- Can I turn off data collection?
- Can I corrupt data transmission and collection?
- Can I charge per kb for any data collected?
- Is the dealer obligated to disclose data collection?
I'll be in the market for a new car in the next few years but I do not want to buy anything that tracks or collects ANY data about me. I was assuming that buying a cheap non-electric car would offer some protection but I'd love to know more.
For a consumer in the US, I have no idea, but I'm guessing your question is about that since the story is US-specific?
Probably off-topic, but buying a car in 2019 in Spain, they asked me if I'm OK with data-collection during the purchase, up until car delivery, and handed me a contract to sign for "treatment of personal data". I said no, we moved on.
After buying the car (2018 Audi A3), they threw in some remote-monitoring sensor "for free" that could let me/them see metrics about the car, for "maintenance" and whatever they claimed, that they offered to install. I again said "no", but kept the device itself to pick apart at some later time.
But overall, they seem required to ask (here, EU) but no one batted an eye when I said no. The car has a SIM-card reader, but never used it, I'm guessing if I install a SIM-card the car would ask me if data collection is OK, because we'll always have the choice at least.
Electric cars seem like a no-no for now (everywhere possibly), since all of them came with an "always on connection" regardless of what I want, at least last time I checked.
Damn, that sucks. Hope my current car lasts a long time then... It even has buttons and everything.
> I don't know if it's legal or common to reuse that radio for collecting other data. I would hope not
My guess would be that when you first get it/boot it, you'll at least get a choice between accepting it or not, that would be the baseline.
You know they're not taking anything seriously when claiming with a straight face in the age of GeoGuessr that potentially hours of road footage, starting/ending with you literally driving into your garage, could ever be anonymous.
Gut check, sure, but I wouldn't trust the company that argued technically autopilot wasn't turned on in car crashes because they turned it off milliseconds before the sensed impact and blamed it on driver inattention as being a good, well-intentioned data steward.
Here’s one thing neither Tesla nor Hyundai have ever said: that they won’t sell the data. (EDIT: I stand corrected on Tesla, as per reply comment. “We do not sell your personal information to anyone for any purpose, period.”)
They all do this until you press "I agree". Some do it even before.
In my 2018 Chevy Volt Premier it's not too difficult to disconnect the LTE module. You lose OnStar, remote start, and other "connected" features, but the car and CarPlay still work.
https://www.jamesxli.com/2024/chevy-volt-disable-cellular.ht...
Mazda won't permit me to use remote start because I refused to install their app and enable connected services. The man I worked with on the lease was extraordinarily aggressive with me. Almost demanding I install and register this app to complete the lease agreement.
So now I don't have remote start and every time I turn the car on I have to select cancel on an infotainment prompt asking me to enable connected services.
The TOS specifically says driving data will be sold to 3rd parties including law enforcement and insurance companies.
I never installed the app and I was asked to by the leasing guy though he wasn't pushy about it - for whatever reason, the lease/sales guys are incented to have it installed though, allegedly, Mazda corporate says they don't incent them - I don't trust it
also, allegedly, since I didn't install it, Mazda says my TPU is disabled which is fine by me - remote start is less important than saving many thousands of dollars on bogus insurance hikes
I wonder how he would react if you were to tell him that you don't own or use a cellular phone.
That's awful, but at least it was written down, I guess.
That'd be a hard "No" for me. Or at least I'd ask for a big chunk of that revenue in exchange for MY data.
A home though? I guess it makes sense that they can sometimes inspect it, but I expect privacy in my own home even if I'm renting.
So yeah, depends. Is there some fallacy in my views or something I'm missing?
> Items people can just take and leave with, yeah I think it's OK they keep track of the thing while I'm renting it.
Is it a fallacy/bad to think that people have the right to track things they loan/rent out to others, as long as that's clear upfront?
Well, I think it’s unrealistic to not expect car rentals to track their cars. Renting gardening tools might be a different story. However, SaaS subscriptions are software rentals, and GDPR makes it explicitly illegal to track what the software companies rent to EU citizens without consent.
To me it seems like the question in practice is not renting vs buying, it’s about what information is collected, what they’re allowed to do with it, and who it is sent to.
Car rentals could request or require consent as terms of rental. (They probably do, I can admit to never having read the entire contract.) One underlying issue here is whether the car rental company passes your name or identification on to the manufacturer, law enforcement, or service providers. It does seem like they should not have the right to do that automatically without informed consent (not buried in contract legalese). They probably should have the right to track where their car is until it’s returned, and then delete that data. So all depends on what they do with the data.
Have people completely lost their reading comprehension? My comment:
> Renters of what? Items people can just take and leave with [...]
A car is an item "people can just take and leave with". I literally answer the question myself, right after stating it. And not until the line below I start talking about expecting privacy in a rented home.
> Car rentals could request or require consent as terms of rental
They very much do, at least in the countries I've rented a car in. Every time they asked for consent, like the regulations require them to in my region.
You cannot shield your car (ok, you can, but then you cannot drive it). What you can do is disturb the antenna so not enough power will be available to be sent.
I like the feel of driving classic/older cars, but I really cannot justify the safety and pollution drawbacks if I wanted to use them daily.
Currently have a 2012 C350 Coupe that I love to death. Have had it since 2018. Fantastic car, I don’t think it spies on me too much.
But, sooner or later it'll be a problem. What would be interesting to me is, is it possible to deactivate cellular on a modern car without losing key functionality, and, if it is ever reactivated (say, to pull updates) would it promptly push years of data upstream.
I do not know the year they started with all the tracking stuff but you can find an older car that does not have any tracking and spend the rest of the money making it mint.
There is no getting away from it though, we are all watched over by the machines of loving grace. You know with the new LoRaWAN and IoT everywhere scam they are rolling out there will be nothing you can do to escape the surveillance apparatus.
I am giving up. No sense in fighting it anymore. I am just a good little corporate boy toy now.
That makes it much easier for people to collect data. People read on the Internet, yet again, that they are powerless.
I'm glad they are moving forward on it, at least until Monday.
Protecting it is difficult since the house/senate and scotus are all determined to roll back pro-consumer laws but that's not really something the FTC can fix, only voters can fix that.
Voters don't seem to see these things as important though based on how they voted most recently. They have other priorities I suppose.
I'll also be cynical and say that voters were also lacking critical thinking in terms of how the president elect simply said he'd do things with no action plan behind it. He already went back on several "promises" even before properly stepping in as President. This is just shame on us at this point.
This is why saying "but you can elect new officials" is a canard. You only have two choices, each with thousands of consequences.
Banning non-competes, preventing Microsoft-Blizzard merger (amongst many others), enforcing the right-to-repair, filing lawsuits to lower drug prices, making cancelling subscriptions easier...
Your friendly reminder that both Amazon and Meta were openly against her taking the position, that the upcoming administration will scrap the antitrust lawsuits against both of them (the one against Meta was supposed to start in spring, the one against Amazon in 2026) and that this is why Bezos and Zuckerberg are cozying up to Trump.
- confusing consumers
- sneakily signing up consumers to “smart driver” as part of onstar
- data brokers subsequently building profiles on users and selling this data to _insurance companies_
- consumers later finding out their insurance doesn’t get renewed because of this secret driver profile that was built without their explicit consent
If GM followed the rules by disclosing this directly, allowing consumers to opt out, they probably wouldn’t be in this embarrassing position.
It’s in the FTC release: https://www.ftc.gov/news-events/news/press-releases/2025/01/...
But then this submission is explicitly about them giving a shit, and your own example shows that they do give a shit. Since GM didn't allow people a choice regarding their privacy, FTC looked into it?
I really don't understand how someone can see this story about FTC giving a shit, and then proclaim "They don't give a shit". If they didn't give a shit, why do something?
Or you're arguing against data collection as a whole? I'm not sure FTC is the right tree to bark up to if that's the case, wouldn't you need to involve lawmakers for that? It seems to me FTC would only be able to legislate against "unfair or deceptive practices", so that's why they can address people collecting data in the wrong way, but not address data collection as a whole, would be my guess.
After all, if I installed spying software on GM's computers, and sold the extracted data to, say, Toyota, I'd face hefty fines. And spend time in prison.
You're going about this all wrong. Set up a company, create a landing page and do some B2B contracts for selling that data, and you too can be a "Data Broker" fully legally. But yes, approaching this as an individual is most likely illegal, you're supposed to do it as a corporation.
Jail time? Probably not, we let health insurance companies get away with taking away critical needs from patients and delaying care in the name of delivering shareholder value. The best they get is a slap on the wrist from the government, let alone jail time.
4chan/anon was screwing with websites -> terrorism
Neo-nazis finding unsecured online printers at colleges and printing their propaganda -> terrorism
Shoot a public figure because you think they've done a ton of wrong -> terrorism.
Go on a bulldozer rampage against people who have wronged you -> terrorism
The first terrorists (named so) were revolutionaries (not Bolsheviks, but other parties) in the Russian Empire, who went to government officials' offices and shot them in the face with a Nagant revolver.
Look up Vera Zasulich, Dmitry Karakozov, Narodnaya Volya (organization), etc.
It is TRUE terrorism, not bombing a Christmas parade or marathon.
Besides, I'd say it's both. There is no denying it was a murder, nor that it was targeted and based on what I understand "terrorism" to be, it seems like that too.
The United Healthcare murder was basically a reverse Eric Garner. Instead of the government killing someone over something petty to keep the peasants in line, a crazy peasant killed a member of the ruling class to send the same message in the other direction.
Politically both of these are more like a good ol' fashioned lynching than terrorism though obviously the line between the two becomes a bit blurry. Most targeted political violence is not terrorism (though of course the statutes are so broad that if you crop dust an elevator in a government building you're probably open to prosecution).
I don't see how loose targeting is required. Or was the Oklahoma City Bombing not terrorism because it targeted a specific building?
The FBI definition of domestic terrorism is only one of many, but they say:
> Violent, criminal acts committed by individuals and/or groups to further ideological goals stemming from domestic influences, such as those of a political, religious, social, racial, or environmental nature.
In my mind, the key is intent to further ideological goals. Killing a rival gang member to increase your standings in the gang leader boards isn't terrorism because there's no ideology. Killing a gang member to try to wipe out gangs could be, because it's an ideological battle. It wouldn't matter if you specifically targeted the leader of a gang, or the first gang member you saw, or someone you thought was a gang member without any investigation; it's the intent to further your ideology with violent crime.
Thanks, learned something new about the US today :) In the jurisdictions I'm familiar with, the goals/objectives behind the actions seem to take a more important role than how you seem to consider it in the US.
It is a very modern meaning of the word. It is almost re-labeled, like "piracy" for copyright infringement.
And people who called themselves anarchists used to be ideologically communist-adjacent. That was well over a century ago.
Words change over time. The definition has been what it has since at least the 1970s, probably longer depending on where you measure. It is not "very modern".
But again, makes sense that the US would have different definition.
A person driving over a person with a van with explicit goal of "Jihad against Christians" would be terrorism, because of the objective, no matter how many people get hurt.
While it seems clear to me that this can be considered "terrorism", it would also seem like it isn't breaking against "anti-terrorism laws" or whatever the charge is in the US.
Most important part of this IMHO.
Either it's illegal or it isn't.
No judge ever says "I ban you from burgling houses for 5 years!", like after 5 years it would be okay again.
I think: it's illegal without consent. They can't do it for 5 years, even if they got consent, as a punitive measure. After that they will have to seek consent.
Security pentester tests someone's website before getting approval/confirmation that this is what the client (who isn't a client yet) wants.
Someone reports that, and judge says "Since you didn't do the pentest the legal way, we're banning you from doing pentests for five years"
After those five years, the pentester can continue doing tests, but legally. The five year ban is not the punishment for doing pentests, but for doing unauthorized pentests.
The analogy here is that data collection/selling is legal, but you have to follow the rules regarding how collection happens. If you break those rules, they'll ban you for N years, after that you can do the collection/selling but following the rules.
> The five-year ban prohibits G.M. from sharing information about individual drivers, but it can still share anonymous data about people’s driving with third parties, such as road safety researchers.
I know Kashmir Hill knows better than to believe in the fairy tale of "anonymous data".
Everyone has something to hide, be it as simple as your driving behavior, so you don't end up overpaying for insurance or even in the situation where all companies refuse to insure a 'risky' profile.
With the VW data leak I was pretty horrified that VW either doesn't understand or doesn't care that leaking location data isn't just privacy invading, it's potentially dangerous for victims of stalking and abuse. In the mildest cases these people may need to move, in the worst they die.
Car companies seem completely oblivious to the dangers of collecting driving data.
I don't think there was ever ill intent, but when it inevitably goes wrong, then yes, everyone will be thrown under the bus if it protects the stock price.
The US really needs to strengthen the legal foundations for people's right to privacy.
That's at odds with the even higher (current) goal of "Make money". As long as those are at odds, entities in the US will always favor "making more money" above "people's right to privacy".
Or, people start preferring entities that aren't strictly for-profit, but seems unlikely to happen on the short-horizon.
What happens when the car (and its data collecting habits) is sold in the used car market? Does it still collect data, is the ownership situation "corrected" via DMV registration feeds, etc. ?
A while ago I read about smart TVs bypassing pihole-style blockers by using hardcoded IP addresses and DNS server addresses.
I don't even know how smart cars work. Do they have their own SIM card or something like that? Either way there are so many ways they can subvert obstacles. For example a car could scan for unprotected WiFi networks and connect to one if found.
Wow is this real?
Yeah, no shit. Why on earth would I assume the company from which I bought my car is selling my information? Why are they allowed to sell this data at all?
We can all acknowledge how ridiculous this is, right?
Sadly the answers are "if it's got a connected computer in it, it's selling your information" and "you're in America, so no GDPR because 'free speech' trumps privacy almost every time, except for video rental records".
If data is entered into a system, and you have not received permission to read it, then obtaining access to it is the crime of dataintrång, which can lead to two years imprisonment. So if you make a device and sell it to a customer and it phones home without permission and in phoning home provides you with information he has entered into it, then you've committed dataintrång and can go to prison for up to two years.
I see no reason why GPS data and other automatically entered data would not be regarded as having been entered into the device.
The main problem is that this sort of thing (tracking of cars and storing the data in a central database) is considered normal by corporations and is allowed by law. Would we like to have big corporations place private detectives outside our houses and when we leave they follow our every step, take photos, record audio and track our GPS position and report all that data to the corporation in realtime? That is what they do now with their cars and phones and appliances. The reason they did not do it in the past was that it was expensive to have private detectives track each of their customers, was considered spooky and abnormal and it was probably also illegal, but now it is cheap and somehow considered normal.
Not allowed by the GDPR, this violates the principle of unambiguous consent:
https://www.autoriteitpersoonsgegevens.nl/en/themes/basic-gd...
You can maybe(?) retract your answer,
Under the GDPR, retracting consent should be as easy as giving consent. Moreover, you have the right of erasure. Even if you consented, when asked, GM should remove all your personal data:
https://gdpr-info.eu/art-17-gdpr/
but maybe you don't even know you answered yes at some point when you were stressed and had to drive somewhere, while your nav/media system asked you this question.
Violates both the rules that consent should be given freely.
---
More broadly, selling non-anonymous data would never be allowed under the GDPR, because the third-parties would need to consent to use the data.
(IANAL)
If you answer yes in a popup by fat-fingering, stress, mixup whatever you are screwed. The popup typically comes up when you do not want it, i.e. when you are about to use the product's main function.
> Under the GDPR, retracting consent should be as easy as giving consent.
Well, the popup to give consent comes up all the time whether you want it or not, but there is no popup coming up to retract it. You have to search deep in the settings. It's quite unlikely people will do that on embedded hardware or cars.
And if first given consent by mistake, they have already fetched data in the meantime until you turn it off.
> Violates both the rules that consent should be given freely.
What do you even mean? Of course no one is pointing a gun to your head, but they put up the popup asking for consent and I might push the wrong button by mistake. I might also not notice I pushed the wrong button because there is never a confirmation step.
[EDIT]: And there are typically a huge bunch of switches and checkboxes asking for different kinds of approvals which makes it even easier to make mistakes.
While this is a somewhat common approach, it's not compliant. The real problem with the GDPR is enforcement; it's largely enforced by national data protection bodies of, well, varying quality, resourcing, and aggressiveness.
like real question that way they have the data and we have the data instead of we pretend they don't have the data in the name of privacy but they have the data
You may think 'we're only using it for advertising', but I don't trust you and I can't. I don't want you to obtain information about my political views, or how they differ from what I say on the internet, or who I talk to about maths, or where I buy food.
We already know that the data companies collect isn't only being used for ads, if not by the company that collects then by others who get access to that data either through sale or not. For example, Lawyers are using that data in courtrooms for things like divorce and custody hearings, and police are using it to turn innocent people into suspects.
As I interpret I don't think Swedish consumer contract law allows what you describe to matter anyway, and since the GDPR requires free consent it becomes more dubious, so obvious dataintrång.
I'd love something akin to a Bill of Data Rights here in the states similar to the GDPR, but there is no way oligarchs would allow such legislation to happen
Basically, a program that exfiltrates data without permission is treated no different from a rootkit, legally.
An essay about such a society: https://web.archive.org/web/20030212145443/http%3A//www.wire...
why wouldn't this be possible? company x gives you y data and tells you we sold it to z and so on and you just follow the chain using some unique identifier
they sell the data openly and i get to see what they're selling win win legislation instead of annoying cookie banners
No, because I have less than zero expectation that you all <points with middle fingers at HN comment section> won't happily be complicit in something that retroactively criminalizes me or otherwise screws me (and god knows how many other people, I'm fairly unremarkable) over on the basis that doing so is X% better for Y or where X is a small value and Y is a subject that is far from an existential issue for society. Society goes off on these boondoggles from time to time, eugenics, sticking the mentally ill in prisons but with pills, etc, etc and I don't want to see that sort of stuff cranked to 11 because the public tolerated a bunch of dragnet tech that serves as a force multiplier for unaccountable decision makers.
There's a company called Carfax that I'd never heard of. Their EU site seems to provide basic reports about the VIN, whether the car has been written off, etc. Those basic "Is this car sale a scam?" checks are common in the UK.
But the site also makes a big deal about "Get the American report!" So I googled "Carfax oil change" and found people talking about the oil change history in the reports [0]
In the UK it was traditionally common to keep a car log book where you recorded all maintenance and might get the garage to put their stamp on it, to prove to a future buyer that you'd looked after the car. But having a garage enter that info into some random company's database, and maybe not telling me, would be disappointing.
[0] https://www.toyotanation.com/threads/oil-change-history-when...
Every other car maker can continue to sell collected surveillance data...
They sell targeted ads using data, not the data itself.
How do you tolerate this?
Undisclosed data collection isn't unique to the US.
If VW collected this data without consent, the data protection authorities or the EC are going to have a field day.
(By the way, the GDPR also has ramifications for data leaks of legally collected data. E.g. there is a requirement to report this to the authorities within 72 hours after becoming aware of the breach: https://gdpr-info.eu/art-33-gdpr/ )
But fair, it's probably disclosed somewhere in an 80-page EULA for the app.