> Plaintiff did not want OnStar services and so he did not push the blue button "to get started." The email provides no mention of OnStar's Smart Driver Program.
…
> In or around January 2024, Plaintiff received his requested LexisNexis consumer disclosure. The report, as of December 18, 2023, had 258 recorded driving events under the "Telematics" subsection. Each driving event included trip details that show the start date, end date, start time, end time, acceleration events, hard brake events, high speed events, distance, and VIN.
…
> Plaintiff had never opted into any insurance program that would have allowed his information to be shared.
Related: "Automakers are sharing consumers' driving behavior with insurance companies" - https://fcra.verisk.com/#/
I wrote about this after my gag order expired. GM was shipping all telematics data to a big data cluster processing 100gbps of data (with double the data once Cisco released 400gbps support). Originally it was to help price their used cars. A noble effort I supported. I didn’t know about the sales to insurance brokers, but should have assumed that was coming.
Anyway cat is out of the bag, they won’t undo this feature they will pay a fine, offer an opt-out to 5% of users who take up the offer and in 10 years time everyone will assume their driving habits are being monitored by their insurance company.
How do I know this? It’s been 10 years since the hoopla about realtime location data being sold. Last night I saw my home IP address reports my location with .25 mile accuracy. Guess that $5 check from Verizon was the fine they had to pay!
Some time last year I wrote a comment here on HN about my Bolt EUV and OnStar. I can’t remember exactly what I wrote and don’t want to dig for it, but I said something like being happy with the vehicle and had disabled all of the OnStar features/tracking soon after I purchased it. Somebody replied that they were intimately familiar with the OnStar/GM project, having worked on it, and that it was still tracking me despite not being subscribed to any of their services and having turned off all the features in the car that I could. They couldn’t elaborate further, I assume because of an NDA or something. I bet dollars to donuts that this is what they were talking about now.
Edit: thanks to Stavros for finding the comment below. It looks like you were in fact the person I was talking to 11 months ago. Small world!
> Anyway cat is out of the bag, they won’t undo this feature they will pay a fine, offer an opt-out to 5% of users who take up the offer and in 10 years time everyone will assume their driving habits are being monitored by their insurance company.
So can't the plaintiffs just request an order compelling GM and others to remove the feature forever as part of the remedies?
> in 10 years time everyone will assume their driving habits are being monitored by their insurance company.
And even if there continues to be an opt-out, those plans will become so prohibitively expensive that you're essentially forced to allow your insurer to spy on you. Privacy is always priced out in the free market. Regulation is the only way. It's not a net benefit to society, just outlaw egregious data collection.
How does the data leave the device? I tried to route traffic from the infotainment system into a WiFi network I was wiresharking, and I saw a lot of GM traffic but I couldn’t install a cert to MitM because I couldn’t figure out how to access the Android settings for the dash OS.
Is the traffic through there or is it totally within the CANBUS and never hits the WiFi outbound? In that case do you need to hijack the 4G?
Not that I support any of this, but why would networking speed be the bottleneck in that system? Telematics seems very much like an OLAP situation where data ingest and querying can be asynchronous.
> And if you own a car made in the last ~5 years, here's how to request your "Consumer Disclosure Report" from LexisNexis: https://consumer.risk.lexisnexis.com/ . According to NYT, LexisNexis receives at least some data from GM, Ford, Kia, Subaru, and Mitsubishi.
Appreciate this link! I don't have one of the listed brands (own a Mazda) but I am curious to see what info data brokers like this have on me in general.
Also, maybe this is a naive thought but I think data brokers like this are so used to operating in the shadows / being forgotten about so I think the more folks who request is at least a small signal to them that folks are paying attention.
Wow, I just submitted the consumer disclosure report this morning after finding out about it from somewhere else. I am VERY interested to see if anything is reported from my car since I don't have any of the addons/monthly fees.
I assume LexisNexis does not provide this report out of the goodness of their heart, it must be required by FCRA?
If I really don't like LexisNexis collecting this data, or if I really just want to stay on top of my credit status, is there any reason not to script something to request a physically mailed report every day? Not sure how much they pay per mailing, but 365 of them can't be cheap.
You can't take this as authoritative but my business has a data relationship with Toyota and they have a ton of juicy telemetry data.
Their attorneys are mad protective of the PII they have. Our relationship serves the public interest. We use the data to find people with open recalls where Toyota doesn't know who the current owner is.
I say this to say that we have other OEM relationships that are far more liberal with their encumbered data. This far Toyota seems to be playing it very straight.
• Violations of the Fair Credit Reporting Act (FCRA) due to the alleged improper sharing and reporting of plaintiffs' driving data without consent, impacting their ability to secure car insurance and leading to increased rates.
• Violations of the Florida Deceptive and Unfair Trade Practices Act, accusing the defendants of engaging in deceptive practices by sharing personal driving data without the knowledge or consent of the car owners.
• Invasions of privacy under Florida common law, arguing that the defendants' actions of tracking, collecting, and sharing personal driving data without consent intrude upon the plaintiffs' private lives and are offensive.
Unless senior managers and board members get criminal convictions and jail time it will continue and the "disturbing" will cease only by being normalized.
Hoping for a magic responsible all powerful legal daddy to come enforce a just set of laws is pure fantasy.
The people doing regulation and oversight have been bought and paid for by these "managers and board members." Citizens united codified their right to do this into law.
If you want professional ethics, you have to create a vehicle that can enforce professional ethics or wield political power -- a trade union or guild.
No congress-member is going to wake up and be like "gee, I sure wish I would get a few less bribes (campaign contributions) today," or "I sure would like my stock portfolio to decrease in value by doing real oversight on all these companies that are making me rich."
If the legal system cannot provide consequences to these people, then it's time to start thinking about where those consequences are going to come from. Hoping for consequences is not a very good strategy. A union is one such vehicle.
If the health insurance industry is several times larger than car insurance then there must be a very high financial motive for Ancestry/23&me to sell your curious aunt's DNA data which is also linked to relations.
At least the health insurance industry is legally prohibited from charging different rates to people based on DNA. So, at most, they can use it to try to get you specialized care.
No shit. Plus 23 and me is in deep financial trouble last I heard. Someone out there is drooling over that data set.
I know otherwise smart people (in the analytical sense) who paid money to hand over their most sensitive biometrics to these companies. And they’re still like “the data brokers can have it, what are they gonna do?”
Without extremely aggressive changes to how we handle situations like this, it seems unlikely
A fine is a price, and there are basically no laws that put financial, let alone criminal liability for people behind the corporate veil or seizure/dissolution of a corporation that consistently breaks the law on the table
Whenever the GDPR is mentioned here, people more or less treat it as a sign of fascism. With that attitude from us, how can our rights on privacy be respected?
I'm extremely glad that the GDPR and NOYB.eu mean that car manufacturers can't pull that shit here. If I opt out, I'm opted out, or there will be big fines for them.
How? Who will represent that viewpoint in the halls of congress? The EFF is politically ineffective and always has been for reasons I don't understand, and no one else seems to care.
A huge majority of my spam calls come from someone who bought it from ZoomInfo, Apollo, or other. I made a mistake somewhere and they got my personal number.
Now, every time I get a spam call, I insist they tell me where they're getting their info from. They'll try to so "our data team", but if you keep insisting they'll tell you.
Privacy legislation is antipartisan[0]: the US government relies on buying dox from adtech creeps to do all the spying they otherwise couldn't legally do, so nobody in power wants that loophole closed.
[0] Bipartisanly supported by the electorate and bipartisanly opposed by the elected representatives of said electorate
Nice thing is that tracking via cellular never stops working but if you are in an emergency they will not call emergency services for you if you don't pay the subscription.
It's good to read this thread and know that finally people are realizing the full extent of the surveillance. I have dealt with a Govt agency targeting me for several years and having technical knowledge, I've noticed all of this invasion of privacy and control used against me, lots of it wouldn't even be possible without technology or the internet. But it's so much more than if you gave up your phone... It's a literal surveillance state and even if you go to the suburbs away from the concrete prisons our cities have been turned into, you still have front door cameras everywhere, accessible by law enforcement.
In fact, to abuse all of this stuff and weaponize it against someone, you do not need to have a court order or a warrant. As long as you find the right people, have the right narrative, companies will do all kinds of stuff to you, even if you are a customer.
And my original reply before going off on a tangent was that even if you remove your sim card, even if you somehow disable emergency services, your phone is still pinging and leaking all these signals that are picked up by all kinds of scanners.
Very few people even accept this is happening at scale, let alone are able to reason about the implications of it all.
The public needs a better job of being informed about the consequences of all of it.
I agree with the worry about surveillance. But isn't this really a continuation of how car makers treat their customers and the public generally. Cars companies comprimise privacy in the same way that they willingly comprimise safety, public health and the environment. It is the result of a broken culture and naive to expect them to change.
GM is trying really hard to not get my business in the future. Between the no Car Play and Android Auto support in their new EVs. Now this. I'm just tired man...
GM seems to be floundering in mediocrity right now. They basically pump out generic, uninspired plastic boxes right now then try to nickel and dime their customers. In my opinion, foreign manufactures are absolutely eating their lunch right now.
Despite being children of an automotive family, with a deep loyalty for the Big 3, we've started to avoid their cars. While they can run forever, they just start failing apart.
The rebadged Commodores were a bright spot in the lineup for a while if you like that kind of thing
What are “foreign manufacturers?” Hondas and Toyotas have been built in the states for a long time. Chrysler has been a transnational merger for a while and Ford and GM have long histories of importing their overseas products.
I will never buy a GM until they stop turning their reverse lights on when they're not reversing. This one small feature has wreaked immeasurable havoc on parking lots across the world.
They've done that just fine for me by releasing... lame cars across the board. Most of their brands are shells of their former selves (especialllly Cadillac) and I can't remember the last time I saw a Chevy that I actually liked.
I mean, I get that. Part of it is irrational because my father worked for and retired from GM. So it's a bit of a family thing. But the loyalty has a limit and I believe Mary Barra has reached the limit for me.
We’ve already taken quite a few manufacturers off the list for this reason, including GM. Vote with dollars people. Take my data without permission, lose my business.
You've Japanese, German and to some extend even Korean cars that are much better. If pick up truck is what you're looking for, then Ford is much better
The brands you are thinking of also likely have telematics with similar vague language about data collection. I've seen it in Nissans, Hondas, and Toyotas, personally.
If you're in the market for a smaller, cheap(ish) EV with decent range, the Chevy Bolt (used) is basically the only option, and honestly can be had for less than any equivalent ICE vehicle of similar quality/mileage
Tesla claims not to sell or transfer the data they collect, and offer opt-outs from most of it. You can, if you are willing to void your warranty, remove the GSM/LTE module from a Tesla fairly straightforwardly.
Telematics should be disabled, preferably by way of hard cutting the modem chip's V-in. Call me a tinfoil hat lover, but when 23andme gets bought by an insurance company, the similarities with potential insurability issues are numerous when data is available to the other without a big, shining red opt-in.
I have obtained an email from GM stating that if I am an OnStar Smart Driver subscriber, I cannot opt out of my data being shared. I believe this violates at least California privacy regulations, probably some other states, which mandate opt outs. I seriously want to rip the modem out of my car.
Collecting and storing personal data needs to be exorbitantly expensive.
LexisNexis knew exactly what they were doing and probably already factored in litigation costs to the product.
Experian should have been fined out of existence when they lost all that data. The light of their funeral pyre could have warned away companies headed down the same path.
It is so enraging. Not only did they have zero consequences compared to what they should have received, they're still somehow the lone report I have to thaw for every single loan and line of credit.
I recently bought a Toyota because I was able to push the "SOS" button in the car and request that they disable telematics right after I bought it. I don't know whether they've actually stopped collecting my location information or if they can arbitrarily re-enable telematics at some time in the future for whatever reason, so I've additionally pulled a fuse that powers the transmitter. I'm mulling wrapping some components in a Faraday cage just for good measure.
The ability to prevent the car from spying on me was near the top of my list of desired features when I was shopping for a new car. This is one of the main things keeping me from buying another EV. So far as I'm aware there is nothing on the market where I live that won't constantly spy on you with no option to disable.
It's ultra annoying that "EV" seems to mean a tablet on wheels now. I just want a "dumb" car with a battery instead of petrol.
A friend of mine has a Mitsubishi EV Minivan (Japanese model) and it's about as close to a perfect "dumb EV" I've seen yet. It drives incredibly well. They just don't produce a 4x4 model yet, which is important if you live in cold snowy climates.
> So far as I'm aware there is nothing on the market where I live that won't constantly spy on you with no option to disable.
Kia EV6 has a telematics toggle in the hidden engineering menu. Vehicles sold in Massachusetts have it disabled by default to protest the state's "right to repair" law, but in other regions you can disable it yourself.
I bought a Toyota last year and the app clearly showed me a bunch of opt in/out options and I felt relatively confident they were either outright lying or I had opted out.
I never installed the app or registered an account or anything. The rep who I spoke to after pressing the SOS button mentioned that they had to create an account for me and then disable. They went ahead and at least said they did that while I waited on the line.
I'm more confident in effectiveness of pulling the DCM fuse.
I'm in the market to buy a car and have narrowed it down to 2024 prius. I've read Mozilla's papers and a few auto forums on privacy issues with some abilities to turn on/off telematics. As you say, none of what I've read is conclusive in whether this actually stops collection.
Do you have any links you followed for the physical fuse?
Is there a hardware hacking forum that would teach people how to modify their rig to use the good features of such devices regardless of manufacturer but intercept and modify telemetry data to feed them realistic looking but fake data until you press a distress button and them give real location? I ask because I do not trust the legal system to ever catch up to this globally or to have any real teeth that make companies feel real pain. I've played whack-a-mole with spammers and malware distributors. This feels the same to me. Until it becomes trivial to disable such things I personally will stick with fixing up used vehicles that I know are free of loose lips.
Leave it to data brokers and insurance companies to make the leap "ick" to outrage.
On the other hand... to all selfish, unsafe street-racing, road-hogging Cadillac XT6 drivers out there: may your insurance rates double and may you swim forever in a sea of adverse underwriting decisions.
I do think there’s an interesting future dilemma here. I’m absolutely against them sharing this data without consent. But if sharing e.g. the number of hard brakes you do was made explicit and led to lower insurance premiums… I’d be tempted. I often feel like there’s little reward for adhering to traffic laws these days.
There used to be opt-in insurance programs with many carriers. They used to send you a device, but I guess that was mooted by secret mass surveillance?
I recently requested a quote while insurance shopping, and progressive seems to have already associated driving telematics history with one of my vehicles (a 2015 Chevy product).
While I dislike how little practical enforcement there is against the pervasive surveillance by ad-tech companies, this is one of the things that GDPR works wonders against:
No sane company would want to participate in such a scheme in Europe. Both the seller and the buyers would be on the hook for massive GDPR fines, and unlike a tech company where the privacy violations might be contributing 50% of the revenue and which could thus easily consider a 4% of revenue fine once every few years a (small) cost of doing business, car companies can't afford that.
General Motors had a global revenue of $172 billion, net income $10B, and the data sales are only a small part of that.
The intermediate company that's buying the data and reselling it to car manufacturers could potentially try to get away with it, because their entire business model depends on it, so they have little to lose. Just make sure to keep no money in the company because once the DPAs learn of the business the company a) has no business model because they will prohibit continued buying/selling of the data b) is likely to be bankrupted by the fine that might well exceed their entire revenue (for smaller companies, the fine isn't capped to 4% of revenue, the limit is 20M EUR).
For the insurance companies that would be buying this data I'd imagine it's even worse.
And this sort of egregious thing is something I can see DPAs actually enforcing, because it'd be much more clear cut than tech companies using non-compliant consent banners.
Edit: And I forgot the most important thing - if they don't put it into their privacy policy they're even more screwed, and if they do put it there, a customer who finds it can get it enforced by sending an e-mail (or in Germany, letter, because some DPAs don't accept e-mail) rather than finding a lawyer willing to start a class action.
Well, I removed the telematics module from my car. But it already stopped working because it was 3G only. The car was built in 2014, shipped with a 2G modem that was replaced at Ford's expense when 2G went offline shortly after the car was sold.
My other car with telematics was built in 2016 with a 3G modem that also no longer works.
For my car (2024 GR Corolla) you can pull a fuse that goes to the telematics computer.
The car has a bad habit of calling the emergency hotline on a race track if you go over rumble strips (those painted red/white strips) because it shakes the car so violently I guess. Popping the fuse will make it stop happening.
On my 2021 Camry, the fuse is labeled `DCS` — the only caveat is, it disables the front-right tweeter (there is a bypass, but requires you to remove the front dashboard and install jumpers across the DCS connector).
How we came to a stage where your iris is being monitored in your car, including mic and video recording and all your contact being uploaded as soon as you connect to the entertainment sys... and nobody gives a fuck. It's beyond my understanding.
This is good news. I hope this serves as inspiration for future cases against app developers, Google, Microsoft, Facebook, and all who are not upfront about their data and privacy practices.
Buried in the complaint is an interesting part about why he lost his original insurance carrier, they stopped writing policies in FL. The personal injury lawyers in Florida are out of control. There are also a ton of staged accident rings that nobody is doing anything about. I’m surprised any insurance carriers exist in that state anymore.
> he lost his original insurance carrier, they stopped writing policies in FL. The personal injury lawyers in Florida are out of control.
I'm a little skeptical, this reminds me of past arguments of "blame malpractice lawsuits for exploding US medical costs, tort reform will fix it", which doesn't seem to have worked in the places where it was tried.
AFAICT most of the reasons insurers are pulling out of Florida involves the math around catastrophes like hurricanes.
But what if the automakers' solution going forward is to not make the feature optional? That the service gets baked into the price? They turn it on. They leave it on. Especially with a lease, won't they have a legal angle to protecting their property?
My concern this might become a "be careful what you wish for"?
I understand that my opinion on this matter may be controversial, but I feel compelled to share my experiences. In the past five years, I've noticed a significant increase in aggressive driving. I've been the victim of two hit-and-run incidents where I was rear-ended, and the drivers fled the scene. In a third incident, a driver collided with the side of my car as the road curved and had the audacity to tell the police that I was at fault. In Texas, I've witnessed rampant red-light running, failure to stop at stop signs, excessive speeding (more than 15 mph over the limit), tailgating, and failure to use turn signals.
I believe that telematics could be a valuable tool in addressing this issue by scoring drivers based on their driving habits and adjusting their insurance rates accordingly. This would not only encourage safer driving practices but also ensure that responsible drivers are not unfairly penalized for the actions of aggressive drivers. In my opinion, telematics should be required for operating a vehicle on public roads.
I feel like cell phones have to be more sensitive than w/e transmitter the car has, but your point holds - naively wrapping it in foil still probably won't work.
I wonder what they'd do if you contacted GM et al to report that you've sold your car to some made up person. Would they wait until they get official notice from your local government to change where the data is recorded?
The secrecy is ick, but this is the future and there’s no stopping it.
There’s ample evidence that consumers won’t pay for privacy and as most consumers opt in to data sharing programs, the non-data-sharing cohort will get seriously adverse further raising the price of privacy. The equilibrium state is that only bad actors and a handful of privacy zealots will inhabit that pool and mainstream carriers won’t even bid it.
>“What no one can tell me is how I enrolled in it,” Mr. Chicco told The Times in an interview this month. “You can tell me how many times I hard-accelerated on Jan. 30 between 6 a.m. and 8 a.m., but you can’t tell me how I enrolled in this?”
Reading this got me cheering out loud for the plaintiff. I'm so glad to see someone taking these bastards to court.
I can relate in some small way to part of his ordeal - not with GM specifically, but I don't know how many times I've been stuck in a loop with companies who have no idea what happens to your data they hoover up and can't explain or answer even the most basic questions on that topic - and are confused as to why you are even asking.
I hope this gets its class action certification and jury trial, and I'm looking forward to kicking back with a bag of popcorn and watching the show. If he started a GoFundMe or something I'd be happy to make a substantial contribution to his legal fees.
It's long past the time bad actors like this who give you no real choice or control over the products you are buying start to be brought to justice.
>The DriveView program became available to Volkswagen Car-Net subscribers starting with model year 2020. By enrolling in DriveView, Car-Net users may be eligible for discounted rates from some of the top automotive insurance companies in the country. This program can also help Car-Net users monitor their driving by tracking activities like night driving, hard braking, and idle time. These factors all contribute to an overall driving score, which is visible within the Car-Net mobile app and on vw.com/carnet. Through the agreement with CCC, VW Car-Net will leverage the newly released CCC® VIN Connect, which applies driving behavior data at the point-of-quote, making it fast and easy for eligible consumers to connect with potential insurance discounts.
From the complaint:
> Plaintiff did not want OnStar services and so he did not push the blue button "to get started." The email provides no mention of OnStar's Smart Driver Program.
…
> In or around January 2024, Plaintiff received his requested LexisNexis consumer disclosure. The report, as of December 18, 2023, had 258 recorded driving events under the "Telematics" subsection. Each driving event included trip details that show the start date, end date, start time, end time, acceleration events, hard brake events, high speed events, distance, and VIN.
…
> Plaintiff had never opted into any insurance program that would have allowed his information to be shared.
Related: "Automakers are sharing consumers' driving behavior with insurance companies" - https://fcra.verisk.com/#/
Thanks! Yes—related from yesterday:
Automakers are sharing consumers' driving behavior with insurance companies - https://news.ycombinator.com/item?id=39666976 - March 2024 (321 comments)
That one only spent 3 hours on the front page so I guess we'll let this one have a go too...
Teehee
I wrote about this after my gag order expired. GM was shipping all telematics data to a big data cluster processing 100gbps of data (with double the data once Cisco released 400gbps support). Originally it was to help price their used cars. A noble effort I supported. I didn’t know about the sales to insurance brokers, but should have assumed that was coming.
Anyway cat is out of the bag, they won’t undo this feature they will pay a fine, offer an opt-out to 5% of users who take up the offer and in 10 years time everyone will assume their driving habits are being monitored by their insurance company.
How do I know this? It’s been 10 years since the hoopla about realtime location data being sold. Last night I saw my home IP address reports my location with .25 mile accuracy. Guess that $5 check from Verizon was the fine they had to pay!
> I wrote about this after my gag order expired.
Some time last year I wrote a comment here on HN about my Bolt EUV and OnStar. I can’t remember exactly what I wrote and don’t want to dig for it, but I said something like being happy with the vehicle and had disabled all of the OnStar features/tracking soon after I purchased it. Somebody replied that they were intimately familiar with the OnStar/GM project, having worked on it, and that it was still tracking me despite not being subscribed to any of their services and having turned off all the features in the car that I could. They couldn’t elaborate further, I assume because of an NDA or something. I bet dollars to donuts that this is what they were talking about now.
Edit: thanks to Stavros for finding the comment below. It looks like you were in fact the person I was talking to 11 months ago. Small world!
27 replies →
> Anyway cat is out of the bag, they won’t undo this feature they will pay a fine, offer an opt-out to 5% of users who take up the offer and in 10 years time everyone will assume their driving habits are being monitored by their insurance company.
So can't the plaintiffs just request an order compelling GM and others to remove the feature forever as part of the remedies?
6 replies →
> in 10 years time everyone will assume their driving habits are being monitored by their insurance company.
And even if there continues to be an opt-out, those plans will become so prohibitively expensive that you're essentially forced to allow your insurer to spy on you. Privacy is always priced out in the free market. Regulation is the only way. It's not a net benefit to society, just outlaw egregious data collection.
How does the data leave the device? I tried to route traffic from the infotainment system into a WiFi network I was wiresharking, and I saw a lot of GM traffic but I couldn’t install a cert to MitM because I couldn’t figure out how to access the Android settings for the dash OS.
Is the traffic through there or is it totally within the CANBUS and never hits the WiFi outbound? In that case do you need to hijack the 4G?
Not that I support any of this, but why would networking speed be the bottleneck in that system? Telematics seems very much like an OLAP situation where data ingest and querying can be asynchronous.
1 reply →
> And if you own a car made in the last ~5 years, here's how to request your "Consumer Disclosure Report" from LexisNexis: https://consumer.risk.lexisnexis.com/ . According to NYT, LexisNexis receives at least some data from GM, Ford, Kia, Subaru, and Mitsubishi.
Appreciate this link! I don't have one of the listed brands (own a Mazda) but I am curious to see what info data brokers like this have on me in general.
Also, maybe this is a naive thought but I think data brokers like this are so used to operating in the shadows / being forgotten about so I think the more folks who request is at least a small signal to them that folks are paying attention.
Wow, I just submitted the consumer disclosure report this morning after finding out about it from somewhere else. I am VERY interested to see if anything is reported from my car since I don't have any of the addons/monthly fees.
I assume LexisNexis does not provide this report out of the goodness of their heart, it must be required by FCRA?
If I really don't like LexisNexis collecting this data, or if I really just want to stay on top of my credit status, is there any reason not to script something to request a physically mailed report every day? Not sure how much they pay per mailing, but 365 of them can't be cheap.
Interesring that Subaru is mentioned, but not Toyota. Recent Subaru models share a lot of electronic guts with Toyota.
You can't take this as authoritative but my business has a data relationship with Toyota and they have a ton of juicy telemetry data.
Their attorneys are mad protective of the PII they have. Our relationship serves the public interest. We use the data to find people with open recalls where Toyota doesn't know who the current owner is.
I say this to say that we have other OEM relationships that are far more liberal with their encumbered data. This far Toyota seems to be playing it very straight.
6 replies →
I just tried "Consumer Disclosure Report" link from LexisNexis you shared, and nothing happens when I submit the request. :(
>and nothing happens when I submit the request. :(
The site is likely overloaded by interest from HN readers. Trying again in 48 hours will likely give more performant responses.
It was very slow and gave no indication it was working but it worked for me. Try again?
The complaint is for:
• Violations of the Fair Credit Reporting Act (FCRA) due to the alleged improper sharing and reporting of plaintiffs' driving data without consent, impacting their ability to secure car insurance and leading to increased rates.
• Violations of the Florida Deceptive and Unfair Trade Practices Act, accusing the defendants of engaging in deceptive practices by sharing personal driving data without the knowledge or consent of the car owners.
• Invasions of privacy under Florida common law, arguing that the defendants' actions of tracking, collecting, and sharing personal driving data without consent intrude upon the plaintiffs' private lives and are offensive.
We are going to learn so many disturbing things that data brokers (which includes basically every large corporation) are doing in the next years.
Unless senior managers and board members get criminal convictions and jail time it will continue and the "disturbing" will cease only by being normalized.
Hoping for a magic responsible all powerful legal daddy to come enforce a just set of laws is pure fantasy.
The people doing regulation and oversight have been bought and paid for by these "managers and board members." Citizens united codified their right to do this into law.
If you want professional ethics, you have to create a vehicle that can enforce professional ethics or wield political power -- a trade union or guild.
No congress-member is going to wake up and be like "gee, I sure wish I would get a few less bribes (campaign contributions) today," or "I sure would like my stock portfolio to decrease in value by doing real oversight on all these companies that are making me rich."
If the legal system cannot provide consequences to these people, then it's time to start thinking about where those consequences are going to come from. Hoping for consequences is not a very good strategy. A union is one such vehicle.
8 replies →
If the health insurance industry is several times larger than car insurance then there must be a very high financial motive for Ancestry/23&me to sell your curious aunt's DNA data which is also linked to relations.
At least the health insurance industry is legally prohibited from charging different rates to people based on DNA. So, at most, they can use it to try to get you specialized care.
1 reply →
No shit. Plus 23 and me is in deep financial trouble last I heard. Someone out there is drooling over that data set.
I know otherwise smart people (in the analytical sense) who paid money to hand over their most sensitive biometrics to these companies. And they’re still like “the data brokers can have it, what are they gonna do?”
And hopefully rein them in.
Without extremely aggressive changes to how we handle situations like this, it seems unlikely
A fine is a price, and there are basically no laws that put financial, let alone criminal liability for people behind the corporate veil or seizure/dissolution of a corporation that consistently breaks the law on the table
Whenever the GDPR is mentioned here, people more or less treat it as a sign of fascism. With that attitude from us, how can our rights on privacy be respected?
I'm extremely glad that the GDPR and NOYB.eu mean that car manufacturers can't pull that shit here. If I opt out, I'm opted out, or there will be big fines for them.
10 replies →
How? Who will represent that viewpoint in the halls of congress? The EFF is politically ineffective and always has been for reasons I don't understand, and no one else seems to care.
13 replies →
Nah we're just here busy banning tiktok
9 replies →
Of course not. Congress and SCOTUS are all paid for.
There needs to be a new "-flation" term for this (privacyflation?). Where we're also paying in terms of our privacy
It's cyberstalking, plain and simple.
panopticoflation
https://en.wikipedia.org/wiki/Panopticon
Why normalize a weird friendly term for spying?
There’s already a word: stalking.
spyflation
Personal bubble deflation
Corporate Voyeurism
A huge majority of my spam calls come from someone who bought it from ZoomInfo, Apollo, or other. I made a mistake somewhere and they got my personal number.
Now, every time I get a spam call, I insist they tell me where they're getting their info from. They'll try to so "our data team", but if you keep insisting they'll tell you.
These data exchange companies are despicable.
How long until a US equivalent of the GDPR ?
Once there are 32 or fewer Republicans in the Senate, so never.
Privacy legislation is antipartisan[0]: the US government relies on buying dox from adtech creeps to do all the spying they otherwise couldn't legally do, so nobody in power wants that loophole closed.
[0] Bipartisanly supported by the electorate and bipartisanly opposed by the elected representatives of said electorate
[dead]
Nice thing is that tracking via cellular never stops working but if you are in an emergency they will not call emergency services for you if you don't pay the subscription.
Clearly your data are more important than you
It's good to read this thread and know that finally people are realizing the full extent of the surveillance. I have dealt with a Govt agency targeting me for several years and having technical knowledge, I've noticed all of this invasion of privacy and control used against me, lots of it wouldn't even be possible without technology or the internet. But it's so much more than if you gave up your phone... It's a literal surveillance state and even if you go to the suburbs away from the concrete prisons our cities have been turned into, you still have front door cameras everywhere, accessible by law enforcement.
In fact, to abuse all of this stuff and weaponize it against someone, you do not need to have a court order or a warrant. As long as you find the right people, have the right narrative, companies will do all kinds of stuff to you, even if you are a customer.
And my original reply before going off on a tangent was that even if you remove your sim card, even if you somehow disable emergency services, your phone is still pinging and leaking all these signals that are picked up by all kinds of scanners.
Very few people even accept this is happening at scale, let alone are able to reason about the implications of it all.
The public needs a better job of being informed about the consequences of all of it.
I agree with the worry about surveillance. But isn't this really a continuation of how car makers treat their customers and the public generally. Cars companies comprimise privacy in the same way that they willingly comprimise safety, public health and the environment. It is the result of a broken culture and naive to expect them to change.
1 reply →
>tracking via cellular never stops
Don't carry a cell phone?
Seems to work just fine =D
GM is trying really hard to not get my business in the future. Between the no Car Play and Android Auto support in their new EVs. Now this. I'm just tired man...
GM seems to be floundering in mediocrity right now. They basically pump out generic, uninspired plastic boxes right now then try to nickel and dime their customers. In my opinion, foreign manufactures are absolutely eating their lunch right now.
Despite being children of an automotive family, with a deep loyalty for the Big 3, we've started to avoid their cars. While they can run forever, they just start failing apart.
Chevy Trax got C&D's highest 10/10 which is remarkable because GM's small cars are usually terrible...
and consumer reports seems to love the cousin Buick Envista.
The rebadged Commodores were a bright spot in the lineup for a while if you like that kind of thing
What are “foreign manufacturers?” Hondas and Toyotas have been built in the states for a long time. Chrysler has been a transnational merger for a while and Ford and GM have long histories of importing their overseas products.
2 replies →
I will never buy a GM until they stop turning their reverse lights on when they're not reversing. This one small feature has wreaked immeasurable havoc on parking lots across the world.
https://www.reddit.com/r/cars/comments/rshlke/why_do_gm_vehi...
They've done that just fine for me by releasing... lame cars across the board. Most of their brands are shells of their former selves (especialllly Cadillac) and I can't remember the last time I saw a Chevy that I actually liked.
I mean, I get that. Part of it is irrational because my father worked for and retired from GM. So it's a bit of a family thing. But the loyalty has a limit and I believe Mary Barra has reached the limit for me.
We’ve already taken quite a few manufacturers off the list for this reason, including GM. Vote with dollars people. Take my data without permission, lose my business.
Voting with your vote works even better.
If we vote with our dollars then the government just bails them out when they inevitably go bankrupt, again.
1 reply →
who is left on your list?
3 replies →
why would you want GM in first place?
You've Japanese, German and to some extend even Korean cars that are much better. If pick up truck is what you're looking for, then Ford is much better
The brands you are thinking of also likely have telematics with similar vague language about data collection. I've seen it in Nissans, Hondas, and Toyotas, personally.
If you're in the market for a smaller, cheap(ish) EV with decent range, the Chevy Bolt (used) is basically the only option, and honestly can be had for less than any equivalent ICE vehicle of similar quality/mileage
6 replies →
Tesla claims not to sell or transfer the data they collect, and offer opt-outs from most of it. You can, if you are willing to void your warranty, remove the GSM/LTE module from a Tesla fairly straightforwardly.
1 reply →
Probably because they assume those companies are doing the same thing?
> Between the no Car Play and Android Auto support in their new EVs.
Wait seriously? That's a wild choice.
yeah they're doin it themselves
Telematics should be disabled, preferably by way of hard cutting the modem chip's V-in. Call me a tinfoil hat lover, but when 23andme gets bought by an insurance company, the similarities with potential insurability issues are numerous when data is available to the other without a big, shining red opt-in.
Conveniently, on most modern Toyota vehicles there is a fuse labeled `DCS` which disables power to the modem.
Luckily, GINA makes it illegal to use 23andme data for health insurance.
As this article shows, "illegal to use" doesn't always stop them from doing it.
1 reply →
I have obtained an email from GM stating that if I am an OnStar Smart Driver subscriber, I cannot opt out of my data being shared. I believe this violates at least California privacy regulations, probably some other states, which mandate opt outs. I seriously want to rip the modem out of my car.
Well you can file a CCPA violation complaint with the state AG. Especially because a "Do Not Sell or Share My Personal Information" link is mandatory.
https://oag.ca.gov/privacy/ccpa#sectionh https://oag.ca.gov/contact/consumer-complaint-against-busine...
Some lawyer at GM is reading this and saying, "No private right of action FTW, suckaaaaaaa"
Perhaps. This thing might be an easy win for a regulatory agency looking to establish itself though.
2 replies →
Collecting and storing personal data needs to be exorbitantly expensive.
LexisNexis knew exactly what they were doing and probably already factored in litigation costs to the product.
Experian should have been fined out of existence when they lost all that data. The light of their funeral pyre could have warned away companies headed down the same path.
It is so enraging. Not only did they have zero consequences compared to what they should have received, they're still somehow the lone report I have to thaw for every single loan and line of credit.
I'd like to see a HIPAA for regular data.
It's pre-frozen?
3 replies →
I recently bought a Toyota because I was able to push the "SOS" button in the car and request that they disable telematics right after I bought it. I don't know whether they've actually stopped collecting my location information or if they can arbitrarily re-enable telematics at some time in the future for whatever reason, so I've additionally pulled a fuse that powers the transmitter. I'm mulling wrapping some components in a Faraday cage just for good measure.
The ability to prevent the car from spying on me was near the top of my list of desired features when I was shopping for a new car. This is one of the main things keeping me from buying another EV. So far as I'm aware there is nothing on the market where I live that won't constantly spy on you with no option to disable.
This article from Mozilla is worth a read: https://foundation.mozilla.org/en/privacynotincluded/article...
It's ultra annoying that "EV" seems to mean a tablet on wheels now. I just want a "dumb" car with a battery instead of petrol.
A friend of mine has a Mitsubishi EV Minivan (Japanese model) and it's about as close to a perfect "dumb EV" I've seen yet. It drives incredibly well. They just don't produce a 4x4 model yet, which is important if you live in cold snowy climates.
> So far as I'm aware there is nothing on the market where I live that won't constantly spy on you with no option to disable.
Kia EV6 has a telematics toggle in the hidden engineering menu. Vehicles sold in Massachusetts have it disabled by default to protest the state's "right to repair" law, but in other regions you can disable it yourself.
I bought a Toyota last year and the app clearly showed me a bunch of opt in/out options and I felt relatively confident they were either outright lying or I had opted out.
I'll have to request my info to see for sure
I never installed the app or registered an account or anything. The rep who I spoke to after pressing the SOS button mentioned that they had to create an account for me and then disable. They went ahead and at least said they did that while I waited on the line.
I'm more confident in effectiveness of pulling the DCM fuse.
I'm in the market to buy a car and have narrowed it down to 2024 prius. I've read Mozilla's papers and a few auto forums on privacy issues with some abilities to turn on/off telematics. As you say, none of what I've read is conclusive in whether this actually stops collection.
Do you have any links you followed for the physical fuse?
> Do you have any links you followed for the physical fuse
It's different for different cars. Search for "DCM fuse" (Data Communications Module) for your model year.
Supposedly, there should be a fuse that's just for the modem. You can yank that and get rid of telematics.
I'll stick with my 24 year old Lexus, though.
We need a privacy bill of rights. The fact is that no other approach works.
Can this please include a section on things that are not allowed to be included in any ToS?!
Something like the GDPR?
Well, something like FCRA at least.
Is there a hardware hacking forum that would teach people how to modify their rig to use the good features of such devices regardless of manufacturer but intercept and modify telemetry data to feed them realistic looking but fake data until you press a distress button and them give real location? I ask because I do not trust the legal system to ever catch up to this globally or to have any real teeth that make companies feel real pain. I've played whack-a-mole with spammers and malware distributors. This feels the same to me. Until it becomes trivial to disable such things I personally will stick with fixing up used vehicles that I know are free of loose lips.
I think this is what you are looking for https://www.reddit.com/r/CarHacking/
That's a great start. Thankyou!
Leave it to data brokers and insurance companies to make the leap "ick" to outrage.
On the other hand... to all selfish, unsafe street-racing, road-hogging Cadillac XT6 drivers out there: may your insurance rates double and may you swim forever in a sea of adverse underwriting decisions.
I do think there’s an interesting future dilemma here. I’m absolutely against them sharing this data without consent. But if sharing e.g. the number of hard brakes you do was made explicit and led to lower insurance premiums… I’d be tempted. I often feel like there’s little reward for adhering to traffic laws these days.
And when your mechanic diagnoses a brake problem on an empty road behind their shop, and it raises your rates, how will you feel?
That logic quickly turns into a stupid word game.
What's the difference between a reward for sharing data on your hard stops vs a penalty for not sharing data on hard stops?
There used to be opt-in insurance programs with many carriers. They used to send you a device, but I guess that was mooted by secret mass surveillance?
1 reply →
> led to lower insurance premiums
Maybe it would be lower relative to other people's rates, but one must imagine that any insurance prices will only ever cost more to the consumer.
2 replies →
Request your data now:
https://consumer.risk.lexisnexis.com/request
Thanks for sharing this. I just submitted a request and am interested to see what they’ve collected.
Ford knows when you break the law: https://www.businessinsider.com/ford-exec-gps-2014-1
I wonder if they also share their data or if they were trying to find customers for the data.
I recently requested a quote while insurance shopping, and progressive seems to have already associated driving telematics history with one of my vehicles (a 2015 Chevy product).
How did this manifest, exactly?
While I dislike how little practical enforcement there is against the pervasive surveillance by ad-tech companies, this is one of the things that GDPR works wonders against:
No sane company would want to participate in such a scheme in Europe. Both the seller and the buyers would be on the hook for massive GDPR fines, and unlike a tech company where the privacy violations might be contributing 50% of the revenue and which could thus easily consider a 4% of revenue fine once every few years a (small) cost of doing business, car companies can't afford that.
General Motors had a global revenue of $172 billion, net income $10B, and the data sales are only a small part of that.
The intermediate company that's buying the data and reselling it to car manufacturers could potentially try to get away with it, because their entire business model depends on it, so they have little to lose. Just make sure to keep no money in the company because once the DPAs learn of the business the company a) has no business model because they will prohibit continued buying/selling of the data b) is likely to be bankrupted by the fine that might well exceed their entire revenue (for smaller companies, the fine isn't capped to 4% of revenue, the limit is 20M EUR).
For the insurance companies that would be buying this data I'd imagine it's even worse.
And this sort of egregious thing is something I can see DPAs actually enforcing, because it'd be much more clear cut than tech companies using non-compliant consent banners.
Edit: And I forgot the most important thing - if they don't put it into their privacy policy they're even more screwed, and if they do put it there, a customer who finds it can get it enforced by sending an e-mail (or in Germany, letter, because some DPAs don't accept e-mail) rather than finding a lawyer willing to start a class action.
Is there a practical way to block any outgoing communication and telemetry from getting sent? Like a Little Snitch but for your car?
Well, I removed the telematics module from my car. But it already stopped working because it was 3G only. The car was built in 2014, shipped with a 2G modem that was replaced at Ford's expense when 2G went offline shortly after the car was sold.
My other car with telematics was built in 2016 with a 3G modem that also no longer works.
I guess there's a silver lining to sunsetting 3G I hadn't considered. Thanks!
For my car (2024 GR Corolla) you can pull a fuse that goes to the telematics computer.
The car has a bad habit of calling the emergency hotline on a race track if you go over rumble strips (those painted red/white strips) because it shakes the car so violently I guess. Popping the fuse will make it stop happening.
On my 2021 Camry, the fuse is labeled `DCS` — the only caveat is, it disables the front-right tweeter (there is a bypass, but requires you to remove the front dashboard and install jumpers across the DCS connector).
6 replies →
I remember reading on HN that someone found a sim card in their vehicle and took it out.
Presumably the new ones use an e-sim instead of a physical one.
I wonder if metal tape, used for ducting, would work.
Doubtful... BUT if you try, remember that most vehicles have dual antenna (one on top, one on bottom - for roll-overs).
It's easier to just disconnect both antenna from the modem OR disable power to it entirely.
How we came to a stage where your iris is being monitored in your car, including mic and video recording and all your contact being uploaded as soon as you connect to the entertainment sys... and nobody gives a fuck. It's beyond my understanding.
In this age of cars I want dumb cars with an engine that I could optionally plug in my smart thing if I wanted.
Even Toyota has gone too smart with their in tune crap.
Give me a cockroach car that survives for 50 years. No other bells and whistles. Just some connectors for them.
This is good news. I hope this serves as inspiration for future cases against app developers, Google, Microsoft, Facebook, and all who are not upfront about their data and privacy practices.
OnStar is one of those features that has desperately tried to claim is somehow different than the features your phone already provides.
Buried in the complaint is an interesting part about why he lost his original insurance carrier, they stopped writing policies in FL. The personal injury lawyers in Florida are out of control. There are also a ton of staged accident rings that nobody is doing anything about. I’m surprised any insurance carriers exist in that state anymore.
> he lost his original insurance carrier, they stopped writing policies in FL. The personal injury lawyers in Florida are out of control.
I'm a little skeptical, this reminds me of past arguments of "blame malpractice lawsuits for exploding US medical costs, tort reform will fix it", which doesn't seem to have worked in the places where it was tried.
AFAICT most of the reasons insurers are pulling out of Florida involves the math around catastrophes like hurricanes.
But what if the automakers' solution going forward is to not make the feature optional? That the service gets baked into the price? They turn it on. They leave it on. Especially with a lease, won't they have a legal angle to protecting their property?
My concern this might become a "be careful what you wish for"?
I understand that my opinion on this matter may be controversial, but I feel compelled to share my experiences. In the past five years, I've noticed a significant increase in aggressive driving. I've been the victim of two hit-and-run incidents where I was rear-ended, and the drivers fled the scene. In a third incident, a driver collided with the side of my car as the road curved and had the audacity to tell the police that I was at fault. In Texas, I've witnessed rampant red-light running, failure to stop at stop signs, excessive speeding (more than 15 mph over the limit), tailgating, and failure to use turn signals.
I believe that telematics could be a valuable tool in addressing this issue by scoring drivers based on their driving habits and adjusting their insurance rates accordingly. This would not only encourage safer driving practices but also ensure that responsible drivers are not unfairly penalized for the actions of aggressive drivers. In my opinion, telematics should be required for operating a vehicle on public roads.
None of those people have car insurance.
Willful dangerous driving is surpassing DUI these days it seems in terms of danger.
... but I guess some of these people were on something, too.
This is at least a Florida lawsuit. I'm pretty sure the practice violates California law as well.
Is it possible to wrap “cellular connection” module in copper mesh to cut it off from sending data?
It probably won't work very well. Faraday cages attenuate, they don't block signals, and most amateur attempts don't even attenuate very much.
Wrap your phone in aluminum foil, put it in the microwave, and give it a call. It'll probably still ring.
Tried it -
1. No foil, microwave - rings
2. Foil, no microwave - rings
3. Foil, microwave - doesn't ring
I feel like cell phones have to be more sensitive than w/e transmitter the car has, but your point holds - naively wrapping it in foil still probably won't work.
2 replies →
You probably have better luck by finding some standard antenna connection and attaching a proper 50 Ohm terminator to it.
I wonder what they'd do if you contacted GM et al to report that you've sold your car to some made up person. Would they wait until they get official notice from your local government to change where the data is recorded?
I’m sure GM has a formula for this.
https://www.youtube.com/watch?v=SiB8GVMNJkE
Has Subaru been doing this as well with their STARLINK?
Yes, but maybe not to the same extent.
You can opt out here:
https://subarucustomersupport.powerappsportals.com/Consumer-...
There needs to be an unplug, not an opt-out.
I wounder if this is true for older vehicles. I have 2018 vehicle with OnStar that is definitely has cell access (I could start it remotely).
The secrecy is ick, but this is the future and there’s no stopping it.
There’s ample evidence that consumers won’t pay for privacy and as most consumers opt in to data sharing programs, the non-data-sharing cohort will get seriously adverse further raising the price of privacy. The equilibrium state is that only bad actors and a handful of privacy zealots will inhabit that pool and mainstream carriers won’t even bid it.
Consumers won't pay for safety either, which is why we have NCAP and mandatory vehicle inspections.
Right, good point. We will see if regulators take up that cause.
Basically, privacy will become a luxury that only the rich can afford.
Extremely rich, maybe. But since the value of a person's data goes up with their income just having the ability to pay extra won't save you.
How much do they actually get for this per vehicle?
I feel like the answer to the that would explain a lot.
Companion nytimes article for anyone interested: https://archive.ph/MVmoX
>“What no one can tell me is how I enrolled in it,” Mr. Chicco told The Times in an interview this month. “You can tell me how many times I hard-accelerated on Jan. 30 between 6 a.m. and 8 a.m., but you can’t tell me how I enrolled in this?”
nothing will happen until heads literally roll, everything else is just business.
Hopefully more class action lawsuits follow for other car manufacturers...
Reading this got me cheering out loud for the plaintiff. I'm so glad to see someone taking these bastards to court.
I can relate in some small way to part of his ordeal - not with GM specifically, but I don't know how many times I've been stuck in a loop with companies who have no idea what happens to your data they hoover up and can't explain or answer even the most basic questions on that topic - and are confused as to why you are even asking.
I hope this gets its class action certification and jury trial, and I'm looking forward to kicking back with a bag of popcorn and watching the show. If he started a GoFundMe or something I'd be happy to make a substantial contribution to his legal fees.
It's long past the time bad actors like this who give you no real choice or control over the products you are buying start to be brought to justice.
Anyone know where VW sitting on this general topic?
>The DriveView program became available to Volkswagen Car-Net subscribers starting with model year 2020. By enrolling in DriveView, Car-Net users may be eligible for discounted rates from some of the top automotive insurance companies in the country. This program can also help Car-Net users monitor their driving by tracking activities like night driving, hard braking, and idle time. These factors all contribute to an overall driving score, which is visible within the Car-Net mobile app and on vw.com/carnet. Through the agreement with CCC, VW Car-Net will leverage the newly released CCC® VIN Connect, which applies driving behavior data at the point-of-quote, making it fast and easy for eligible consumers to connect with potential insurance discounts.
https://media.vw.com/en-us/releases/1370
This all makes me so angry. It's so messed up.
lmfao this is why my newest car is from 1999. Computers ruin everything. Be warned.
Actually it was the Internet. I still believe my Commodore is harmless.
Actually it was profit-seeking humans. I believe Zombo.com is still harmless.
2 replies →
[dead]
[flagged]
[dead]