
Mozilla: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

The Mozilla Foundation has published a report on the data-collection and privacy practices of 25 car brands.

We reviewed 25 car brands in our research and we handed out 25 "dings" for how those companies collect and use data and personal information. That’s right: every car brand we looked at collects more personal data than necessary and uses that information for a reason other than to operate your vehicle and manage their relationship with you. For context, 63% of the mental health apps (another product category that stinks at privacy) we reviewed this year received this "ding."

Proof, once again, that running Linux does not automatically make a device privacy-friendly.



Mozilla: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

Posted Sep 6, 2023 15:26 UTC (Wed) by brunowolff (guest, #71160) [Link] (2 responses)

That's one of the main reasons I currently am driving a 22-year-old car. When it is too rusted out to repair any more, I'm tentatively looking at targeting something from 2006 or earlier from an area of the country that doesn't have much salt on the road or in the air.

Mozilla: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

Posted Sep 7, 2023 13:12 UTC (Thu) by parametricpoly (subscriber, #143903) [Link] (1 responses)

Same here. Bought an 18 yo Volvo this year. Not connected in any way. Still the ECU firmware could be more open.

Mozilla: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

Posted Sep 8, 2023 13:58 UTC (Fri) by Wol (subscriber, #4433) [Link]

Trouble is, where I live, the various road-charging rules mean that if my car is over 8 years old, but does not fall into an official classic/veteran/vintage category, it can be VERY expensive to run.

Our home has just been swallowed up by the new ULEZ zone, and "polluting" cars (which includes our 2014 - 64-plate Vauxhall) now get charged £12.50 every day they're seen "on the road". We've managed to get it - and father-in-law's 2012 car - a three year exemption, but still ...

I think cars need to be 40 years old to become "classics", so the first car I bought for myself (brand-new) would just be coming up to that age in about two years time.

Cheers,
Wol

Mozilla: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

Posted Sep 6, 2023 15:34 UTC (Wed) by rahulsundaram (subscriber, #21946) [Link] (3 responses)

This looks like useful work but it seems outside the scope of what the Mozilla foundation should be focused on. What's the thinking here?

Mozilla: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

Posted Sep 6, 2023 21:51 UTC (Wed) by NightMonkey (subscriber, #23051) [Link] (2 responses)

How is it out of scope? Browsers are one of the primary applications for interacting with the World Wide Web and the Internet. So, if there's going to be observations on the impacts of the Web and Internet usage on people, that's a great place to look.

See also "The Mozilla Manifesto": https://www.mozilla.org/en-US/about/manifesto/details/, specifically point four.

Cheers.

Mozilla: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

Posted Sep 6, 2023 21:56 UTC (Wed) by NightMonkey (subscriber, #23051) [Link] (1 responses)

P.S. I missed part of what I intended to post. Telemetry, user tracking and data mining via HTTP has also been part of the debate over the privacy of Internet users - and cars and IoT make "opt-out" the norm. There has been a LOT of discussion and debate on if "opt-in" or "opt-out" is the ethical choice. Mozilla's mission, as defined in the Mozilla Manifesto, covers privacy, security and ethics of the Internet and the Web in general, so I think it's in-scope.

Cheers, II.

Mozilla: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

Posted Sep 7, 2023 20:37 UTC (Thu) by rahulsundaram (subscriber, #21946) [Link]

> Mozilla's mission, as defined in the Mozilla Manifesto, covers privacy, security and ethics of the Internet and the Web in general, so I think it's in-scope.

Fair enough. With the continuous loss of Firefox marketshare, are they in a position to influence this?

Mozilla: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

Posted Sep 6, 2023 15:59 UTC (Wed) by dskoll (subscriber, #1630) [Link] (27 responses)

I'm a bit confused. I drive a 2015 Honda Fit and I don't see how it has collected any information about me. I bought the car second-hand, and I haven't hooked up a smartphone to it or run any apps or done anything I'm aware of that could gather personal information about me.

It's entirely possible that the sensors and on-board "black boxes" might divulge information about my driving to anyone who knows how to ask them, but what exactly are the mechanisms being used by cars to violate privacy?

Mozilla: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

Posted Sep 6, 2023 16:13 UTC (Wed) by brunowolff (guest, #71160) [Link] (2 responses)

Besides the automated license plate reader issue (which is tied to using visible plates rather than cars themselves), a lot of cars have cell modems built into them that regularly report data back to the manufacturer. If you have a shark fin on the top of your car you probably have one. Sometimes companies that sell or lease cars, hide cell modems in the cars to make repossession easier. Those can be misused to sell data to data brokers.
At one point supposedly the tire pressure reporting systems were being looked at as a way of doing some tracking. But given the advances in optically reading license plates, I doubt that is being used anywhere.

Mozilla: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

Posted Sep 6, 2023 16:21 UTC (Wed) by dskoll (subscriber, #1630) [Link] (1 responses)

I don't think my car has a cellular modem in it. No shark fin.

Mozilla: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

Posted Sep 7, 2023 0:14 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

Tesla uses antennas inside both side mirror assemblies. JFYI.

Mozilla: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

Posted Sep 6, 2023 16:36 UTC (Wed) by pizza (subscriber, #46) [Link] (19 responses)

> I bought the car second-hand, and I haven't hooked up a smartphone to it or run any apps or done anything I'm aware of that could gather personal information about me.

If the car has the option for OnStar or equivalent, then the car has a built-in cell phone.

Even if you haven't signed up for anything or paired your phone to it, when you register your car with your government's DMV, its VIN gets associated with you in what is effectively a public record that anyone can obtain.

Also, manufacturers get informed about registrations as they need to be able to contact vehicle owners for recalls and other such things.

So if the car has _any_ sort of builtin data reporting ability (whether or not the owner has activated anything) it's trivial to link that to the current owner.

Mozilla: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

Posted Sep 6, 2023 18:03 UTC (Wed) by dskoll (subscriber, #1630) [Link] (18 responses)

My car has no OnStar or equivalent. It's too low-end a model to come with fancy stuff like that.

Yes, the VIN is associated with me, but those records are not public. They are accessible to law enforcement and my insurance company, but not to average people AFAIK. (Ontario, Canada.)

It does make me think that next time I buy a car, I'll consider these issues and if necessary, try to disable any wireless communication devices embedded in the car. I don't need OnStar or cell service in my car; I have a cell phone for emergencies.

Mozilla: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

Posted Sep 6, 2023 18:25 UTC (Wed) by farnz (subscriber, #17727) [Link] (17 responses)

Note that there's a move, starting in the EU, to equip cars with accident emergency call systems like eCall, where if the car detects that you've been in a crash, and you don't tell it you're OK, it'll both send an SMS to the local equivalent of 911 carrying the sort of data specified in ITU-T Y.4467 (current location, 2 recent locations, each at least 5 seconds before the time of crash, and at least 5 seconds apart, direction of travel at time of crash, VIN, number of people detected in the car before crash, fuel type) and start a voice call to 911 using the in-car speakers and microphones.

The idea is that if you crash the car, it'll tell the authorities where you crashed, if the airbags (or other safety systems) deployed, and set up a voice call between the driver and the authorities, so that appropriate emergency services (ambulance, fire) can get to you quicker than possible if we were dependent either on you being uninjured enough to make the call yourself, or on a passer-by noticing the wreck and calling for help, and also get to you fully prepared to get everyone out of the car.
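As an added example (not part of the original comment), the sketch below audits a crash report against the field list and timing rules given in the comment above. The dictionary layout, the field names and the `crash_time` field are assumptions made for illustration; this is not the real on-the-wire encoding, and both sample reports are constructed.

```python
from datetime import datetime, timedelta

MIN_GAP = timedelta(seconds=5)

# Field names are hypothetical; the set mirrors the list in the comment,
# plus a crash timestamp (assumed) that the timing rules refer to.
EXPECTED_FIELDS = frozenset({
    "crash_time", "current_location", "recent_locations",
    "direction_deg", "vin", "occupants", "fuel_type",
})


def audit_report(report):
    """Return a list of findings; an empty list means the report carries
    only the described data set and respects the timing rules."""
    findings = [f"unexpected field: {name}"
                for name in sorted(set(report) - EXPECTED_FIELDS)]
    missing = sorted(EXPECTED_FIELDS - set(report))
    findings += [f"missing field: {name}" for name in missing]
    if missing:
        return findings  # timing checks need the full record

    recent = report["recent_locations"]
    if len(recent) != 2:
        findings.append(f"expected 2 recent locations, got {len(recent)}")

    crash = report["crash_time"]
    times = sorted(point["time"] for point in recent)
    # Each recent fix must be at least 5 s older than the crash ...
    if any(crash - t < MIN_GAP for t in times):
        findings.append("recent location less than 5 s before crash")
    # ... and consecutive fixes must be at least 5 s apart.
    if any(later - earlier < MIN_GAP
           for earlier, later in zip(times, times[1:])):
        findings.append("recent locations less than 5 s apart")
    return findings


# Constructed sample data (placeholder VIN, made-up coordinates).
CRASH = datetime(2023, 9, 6, 18, 25, 0)

CONFORMING = {
    "crash_time": CRASH,
    "current_location": (52.0000, 4.0000),
    "recent_locations": [
        {"time": CRASH - timedelta(seconds=12), "pos": (52.0010, 4.0010)},
        {"time": CRASH - timedelta(seconds=6), "pos": (52.0005, 4.0005)},
    ],
    "direction_deg": 215,
    "vin": "EXAMPLEVIN0000000",
    "occupants": 2,
    "fuel_type": "petrol",
}

# Same report, but with a 40-point one-second track and a contact list added.
OVERSHARING = dict(
    CONFORMING,
    recent_locations=[
        {"time": CRASH - timedelta(seconds=i), "pos": (52.0, 4.0)}
        for i in range(1, 41)
    ],
    paired_phone_contacts=["constructed entry"],
)

if __name__ == "__main__":
    for name, report in (("conforming", CONFORMING),
                         ("oversharing", OVERSHARING)):
        print(name, audit_report(report))
```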

Mozilla: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

Posted Sep 6, 2023 18:54 UTC (Wed) by dsommers (subscriber, #55274) [Link] (7 responses)

All that has a valid use-case. But it still should be an opt-in feature with a disclaimer that you know what you are missing out on if disabling it. Much rather that than making it enforced.

Next thing to appear in this scope is law enforcement agencies remotely monitoring cars, where they then can track where you are, how you're driving and plausibly even listening to what's happening in the car. All such related policies will come wrapped in all the good endeavours of fighting bad criminality, etc.

Just like Australia and now recently UK with laws to enforce companies to have a backdoor to encrypted data (aka "Online Safety Bill"); similar discussions are already happening in EU (aka Chat Control).

https://proton.me/blog/australia-anti-encryption-law
https://proton.me/blog/online-safety-bill-encryption
https://chatcontrol.eu

"The road to hell is paved with good intentions"

Mozilla: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

Posted Sep 6, 2023 19:02 UTC (Wed) by farnz (subscriber, #17727) [Link] (6 responses)

The trouble with making it opt-in is twofold:

  1. It's a life-saving feature. If you don't opt-in, then you get left to die when other people get rescued, which is bad publicity for the car maker and for the government.
  2. Most people don't get their cars in a factory-fresh state - the dealership who sells it to you does a pre-delivery inspection, where they get to opt-in to things they think you'd like. This is something that they'd always opt-in to, since if it saves your life, you might come back and buy from them again, while if you die in a serious single-vehicle crash, you're not going to buy another car.

You could make it opt-out, however. Practically, because of point 2 above, if you make it opt-in, it'll become opt-out in the marketplace, anyway (unless it's opt-in once for life of vehicle).

Mozilla: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

Posted Sep 6, 2023 19:10 UTC (Wed) by dsommers (subscriber, #55274) [Link] (4 responses)

These are all solvable.

If this feature is disabled: Show a 5 second warning each time you start the car, with a possibility to get to the right settings screen.

When the car is new or being factory reset, present a screen when the car is started (or after a couple of days) and ask about this setting. Or if this feature is enabled (the previous owner enabled this), the car could see that the driving pattern is quite different (different hours during the day, different routes, speed, etc) and could then re-trigger the info screen about this feature.

Even today's cars with such tracking capabilities will sometimes ask you to approve new Privacy Policies or changes in some ToS.

In regards to "bad publicity"; I don't buy that. The car manufacturer can easily use this in their market response as "Unfortunately, in this incident the rescue team got information too late since the user of the car had explicitly disabled the automatic accident reporting. We recommend car drivers to let this feature be enabled to better assist if you happen to have an accident".

Mozilla: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

Posted Sep 6, 2023 19:24 UTC (Wed) by farnz (subscriber, #17727) [Link] (3 responses)

None of those are solutions, and several of them are bad UX, likely to result in excess deaths.

For the first, you do not want to train drivers to ignore warnings from the car, since they are usually safety-critical. Thus, you can't put a warning up when you start the car, because the car needs to reserve warnings at this point for "do not drive the car at all"; at best, you might get a 1 second window included in the manufacturer's splash screen as the car computers boot, but before the car is started and driveable, but with EVs that window is going away.

Anything you do when the car is new is something the dealer can cover in their PDI. If you trigger it after people have been driving for some days, you have a problem - either it's a trigger for something I know is in place, and it's irritation (see previous point about not training me to ignore warnings from the car), or it's too late, because I've already been driving with the car in this case.

And this is not a "tracking capability". This is something that, per regulations, is only to deploy when the car has been in a sufficiently bad accident - typically one in which an airbag would have deployed (bearing in mind that some airbags can be turned off for child seat safety reasons).

The bad publicity is why this is coming in, and why car manufacturers brought suitable systems to market even without regulatory mandate - the grieving family of someone who died in the crash (thus can't confirm that they turned it off) saying "my son wouldn't have turned it off - the car manufacturer is lying" is a very emotive scene, and is going to override anything the manufacturer can say about the system being configurable.

Mozilla: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

Posted Sep 6, 2023 21:13 UTC (Wed) by brunowolff (guest, #71160) [Link] (2 responses)

Unfortunately it probably is enabling tracking. Most likely the cell modem will be on when the car is on and will be pinging cell towers even if it is not trying to make a call. Cell tower pings are logged and telecoms sell that information to data brokers.

Mozilla: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

Posted Sep 7, 2023 9:27 UTC (Thu) by farnz (subscriber, #17727) [Link] (1 responses)

Less likely to be happening in the EU than in the rest of the world, because such a sale of data is unlikely to meet any of the 6 tests for a lawful basis under GDPR.

Mozilla: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

Posted Nov 15, 2023 0:30 UTC (Wed) by Rudd-O (guest, #61155) [Link]

The sale of the data isn't the problem. The problem is the tracking. We all knew how that went during corona times — governments around the globe just gave themselves permission to use that data, because it was already being collected.

Mozilla: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

Posted Sep 29, 2023 1:46 UTC (Fri) by ghane (guest, #1805) [Link]

> This is something that they'd always opt-in to, since if it saves your life, you might come back
> and buy from them again, while if you die in a serious single-vehicle crash, you're not going to buy another car.

Citation needed :-)

Mozilla: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

Posted Sep 6, 2023 20:33 UTC (Wed) by dskoll (subscriber, #1630) [Link] (8 responses)

As long as that's all the system does (alert in a crash) then I'm fine with that. I'm not so fine with something that sends back information on a regular basis during normal operation.

Mozilla: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

Posted Sep 7, 2023 6:07 UTC (Thu) by oldtomas (guest, #72579) [Link] (7 responses)

Problem is, once the infrastructure is there, there is an alignment of interests between states and surveillance capitalism (Shoshana Zuboff [1] describes pretty well how Google was allowed to grow in the shadow of three-letter agencies, because the former could do things the latter were not allowed to).

Believe me -- once the "infrastructure" is allowed to (or even forced to) collect the data for the case of a crash, they'll find creative ways to sell it to a data broker. Again recommended: Zuboff

[1] https://en.wikipedia.org/wiki/Shoshana_Zuboff#Surveillanc...

Mozilla: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

Posted Sep 7, 2023 9:51 UTC (Thu) by farnz (subscriber, #17727) [Link] (4 responses)

This is why the GDPR, for all its faults, is a step in the right direction; by establishing that you can't collect data until there's a lawful basis to do so, and restricting the reasons that make it lawful, it prevents EU entities from extending such data.

And the infrastructure you're talking about is 112 or 911 depending on country - it's existed for a very long time. All that's new is that the car will contact 112 for you if certain conditions are met.

Mozilla: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

Posted Sep 7, 2023 12:05 UTC (Thu) by Wol (subscriber, #4433) [Link]

> And the infrastructure you're talking about is 112 or 911 depending on country - it's existed for a very long time. All that's new is that the car will contact 112 for you if certain conditions are met.

Don't forget 999 ... (although your two also function perfectly well in the UK.)

Cheers,
Wol

Mozilla: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

Posted Sep 7, 2023 14:02 UTC (Thu) by paulj (subscriber, #341) [Link] (2 responses)

We're talking about cars with GSM (or later related standards), so 112 always works - part of the standard.

Mozilla: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

Posted Sep 7, 2023 14:06 UTC (Thu) by farnz (subscriber, #17727) [Link] (1 responses)

I'm referring to 911 as well, simply because I've noticed that North Americans don't necessarily recognise 112, but do recognise 911.

In the actual network layer, the established call is not to a number - it's a special call type for "emergency operator", not a call to 112, 999, 911, 111, 08, or whatever the dialled number is. GSM devices recognise 112 and translate it to a special call - this translation also means that the network knows to prioritise resource allocation to the call, and (e.g.) drop other calls if needed to let the emergency call get through.

Mozilla: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

Posted Sep 8, 2023 14:05 UTC (Fri) by Wol (subscriber, #4433) [Link]

Not all Europeans recognise 112, I expect ...

I know it's the official Europe-wide number, but many countries still use their pre-112 number as a matter of course. I can remember being shocked when I found out that 112 worked (as did 911) over here. Back in the day of public call boxes - I just happened to notice the notice about emergency calls, and it listed all three numbers, 999, 112 and 911.

Certainly no-one in my circle ever mentions 112 should the topic come up.

Cheers,
Wol

Mozilla: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

Posted Sep 7, 2023 13:14 UTC (Thu) by dskoll (subscriber, #1630) [Link] (1 responses)

Public transit is looking more and more attractive.

Oh wait... we use smartcards to pay for that... D'OH!

Mozilla: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

Posted Sep 9, 2023 11:04 UTC (Sat) by ibukanov (subscriber, #3942) [Link]

In Norway one typically uses a smartphone to pay for a monthly public transport ticket and the smartphone is not scanned when one boards a bus. Only in the case of a rare control one is supposed to show the app. So most of the time one can travel with the smartphone off.

Mozilla: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

Posted Sep 6, 2023 18:05 UTC (Wed) by nickodell (subscriber, #125165) [Link] (2 responses)

Perhaps not, but a trend I've seen becoming more common is cars having built-in entertainment systems with access to streaming services. For example, a friend's car can play Spotify. That means that his car has an internet connected computer. It does not seem very far fetched that it could have a connection to the vehicle's CAN bus, and read off the vehicle's acceleration/speed. I'm not saying that manufacturers are currently doing this, but it's a little disturbing they've reserved the right to do so.

Mozilla: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

Posted Sep 6, 2023 18:27 UTC (Wed) by farnz (subscriber, #17727) [Link]

The factory system in my 2011 car, while not having Internet connectivity, can get current engine revs, vehicle speed, gear, and direction of travel from CAN to help with navigation and with automatic volume control (turning the volume up a little as the car gets noisier to make the perceived volume more consistent). I would be surprised if a modern vehicle gets less data from CAN.

Mozilla: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

Posted Sep 11, 2023 12:40 UTC (Mon) by raven667 (subscriber, #5198) [Link]

Entertainment head-end systems can read from the CAN bus to implement adaptive volume control that accounts for road noise based on speed. Some cars have multiple CAN buses for different security levels with a firewall/proxy/bridge in between, so low security systems like the entertainment system don't have write access to critical data like ABS brakes or engine timing.
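The bridge arrangement described in the comment above can be sketched as a default-deny forwarding policy. This is an added example, not code from the original post or from any vehicle: the bus names and CAN identifiers are constructed, and restricting what the entertainment side may read to an allow-list is an assumption of the example that goes one step beyond the comment.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    can_id: int   # 11-bit standard identifier
    data: bytes   # 0 to 8 payload bytes


# Hypothetical identifiers, constructed for this example.
ID_BRAKE_COMMAND = 0x0C0
ID_VEHICLE_SPEED = 0x1A0
ID_ENGINE_RPM = 0x1A4
ID_DOOR_STATUS = 0x3B0
ID_MEDIA_STATUS = 0x5F0

# Frames copied from the vehicle bus to the infotainment bus:
# only what adaptive volume control needs.
VEHICLE_TO_INFOTAINMENT = frozenset({ID_VEHICLE_SPEED, ID_ENGINE_RPM})
# Nothing from the infotainment bus is written to the vehicle bus.
INFOTAINMENT_TO_VEHICLE = frozenset()


class Gateway:
    def __init__(self):
        self.dropped = []  # audit trail of (source_bus, can_id)

    def forward(self, source_bus, frame):
        """Return the destination bus if the frame may cross, else None."""
        well_formed = 0 <= frame.can_id <= 0x7FF and len(frame.data) <= 8
        if source_bus == "vehicle":
            allowed, dest = VEHICLE_TO_INFOTAINMENT, "infotainment"
        elif source_bus == "infotainment":
            allowed, dest = INFOTAINMENT_TO_VEHICLE, "vehicle"
        else:
            allowed, dest = frozenset(), None  # unknown bus: deny
        if well_formed and frame.can_id in allowed:
            return dest
        self.dropped.append((source_bus, frame.can_id))
        return None


def replay(traffic):
    """Run (source_bus, Frame) pairs through a fresh gateway."""
    gateway = Gateway()
    routed = [gateway.forward(src, frame) for src, frame in traffic]
    return routed, gateway.dropped


# Constructed traffic: two frames from the vehicle side, then three from a
# head unit, the last two using identifiers that belong to the vehicle bus.
CONSTRUCTED_TRAFFIC = [
    ("vehicle", Frame(ID_VEHICLE_SPEED, b"\x00\x5a")),
    ("vehicle", Frame(ID_DOOR_STATUS, b"\x01")),
    ("infotainment", Frame(ID_MEDIA_STATUS, b"\x02")),
    ("infotainment", Frame(ID_BRAKE_COMMAND, b"\xff")),
    ("infotainment", Frame(ID_VEHICLE_SPEED, b"\x00\x00")),
]

if __name__ == "__main__":
    routed, dropped = replay(CONSTRUCTED_TRAFFIC)
    print("routed :", routed)
    print("dropped:", [(bus, hex(cid)) for bus, cid in dropped])
```

The dropped list doubles as a detection signal: a head unit that starts emitting vehicle-bus identifiers shows up there even though nothing reaches the other side.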

Mozilla: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

Posted Sep 7, 2023 11:57 UTC (Thu) by eduperez (guest, #11232) [Link]

I drive a modern Renault Captur.

This car comes with a GPS and cell modem embedded. In case of an accident (no user interaction needed), the car will phone the emergency services, call for help, and share the current location of the vehicle. I can also press a button, and get in touch with the emergency services, using the car's phone (not mine). The car can also download and install firmware updates (I guess/hope that's just for the entertainment features), using its own internet connection.

So, this car has both a GPS and an internet connection; it is entirely possible that it phones home regularly, and sends information about my whereabouts or my driving habits.

Mozilla: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

Posted Sep 6, 2023 16:41 UTC (Wed) by frostsnow (subscriber, #114957) [Link] (6 responses)

>Proof, once again, that running Linux does not automatically make a device privacy-friendly.
Possibly a good example of the difference between "Linux" and "GNU/Linux".

Mozilla: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

Posted Sep 6, 2023 17:26 UTC (Wed) by tao (subscriber, #17563) [Link] (5 responses)

Linux is just the kernel. TTBOMK Linux has no "phone home" functionality. I doubt that the GNU components of the userland software have either. Most likely it's the proprietary bits that phone home.

Mozilla: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

Posted Sep 6, 2023 19:19 UTC (Wed) by intelfx (subscriber, #130118) [Link] (4 responses)

That’s exactly, I believe, the point the GP is making. When we speak of “Linux”, it can very well mean “Linux with a non-user-respecting userland”. Thus, if we want to say “the good kind of Linux”, we should specify the userland also.

GNU doesn't make a difference here

Posted Sep 6, 2023 20:24 UTC (Wed) by ghodgkins (subscriber, #157257) [Link] (3 responses)

You can just as well put the non-user-respecting functionality on top of a GNU userland, or build it with a GNU toolchain. Tools built with good intentions can be used for bad things, especially when the tool is widely-distributed open source software.

GNU doesn't make a difference here

Posted Sep 7, 2023 16:21 UTC (Thu) by frostsnow (subscriber, #114957) [Link] (2 responses)

>You can just as well put the non-user-respecting functionality on top of a GNU userland, or build it with a GNU toolchain.
Theoretically true, but I'm not yet aware of anyone who has done that.

GNU doesn't make a difference here

Posted Sep 7, 2023 17:13 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

If you consider DRM to be a bad intention, then there is plenty of DRM-ed hardware that uses the GNU stack. Including even GCC under GPLv3 and other utilities.

GNU doesn't make a difference here

Posted Sep 8, 2023 18:01 UTC (Fri) by xtifr (guest, #143) [Link]

Didn't Ubuntu add opt-out tracking to their system at one point?

Mozilla: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

Posted Sep 6, 2023 18:48 UTC (Wed) by shemminger (subscriber, #5739) [Link] (1 responses)

It won't be long until cars come with the Google model.
Car is free, but we can sell and use everything you do all the time.

Mozilla: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

Posted Sep 11, 2023 12:45 UTC (Mon) by raven667 (subscriber, #5198) [Link]

Cars are sometimes sold on the finance/investment model, the car vendor sells you a _loan_ to buy it and make their money on the interest, the car is just a way to get you in the door. Can also be done with insurance.

Enforced consent

Posted Sep 6, 2023 21:03 UTC (Wed) by Wol (subscriber, #4433) [Link] (6 responses)

We've got a 2019 Vauxhall (aka Peugeot). It didn't come with a built-in satnav, but what it DID come with was the ability to display the phone screen on the in-car display. "Great", we thought, display the phone sat-nav on the car display.

So we plugged the phone into the car USB port, Android-Car or whatever it's called fired up, and ...

"Allow the car to upload your contacts list" "yes" "abort"

WTF !!! NO WAY do I want the car to have my contacts in it. Especially as using a hand-held phone in a car is illegal because it's so dangerous, and using hands-free is statistically EQUALLY dangerous !!! Why does it need my contact list? Why does it DEMAND my contacts list as the price of being able to pair MY phone with MY car? !!!

Cheers,
Wol

Enforced consent

Posted Sep 7, 2023 0:30 UTC (Thu) by pizza (subscriber, #46) [Link] (4 responses)

> Why does it DEMAND my contacts list as the price of being able to pair MY phone with MY car? !!!

That's a bog-standard bluetooth feature. Just about any bluetooth-enabled headunit (and phone) has supported this since approximately forever, long before "connected cars" were anything more than a TV trope.

The reason for this is so that the headunit can display (or speak) the contact name instead of just the phone number when an incoming call comes through, since hardly anyone is likely to know the numbers of more than a couple of people.

Enforced consent

Posted Sep 7, 2023 5:52 UTC (Thu) by ssmith32 (subscriber, #72404) [Link] (3 responses)

Wol specified the connection was over USB, not bluetooth.

The reasoning behind the ask may be the same, but it is a little weird to ask when connecting over USB, and no pairing is involved, and, therefore, you're not necessarily going to be making any calls.

That said, on bluetooth, I've always been able to decline the contact share & move on. I'm curious what "abort" actually did in this scenario - if it just aborted the upload, and proceeds with the screen share, all is well.

Enforced consent

Posted Sep 7, 2023 12:04 UTC (Thu) by Wol (subscriber, #4433) [Link] (1 responses)

I will have to try again, but iirc, declining the contact share broke the connection.

The crucial point is, the driver making phone calls in cars is ****ING DANGEROUS, and the car trying to encourage and make easy the doing of something incredibly stupid, should get the designer shot !!!

If ALL I want to do is cast my phone screen to the car display, then that is a perfectly legit requirement, and the car downloading my contacts as a pre-requisite is totally unacceptable.

Cheers,
Wol

Enforced consent

Posted Sep 7, 2023 12:57 UTC (Thu) by Wol (subscriber, #4433) [Link]

Forgot to add (because it didn't cross my mind) it's quite normal for the initial connection to be wired, and part of the setup involves enabling wireless. For example, setting up an Epson printer over USB will exchange wireless credentials, the BT wi-fi extender requires you to plug in an internet cable for setup but after that it's no longer required - or usable for that matter ...

Iirc the car and phone would have negotiated bluetooth if I'd let them. And I'd've been quite happy. I just do not want ANY of my data downloaded into the car as there is absolutely no need for it.

Cheers,
Wol

Enforced consent

Posted Sep 8, 2023 0:34 UTC (Fri) by foom (subscriber, #14868) [Link]

I always say no to the contacts question in rental cars, and it never causes a problem with displaying the screen or any other functionality.

Enforced consent

Posted Sep 7, 2023 12:15 UTC (Thu) by mathstuf (subscriber, #69389) [Link]

This is where that old Cyanogenmod feature that allowed one to give "fake" data in response to permission requests (contacts, calendar, location, etc.) would be very useful.

Mozilla: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

Posted Sep 7, 2023 5:50 UTC (Thu) by jamesmorris (subscriber, #82698) [Link] (1 responses)

"Tesla is only the second product we have ever reviewed to receive all of our privacy 'dings.'"

Yikes.

Mozilla: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

Posted Sep 11, 2023 12:45 UTC (Mon) by raven667 (subscriber, #5198) [Link]

Hey, they're ahead of the curve, innovative even ;-)

Mozilla: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

Posted Sep 7, 2023 9:01 UTC (Thu) by madhatter (subscriber, #4665) [Link]

The issue has now made the mainstream press in the UK (no paywall); it might have some actual legs.

I quite liked "Kia’s privacy policy states it may process “special categories” of data, including ... “trade union membership”". But then I don't own a Kia (or any other kind of car).

Mozilla: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

Posted Sep 7, 2023 14:04 UTC (Thu) by paulj (subscriber, #341) [Link] (1 responses)

As a data-point, VW ID.4 (and I guess the whole ID range?) - at least in EU - gives you the option of an "offline mode" when you start the car.

I must look into the small print as to how well that closes off privacy issues...

Mozilla: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

Posted Sep 11, 2023 12:47 UTC (Mon) by raven667 (subscriber, #5198) [Link]

Tesla had an offering for government and others where the SIM card was pulled from the LTE modem. Obviously this would require manual updates and any feature like streaming audio wouldn't work, or traffic aware routing, but that's the trade off you are making.

Mozilla: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

Posted Sep 11, 2023 13:23 UTC (Mon) by raven667 (subscriber, #5198) [Link] (1 responses)

I would like if the US or EU could actually audit the internal workings of service providers and ad-tech, maybe through congressional investigation, and both publish that information to the public but also use it to craft some rules about what the majority of the public finds acceptable tradeoffs for privacy and enforce that service providers don't exceed their authority. Right now, except for GDPR and a few others, it's a free-for-all with shadowy brokers paying for all sorts of data because ad agencies think that they can build psychological profiles from the crumbs they find and that it will help them in some way sell more crap. Honestly, selling crap shouldn't be a protected activity at the level it is now, as it's often enormously wasteful and inefficient, at a time where there are global costs due to the pollution we should be able to come to a rough consensus on the tradeoffs for how we achieve the standard of living we want, that doesn't send the world straight to hell.

My criticism of this report is that it can be a bit hand-wavy with what these companies are actually _doing_ vs what they _could_ be doing, because we just don't have solid evidence from within the companies, partners, data brokers, etc. How much of the privacy infringing data is gathered from ambient sources, like getting an approximate location and speed based on which basemap tiles are requested and when, or getting traffic data which requires either submitting your exact route or constraining a search to a geofence that pretty much exactly correlates to your route, where the service inherently needs to handle potentially sensitive data, but there is no law requiring it be treated as such.

I'd be interested to interview the lawyers who drafted each company's privacy policy and what scenarios they ran into or imagined that inspired them to add the various clauses they did, or if it's just boilerplate that they didn't seriously review. The privacy can only be as good as the laws where they operate require, so cars sold where the GDPR applies may have different policies as elsewhere, and they have to adhere to whatever the local standards are for police search requests, whether a warrant is required or not (often not for third party data), it's unreasonable to expect a company to fight local law enforcement on your behalf (which includes China where the local standards about what the government can ask for and for what purpose are probably very different than other jurisdictions).

I wonder if the clauses in the privacy policy about sex have to do with cars that have internally facing cameras which might be seen by first-party repair technicians or uploaded during a crash or some other event, as people do sometimes have sexual activity in their vehicles and their policies might need to account for it. Similar for cars with cameras and lidar and whatnot for cruise and lane-keeping, those systems may send diagnostics and error reports which include samples of data to improve the accuracy.

I just wish that this wasn't so much of a black box because I don't like reports which are just "they _could_ be doing this or that, scary scary, booga-booga", I'd like to know for sure, with evidence, what _exactly_ is being done and what the trade-offs are to make informed decisions. I know this stuff can be bad, but how bad and in which ways seems a mystery to me.

Mozilla: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

Posted Sep 11, 2023 21:38 UTC (Mon) by kleptog (subscriber, #1183) [Link]

> I would like if the US or EU could actually audit the internal workings of service providers and ad-tech, maybe through congressional investigation, and both publish that information to the public but also use it to craft some rules about what the majority of the public finds acceptable tradeoffs for privacy and enforce that service providers don't exceed their authority.

Dunno about the US, but the EU sort of has this. Or rather, the EU has no authority, but the GDPR directs member states to create a supervisory authority that does have the powers to audit businesses. The Data Protection Authority in NL is able to start investigations and require copies of any documentation relating to the running of a business that may be relevant for an investigation. In addition they give advice to government and businesses about best practices. If you have a tip that service providers are doing things they shouldn't, they absolutely have the power to investigate.

Whether they have the resources is however a different problem.

> I'd be interested to interview the lawyers who drafted each company's privacy policy and what scenarios they ran into or imagined that inspired them to add the various clauses they did, or if it's just boilerplate that they didn't seriously review.

This would be very interesting indeed. Though I think most of it is because no-one asks critical questions. For a long time businesses did whatever was easy and asked and stored all sorts of information they didn't actually need. Now the law requires larger businesses to actually appoint someone whose job it is to ask critical questions that the businesses find it easier to simply not ask for info rather than try to think of some lame excuse.

As for policies about sex in cars, that's just typical Anglo-Saxon Cover-Your-Ass legalese. Anything you can do you can do in your car. There's no reason to list everything specifically. Any recorded video should be treated very very carefully no matter what.


Copyright © 2023, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.