"where the user cannot directly access the data from the connected product or related service, the data holder must make the readily available data and necessary metadata accessible to the user without undue delay, in the same quality as available to the data holder, easily, securely, free of charge, in a structured, commonly used, machine-readable format, and continuously/in real time where relevant and technically feasible."
There is even special EU guidance for vehicle data for it: https://digital-strategy.ec.europa.eu/en/library/guidance-ve...
There doesn't seem to be much written about enforcing the Data Act, so I looked at the regulation directly. Article 39 [2] seems to require to first lodge a complaint with the competent authority as designated by the member state of your residence. Then when that authority invariably fails to act – I have no idea which timeframe we're talking about here – you can "in accordance with national law, either have the right to an effective judicial remedy or access to review by an impartial body with the appropriate expertise". But then you are suing that authority, and not the company directly (edit: I was originally unsure about who to sue under article 39, but 39(3) does clarify that it is the authority).
I would very much like to be wrong about this. I can imagine Muñoz vs. Superior Fruiticola applies [3] ("it must be possible to enforce that obligation by means of civil proceedings"), but I'm not at all sure, and it's a much weaker route than the one which the GDPR explicitly describes.
Would anyone know or have better references on how to enforce the Data Act, preferably individually?
[1] https://gdpr-info.eu/art-79-gdpr/
[2] https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:...
[3] https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELE...
It's a very cool and functional project but it is entirely dependent on companies keeping their APIs open, or, more commonly, companies not patching teh magic that makes reverse-engineered APIs possible.
Unfortunately, developments over the years have NOT gone in their favor. Tesla, Ring, MyQ, Ecobee and probably others have closed their APIs over the years. They've usually cited "security concerns" as the motivating factor for the API closures, which has some legitimacy, but IMO it's usually driven by fear of losing subscription revenue.
(Tesla charges a lot for official OAuth apps, though, to be fair, earlier hacks relied on a leaked OAuth app that they never got around to patching. Ecobee locked HomeKit and some other stuff behind their Security+ Subscription, which is a joke considering how anemic their security platform is. MyQ definitely did it to protect their $45/year subscription; jokes on them since RATGDO is infinitely better. Ring still works for some reason, but HomeKit Secure Video support is extremely dicey in part due to the fear of them turning their API off as well.)
For someone like me who primarily used HA for HomeKit integration, depending on it is a ticking timebob. When we moved into our new house, I focused on finding stuff that was natively compatible with HomeKit without workarounds. Our smart home works much better now because of it.
r/opensource_legalaid let's reply and demand access to the data.
I don't really understand it, it doesn't seem to offer a huge potential revenue stream and it pisses off the people who are most invested in your product.
This is mostly a corporate problem of risk aversion in my opinion. Some department writes down a risk assessment with a list of miniscule risks, for example of some 3rd party app backend being hacked. Or just a headline "Tinkerer hacked his car to use with his home assistant" in the local press. This list circulates, and since nobody in the middle management wants to be responsible for anything, and there is no officially approved positive use case, draconian countermeasures are drafted and constructed one by one.
Except when it’s about privacy or anything else we actually care about: then absolutely nothing is done because it would cost more than 0 to do anything.
It's pretty sad that "User used their product in a novel way we didn't expect" is seen as a risk that must be mitigated.
I hope I won't be in one of those cars when the in-memory encryption key gets bit-flipped by the unfortunate cosmic ray.
https://en.wikipedia.org/wiki/2009%E2%80%932011_Toyota_vehic...
They appear to have seen making their Home Connect platform open as at least in part a matter of compliance with EU data transparency and portability laws.
Take a look what the automotive risc-v people are working on or the requirements of the EU cyber resilience act.
https://github.com/robinostlund/homeassistant-volkswagencarn...
Why are they shooting them selves in the feet? Is this really a tangible income stream? Is it really increasing security?
They don’t. Majority of users don’t care, and some middle manager shmuck, working on MySkoda, can report how “we” prevented a huge security risk and funneled valuable ~~cattle~~ user data where it belongs.
Because people will still buy their cars. The average Joe has very little regard for their privacy. We've been trained to be numb.
> Is this really a tangible income stream?
Yep.
> Is it really increasing security?
Nope.
I have VW and I suppose We Connect, there's not a single thing that's worth paying for, not when you have CarPlay and Android Auto (or whatever that's called). If anything I'd prefer that they'd just drop the personalization they do with users. Our car will forever assume that my wife is driving, because that what the dealer configured and none of us care to mess around with it.
But yeah, people will buy the cars anyway, because all the automation is something that only an incredibly small segment has any interest in. It's just weird that those who actually care about connected cars are the only one VW is punishing with this move.
I tend to agree. But the counterpoint is Tesla. They charge for API access, and there are several businesses that exist to make that data available to customers. I don’t know how valuable it really is, but it’s working. My wife would pay Ford for the level of data she was getting from TeslaFi but instead she gives it to MileIQ. It’s not huge but that adds up.
1. They dont think anyone will stop buying their cars because of this
2. They want to make more money
3. (speculation) The drop in demand for their cars in china is leaving them fucked, they need revenue now
What's worse is that other manufacturers are starting to do the same thing. They all see unofficial integrations as lost revenue (less of your data to sell because you don't use their app), and higher costs because the usage still comes on their cloud spend bill.
I was talking to my gadget-passionate (but not techie) best friend when the company making our cars made it more difficult to authenticate using the HA integration. He looked at me like I switched to an alien language. "Who cares? Don't you use the app?".
It's practically a law of business: executives prioritize their power first and their company's profit margins second. This is one reason why outsourcing coding was so popular despite not saving money and being so commercially disastrous - execs were in the driving seat with that relationship much more than they were with us.
Despite what some people will tell you about how the home assistant consumer segment "doesn't matter" (it does) it really is more about the tangibility of control over data vs the intangibility of lost consumer goodwill.
Companies are not profit maximizing at all costs. The shareholders and the executives are not a singular body they have different and sometimes wildly divergent interests.
Same mentality behind companies who insist users have an "account" to use their otherwise-unconnected products.
I recently hit the same wall trying to directly my garage door opener's API (MyQ).
I'd be amazed if Google enabling this behavior doesn't violate some EU competition laws.
In this case, it's by Play Protect on Android, and whatever they use on iOS.
or products/companies that explicitly expose API access to their products.
Well, that and making it possible to deploy devices you own in environments where they might be physically accessible to people you don't want extracting credentials from them. Or for ensuring people can only access sensitive company information on company issued devices rather than being able to casually make a copy of any data they have access to somewhere else. Or using a phone as a credit card payment terminal without the possibility of displaying one payment amount on screen and authorising for a different amount.
I'm quite firmly in favour of anything I own giving access to the data it's generating in an open format but screaming about how there's no legitimate use for attestation is quite simply nonsense.
It only attests that the device booted normally (locked bootloader, factory firmware, etc.). Any kind of post-boot compromise (whether it's from malware or something user-initiated) goes completely undetected and does not impact attestation status.
Caught one in the wild!
so even if T&C does not make sense, usually courts are in favour of enforcing them.
unless some severe contradiction with constitution or alike, or serious harm to people or something, they would throw away T&C in cases. but AFAIK that is rare.
And there's no law demanding you get access to a proprietary system (as of right now) that would override a T&C restriction.
It's not a "law", it's always under the law like any contract. And a court will not enforce illegal terms unless something very shady is afoot. The law always takes precedence, Even "lowly" laws, not just the constitution. In case of conflict the law wins so you can't have illegal provisions in the T&C even if you agree to them. They can give you extra rights but they can't take away the ones you have legally.
The principle is simple, the company isn't allowed to ask for illegal things. Your agreement is irrelevant because you are not entitled to legitimize an illegal demand.
The problem is you need to go to court if the company won't cooperate.
Laws work like that because there's a hierarchy in the legal system too but that's about it for commonality.
They lost a lifetime customer in me - i think i have spent close to 20k on garmin gear between my wife and myself, watches, gps devices for cars, boats, and hiking gear. If they refuse to give me access to my data, i will (a) lobby for laws to be passed to make this mandatory (b) absolutely never ever buy anything garmin until i see a reversal of this policy and an apology.
More broadly though, its yet another service that blocks API access. No doubt this is caused by proliferation of amateurs armed with agentic tools building nice, personalized frontends for themselves. Companies seem to absolutely hate it when people dont go through their shitty websites with dark patterns, misleading search results and analytics.
[0]: https://github.com/cyberjunky/python-garminconnectFor now its just tls fingerprinting, not client attestation - so, I managed to implement a working solution. But I am sure they will tighten the screws still further.
The only annoyance is that Garmin requires 2FA if you enable the ECG feature on your smart watch/fitness tracker, but I have a small program that reads the 2FA codes from my Gmail inbox and supplies them to the scraper without too much trouble.
Where's the open source phone?
The open source washing machine?
That was even the norm for complex electronics for decades. But since it makes it easy to reverse engineer it, it's no longer being done due to fear of cheap clones (often inferior, and still doesn't stop anyone these days).
And people buys them because they don't care
https://steveblank.com/2009/12/21/the-elves-leave-middle-ear...
Math was never my strong point, but AFAIK the "not that many" of the US is still a greater number than the zero of Germany.
And China, well, it's a dictatorship with effectively unlimited foreign currency reserves. They can do whatever they want.
Care to elaborate? I was under impression that absolute majority of startups in US are fully funded by a (private) venture capital. There are (were?) some exceptions like tax reductions on "green" projects, but they were not restricted to startups/small companies in any way.
Tesla got a shitload of government funding, including a 465 million dollar loan [1]. SpaceX was effectively funded by NASA in its early days. In total, the Muskverse alone got 38 billion dollars [2]. Bezos' Blue Origin got at least 1.5 billion dollars [3].
Sure, by number most startups are fully privately funded. But that doesn't mean the US government isn't willing to help things along, at least for those well connected. And on top of that come government research grants to universities who then spin off companies and keep the profits from the spinoffs.
[1] https://finance.yahoo.com/news/elon-musk-paid-off-teslas-193...
[2] https://www.congress.gov/119/meeting/house/117956/documents/...
[3] https://thehill.com/lobbying/5113500-bottom-line-bezos-blue-...
How much money, grants, tax-breaks, favorable loans and regulation, etc did the German, French, Italian car companies get from their local governments?
> But that doesn't mean the US government isn't willing to help things along, at least for those well connected.
As if Schroeder, Merkel, Scholz, etc didn't roll over backwards for their private industry political backers. The CEOs of VW, BMW and Daimler had those guys on speed dial.
Please, let's not pretend only the US government is helping its giants and the Europeans never.
German auto makers were wealthier than the US auto makers. Germany's GDP is now third in the world. There is capital.
>Germans don't want taxpayer money to be spent on risky adventures
But they wanted it to be spent on Russian gas pipelines, foreign aid, anti nuclear activism, and in the pockets of politically connected multinationals like T-systems to build another "government digitalization project" while their internet speed lacks behind developing nations?
>that might bring losses
If they hate losses, why do they keep losing? Germany decline in past 15 years seems like its a self fulfilling prophecy. The more risk averse they are to avoid change or losses, the more they keep losing to economies who embraced change, disruption and risk.
The problem is, that capital is stuck in the bank accounts of the uber rich.
> But they wanted it to be spent on Russian gas pipelines, foreign aid, anti nuclear activism, and in the pockets of politically connected multinationals like T-systems to build another "government digitalization project" while their internet speed lacks behind developing nations?
- Nordstream was privately funded, half by Gazprom, half by a consortium of privately owned large utilities
- Germany has drastically cut back on foreign aid funding, which in return killed off a lot of the goodwill Germany enjoyed in the Global South, we all know that China and Russia filled the gap. The numbers go up in theory but that's only due to funding for Ukraine.
- Anti-nuclear activism never got significant amounts of funding, instead dealing with the nuclear waste costs 1.4 billion euros a year, only 400 million euros are actually going towards the environment [1].
The only point you actually got somewhat correct is
> in the pockets of politically connected multinationals like T-systems to build another "government digitalization project" while their internet speed lacks behind developing nations?
The problem is, again, risk avoidance. Public tenders are written to prefer established players like SAP, T-Systems et al that can prove decades of experience in government projects. Partially that is due to incompetence, partially it is to shrink the bidder pool and avoid the risk of getting entire projects held up for years by lawsuits of bidders who lost.
The lack of internet speed doesn't come from a lack of public investment. Telekom has been privatized for decades. The problem here is regulatory incompetence.
> Germany decline in past 15 years seems like its a self fulfilling prophecy. The more risk averse they are to avoid change or losses, the more they keep losing to economies who embraced change, disruption and risk.
Agreed. The b00mer brainrot runs heavy here.
Germany now surpassed the US as the biggest foreign aid spender in the world, in absolute terms, not per capita
A lot of the foreign aid budget is going to Ukraine [1], and the sum that goes to Ukraine isn't even including military aid.
Note, I have zero issue with aid going to Ukraine, and in fact it's still not enough - the issue I have is that a lot of other places simply fall through the gaps.
[1] https://de.statista.com/infografik/25614/groesste-empfaenger...
And do you also believe what Merkel said that "it's purely a commercial venture"?
Who chairs those "privately owned large utilities"?
What are the links between those people and "the establishment" that includes people like Merkel (earlier Shroeder - his work for Gazprom was also purely commercial venture of a private citizen, right?).
That establishment deciding its a great opportunity for Germany to be the Russian gas station of rest of Europe forced to use that gas as the only "green transition" hydrocarbon.
And not only was it a great commercial venture (that had in its profitability calculation getting rid of nuclear - including blocking countries like Poland from building it, squeezing out other countries that own pipelines again such as Poland/Ukraine/Hungary and so on and forced "transition" to gas for the EU - let's not kid ourselves, renewables will never be more than 50% of base load unless battery tech gets cheaper, so that "transition fuel" would last for 50+ years.
It also contained a humanitarian element of giving Putin huge amount of money therefore making sure the dictator will absolutely not use it to build armies to invade his neighbours (despite doing that already at the time in Georgia for example), but he will get used to that money so much he will spend it all and will not want to stop it coming therefore granting eternal peace in Europe.
Anyone who thought the public will swallow this must have been high... But the Germans did.
"nothing to see here" - right?
I for one am glad hopefully the German public realises what kind of state Russia is now, and what "doing business" with them leads to (it corrupts your own country) , but how long that knowledge remains, and why it took a full scale war in Europe to acquire it I don't know.
That's not the point here (and for what it's worth, Nord Stream should never have been started in the first place, and we should have cancelled it the day that "little green men" arrived in Ukraine).
My point was and is that Germany is traditionally very reluctant in handing out government funds and especially government-backed debt to private industry in general while the US has all but zero issues.
I hate Elon as much as the next guy, but Tesla is still playing the API game way better than the rest of the pack (even with the "not so new" Tesla Fleet API change)
I was dealing with this 6 weeks ago!
But I hate to deal with car dealerships, they are the worse kind of salespeople out there, trying to sell you what they need to sell rather what you need to buy. You need to go there with a very, very well informed opinion about it. But then they will play the discounts card...
Even Google Maps is usable without an account.
Only regulation can help.. or a revolution in case the political system in your country is broken..
I think revolutions are more successful when there is some new idea of what to replace the system with. Currently I did not see anything remotely interesting (ex: french revolution came with the new idea of equality before the law, which was not the case before), and I think is mostly due to low overall education - you can't improve a system if most of the people do not think about complex issues like laws, taxes, efficiency, etc. Everybody loves to point a finger at someone and blame them (immigrants, rich people, woke people, etc.) like that would "miraculously" solve any issue.
The anti-regulation arguments aren't framed as "market competition is bad", but rather "the market will sort itself out without intervention" and "let companies do whatever they want to avoid killing innovation".
I'm all for voting with my wallet, but it gets exhausting trying to be a few steps ahead. And then nothing guarantees that there won't be a rug pull once you bought the car.
> or petition to government to put pressure on them
Right. Not sure why you have to mention it, since everybody knows this works oh so well.
The problem is that all these T&Cs are just pages upon pages of legalese that not only nobody understands or even reads, but that also aren't exactly advertised before buying. "Buy our smart widget! It only works with its own app, and we'll only support it for a ridiculously short time! Please don't upgrade your phone, or it will stop working!"
Of course governments should do something about it, but even here in the EU, they don't seem too bothered. Hell, even people seem generally fine with it, judging by the number of crappy widgets they buy.
That maybe fine, but if something is allowed at the time I've bought the car, and then the manufacturer changes their policy such that the usage that I did is no longer allowed?
BTW, to me this is bullshit, first cars shouldn't be connected to the internet in the first place, in the case that they are, I would need to be in full control of what I can do with the API, not that I need to use special software to talk to my own car.
good point. yet, I bet in their T&C it was covered. it was just not enforced. and usually they have claim like "if we fail to enforce any part of agreement does not constitue waiver.". so most likely it was expected all along, they were not technically adept to actualyl enforce this. now they can.
but, if your claim stands, I bet you can win case against them.
> cars shouldn't be connected to the internet
yep, same with you on this one.
If you had any actual understanding—:as opposed to just hearing this little factoid in passing and have been waiting for every opportunity to whip it out— you’d know that already. It’s funny as a quip, but don’t for a a second act like it’s a legitimate point, which is exactly what you’re doing.
These two sentences seem to be completely unrelated.