General Motors Is Banned from Selling Driving Behavior Data for 5 Years

1 day ago (nytimes.com)

What can be done about this as a consumer looking to buy a new car?

    - Can I turn off data collection?
    - Can I corrupt data transmission and collection?
    - Can I charge per kb for any data collected?
    - Is the dealer obligated to disclose data collection?

I'll be in the market for a new car in the next few years but I do not want to buy anything that tracks or collects ANY data about me.

I was assuming that buying a cheap non-electric car would offer some protection but I'd love to know more.

  • > What can be done about this as a consumer looking to buy a new car?

    For a consumer in the US, I have no idea, but I'm guessing your question is about that since the story is US-specific?

    Probably off-topic, but buying a car in 2019 in Spain, they asked me if I'm OK with data-collection during the purchase, up until car delivery, and handed me a contract to sign for "treatment of personal data". I said no, we moved on.

    After buying the car (2018 Audi A3), they threw in some remote-monitoring sensor "for free" that could let me/them see metrics about the car, for "maintenance" and whatever they claimed, that they offered to install. I again said "no", but kept the device itself to pick apart at some later time.

    But overall, they seem required to ask (here, EU) but no one batted an eye when I said no. The car has a SIM-card reader, but never used it, I'm guessing if I install a SIM-card the car would ask me if data collection is OK, because we'll always have the choice at least.

    Electric cars seem like a no-no for now (everywhere possibly), since all of them came with an "always on connection" regardless of what I want, at least last time I checked.

    • For a few years now, every new car sold in the EU needs a cellular connection for e-call (when airbags are deployed, the car calls 112 itself) functionality. I don't know if it's legal or common to reuse that radio for collecting other data. I would hope not.


  • Unfortunately, a car like Tesla collects so much data. And it's only a matter of time before they start selling it. I don't know of any other car company that collects more data than Tesla.

  • Sometimes I feel bad for repeating myself but relevant threads keep appearing.

    Mazda won't permit me to use remote start because I refused to install their app and enable connected services. The man I worked with on the lease was extraordinarily aggressive with me. Almost demanding I install and register this app to complete lease agreement.

    So now I don't have remote start and every time I turn the car on I have to select cancel on an infotainment prompt asking me to enable connected services.

    The TOS specifically says driving data will be sold to 3rd parties including law enforcement and insurance companies.

    • I had a similar experience with a Mazda lease

      I never installed the app and I was asked to by the leasing guy though he wasn't pushy about it - for whatever reason, the lease/sales guys are incented to have it installed though, allegedly, mazda corporate says they don't incent them - I don't trust it

      also, allegedly, since I didn't install it, mazda says my TPU is disabled which is fine by me - remote start is less important than saving many thousands of dollars on bogus insurance hikes

    • > Almost demanding I install and register this app to complete lease agreement.

      I wonder how he would react if you were to tell him that you don't own or use a cellular phone.

    • > The TOS specifically says driving data will be sold to 3rd parties including law enforcement and insurance companies.

      That's awful, but at least it was written down, I guess.

      That'd be a hard "No" for me. Or at least I'd ask for a big chunk of that revenue in exchange for MY data.

  • I am deeply interested in better understanding faraday cages that can block transmission.

    • > I am deeply interested in better understanding faraday cages that can block transmission.

      You cannot shield your car (ok, you can, but then you cannot drive it). What you can do is disturb the antenna so not enough power will be available to be sent.


  • My plan is to buy an old 1960-1970 280SL (or, really, any somewhat reliable vintage car) and stubbornly refuse to drive anything else.

    • There are more recent cars than going back to the 70s that don't force data collection on you... My car is from 2018 and has none of that stuff, and it even has buttons for all controls, no touchscreen (2018 Audi A3).

      I like the feel of driving classic/older cars, but I really cannot justify the safety and pollution drawbacks if I wanted to use them daily.


  • many cars now have a TPU, used for connectivity and GPS, which will send telematics data when you start and stop the car. This tracking is not typically easy or possible to opt out of, in my experience.

  • Research the car ahead of time and figure out how to disconnect the telematics control unit (or whatever that manufacturer calls it).

  • I own a 2001 Dodge Grand Caravan. No tracking. Runs Great. I just keep fixing it, much cheaper than a new car. Plus I can live in it as well.

    I do not know the year they started with all the tracking stuff but you can find an older car that does not have any tracking and spend the rest of the money making it mint.

    There is no getting away from it though, we are all watched over by the machines of loving grace. You know with the new LoRaWAN and IoT everywhere scam they are rolling out there will be nothing you can do to escape the surveillance apparatus.

    I am giving up. no sense in fighting it anymore. I am just a good little corporate boy toy now.

    • This might be the way forward - buy a well-built older car and learn to DIY basic maintenance and repairs.

    • > there will be nothing you can do

      That makes it much easier for people to collect data. People read on the Internet, yet again, that they are powerless.

    • That is one of the worst cars to own. You will continue to fix it more frequently at an accelerated rate mark my words. So much cheap plastic parts the parts are right at that point where they will fail molecularly and you see an increased rate of failure. To top it off the replacement parts are mostly the same age and those 2 will look new but also fail quickly. Lastly Dodge sucks. They are basically the last car I would ever buy.

I don't understand the FTC. Why and how did they start protecting consumer privacy? Could they have done it before? Do they have an overall systematic plan for protecting it comprehensively? Do they have a guiding principle?

I'm glad they are moving forward on it, at least until Monday.

  • This is largely the work of Lina Khan and the people reporting to her. She's fairly new to the FTC still (Biden appointee) and has been intentionally pushing on all of this.

    Protecting it is difficult since the house/senate and scotus are all determined to roll back pro-consumer laws but that's not really something the FTC can fix, only voters can fix that.

    Voters don't seem to see these things as important though based on how they voted most recently. They have other priorities I suppose.

    • I'll be generous and say that voters are distracted by other things. easy unsubscribe is great, but it's never going to win an election.

      I'll also be cynical and say that voters were also lacking critical thinking in terms of how the president elect simply said he'd do things with no action plan behind it. He already went back on several "promises" even before properly stepping in as President. This is just shame on us at this point.

    • > Voters don't seem to see these things as important though based on how they voted most recently. They have other priorities I suppose.

      This is why saying "but you can elect new officials" is a canard. You only have two choices, each with thousands of consequences.

    • Lina Khan deserves all the praise and then some.

      Banning non-competes, preventing Microsoft-Blizzard merger (amongst many others), enforcing the right-to-repair, filing lawsuits to lower drug prices, making cancelling subscriptions easier...

      Your friendly reminder that both Amazon and Meta were openly against her taking the position, that the upcoming administration will scrap the antitrust lawsuits against both of them (the one against Meta was supposed to start in spring, the one against Amazon in 2026) and that this is why Bezos and Zuckerberg are cozying up to Trump.


  • They don’t give a shit about privacy directly but GM was egregious in collecting this data

    - confusing consumers

    - sneakily signing up consumers to “smart driver” as part of onstar

    - data brokers subsequently building profiles on users and selling this data to _insurance companies_

    - consumers later finding out their insurance doesn’t get renewed because of this secret driver profile that was built without their explicit consent

    If GM followed the rules by disclosing this directly, allowing consumers to opt out, they probably wouldn’t be in this embarrassing position.

    It’s in the FTC release: https://www.ftc.gov/news-events/news/press-releases/2025/01/...

    • Please allow me to be cynical and see here no embarrassment whatsoever. They cashed on this for years and will surely find other ways (and have some already) to further cash on people. It's only one of the schemes which got foiled, and only for a while. Yes, I have zero trust and the presumption is of guilt.


    • > They don’t give a shit about privacy directly

      But then this submission is explicitly about them giving a shit, and your own example shows that they do give a shit. Since GM didn't allow people a choice regarding their privacy, FTC looked into it?

      I really don't understand how someone can see this story about FTC giving a shit, and then proclaim "They don't give a shit". If they didn't give a shit, why do something?


How about monetary compensation? People lost real money, damages can be calculated.

After all, if I installed spying software on GM's computers, and sold the extracted data to, say, Toyota, I'd face hefty fines. And spend time in prison.

  • > After all, if I installed spying software on GM's computers, and sold the extracted data to, say, Toyota, I'd face hefty fines. And spend time in prison.

    You're going about this all wrong. Setup a company, create a landing page and do some B2B contracts for selling that data, and you too can be a "Data Broker" fully legally. But yes, approaching this as an individual is most likely illegal, you're supposed to do it as a corporation.

    • IANAL but you’ll want a cofounder. Piercing the veil is a lot easier with a single founder company.

  • But not if you sold GM software that had a clause deep in the license agreement saying you'd sell the data to Toyota.

  • What if in this case it was about keeping the accident rate low by incentivizing safe driving? Don't know if I agree with them doing it, but it's probably not an argument that any side would win, and we don't even truly know if it would be a negative or a positive for society when looking at it from every angle.

  • Probably a class action lawsuit in the future, if one does not already exist.

    Jail time? Probably not, we let health insurance companies get away with taking away critical needs from patients and delaying care in the name of delivering shareholder value. The best they get is a slap on the wrist from the government, let alone jail time.

> but it can still share anonymous data about people’s driving with third parties

Most important part of this IMHO.

  • Yeah and it’s simple to reidentify anonymous location traces. The simplest way is to buy cell phone location data from apps, which is generally intermittent, but even with just 5-6 location/time pairs, you’re going to be able to positively identify someone, with the small caveat that there will be some ambiguity with members of a household that share a car.

As a European, this is weird. Just 5 years? Why were they allowed to do this in the first place?

  • Collecting and selling the data is legal if they give you the chance to opt out. They went out of their way to avoid giving you that chance, and that’s what they got in trouble for. So the five year ban is a penalty for breaking the actual law, which is just that the consumer should have a chance to say no.

  • Yes I don't understand the "5 Years" part at all.

    Either it's illegal or it isn't.

    No judge ever says "I ban you from burgling houses for 5 years!", like after 5 years it would be okay again.

    • > Either it's illegal or it isn't.

      I think: it's illegal without consent. They can't do it for 5 years, even if they got consent, as a punitive measure. After that they will have to seek consent.

    • Imagine this:

      Security pentester tests someone's website before getting approval/confirmation that this is what the client (who isn't a client yet) wants.

      Someone reports that, and judge says "Since you didn't do the pentest the legal way, we're banning you from doing pentests for five years"

      After those five years, the pentester can continue doing tests, but legally. The five year ban is not the punishment for doing pentests, but for doing unauthorized pentests.

      The analogy here is that data collection/selling is legal, but you have to follow the rules regarding how collection happens. If you break those rules, they'll ban you for N years, after that you can do the collection/selling but following the rules.

How about a permanent ban from collecting it in the first place? And you can apply that to the rest of them, while you're at it.

> The five-year ban prohibits G.M. from sharing information about individual drivers, but it can still share anonymous data about people’s driving with third parties, such as road safety researchers.

I know Kashmir Hill knows better than to believe in the fairy tale of "anonymous data".

Privacy? But I have nothing to hide.

Everyone has something to hide, be it as simple as your driving behavior, so you don't end up overpaying for insurance or even in the situation where all companies refuse to insure a 'risky' profile.

  • There's also things that are private, but not necessarily deeply secret. There's also things that are completely legal, but morally questionable, at least in your social circles, and if that information was to leak out it would be harmful.

    With the VW data leak I was pretty horrified that VW either doesn't understand or doesn't care that leaking location data isn't just privacy invading, it's potentially dangerous for victims of stalking and abuse. In the mildest cases these people may need to move, in the worst they die.

    Car companies seem completely oblivious to the dangers of collecting driving data.

    • Naming this "oblivious" hides ill intent. And by that I mean, I assume they knew and know exactly the possible implications and decided to throw everybody under the bus for shareholder value. Am I wrong to assume this?


This is a great outcome. These types of data interchanges ossify innovation and lock in policy. Insurance is supposed to share risk -- there is too much noise to microsegment. "Big Brother" doesn't have to be only a government, and the outcomes of using this sort of information are solely punitive for a 3rd party forced into the interchange.

The US really needs to strengthen the legal foundations for people's right to privacy.

  • > The US really needs to strengthen the legal foundations for people's right to privacy.

    That's at odds with the even higher (current) goal of "Make money". As long as those are at odds, entities in the US will always favor "making more money" above "people's right to privacy".

    Or, people start preferring entities that aren't strictly for-profit, but seems unlikely to happen on the short-horizon.

    • Aye, but they already made money from the consumer. Ergo this is extractive after the exchange.

Not strictly on topic, but I see these articles & discussions with the focus on new car sales.

What happens when the car (and its data collecting habits) is sold in the used car market? Does it still collect data, is the ownership situation "corrected" via DMV registration feeds, etc. ?

What I am wondering is to what extent (if any) I can protect myself as an end user from this kind of spying by just not connecting these smart devices to the internet.

A while ago I read about smart TVs bypassing pihole-style blockers by using hardcoded IP addresses and DNS server addresses.

I don't even know how smart cars work. Do they have their own SIM card or something like that? Either way there are so many ways they can subvert obstacles. For example a car could scan for unprotected WiFi networks and connect to one if found.

  • Every new car has a SIM card. Apparently in Europe used for emergency automatic calls. But having a SIM card in the car is not mandatory. All the information in other cases is saved in the car. And when you bring the car to the dealership the information is transferred over the wire in the old-fashioned way. Safest thing is to have an older car without much electronics, that can be repaired outside the dealership network. Some cars like Teslas have very normal cameras filming the interior. Apparently to monitor the driver. But who knows.

    • I intentionally bought a used car with only a 3G network connection, knowing (at the time, almost 3 years ago) it would soon shut down in the US. I smiled at the "Your OnStar will soon stop working" messages, and intend to hold onto it for a good long time.

> An investigation by the Federal Trade Commission determined that consumers had not been aware that the automaker was providing their driving information to data brokers.

Yeah, no shit. Why on earth would I assume the company from which I bought my car is selling my information? Why are they allowed to sell this data at all?

We can all acknowledge how ridiculous this is, right?

  • Tiktok's being banned while Meta is more or less able to do the same thing but worse. It's pretty much about who can line pockets rather than the fact that selling user data is wrong.

  • > Why on earth would I assume the company from which I bought my car is selling my information? Why are they allowed to sell this data at all?

    Sadly the answers are "if it's got a connected computer in it, it's selling your information" and "you're in America, so no GDPR because 'free speech' trumps privacy almost every time, except for video rental records".

They keep all the profits and can still sell "anonymized" data. Surely this chilling precedent will have other corporations shivering in fear.

Now, please do Hyundai (and others). Their in-built map's knowledge of speed limits and the speed sign recognition is so awful that any "speeding" data is guaranteed to be wildly inaccurate.

  • I drove a new Kia as a rental... It just uses Google Auto/Apple equivalent, and just uses Google Maps, no? Or do they also have their own maps app?

    • Some (like the Hyundai) have their own in-built maps and speed limit data (not very accurate in Australia). They can even warn about traffic build-ups because they're "connected".

If you're thinking that this is good (and it is), you should love the GDPR which bans this sort of thing entirely without needing an investigation beforehand.

  • In Sweden it is also a crime, dataintrång.

    If data is entered into a system, and you have not received permission to read it, then obtaining access to it is the crime of dataintrång, which can lead to two years imprisonment. So if you make a device and sell it to a customer and it phones home without permission and in phoning home provides you with information he has entered into it, then you've committed dataintrång and can go to prison for up to two years.

    I see no reason why GPS data and other automatically entered data would not be regarded as having been entered into the device.

  • I guess GDPR is a good idea, but in practice it has limited value. I suppose all that is needed is that the user accepts (consents) by answering yes to a popup question. It can be asked over and over. If you answer yes by accident at some point you are screwed. You can maybe(?) retract your answer, but maybe you don't even know you answered yes at some point when you were stressed and had to drive somewhere, while your nav/media system asked you this question.

    The main problem is that this sort of thing (tracking of cars and storing the data in a central database) is considered normal by corporations and is allowed by law. Would we like to have big corporations place private detectives outside our houses and when we leave they follow our every step, take photos, record audio and track our GPS position and report all that data to the corporation in realtime? That is what they do now with their cars and phones and appliances. The reason they did not do it in the past was that it was expensive to have private detectives track each of their customers, was considered spooky and abnormal and it was probably also illegal, but now it is cheap and somehow considered normal.

    • > I guess GDPR is a good idea, but in practice it has limited value. I suppose all that is needed is that the user accepts (consents) by answering yes to a popup question. It can be asked over and over. If you answer yes by accident at some point you are screwed.

      Not allowed by the GDPR, this violates the principle of unambiguous consent:

      https://www.autoriteitpersoonsgegevens.nl/en/themes/basic-gd...

      > You can maybe(?) retract your answer,

      Under the GDPR, retracting consent should be as easy as giving consent. Moreover, you have the right of erasure. Even if you consented, when asked, GM should remove all your personal data:

      https://gdpr-info.eu/art-17-gdpr/

      > but maybe you don't even know you answered yes at some point when you were stressed and had to drive somewhere, while your nav/media system asked you this question.

      Violates both the rules that consent should be given freely.

      ---

      More broadly, selling non-anonymous data would never be allowed under the GDPR, because the third-parties would need to consent to use the data.

      (IANAL)


    • > I guess GDPR is a good idea, but in practice it has limited value. I suppose all that is needed is that the user accepts (consents) by answering yes to a popup question. It can be asked over and over.

      While this is a somewhat common approach, it's not compliant. The real problem with the GDPR is enforcement; it's largely enforced by national data protection bodies of, well, varying quality, resourcing, and aggressiveness.

anyone ever want to drop the guise of privacy and have the surveillance out in the open?

like real question that way they have the data and we have the data instead of we pretend they don't have the data in the name of privacy but they have the data

  • No, because it'd be incredibly dangerous to me to have all these groups storing data about me and allowing them to determine my comings and goings.

    You may think 'we're only using it for advertising', but I don't trust you and I can't. I don't want you to obtain information about my political views, or how they differ from what I say on the internet, or who I talk to about maths, or where I buy food.

    • > You may think 'we're only using it for advertising', but I don't trust you and I can't.

      We already know that the data companies collect isn't only being used for ads, if not by the company that collects then by others who get access to that data either through sale or not. For example, Lawyers are using that data in courtrooms for things like divorce and custody hearings, and police are using it to turn innocent people into suspects.

    • but they already do wouldn't you rather know what they have stored instead of pretend they don't have the data?

  • There isn't an end to that, what is "all the data"? Someone will always want to record more data, and then sell it to someone. How do you force people to always reveal all the data they have. I think if you start peeling back the onion on what you're suggesting you will realize that it's not really possible or practical in any sense.

    • You deter them with risk that is too high for what they gain. For example, if consumers are awarded considerable fines for violations, then they would stop.

    • good point it does seem ambiguous in this context any data generated by me or any device I am using and any downstream data derived from that

      why wouldn't this be possible? company x gives you y data and tells you we sold it to z and so on and you just follow the chain using some unique identifier

      they sell the data openly and i get to see what they're selling win win legislation instead of annoying cookie banners

  • > anyone ever want to drop the guise of privacy and have the surveillance out in the open?

    No, because I have less than zero expectation that you all <points with middle fingers at HN comment section> won't happily be complicit in something that retroactively criminalizes me or otherwise screws me (and god knows how many other people, I'm fairly unremarkable) over on the basis that doing so is X% better for Y or where X is a small value and Y is a subject that is far from an existential issue for society. Society goes off on these boondoggles from time to time, eugenics, sticking the mentally ill in prisons but with pills, etc, etc and I don't want to see that sort of stuff cranked to 11 because the public tolerated a bunch of dragnet tech that serves as a force multiplier for unaccountable decision makers.

Maybe this is well known and this is about auto insurance but mine just went up $50 a month because of a national database about each of our cars ... the tiniest details are recorded into it and all auto insurance companies then use it to jack up your current rate. If you try to go elsewhere they point to oh you used your Allstate towing benefit a lot so it's $200 a month vs. $140 (can't get a deal from others). Jiffy Lube enters the frequency of your oil changes and the amount of miles in this database too. If you start a new temp job that's further away than usual and start to have more oil changes your insurance could / will go up cause they see you are driving more than you were. I understand entering my car's accident record into this database but I was surprised the tiniest details are entered into this database and Allstate & Jiffy Lube say they do not sell this data they just enter it into this national database...

  • I'll confess I was sceptical about this but, at minimum, the database seems to exist.

    There's a company called Carfax that I'd never heard of. Their EU site seems to provide basic reports about the VIN, whether the car has been written off, etc. Those basic "Is this car sale a scam?" checks are common in the UK.

    But the site also makes a big deal about "Get the American report!" So I googled "Carfax oil change" and found people talking about the oil change history in the reports [0]

    In the UK it was traditionally common to keep a car log book where you recorded all maintenance and might get the garage to put their stamp on it, to prove to a future buyer that you'd looked after the car. But having a garage enter that info into some random company's database, and maybe not telling me, would be disappointing.

    [0] https://www.toyotanation.com/threads/oil-change-history-when...

So, only GM is banned.

Every other car maker can continue to sell collected surveillance data...

For me as a consumer, whether they’re selling it or giving it away for free or expose it via a data breach, the impact on me is the same. All three deserve fines and jail time for executives. It is strange to me that attention is given to this data but not to the leaking of medical records of literally over 100 million Americans by Change Healthcare last year (a subsidiary of United Health). Most of those victims never were customers of Change or United, but somehow their records were with this company.

how about we trade, General Motors can sell our data, and Google cannot

  • At exactly 2:14 while listening to the political oriented podcast fsckboy laughed, punched the dashboard of their car, and exclaimed "right on, that's what I've always said!"

  • There's literally zero evidence Google sells data.

    They sell targeted ads using data, not the data itself.

    • If they didn't leak vast data through bid requests that others could de-anonymize, the marketplace and whole ad tech ecosystem would not exist in such a profitable fashion for them. They and others depend on people not digging deeper beyond lack of direct transactions for de-anonymized data to really understand the trade.

Once again, glad to be European (covered by GDPR, everywhere). It's funny and sad at the same time, to see Americans be happy with this yellow card when it should definitely be a red one.

How do you tolerate this?