fail molecularly and you see an increased rate of failure. To top it off, the replacement parts are mostly the same age and those 2 will look new but also fail quickly. Lastly, Dodge sucks. They are basically the last car I would ever buy.
I don't understand the FTC. Why and how did they start protecting consumer privacy? Could they have done it before? Do they have an overall systematic plan for protecting it comprehensively? Do they have a guiding principle?
I'm glad they are moving forward on it, at least until Monday.
This is largely the work of Lina Khan and the people reporting to her. She's fairly new to the FTC still (Biden appointee) and has been intentionally pushing on all of this.
Protecting it is difficult since the house/senate and scotus are all determined to roll back pro-consumer laws but that's not really something the FTC can fix, only voters can fix that.
Voters don't seem to see these things as important though based on how they voted most recently. They have other priorities I suppose.
I'll be generous and say that voters are distracted by other things. Easy unsubscribe is great, but it's never going to win an election.
I'll also be cynical and say that voters were also lacking critical thinking in terms of how the president elect simply said he'd do things with no action plan behind it. He already went back on several "promises" even before properly stepping in as President. This is just shame on us at this point.
> Voters don't seem to see these things as important though based on how they voted most recently. They have other priorities I suppose.
This is why saying "but you can elect new officials" is a canard. You only have two choices, each with thousands of consequences.
Harris wouldn't even commit to keeping Lina Khan on.
Lina Khan deserves all the praise and then some.
Banning non-competes, preventing Microsoft-Blizzard merger (amongst many others), enforcing the right-to-repair, filing lawsuits to lower drug prices, making cancelling subscriptions easier...
Your friendly reminder that both Amazon and Meta were openly against her taking the position, that the upcoming administration will scrap the antitrust lawsuits against both of them (the one against Meta was supposed to start in spring, the one against Amazon in 2026) and that this is why Bezos and Zuckerberg are cozying up to Trump.
She did not prevent the Microsoft-Blizzard merger. The FTC lost that case.
They don’t give a shit about privacy directly but GM was egregious in collecting this data
- confusing consumers
- sneakily signing up consumers to “smart driver” as part of OnStar
- data brokers subsequently building profiles on users and selling this data to _insurance companies_
- consumers later finding out their insurance doesn’t get renewed because of this secret driver profile that was built without their explicit consent
If GM followed the rules by disclosing this directly and allowing consumers to opt out, they probably wouldn’t be in this embarrassing position.
It’s in the FTC release: https://www.ftc.gov/news-events/news/press-releases/2025/01/...
Please allow me to be cynical and see here no embarrassment whatsoever. They cashed in on this for years and will surely find other ways (and have some already) to further cash in on people. It's only one of the schemes which got foiled, and only for a while. Yes, I have zero trust and the presumption is of guilt.
Did they really "cash" in on it? When I saw the prior articles on GM it sounded like a very minor revenue stream that did not scratch their overall revenue from vehicle sales.
So they did it for the fun of it? Because "minor" is still not zero.
> They don’t give a shit about privacy directly
But then this submission is explicitly about them giving a shit, and your own example shows that they do give a shit. Since GM didn't allow people a choice regarding their privacy, FTC looked into it?
I really don't understand how someone can see this story about FTC giving a shit, and then proclaim "They don't give a shit". If they didn't give a shit, why do something?
If they gave a shit they would ban it from all cars and not let the automakers hide it with dark patterns.
They would ban illegal data collection? Seems it's already banned, and this case proves they don't let automakers hide it with dark patterns, then you get banned from dealing with data at all.
Or you're arguing against data collection as a whole? I'm not sure FTC is the right tree to bark up to if that's the case, wouldn't you need to involve lawmakers for that? It seems to me FTC would only be able to legislate against "unfair or deceptive practices", so that's why they can address people collecting data in the wrong way, but not address data collection as a whole, would be my guess.
They have instituted broader regulations. (I wish I knew where a systematic evaluation is.)
Lmao. They were too cartoonish in their villainous behavior.
It's surprising since usually nowadays that gets you a cabinet position or a seat in the House.
How about monetary compensation? People lost real money, damages can be calculated.
After all, if I installed spying software on GM's computers, and sold the extracted data to, say, Toyota, I'd face hefty fines. And spend time in prison.
> After all, if I installed spying software on GM's computers, and sold the extracted data to, say, Toyota, I'd face hefty fines. And spend time in prison.
You're going about this all wrong. Set up a company, create a landing page and do some B2B contracts for selling that data, and you too can be a "Data Broker" fully legally. But yes, approaching this as an individual is most likely illegal, you're supposed to do it as a corporation.
IANAL but you’ll want a cofounder. Piercing the veil is a lot easier with a single founder company.
But not if you sold GM software that had a clause deep in the license agreement saying you'd sell the data to Toyota.
What if in this case it was about keeping the accident rate low by incentivizing safe driving? Don't know if I agree with them doing it, but it's probably not an argument that any side would win, and we don't even truly know if it would be a negative or a positive for society when looking at it from every angle.
Probably a class action lawsuit in the future, if one does not already exist.
Jail time? Probably not, we let health insurance companies get away with taking away critical needs from patients and delaying care in the name of delivering shareholder value. The best they get is a slap on the wrist from the government, let alone jail time.
Health insurance abuses got a quite different slap recently.
And they are calling it 'terrorism'. What a joke our country is.
Terrorism is simply what the government/establishment calls any politically motivated public action that includes crime or violence when anyone other than them does it.
4chan/anon was screwing with websites -> terrorism
Neo-nazis finding unsecured online printers at colleges and printing their propaganda -> terrorism
Shoot a public figure because you think they've done a ton of wrong -> terrorism.
Go on a bulldozer rampage against people who have wronged you -> terrorism
To be honest, it IS terrorism, by the very first definition.
The first terrorists (named so) were revolutionaries (not Bolsheviks, but other parties) in the Russian Empire, who went to a government official's office and shot them in the face with a Nagant revolver.
Look up Vera Zasulich, Dmitry Karakozov, Narodnaya Volya (organization), etc.
It is TRUE terrorism, not bombing Christmas parade or marathon.
I mean, it is. Just because you agree with it doesn't mean the label changes. And I don't necessarily hate what happened either, nor would I probably personally prosecute the guy. But let's not mince words, if you (try to) use violence against civilians for political/ideological/religious motives, that's pretty much the agreed-upon definition of "terrorism".
It was a targeted murder, it was not terrorism.
Could you provide what definition you use for "terrorism"? Otherwise your comment might as well just say "No" and it contributes the same amount to the discussion.
Besides, I'd say it's both. There is no denying it was a murder, nor that it was targeted and based on what I understand "terrorism" to be, it seems like that too.
One of the key components of terrorism is random or at least very loose targeting and some degree of disregard for collateral damage.
The United Healthcare murder was basically a reverse Eric Garner. Instead of the government killing someone over something petty to keep the peasants in line, a crazy peasant killed a member of the ruling class to send the same message in the other direction.
Politically both of these are more like a good ol' fashioned lynching than terrorism though obviously the line between the two becomes a bit blurry. Most targeted political violence is not terrorism (though of course the statutes are so broad that if you crop dust an elevator in a government building you're probably open to prosecution).
> One of the key components of terrorism is random or at least very loose targeting and some degree of disregard for collateral damage.
I don't see how loose targeting is required. Or was the Oklahoma City Bombing not terrorism because it targeted a specific building?
The FBI definition of domestic terrorism is only one of many, but they say:
> Violent, criminal acts committed by individuals and/or groups to further ideological goals stemming from domestic influences, such as those of a political, religious, social, racial, or environmental nature.
In my mind, the key is intent to further ideological goals. Killing a rival gang member to increase your standings in the gang leader boards isn't terrorism because there's no ideology. Killing a gang member to try to wipe out gangs could be, because it's an ideological battle. It wouldn't matter if you specifically targeted the leader of a gang, or the first gang member you saw, or someone you thought was a gang member without any investigation; it's the intent to further your ideology with violent crime.
> One of the key components of terrorism is random or at least very loose targeting and some degree of disregard for collateral damage.
Thanks, learned something new about the US today :) In the jurisdictions I'm familiar with, the goals/objectives behind the actions seem to take a more important role than how you seem to consider it in the US.
> One of the key components of terrorism is random or at least very loose targeting and some degree of disregard for collateral damage.
It is a very modern meaning of the word. It is almost re-labeled, like "piracy" for copyright infringement.
> It is a very modern meaning of the word. It is almost re-labeled, like "piracy" for copyright infringement.
And people who called themselves anarchists used to be ideologically communist-adjacent. That was well over a century ago.
Words change over time. The definition has been what it is since at least the 1970s, probably longer depending on where you measure. It is not "very modern".
There is a legal distinction and definition, Legal Eagle on YouTube had an episode on exactly this a few weeks ago, about that the DA might have picked a more difficult crime to prove than murder. IANAL but IIRC the terrorism charge has to prove there is an intent to intimidate larger swaths of government or bodies of people. Just "other CEOs of Health Companies are now scared" is not enough.
Yeah, I guess it kind of makes sense the US has a somewhat different definition of terrorism than the rest of the world I suppose. I think in most jurisdictions I'm familiar with, the amount of victims isn't the consideration if it's "terrorism" or not, but rather if there is an objective to destabilize the state, gravely disturb public peace or provoke a state of terror in a specific segment of the population. Basically, the purpose/objective takes a vital importance in seeing if something is terrorism or not.
But again, makes sense that the US would have different definition.
According to your given examples/definition, under which one would this act fall? Because it's very much not clear to me how they would apply, but to you it seems obvious, so please do explain.
> if you (try to) use violence against civilians for political/ideological/religious motives
A person driving over a person with a van with explicit goal of "Jihad against Christians" would be terrorism, because of the objective, no matter how many people get hurt.
While it seems clear to me that this can be considered "terrorism", it would also seem like it isn't breaking against "anti-terrorism laws" or whatever the charge is in the US.
The jihad driver chooses usually a person at random. If it ran over some army general who led an attack in Iraq would it still be terrorism? Because that's the difference here.
> but it can still share anonymous data about people’s driving with third parties
Most important part of this IMHO.
Yeah and it’s simple to reidentify anonymous location traces. The simplest way is to buy cell phone location data from apps, which is generally intermittent, but even with just 5-6 location/time pairs, you’re going to be able to positively identify someone, with the small caveat that there will be some ambiguity with members of a household that share a car.
Is it anonymous aggregated data or just anonymized data? Anonymized data can easily be de-anonymized, as you stated.
Assuming the worst in these cases is always a good idea.
Even aggregated has been and can be de-anonymized
Yeah, super anonymized if only my car leaves from my house every day to go to work and comes back every night...
That's what "aggregated" is for.
As a European, this is weird. Just 5 years? Why were they allowed to do this in the first place?
Collecting and selling the data is legal if they give you the chance to opt out. They went out of their way to avoid giving you that chance, and that’s what they got in trouble for. So the five year ban is a penalty for breaking the actual law, which is just that the consumer should have a chance to say no.
Yes I don't understand the "5 Years" part at all.
Either it's illegal or it isn't.
No judge ever says "I ban you from burgling houses for 5 years!", like after 5 years it would be okay again.
> Either it's illegal or it isn't.
I think: it's illegal without consent. They can't do it for 5 years, even if they got consent, as a punitive measure. After that they will have to seek consent.
Imagine this:
Security pentester tests someone's website before getting approval/confirmation that this is what the client (who isn't a client yet) wants.
Someone reports that, and judge says "Since you didn't do the pentest the legal way, we're banning you from doing pentests for five years"
After those five years, the pentester can continue doing tests, but legally. The five year ban is not the punishment for doing pentests, but for doing unauthorized pentests.
The analogy here is that data collection/selling is legal, but you have to follow the rules regarding how collection happens. If you break those rules, they'll ban you for N years, after that you can do the collection/selling but following the rules.
No burglar has the resources of GM.
Isn't that jail time?
How about a permanent ban from collecting it in the first place? And you can apply that to the rest of them, while you're at it.
> The five-year ban prohibits G.M. from sharing information about individual drivers, but it can still share anonymous data about people’s driving with third parties, such as road safety researchers.
I know Kashmir Hill knows better than to believe in the fairy tale of "anonymous data".
Privacy ? But I have nothing to hide.
Everyone has something to hide, be it as simple as your driving behavior, so you don't end up overpaying for insurance or even in the situation where all companies refuse to insure a 'risky' profile.
There's also things that are private, but not necessarily deeply secret. There's also things that are completely legal, but morally questionable, at least in your social circles, and if that information was to leak out it would be harmful.
With the VW data leak I was pretty horrified that VW either doesn't understand or doesn't care that leaking location data isn't just privacy invading, it's potentially dangerous for victims of stalking and abuse. In the mildest cases these people may need to move, in the worst they die.
Car companies seem completely oblivious to the dangers of collecting driving data.
Naming this "oblivious" hides ill intent. And by that I mean, I assume they knew and know exactly the possible implications and decided to throw everybody under the bus for shareholder value. Am I wrong to assume this?
Hard to say. I'm sure that in some 100 page report somewhere under the list of concerns is the risk of information leaks and potential damage. Then someone decided that the company just spent $50M on "cyber" and in their summation changed the text to "potential risk of data loss is offset by investments in cyber security", then they push the new 40-page report up the stack. The security risk is now perceived as low, so it's removed from the executive summary and a 3 page memo on the revenue and share price benefits is created.
I don't think there was ever ill intent, but when it inevitably goes wrong, then yes, everyone will be thrown under the bus if it protects the stock price.
They were trying to warn us by naming it “Smart Driver”. Come on y'all.
https://archive.is/PW0ng
This is a great outcome. These types of data interchanges ossify innovation and lock in policy. Insurance is supposed to share risk -- there is too much noise to microsegment. "Big Brother" doesn't have to be only a government, and the outcomes of using this sort of information are solely punitive for a 3rd party forced into the interchange.
The US really needs to strengthen the legal foundations for people's right to privacy.
> The US really needs to strengthen the legal foundations for people's right to privacy.
That's at odds with the even higher (current) goal of "Make money". As long as those are at odds, entities in the US will always favor "making more money" above "people's right to privacy".
Or, people start preferring entities that aren't strictly for-profit, but seems unlikely to happen on the short-horizon.
Aye, but they already made money from the consumer. Ergo this is extractive after the exchange.
Not strictly on topic, but I see these articles & discussions with the focus on new car sales.
What happens when the car (and its data collecting habits) is sold in the used car market? Does it still collect data, is the ownership situation "corrected" via DMV registration feeds, etc. ?
What I am wondering is to what extent (if any) I can protect myself as an end user from this kind of spying by just not connecting these smart devices to the internet.
A while ago I read about smart TVs bypassing pihole-style blockers by using hardcoded IP addresses and DNS server addresses.
I don't even know how smart cars work. Do they have their own SIM card or something like that? Either way there are so many ways they can subvert obstacles. For example a car could scan for unprotected WiFi networks and connect to one if found.
Every new car has a SIM card. Apparently in Europe it is used for emergency automatic calls. But having a SIM card in the car is not mandatory. All the information in other cases is saved in the car. And when you bring the car to the dealership the information is transferred over the wire in the old-fashioned way. The safest thing is to have an older car without much electronics, that can be repaired outside the dealership network. Some cars like Teslas have very normal cameras filming interior. Apparently to monitor the driver. But who knows.
Yes a mobile as a government tracking device in your car is mandated in Europe.
my understanding is for things like eCall that the phone only gets activated when it's actually needed (i.e: an emergency), but never found a check/analysis of this on cars (though i only looked for 2 mins when i checked)
Not yet. But soon, when cars are required to transmit data about emissions.
Which directive is that, and what's the point of it vs emissions point monitoring at annual inspection time?
> Some cars like Teslas have very normal cameras filming interior.
Wow is this real?
Cars that offer driver assistance have to have some way of determining that the driver is awake and paying attention. One way is to monitor steering wheel input, which is how older Teslas do it; another is to use a camera to monitor the driver's face, and that is done by several brands, not just new Teslas.
Absolutely! As well as 1€ camera covers from AliExpress.
I intentionally bought a used car with only a 3G network connection, knowing (at the time, almost 3 years ago) it would soon shut down in the US. I smiled at the "Your OnStar will soon stop working" messages, and intend to hold onto it for a good long time.
> An investigation by the Federal Trade Commission determined that consumers had not been aware that the automaker was providing their driving information to data brokers.
Yeah, no shit. Why on earth would I assume the company from which I bought my car is selling my information? Why are they allowed to sell this data at all?
We can all acknowledge how ridiculous this is, right?
Tiktok's being banned while Meta is more or less able to do the same thing but worse. It's pretty much about who can line pockets rather than the fact that selling user data is wrong.
> Why on earth would I assume the company from which I bought my car is selling my information? Why are they allowed to sell this data at all?
Sadly the answers are "if it's got a connected computer in it, it's selling your information" and "you're in America, so no GDPR because 'free speech' trumps privacy almost every time, except for video rental records".
They keep all the profits and can still sell "anonymized" data. Surely this chilling precedent will have other corporations shivering in fear.
Now, please do Hyundai (and others). Their in-built map's knowledge of speed limits and the speed sign recognition is so awful that any "speeding" data is guaranteed to be wildly inaccurate.
I drove a new Kia as a rental... It just uses Google Auto/Apple equivalent, and just uses Google Maps, no? Or do they also have their own maps app?
Some (like the Hyundai) have their own in-built maps and speed limit data (not very accurate in Australia). They can even warn about traffic build-ups because they're "connected".
I drive in a very populous urban area, and the Google Maps/Auto speed limit data is often inaccurate.
Not saying it's not inaccurate, saying it's not Hyundai gathering the inaccurate info.
Hyundai has a "camera speed limit recognition" system, which can identify road signs and recognise what speed they indicate. That's all well and good, except when it picks up a sign for an off-ramp and thinks it applies to you, or when you pass a large truck/bus with a speed limit sign on the back of it and thinks that's the new speed limit.
On every journey of over 2km, it gets something wrong and sounds a warning tone at you that can't be turned off.
It also reads car park speed signs, which are typically "5", so you often hear a "bong bong bong bong" warning from the car in a car park.
If you're thinking that this is good (and it is), you should love the GDPR which bans this sort of thing entirely without needing an investigation beforehand.
In Sweden it is also a crime, dataintrång.
If data is entered into a system, and you have not received permission to read it, then obtaining access to it is the crime of dataintrång, which can lead to two years imprisonment. So if you make a device and sell it to a customer and it phones home without permission and in phoning home provides you with information he has entered into it, then you've committed dataintrång and can go to prison for up to two years.
I see no reason why GPS data and other automatically entered data would not be regarded as having been entered into the device.
I guess GDPR is a good idea, but in practice it has limited value. I suppose all that is needed is that the user accepts (consents) by answering yes to a popup question. It can be asked over and over. If you answer yes by accident at some point you are screwed. You can maybe(?) retract your answer, but maybe you don't even know you answered yes at some point when you were stressed and had to drive somewhere, while your nav/media system asked you this question.
The main problem is that this sort of thing (tracking of cars and storing the data in a central database) is considered normal by corporations and is allowed by law. Would we like to have big corporations place private detectives outside our houses and when we leave they follow our every step, take photos, record audio and track our GPS position and report all that data to the corporation in realtime? That is what they do now with their cars and phones and appliances. The reason they did not do it in the past was that it was expensive to have private detectives track each of their customers, was considered spooky and abnormal and it was probably also illegal, but now it is cheap and somehow considered normal.
> I guess GDPR is a good idea, but in practice it has limited value. I suppose all that is needed is that the user accepts (consents) by answering yes to a popup question. It can be asked over and over. If you answer yes by accident at some point you are screwed.
Not allowed by the GDPR, this violates the principle of unambiguous consent:
https://www.autoriteitpersoonsgegevens.nl/en/themes/basic-gd...
> You can maybe(?) retract your answer,
Under the GDPR, retracting consent should be as easy as giving consent. Moreover, you have the right of erasure. Even if you consented, when asked, GM should remove all your personal data:
https://gdpr-info.eu/art-17-gdpr/
> but maybe you don't even know you answered yes at some point when you were stressed and had to drive somewhere, while your nav/media system asked you this question.
Violates both the rules that consent should be given freely.
---
More broadly, selling non-anonymous data would never be allowed under the GDPR, because the third-parties would need to consent to use the data.
(IANAL)
In theory it all sounds nice, but in reality I have never seen any website or product adhere to what you (or GDPR) state.
If you answer yes in a popup by fat-fingering, stress, mixup whatever you are screwed. The popup typically comes up when you do not want it, i.e. when you are about to use the product's main function.
> Under the GDPR, retracting consent should be as easy as giving consent.
Well, the popup to give consent comes up all the time whether you want it or not, but there is no popup coming up to retract it. You have to search deep in the settings. It's quite unlikely people will do that on embedded hardware or cars.
And if first given consent by mistake, they have already fetched data in the meantime until you turn it off.
> Violates both the rules that consent should be given freely.
What do you even mean? Of course no one is pointing a gun to your head, but they put up the popup asking for consent and I might push the wrong button by mistake. I might also not notice I pushed the wrong button because there is never a confirmation step.
[EDIT]: And there are typically a huge bunch of switches and checkboxes asking for different kinds of approvals which makes it even easier to make mistakes.
> I guess GDPR is a good idea, but in practice it has limited value. I suppose all that is needed is that the user accepts (consents) by answering yes to a popup question. It can be asked over and over.
While this is a somewhat common approach, it's not compliant. The real problem with the GDPR is enforcement; it's largely enforced by national data protection bodies of, well, varying quality, resourcing, and aggressiveness.
That's not how the GDPR works
anyone ever want to drop the guise of privacy and have the surveillance out in the open?
like real question that way they have the data and we have the data instead of we pretend they don't have the data in the name of privacy but they have the data
No, because it'd be incredibly dangerous to me to have all these groups storing data about me and allowing them to determine my comings and goings.
You may think 'we're only using it for advertising', but I don't trust you and I can't. I don't want you to obtain information about my political views, or how they differ from what I say on the internet, or who I talk to about maths, or where I buy food.
> You may think 'we're only using it for advertising', but I don't trust you and I can't.
We already know that the data companies collect isn't only being used for ads, if not by the company that collects then by others who get access to that data either through sale or not. For example, Lawyers are using that data in courtrooms for things like divorce and custody hearings, and police are using it to turn innocent people into suspects.
but they already do wouldn't you rather know what they have stored instead of pretend they don't have the data?
That's not what the EULAs that you have (probably, and if not, good on you) signed indicate...
A major problem is, that even if I don't click "agree" to EULAs, I have no idea if the companies think I did or not. Also, what prevents someone else from "agreeing" on my behalf without my permission; which apparently happens often when sales people set for their new owners (which I witnessed when I was with my mother when she purchased a new car).
What's consideration in EULA?
As I interpret it, I don't think Swedish consumer contract law allows what you describe to matter anyway, and since the GDPR requires free consent it becomes more dubious, so obvious dataintrång.
There is no such protection in the US, and I'd imagine some other non-EU states.
I'd love something akin to a Bill of Data Rights here in the States similar to the GDPR, but there is no way oligarchs would allow such legislation to happen
This isn't data rights though, this is that the same law that prohibits people from hacking into your computer is applicable to people doing other things with it in unpermitted ways.
Basically, a program that exfiltrates data without permission is treated no different from a rootkit, legally.
I think you might have misunderstood my meaning. I don't mean a right to use my own data. I mean a right to actually own that data in the sense that others cannot collect and sell it without my consent and proper compensation based on revenue generated by the collector.
But then we're talking about website tracking, things like that, not actual exfiltration of stored data?
> anyone ever want to drop the guise of privacy and have the surveillance out in the open?
An essay about such a society: https://web.archive.org/web/20030212145443/http%3A//www.wire...
There isn't an end to that, what is "all the data"? Someone will always want to record more data, and then sell it to someone. How do you force people to always reveal all the data they have. I think if you start peeling back the onion on what you're suggesting you will realize that it's not really possible or practical in any sense.
You deter them with risk that is too high for what they gain. For example, if consumers are awarded considerable fines for violations, then they would stop.
good point it does seem ambiguous in this context any data generated by me or any device I am using and any downstream data derived from that
why wouldn't this be possible? company x gives you y data and tells you we sold it to z and so on and you just follow the chain using some unique identifier
they sell the data openly and i get to see what they're selling win win legislation instead of annoying cookie banners
> anyone ever want to drop the guise of privacy and have the surveillance out in the open?
No, because I have less than zero expectation that you all <points with middle fingers at HN comment section> won't happily be complicit in something that retroactively criminalizes me or otherwise screws me (and god knows how many other people, I'm fairly unremarkable) over on the basis that doing so is X% better for Y or where X is a small value and Y is a subject that is far from an existential issue for society. Society goes off on these boondoggles from time to time, eugenics, sticking the mentally ill in prisons but with pills, etc, etc and I don't want to see that sort of stuff cranked to 11 because the public tolerated a bunch of dragnet tech that serves as a force multiplier for unaccountable decision makers.
Maybe this is well known and this is about auto insurance but mine just went up $50 a month because of a national database about each of our cars ... the tiniest details are recorded into it and all auto insurance companies then use it to jack up your current rate. If you try to go elsewhere they point to oh you used your Allstate towing benefit a lot so it's $200 a month vs. $140 (can't get a deal from others). Jiffy Lube enters the frequency of your oil changes and the amount of miles in this database too. If you start a new temp job that's further away than usual and start to have more oil changes your insurance could / will go up cause they see you are driving more than you were. I understand entering my car's accident record into this database but I was surprised the tiniest details are entered into this database and Allstate & Jiffy Lube say they do not sell this data they just enter it into this national database...
I'll confess I was sceptical about this but, at minimum, the database seems to exist.
There's a company called Carfax that I'd never heard of. Their EU site seems to provide basic reports about the VIN, whether the car has been written off, etc. Those basic "Is this car sale a scam?" checks are common in the UK.
But the site also makes a big deal about "Get the American report!" So I googled "Carfax oil change" and found people talking about the oil change history in the reports [0]
In the UK it was traditionally common to keep a car log book where you recorded all maintenance and might get the garage to put their stamp on it, to prove to a future buyer that you'd looked after the car. But having a garage enter that info into some random company's database, and maybe not telling me, would be disappointing.
[0] https://www.toyotanation.com/threads/oil-change-history-when...
So, only GM is banned.
Every other car maker can continue to sell collected surveillance data...
Please make an article about this on this Consumer Protection wiki: https://wiki.rossmanngroup.com/index.php/How_to_help
For me as a consumer, whether they’re selling it or giving it away for free or expose it via a data breach, the impact on me is the same. All three deserve fines and jail time for executives. It is strange to me that attention is given to this data but not to the leaking of medical records of literally over 100 million Americans by Change Healthcare last year (a subsidiary of United Health). Most of those victims never were customers of Change or United, but somehow their records were with this company.
how about we trade, General Motors can sell our data, and Google cannot
At exactly 2:14 while listening to the political oriented podcast fsckboy laughed, punched the dashboard of their car, and exclaimed "right on, that's what I've always said!"
There's literally zero evidence Google sells data.
They sell targeted ads using data, not the data itself.
If they didn't leak vast data through bid requests that others could de-anonymize, the marketplace and whole ad tech ecosystem would not exist in such a profitable fashion for them. They and others depend on people not digging deeper beyond lack of direct transactions for de-anonymized data to really understand the trade.
Once again, glad to be European (covered by GDPR, everywhere). It's funny and sad at the same time, to see Americans be happy with this yellow card when it should definitely be a red one.
How do you tolerate this?
This was VW last month: https://www.bleepingcomputer.com/news/security/customer-data...
Undisclosed data collection isn't unique to the US.
That is about a data leak. How do you know if the data wasn't collected with(out) consent?
If VW collected this data without consent, the data protection authorities or the EC are going to have a field day.
(By the way, the GDPR also has ramifications for data leaks of legally collected data. E.g. there is a requirement to report this to the authorities within 72 hours after becoming aware of the breach: https://gdpr-info.eu/art-33-gdpr/ )
Apparently it was disclosed well enough for it to not come as a surprise to people, including German politicians (https://www.spiegel.de/netzwelt/web/volkswagen-konzern-daten...)
But fair, it's probably disclosed somewhere in an 80-page EULA for the app.
5 years? Why not forever? WTF, FTC?!