Comment by moooo99

11 hours ago

It is amazing how Volkswagen keeps messing up. I am currently in the market for a new car, an EV specifically. Volkswagen brands were at the top of my list for many reasons, among them the excellent driving assist implementation.

I got an offer from a dealer three weeks ago and was going to order the car, then the API for the community integration got turned off. I decided to hold back and see what comes from it. Now this, which ultimately - since I am a GrapheneOS user - makes me completely cancel my plans.

I really do not understand VW's thinking here. It would cost them little to nothing to continue not blocking the unofficial API and not block GrapheneOS (or other non-Play-Protect Android) users. It would have no adverse effects on the average Joe, but it would gain a lot of support and enthusiasm from heavy users, differentiating them from other brands. Not to mention the fact that it is the USERS' data in the first place.

German companies, especially old school industrial ones like VW, have a very hard time understanding open platforms. They view everything through the lens of liability and compliance first. Their thinking is that if someone runs their app on a custom ROM and uses that to manipulate the app in any way, and that causes some extremely hypothetical damage, they might be held liable for not having prevented this situation.

Obviously, the chances of that are virtually zero. But they'd rather make their product worse than assume any kind of risk, even if it is virtually zero. That is simply the way in which German enterprises operate.

  • It's more about rules than hypothetical liability for Germans.

    It's inconceivable that someone would want to use a car outside of its specified rules.

  • If they have concerns about the security of their app on some platform, they have the choice to either put "security" into the app, or to trust the platform vendor to provide the security. The correct solution is the first way. Deferring trust to the platform provider is the lazy way.

    If their APIs are done correctly, they shouldn't be afraid to expose them.

    • You're proving the previous commenter's point. VW doesn't want liability. They do not care about "security" just liability.

      When they leave the "security" to the platform they can blame them in a lawsuit.


    • How else would you build "security" into the app (in the sense of not allowing third-party modifications of it that would open them up to liability), except relying on hardware attestation that the app has not been modified? That attestation necessarily requires the platform provider to be involved.


  • VW didn’t seem too concerned with compliance when they were rigging their pollution tests.

    • I mean, the only reason they did it was to be able to comply with the requirements of the test.

      But the reality is that every once in a while you have a scandal like this or something like Wirecard, and it happens, because the culture is such that absolutely nobody thinks it possible. That includes officials and regulators whose first instinct will often be to come after the people trying to expose the scandal, as has happened in the case of Wirecard.


    • Them cheating the tests WAS them ensuring THAT compliance.

      In fact, that's how a lot of compliance works in industries where there's little enforcement and which rely a lot on self-regulation.

  • If I had to guess it’s liability concerns around the app-based remote unlock and parking + R155 and CRA. A lot of european companies have moved to require attestation in their apps, likely spurred on by the CRA.

    • But why? I'd understand (though not approve) them tightening down everything about the car firmware to the max. They are responsible for the app, sure (it's a "digital element"), but they aren't responsible for the OS the app runs on. The CRA should not be used as an excuse to enact stupid restrictions.

  • I wonder if they would be ok with letting users sign a waiver to gain unrestricted API access.

  • Yeah sure, the company behind Dieselgate, which single-handedly destroyed the diesel market, is worried about compliance? Give me a break.

    • Yes? These things directly follow one another: VW are obsessed with letter-of-the-law compliance, so things like end-runs around test routines are obvious solutions.

      And VW didn't single-handedly destroy the diesel market; economics and physics did. Almost every other manufacturer was also fudging the test results in some way. But more importantly, building a passenger car diesel that meets NOx targets doesn't work; by the time a passenger car diesel meets modern NOx targets honestly, the car contains a ludicrous precious metal loading in the catalyst and is only a few percentage points more efficient in terms of consumption and CO2 emissions than a petrol car, and the math doesn't add up. Diesel is just not a practical solution for passenger cars; it never was in most ways, but it took the EU a long time to restrict NOx pollution to a sustainable level and expose the physical issues at hand.


    • You don't understand, both come from the same motivation and way of thinking: You see, compliance in Germany is about pretending to be super-compliant and not getting caught. Everyone will do the dance, make all the moves, and if you seem to make all the moves, you are assumed to be compliant. Supervisory authorities will not really check thoroughly except if you are annoying them or making them look bad. Especially if you are partially state-owned like VW.

      In Dieselgate VW got caught, made the supervisory authorities and politicians look bad, which is why the authorities also weren't inclined to sweep it under the rug completely. They just shielded VW from the financial consequences in Germany (German VW customers got shafted).

      Blocking GrapheneOS is the useless "pretending" part of compliance. They don't really want to do security, because that would cost money, so they pick some actions that seem drastic and harsh and don't cost them anything to implement. Later, when there is a security incident, they will point to their huge heap of pretend compliance, whine a bit about state-sponsored actors, high criminal intent and other obvious deflecting bullshit. But they will get away with it, because they did the compliance dance, so they are obviously compliant and did nothing wrong. Nobody in authority will look twice as long as they are neither annoyed nor made to look bad.

      tl;dr: compliance in Germany is performative

  • > They view everything through the lens of liability and compliance first.

    Wow, so they must really want to avoid the liability of spying on their users and keeping all that data, and to be extra sure to comply with the GDPR, they must keep only the absolute minimum of data, right?

    Wrong: https://www.theregister.com/security/2025/01/06/data-describ...

    https://dailysecurityreview.com/security-spotlight/volkswage...

    When a company behaves as your enemy, don't invent wild justifications how they're actually not. At least leave it to their PR team.

> I got an offer from a dealer three weeks ago and was going to order the car, then the API for the community integration got turned off. I decided to hold back and see what comes from it. Now this, which ultimately - since I am a GrapheneOS user - makes me completely cancel my plans.

Make sure that dealers know why you changed your mind.

  • >Make sure that dealers know why you changed your mind.

    "Some nerd couldn't use their nerd phone."

    What incentive does a dealer have to know or care about this?

    • As a dealer, it would be frustrating especially because it is so silly. Basically, if they report any of this to HQ, it would be along the line of "I am losing the sale of a whole car over some stupid app block".

    • Net Promoter Score is the only thing that the marketing department cares about. So fill out that customer satisfaction survey, give them a 1 out of 5, and say why. Passives (2-4) are not even considered lol.

    • You could make a similar argument about voting in democratic elections. It's still important to vote.

    • What is the risk of letting them know that someone lost trust in VW's features due to a boneheaded decision of their software group and decided not to buy that brand at all?

I've had the same Golf since I bought it new in 2014. I like my Golf, so it should be an easy sale for VW to sell me a replacement.

However, VW just seem to make gaffe after gaffe. Collecting information they shouldn't, exposing information they shouldn't have to hackers via lax security practices.

How many rakes can a company step on?

Now, they're blocking GrapheneOS? They've got two hopes of selling me another 'Dub.

(Bob and No).

VW is obviously not thinking that any noticeable portion of the userbase uses Graphene, and someone (somewhere) is going to get a promo by making VW infra adhere to "standards" or something.

  • Actually we need to force our European governments to use services that do not depend on foreign services (i.e. Google or Apple). Then I guess it will only become obvious to them how crazy the situation has become.

    The companies have done their thing to ensure that the average guy wouldn't even try escaping their lock-in. So chances are becoming smaller and smaller to hope for a critical mass of users to complain.

  • which is why shaming them is a valid attempt to get them to "think". it has worked in the past (particularly with bmw!).

    Especially because no car really supports GrapheneOS, but it can be used in any car supporting regular Android provided Google Play is installed, which ensures Google's certification and validation is being preserved. If I get this right, BMW is actively blocking this, which would be just a dick move.

  • I don't use Graphene, but now I'm out of the market for a VW.

    Vendor lock-in to Play services is ridiculous.

    A car is a big purchase, and ideally not something I discard after a few years. I'd like it to not treat me like a second-class citizen and renter who can't make decisions over how to extend the life of my purchase.

    • It's ridiculous, but are we only saying that because we're on HN or is it because the portion of the userbase who thinks it's actually a bad thing is the larger one?


Same here. I'll be in a market soon and I had my eyes on a VW i4 or a Škoda Enyaq, but this makes me seriously reconsider. I really wanted to support local industry and buy a European product this time, but they are making it seriously difficult (no, don't get me even started on Stellantis).

  • I was hesitating between a VW ID.4 and Peugeot 5008 (7 seater, much space). In the end I went for the Peugeot and it's fine. The ID was much more fun to drive, but I would have lost space and paid a lot more.

    Peugeot is reasonable and works. Charging could be faster and WLTP longer, and once I had the screens restart while on the motorway, which thankfully did not affect driving but was pretty terrifying. All that to say - go ahead and buy European. You'll have some issues, but for me all better than to get a Chinese car with who knows what data exfiltration and hidden issues, or a Tesla that will lock you in when the car burns. EU companies are too boring to spy and too risk averse to have Tesla-like issues.

  • Mercedes has some interesting EV options, and they have some models at the moment that are not necessarily that expensive. Through the grapevine I overheard something about surplus production due to mandate to build a certain number of EVs.

    If you don’t want/need a new car, the used car market in Germany is pretty active with EQAs and EQBs.

    • Mercedes is terrible for EVs. Adaptive Cruise Control for example is a paid feature with a recurring subscription. Don't encourage "Car as a Service" concepts.

  • Renault makes good electric vans.

    Not quite an SUV, but maybe fits the same use case?

I think there was no specific thinking in that space at all. They went for attestation of the app for security reasons of the API, and their testing only runs on normal Android and iOS devices. Consequently, they realized this later and wrote a response pointing to their tested platforms.

So understanding why they drop it is IMHO easy. Understanding why they use only an attestation-based API and force their third-party ecosystem out is stupid. Companies do not understand open communities.

> Volkswagen brands were at the top of my list for many reasons

You should definitely reevaluate how you constructed your list. VW has a history of being scummy (https://en.wikipedia.org/wiki/Volkswagen_emissions_scandal) and their ICE cars are notorious for being unreliable compared to the Japanese carmakers. To be fair, EVs do change the equation a bit, but given their scandal-plagued past, there's no way I would put them at the top of any list.

  • > their ICE cars are notorious for being unreliable compared to the Japanese carmakers.

    I always read this online, but my personal experience in the EU doesn't match that at all across quite a sample of people and cars over the last ~15 years. At least not for older cars. The reliability after 100k km seems to be somewhat similar.

    The repairability of VW-group stuff in third-party services is so much better and cheaper. The VW group is huge and many models across the brands share the same parts and full engines. There exist non-OEM alternatives and people know how to fix those cars.

    I have never bought a new car. But driving anything but VW got expensive fast.

    Toyota cars can have bespoke parts even between different months of the same year for the same model. Continuous improvement isn't really that cool for cars.

    • The keyword here is "in the EU".

      Outside Western Europe, VW is priced like a premium upmarket brand (not quite luxury). Maintenance and general upkeep for a VW are easily two to three times the cost of an equivalent Japanese car.

      Which wouldn't be an issue if the cars were actually built to their price point. But the VW cars we get here are shittier versions built in nasty factories. They break down if you look at them wrong. The build quality is nonexistent. They are absolutely an awful deal, no matter how you look at them. You also have to personally import parts from wherever they're available, because otherwise only the dealerships have parts and they are absurdly overpriced.

      Also, European brands are afraid of exporting EVs. If you want an EV, you buy a Chinese car. There is no other option. It is as simple as that.

  • I currently own a 10 year old Seat Leon with not a single out of maintenance repair (if we ignore the cosmetic repair due to a wildlife encounter). My parents have owned multiple VW vehicles, with each of these lasting >15 years without major issues. I know they have a reputation of being unreliable compared to Toyota, but that hasn't been my personal experience and equally important: they do not look like a Toyota. And Mazda has awful EVs

    Putting these factors aside: they are usually cheaper than their peers in insurance and they have dealerships absolutely everywhere. I've had multiple Skoda and VW EV rentals and the experience has been nothing but pleasant. Hence my priorities.

  • As opposed to the rest of the auto industry which has a stellar track record of adhering to emissions and fuel economy regulations /s

    https://en.wikipedia.org/wiki/Diesel_emissions_scandal https://en.wikipedia.org/wiki/Defeat_device

Uh, the driving assist is pretty bad for North American roads. I wonder if Germany has immaculately painted and well maintained roads?

My buzz loves trying to jerk the steering wheel when it can't figure out how the lanes work.

It's simple really.

VW is for people that can't afford a BMW or Audi.

BMW/Audi is for people who can't afford a Porsche

Porsche is for people that can't afford a Ferrari.

Once you understand that ladder, just stay off of it, and it's all good.

I'm kinda glad that it's VW blocking GrapheneOS users in a cynical way. When my parents got a VW Jetta they never stopped complaining about it and never bought one again. So it tracks that they'd also be the car manufacturer to block GrapheneOS and stomp on their user's privacy.

It's an easy market to win at this point. The bar has been lowered so much. Already have a nice car? Just don't display utter disdain for your user's privacy and you get our $$.

What else was on your list? Haven't looked seriously but VW, Kia, Polestar have been on my list.

  • I've test driven pretty much all VW brands (that fall within my budget) and thus far, the Cupra Born has been my favorite.

    I have test driven the Kia EV4 and EV3, but I am not a huge fan. I do not enjoy the look of the EV3 and while the EV4 was a nice drive, I kept bumping my leg against the direction selector (which is below the handle for the wipers; but this is a huge nitpick since I am fairly tall, so not really an issue for 99% of drivers).

    The main issue with Kia across the board is that they are so darn expensive to insure. At my current provider, the EV4's insurance would have been 500 EUR more expensive than a roughly equally priced Cupra Born.

    Not a huge SUV fan, but the Skoda Elroq and Skoda Enyaq were very nice vehicles as well

    • Been mostly interested in the EV6. Just compared insurance cost and the Polestar 2 was almost double. The Born was also 50% more than the Kia EV4. Maybe different in the US if you are there?

Let me get this straight, you are considering buying an EV, or any modern car for that matter, but you care about privacy (by using GrapheneOS).

You are driving the biggest Trojan horse of spyware ever created. You voluntarily drive around with that thing spying on you AND me. I hate parking at a parking lot now because every car and its 300 cameras are spying on me, putting my face, car and appearance in a database used to track everyone around you.

I genuinely don't know how people like you sleep at night knowing you're raping everyone around you by enabling mass privacy violations. Grow a spine.