It's hard to not want to throw your hands in the air screaming "whatever" when almost everything you use in public is somehow used to track you either as you move around, or in the future.
The FUD spouted on here by the scummy adtech industry about legislation to protect YOUR privacy is mind boggling. These are the people doing the digital equivalent of sniffing your underwear to work out what you had for breakfast.
(And before somebody shouts FUD about the UK/EU vehicle eCall 112 system, that certainly doesn't track you or seek to invade your privacy on any level!)
Maybe if you buy the car with cash, but if you finance it you are leasing from a company that has definetly accepted all the terms and conditions to capture and sell all the telemetry to various parties
>without an explicit opt-in
check out at a modern volvo/audi/whatever, they are making it so difficult to say no every single time the screen is powered on
No it isn't. Stop spreading FUD.
It is illegal in the UK/EU to make provision of a service dependent on allowing your personal data to be sold to third parties. This is BASIC data protection law here. You should be embarrassed for not understanding this.
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-re...
> modern volvo/audi/whatever, they are making it so difficult to say no every single time the screen is powered on
More FUD.
The nagware is for "safety" features such as lane assist which must turn on every time by default (yes, this is a PITA). This has nothing whatsoever to do with data privacy requests.
nagware is absolutely not for safety features. Deny the terms and conditions and every time you start the car you have at least three screens you have to scroll and click buttons. It is a very recent feature, have seen it on models from january onwards.
BTW: You also want to deny that because if you agree you also agree to update the system at their will (many cases on the press of them fucking it up, bricking cars requiring ECU replacement. A couple of manufactures i won't mention fucked that up as badly as using two different ECU makes for the same car model, and sending the wrong binary and the bootloader happily accepting it. All without user approving the update beforehand. All happening in the background. Car stops at the sign, ECU reboots and dies.)
You also have constant nagware when you disable the tracking features in software.
Your trust in the law (EU law! Haha) to do the enforcing itself is nice, but history and lived experience tell me that these laws are going to be skirted if there’s money in it.
Honestly, the number of people on here spreading FUD and defending the 'right' for the adtech industry to invade their private lives and treat them like shit is unreal. One could almost think their salaries are dependent on it!
Nobody seems to care and this isn't enforced at all.
It is very hard to live in Germany without having a google account. Many services are only offered via phone-app that is only available through play-store. I'd have to use apks from questionable, untrusted third-party websites.
Good luck finding an employer that doesn't require you to have a microsoft account.
The EU is not the privacy paradise some make it seem to be. It's a corrupt, bureaucratic, exploitive nightmare with some splashes of democracy here and there.
Von der Leyen is the perfectly ridiculous representative, she left nothing but corruption, collusion and incompetence in her wake.
Which in the EU/UK, is subject to data protection law; including compulsory opt-in for sharing personal data!
Granted, the scummy adtech industry push the law to the limit ("legitimate use"), meaning we need better regulation, not less.
> The EU is not the privacy paradise some make it seem to be
Nobody said anything about paradise, though considering the unrestrained nature of adtech in the USA, I certainly know under which laws I'd rather my (and others) personal data is kept.
The data is anonymized and you can opt out, but many people probably don't know it's collected in the first place.
How do you know?
BTW, the checking all the opt-ins is usually the first thing the sales person does when selling a new car.
And the FUD has started. Maybe try reading the law?
https://europa.eu/youreurope/citizens/travel/security-and-em...
But based on my experiece:
- GPS cold start requires 1-2 minutes to get a fix. That's too long in case of a crash. That means GPS is started at the same time as the car.
- A-GPS is better, but not sufficiently fast in case of a crash either.
- The cheapest way to implement an eCall module is to use a phone chip that includes both phone and GPS functions. I'm sure we can agree that all manufacturers will choose the cheapest. That means the telephony is started at the same time as GPS - when the car is started.
- Let's assume that telephony chip is separated. A phone boots in ... 30s? Too slow even if the eCall module doesn't include a full OS.
- A phone in airplane mode still takes 5-10 seconds to connect to the network and 3-5 seconds to dial. If you press the ecall button on your car, how fast does the call connect? If it's less than 5s, the ecall module was already registered on the network. If it's registered on the network, the car leaves a metadata trail on at least one of the local phone operators' servers. That metadata includes the time and the cell towers = full tracking data.
- GSM networks since the beginning mandate that the SIM card can execute commands received from the network. A SIM card is a full independent embedded processor. You should really watch the Defcon and BackHat presentations about SIM cards. Anyone that can send binary SMSs (and most operators are very ignorant/permissive) can track it, start calls, listen on the mic, etc.
So what is the point in having laws then?
No doubt you believe any adtech request for personal data should be met by the subject promptly bending over and grabbing their ankles with both hands?
But maybe it IS true. I know it's legally mandated.
So do you think UK/EU vehicle manufactures are deliberately in mass breach of data privacy law... fully knowing the cost of a consumer backlash, fines and vehicle recall costs to fix any law breach?
Really?
It's genuinely amazing how many Americans on here (a tech news site!) are unaware of data privacy law and expectations outside their homeland.
Of course, I can't or won't prove it.
And yes, I am _intimately_ familiar with the GDPR and other laws and regulations. The US also had (has) wiretapping laws that would have prevented snooping on Americans.
I'm not claiming the EU is no better than the US, it clearly has better intentions. But fundamentally, I think the EU will end up in the same place as the US sooner or later, simply because the same forces are at play: desire for security >> desire for privacy for most people if the rubber hits the road.
Here's some fun read for those who seek more info:
https://www.politico.eu/article/germany-privacy-watchdog-sid... https://www.bnd.bund.de/EN/Service/PrivacyPolicy/privacypoli... https://www.lexxion.eu/?newsletters_method=newsletter&id=477
Or, more succinctly - they are likely following the law but have figured out a way to avoid it as written using consumer opt-in and dark patterns.
You call it FUD, but this is hacker news and with overwhelming incentives it is not unreasonable to ask for verification that data isn’t being exfiltrated.
They were also in mass breach of vehicle emission laws. The fact that there was some backlash (although people didn't really stop buying VAG cars), people got prosecuted, the company got fined, didn't really change their decisions while they were pumping out fraudulent cars.
Yes, we should have privacy laws like this in the EU, this is a good thing! But thinking that, when these laws are in place, all companies magically will follow them is naive. To them it's still a cost/benefit analysis, and history has shown short term benefit trumps many other things for these companies.
I'd also suggest the backlash from breaches in data privacy would be much larger than from fiddling emissions tests (as evil as the latter was, it actually saved many customers money on a (more polluting) car with higher performance).
> After news broke out of Volkswagen cheating on diesel emissions, multiple other vehicle manufacturers got caught falsifying emissions data, as well as exceeding legal emission limits. This uncovered a greater industry-wide issue that goes far beyond only Volkswagen Group.
Doesn't that depend on the company though? Not all companies are focused in the same amount on short vs long term benefits.
There are costs of not following the regulation (example, did not check in detail: https://www.enforcementtracker.com/) and I do not hear (media, social network, etc.) anybody complaining about fines so I think it will just continue ad hopefully will change their opinion at some point.
Then let us hire different leaders into government. Public servants, not overlords.
I fear that only blackmail-able people with the potential to win elections, get the support, so that they are beholden to someone who ultimately gives them the job (e.g. funding their campaign) and has to return the favor x10 when elected, so promises go out the window and new reality sets in.
So it's not just that the primary process will crush anyone who will seriously roll back government powers. They won't even let anyone peacefully create an entirely new fucking island to try and get away from the tyrants and do it while leaving everyone else alone and not messing with the powers that be.
America did have a period of relatively small government intervention at the beginning, but that took a war with Britain. It also had some periods of it during the pre-founding (some of 1600s Pennsylvania and Rhode Island while Britain was occupied elsewhere). Pennsylvania (before it was a state) in particular was basically straight up anarchist for I want to say, about 20 years.
When forced off the reef, the founders went back to places like Australia, Manhattan, and London with considerable wealth. Pretty easy to see why that was preferable to possibly dying by firing on the armed forces of another country.
Somaliland and Rojava don't have that option.
Yes, the women, slaves, non-land-owners and native Americans all loved that phase! It was paradise on earth and the embodiment of the eternal liberty to which all (*) humans are entitled.
(*) your experience may vary, depending on your membership of various demographics. Some restrictions apply. Please see package for details.
I have no option other than to lay down my intellectual tools before you and declare you the winner of this battle of the ages. I am humbled by my idiocy in even bringing up the fundamental economic engine of the early American republic, as if it actually mattered at all in the face of the noble, if perhaps a little selfish, goals of those proud young Americans.
I'd also note slavery was also influenced by how land distribution happened in the colonial era. Lands dispersed under more feudal models lent themselves more to slavery and indentured servitude. Lands that for various reasons that were rapidly sold were more likely to end in the hands of small holders without slaves or fewer slaves.
Not only that. Them and the point-of-sale vendors (aptly shortened PoS), sell that data. They tend to attempt to do this anonymized. How successful they are in anonymizing that is very much so up for debate.
The websites (and even their retail locations) you buy from send your purchase data to meta and other advertisers directly via APIs so they can better track their marketing conversion rates. You can browse their APIs [1][2] to see what kind of data they like to get, but it tends to be every piece of identification they have on you. Rewards programs make this a much richer data set. You don't need to be a user of Google/Meta for them to build a marketing profile based on this. Google links your physical conversion from ads based on your maps data. Facebook does the same if you give them your location data. Many retailers attempt to use the bluetooth/wifi signals from your phone to track the same data even if you pay in cash [3].
There's no legal framework preventing this outside of the EU and California.
1: https://developers.facebook.com/documentation/ads-commerce/c... 2: https://developers.google.com/google-ads/api/docs/conversion... 3: https://www.nytimes.com/interactive/2019/06/14/opinion/bluet...
Yeah I think the big thing to push or talk about is that there is no such thing as "anonymized".
There's only such as a thing as "can only be identified as X many people". Like for a given dataset you can make any data point correlated to 1 of say 50 people. If somebody is anonymizing data and they don't provide a k-anonmizity [1] you should just assume it's 1:1 and effectively not anonmized.
let anon_id = md5(SSN);But now it's so convenient and discreet and common, we think nothing of it. Plus, Google and Apple and Facebook and their partners and everyone they sell data to are our friends, not enemies :)
My car is old, so no gps/trackers there, but this is troubling of course. I think that if/when I buy a new one, it has to be either some vintage car, or I have to find a workshop who can rip out all the tracking.
CC payments can be mitigated by paying cash, when available. But yes, CC and bank are a concern and so is CCTV.
An agent will be shortly with you to assist in that endeavor.
In some parts of the world that's a death sentence for the target. In other parts, it's one for the agent.
Maybe, but what happens without the mod described is that Google and Apple track you in addition to the telecom company. That, of course, assumes that you carry a cell phone tied to your identity. Some people refuse to carry cell phones altogether because of the privacy implications, or use them mostly in airplane mode with an anonymous SIM for backup.
You can also buy an older car that doesn't come with a SIM card installed.
Should that happen, I will move to a VoIP provider. Not perfect, but better than a smartphone.
Did you know ... in many countries government tracks car number plates and the data is stored for many years.
And if the competitor doesn't? Ouch.
I think there should be a "digital equivalency act" or something to hamper full digital capture, but my feelings aside, there's a few powers that dislike cash:
Free people like cash, but businesses with low-skill/low-trust workers dislike cash because despite the CC fees, there is less theft, less overhead with cash reconciliation, cameras to watch cash with, less safes to manage, less cash pickup services.
The IRS hates it because there is a cash industry (as there should be, imo, but I'm injecting too much opinion already) that doesn't report earnings. I personally know barbers, housecleaners, handymen that admit to reporting no or few earnings, and synthesize a living off cash and benefits. If you stop paying taxes, this actually works pretty well compared to a low-end tax-paying job. My housecleaner takes overseas vacations (like, thrifty ones in hostels) 2-3 times a year this way.
Banks (arguably the IRS again, deputizing them with KYC) squint at you when you deposit or withdraw significant cash - ask any weed industry participants. Untrackable currency is a natural catch-all for people they don't want to bank with, so it's just friction and headache naturally.
If there was a posted notice that no cash is accepted it's unlikely you'll get a criminal charge, but you can get civilly sued. Most places will just accept the cash then put up a picture saying "If this asshole shows up again, trespass him"
I worked at the gym in college and we sold like one item a day and it was still a whole bunch of work and pain to keep up on the cash counts correct.
I definitely believe that all businesses should take cash as much as is reasonable, but logistically it is understandable why some choose not to
If your operating costs are some percentage higher for accepting cash versus the coffee shop across the street that doesn't, you're more likely to fail.
Assuming you’re talking about the US here: there is no such requirement, at least not at the federal level. Individual states may have their own laws, but see for example this notice [0] from a Texas federal court that they will no longer accept cash as of May 21, 2021.
[0] https://www.txnb.uscourts.gov/news/notice-court-will-no-long...
If you wish to make an apple pie shop from scratch, you must first invent an economy that isn't hamstrung by legacy obligations from ventures that people who are long-dead somehow were allowed to finance with your paycheck. (Somewhere, a middle-aged nepo-baby is clutching her pearls at the thought, and I just think we should cherish, rather than shy from, the opportunity to throw her and her siblings under the bus.)
Anecdotally via friends in law enforcement.
I know the laws are far from perfect, but isn't there some legislation compelling them to disclose what they collect?
What specifically would be the most relevant law/regulation? (If it varies by geography, pick any major market, eg. California, that is big enough to impact their engineering design and the content of published material). You mentioned they're cagey, and my aim is to examine if there's a gap between what they're supposed to disclose and what they do, which could be rectified by litigation. Eg. If they just say "vehicle telemetry" that doesn't tell you much, and I'd happily contribute to an EFF effort to get them to elaborate.
Alternatively someone who works close to this code could provide some examples of what a "typical" smartphone OS platform collects these days.
The author seems unaware that in iOS you can uncheck nearly every single location usage the OS and Apple Apps themselves collect.
On iOS not only can you shut off things like traffic reporting while using Maps and cellular/WiFI/Bluetooth data collection...unlike Google, Apple will let you use those services without requiring you contribute to them.
The author provides links at the top to credible reporting on relatively well-known privacy concerns.
No, not really - at least not apple. They are very clear on what CarPlay’s privacy stance is, and they’ve got privacy white papers on pretty much everything:
Eg. https://www.apple.com/privacy/docs/Location_Services_White_P...
Again, at least on the apple front this comes off as a ton of “stated without evidence “
Allowing it to connect over Bluetooth requires granting AA plenty of additional permissions which I didn't want to do (but hey, on GOS at least you can muzzle that thing).
Another possibility is to keep an old/cheap, stock Android phone at home with WiFi only for apps like this.
What's more concerning is that it's entirely unclear exactly what information is shared over the Android Auto link, in my case, over Bluetooth.
A lot of this has obvious use within the AA interface; for example, the parking brake position is used to prevent scrolling too far through lists, and the car's GPS is usually much more accurate than the phone's and better on the phone battery.
0: https://github.com/f1xpl/aasdk/tree/development/aasdk_proto (pretty old reverse-engineering effort)
EDIT, previously "does not" above said "doe snot", which explains the reply below
Source? Can bluetooth devices do that without the user's knowledge?
How?
While the car has a sim card already, I can't use it for general purpose apps without a subscription. Only updates, remote control and I suppose telemetry.
I usually opt for choosing a bluetooth tether instead of wifi since I already establish a connection for calls, or music / audio books.
It isn't hard to imagine Android being able to transmit vehicle telemetry via the same means.
You can also "firewall" AA via something like TrackerControl, this would let you block connections to eg. Google Analytics servers without denying network access altogether (which would likely cause AA to stop working). I've only used AA with short-term rentals so I didn't spend too much time exploring these options.
not sure if this was caused by an OS update or an AA update because im certain it used to work fine
(not graphene, but friends otherwise stock samsung android)
Do you have evidence or a citation for this? Or is it just the sort of statement that’s made in the pretty certain expectation of upvotes on HN?
I guess it's fine in an emergency, but I wouldn't want to use it day-by-day, the live traffic/road closure information in my case ends up saving us tons of time over the year.
So I bought an Android auto / Car play module that integrates with the car touch screen. Now I have up to date maps and navigation for ever. :)
This option is also disabled in the UK - an intentionally preserved backdoor for government access.
I would be concerned that a passenger connecting their phone to it while I was driving.
In other cars I've been successful picking up the relevant modules for peanuts from surplus/scrap then just desoldering the RF-active components (like bt radios, etc) and swapping them in. YMMV but if it doesn't work you're just out the cost of a junk part.
Even if some radio feature is benign its existence means that its hard to be confident that there isn't some other telemetry feature you missed. With no connectivity at all you don't need to worry that you missed something because you can monitor the car with a spectrum analyzer and observe its never transmitting.
Unfortunately in some newer cars you can't swap any modules without a dealer tool to pair the module to the car, presumably in a bid to prevent third parties from fixing the car (presumably preventing people from lobotomizing their surveillance isn't on their radar yet).
https://www.toyota.com/configurator/build/step/summary/year/...
...maybe there is a lot of dealer markup in your area?
I think the inital point was that car manufacturers/dealers are double dipping through initial cost/interest AND data harvesting.
A free 55 inch tv supported by ads would be subsidized. A big ticket item price likely does not change even if it intrudes on your privacy and the manufacturer makes additional income on your data. In that sense it’s not subsidized it’s just greedy business practices.
Most (all?) ordinary TVs, plus things like Roku streaming devices, are sold essentially at-cost. The profit comes from ads and information-brokering stuff. This makes it basically impossible to break into the market without doing the same thing.
Different products exist at different price points to cater to different customers.
If you want to sell a subsidized product with the implication that there will be ads, that’s one business strategy, but to say that it’s not viable to have a higher end product that will not sell the user data because it’s not commercially viable is something I’ll have disagree with.
Computer monitors with no smart features wouldn’t viable if that was the case.