Report: Connected Cars Already Know Everything About You

Vehicular privacy is one of those things we never thought we’d have to gripe about but, as automotive connectivity becomes the norm, it’s become one of the most nagging issues in the industry.

Taking a cue from tech giants like Google, Facebook, and pretty much every other website you’ve ever connected to, automakers have begun leveraging customer data on a massive scale. Always-on internet connections exacerbated this problem (feature?), but it’s extremely difficult to tell exactly what kind of information is being shot up into the cloud before ending up at a manufacturer’s data center.

While we’ve seen cars hacked for the purpose of assessing how they’d stand up to malicious entities bent on wreaking havoc, few have attempted to decode the surplus of information emitted by your vehicle. We know this because people would probably be pretty upset to learn of the pathetic level of anonymity currently afforded to them. Despite spending tens of thousands of dollars on a new vehicle, privacy is rarely considered standard equipment. 

Borrowing some techniques from crime scene investigators, The Washington Post recently attempted to figure out what kind of information automakers are most interested in. It contacted Jim Mason, an ARCCA engineer who helps reconstruct vehicle accidents, and chose a 2017 Chevrolet Volt.

General Motors has a substantial lead in data acquisition, and it’s been pretty open about its interest in vehicular connectivity. (We’ve covered the evolution of OnStar, the rise of Marketplace, and GM’s research into customer behavior before.) And that background is why The Post went with a Chevy for its tests.

Mason gave the outlet a rundown on how modern vehicles utilize multiple computers and often have an array of sensors (thanks to advanced driving aids) that can store information on internal hard drives in order to be transmitted back to base when convenient. Getting that data as the manufacturer is easy. However, doing so at home requires loads of expertise, time, special equipment, and enough sweat to disassemble part of the car.

From The Washington Post:

It was worth the trouble when Mason showed me my data. There on a map was the precise location where I’d driven to take apart the Chevy. There were my other destinations, like the hardware store I’d stopped at to buy some tape.

Among the trove of data points were unique identifiers for my and [the Volt’s owner] Doug’s phones, and a detailed log of phone calls from the previous week. There was a long list of contacts, right down to people’s address, emails and even photos.

For a broader view, Mason also extracted the data from a Chevrolet infotainment computer that I bought used on eBay for $375. It contained enough data to reconstruct the Upstate New York travels and relationships of a total stranger. We know he or she frequently called someone listed as “Sweetie,” whose photo we also have. We could see the exact Gulf station where they bought gas, the restaurant where they ate (called Taste China) and the unique identifiers for their Samsung Galaxy Note phones.

Mason said he’s also hacked into Fords that recorded positional data every few minutes, regardless of whether you’re using the navigation system, and German models with 300 gigabyte hard drives exclusively used for data storage. He also referenced Tesla Model 3s that collected video clips from the cameras used for Autopilot. Creepily, Mason added that, in most instances, he’s really only able to get a fraction of the data these cars collect.

The vehicle’s owner, Doug, contacted GM to see what kind of data was being transmitted from his vehicle and was simply directed to examine the company’s privacy policy. Following up with dual written requests to see his data under California’s “Shine the Light” law (passed in 2003), he was reportedly met with silence.

GM spokesman David Caldwell declined to offer specifics on Doug’s Chevy but said the data GM collects generally falls into three categories: vehicle location, vehicle performance and driver behavior. “Much of this data is highly technical, not linkable to individuals and doesn’t leave the vehicle itself,” he said.

The company, he said, collects real-time data to monitor vehicle performance to improve safety and to help design future products and services.

While we absolutely believe the latter claim, the former borders on a bald-faced lie. “Not linkable to individuals?” Get real. Not only does this hacking experiment prove that the data GM is shifting is personal data (names, addresses, emails, locations, etc.), its corporate privacy policy explicitly says it can do this. The OnStar privacy statement claims GM can store and share your information “for as long as necessary.”

But there were clues to what more GM knows on its website and app. It offers a Smart Driver score — a measure of good driving — based on how hard you brake and turn and how often you drive late at night. They’ll share that with insurance companies, if you want. With paid OnStar service, I could, on demand, locate the car’s exact location. It also offers in-vehicle WiFi and remote key access for Amazon package deliveries. An OnStar Marketplace connects the vehicle directly with third-party apps for Domino’s, IHOP, Shell and others.

This would feel a lot less ominous if automakers kept their promises. In 2014, twenty of the world’s largest automotive manufacturers collectively agreed to meet or exceed commitments contained in the Automotive Consumer Privacy Protection Principles and protect personal information collected through in-car technologies. Unfortunately, it hasn’t amounted to much. Carmakers are collecting more data than ever and feverishly attempting to find ways to monetize it in the coming years.

Many automakers, including General Motors, claim they’ve found a way to protect customers by using “anonymized data.” But it’s practically meaningless when all the information being collected is building a user profile as distinct as a fingerprint — which is then shared with third parties GM can’t tell you about.

The Washington Post article goes into additional detail about how these changes are impacting right-to-repair laws, government surveillance concerns, targeted advertising, unsavory insurance programs, and a bunch of other stuff we’ve already complained about. It wants you to be wary of data acquisition and address the need for more transparency within the industry. Right now, we’ve basically given automakers the ability to access the same information phone carriers and social media firms do with less protection.

Mason recommended those interested in maintaining their privacy simply drive an older vehicle assembled before connectivity was a concern. More realistically, one could purchase a lighter adaptor to charge their phone — as simply connecting it to a USB port would be enough for most vehicles to sweep up every scrap of data you had on it. He also suggested telling the dealer you want to become an expert on turning off connected services. However, this would only stop automakers from collecting certain kinds of data (usually location) and isn’t a feature most newer models possess.

first published by TTAC
