Cars Are Delivering Tons Of Driving Data To Manufacturers With Minimal Security And Even Less Transparency
from the introducing-the-2015-Lexus-CI dept
Nothing's driving the acquisition of data faster than, well, driving. As new technology makes its way into vehicles, so does the apparent desire to harvest information about the vehicle itself. Between the outside harvesting (automatic plate readers that gather plate/location data, as well as photos of vehicle occupants) and the "inside" transmissions, there's very little any number of unknown entities won't know about a person's driving habits. And that's not even including what's transmitted and collected by drivers' omnipresent smartphones and their installed apps.
Sen. Edward Markey has expressed some alarm at the amount of data being collected (and distributed) by vehicle manufacturers. His office has produced a report [pdf link] showing that while many manufacturers are involved in collecting data, very few of them seem concerned about the attendant risks. Even worse, many respondents to his office's questionnaire seem to show very little understanding of the underlying technology and most have not made an effort to fully inform customers as to how much is being collected or how it's being distributed.
Drivers of today's connected cars aren't going to like the report's findings.
Nearly 100% of cars on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions.While some basic security measures have been implemented, the fact remains that transmitting data always poses a risk. Three of the 14 manufacturers that responded to Markey's questions had actually let their security measures stagnate or decrease from 2013 to 2014, even as the amount of data transmitted rose. Worse, many of the respondents deployed security measures in a "haphazard and inconsistent" fashion, and nearly all respondents seemed unable to fully process the questions posed by Markey's office.
Of the 16 automobile manufacturers that responded to the letter, 13 of them addressed these questions in some way. Chrysler, Mercedes-Benz, and Mazda did not respond to the question at all, and five other manufacturers provided general responses that addressed the question as a whole instead of providing specific responses to the questions’ sub-parts.These four-wheeled tracking devices are collecting and transmitting tons of data, including GPS location, sudden accelerations/decelerations, seatbelt usage, destinations entered into navigation systems, last location parked, distance and time traveled and a variety of information on other driving components. Almost all of this is transmitted back to the manufacturer for their own use.
[...]
Seven of the manufacturers stated that they use third-party testing to verify their security measures, while 5 stated that they do not and 4 did not respond to this part of the question.
[...]
The manufacturers were also asked about how they secure this type of software delivery [updates/patches]. Each manufacturer responded with descriptions of how they provide such software through authorized dealers with the appropriate tools. Automobile security experts consulted by Senator Markey’s staff said that all of the responses are similar in that they presume a malicious actor could not access or acquire the technologies that mechanics have. They state that software updates for systems should be cryptographically verified by the ECU being updated in order to effectively prevent intrusions.
Nearly 100% of 2014 vehicles record and transmit driving history. Most of these manufacturers could not provide a satisfactory answer as to how they secure this data during transmission and more than half store this information "off-board" at their own data centers. Manufacturers seem to consider "on-board" collections as inherently secure.
In the case of on-board storage, no manufacturer described any security system to protect that data, and several of them noted that no security measure is needed since accessing data would require a hardwire connection.But that doesn't mean they treat wireless transmissions with much more care.
Regarding security measures to protect data that is wirelessly transmitted outside the vehicle, only 6 responses were received. Of those, 5 provided vague responses naming encryption, passwords, or general IT security practices, and only 1 specifically mentioned that they designed their systems to limit the transfer of personally identifiable information.Part of this is due to the fact that automakers' security measures are purely voluntariy at this point. But the fact that it would likely take a federal mandate to improve security is disappointing. Not only are manufacturers less than forthcoming about how much data they're collecting, but they're apparently uninterested in providing a minimal level of customer service, i.e., proactively assuring these data transmissions are secure.
As for the data harvesting itself, manufacturers can't seem to find a better justification for this than "improving the customer experience" -- a phrase pretty much synonymous with "selling customers more stuff" or "collecting for collecting's sake." Most manufacturers retain this data for one to ten years, with only one manufacturer offering the option for users to delete their data at any time. But that single nod to customer agency is far outweighed by the general indifference shown by the rest.
Markey's report finds that purchasers may be allowed to "opt out" of certain collections, but this often comes at the expense of certain functions. No manufacturer presents this information up front, preferring to hide it in owner's manuals and terms of service agreements. The default should be "opt-in," with upfront explanations of what, how and why data is collected. But that would lead to a dearth of information, and automakers, like many other private companies, prefer to gather data first and deal with the fallout later.
Although it goes unmentioned in Markey's report, there's also the question of how this data is handled when the government comes looking for it. Most of what's collected would presumably fall under the Third Party Doctrine (with drivers "knowingly" turning this information over because of page 173 in the owner's manual, etc.), which means it can be acquired by law enforcement/intelligence agencies with minimal effort/paperwork. There are also other government intrusions that need to be considered as well, like California's desire to tie state-enforced emission standards to driving information already gathered by a number of manufacturers. Not only are manufacturers not guarding against having their collections hijacked by criminals, they seem equally unconcerned about safeguarding this vast amount of data from the government itself.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: cars, data, privacy, smart cars, transparency
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
How is this data being collected?
[ link to this | view in chronology ]
Re: How is this data being collected?
So how do I know my car doesn't have a hidden cel antenna? I don't. Unless I want to tear the whole thing apart.
[ link to this | view in chronology ]
Re: Re: How is this data being collected?
The internet to the rescue here. You can find out whether your particular car comes with this stuff and where the antenna is pretty quickly. As well as instructions for how to disable it.
[ link to this | view in chronology ]
Re: Re: Re: How is this data being collected?
[ link to this | view in chronology ]
Re: How is this data being collected?
[ link to this | view in chronology ]
Re: Re: How is this data being collected?
But what the car manufacturers use isn't always OnStar. They have their own thing going.
[ link to this | view in chronology ]
Re: How is this data being collected?
[ link to this | view in chronology ]
Re: Re: How is this data being collected?
[ link to this | view in chronology ]
Re: Re: Re: How is this data being collected?
[ link to this | view in chronology ]
Re: How is this data being collected?
Every station you play on Pandora (main selling point of 4G in the car), every search in Google, your voice, everywheer you go, how fast you drive, how hard you corner, how hard you slam on the brakes, etc. can be sent to the manufacturer and sold to insurance companies, advertisers, and given away to Law Enforcement.
Now that car seats can record weight as well, they will be able to ID the driver in the car. Welcome to a world where cops won't even need to pull you over to give you a ticket for speeding - they will just send you one in the mail.
Also, a lot of cars have cameras that watch your face so they can beep if you close your eyes or look away and most cars now have voice recognition. They can spy on all that...
[ link to this | view in chronology ]
Re: Re: How is this data being collected?
[ link to this | view in chronology ]
Re: Re: Re: How is this data being collected?
https://media.ford.com/content/fordmedia/fna/us/ en/news/2010/01/07/ford-sync-connects-car-with-internet--new-wifi-receiver--built-i.html
That's the 2 big American companies - Chevy promises a full 4g LTE in their entire lineup within the next couple years and already has almost every 2015 car...
[ link to this | view in chronology ]
Re: Re: Re: How is this data being collected?
http://www.dailymail.co.uk/sciencetech/article-2740588/Your-car-watching-GM-roll-eye-trackin g-technology-knows-not-paying-attention-road.html
http://www.technologyreview.com/news/533801/jaguar- demos-a-car-that-keeps-an-eye-on-its-driver/
[ link to this | view in chronology ]
Re: Re: How is this data being collected?
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Questions Questions
2. HOW do they get a vehicle to GOTO a station to have data gathered? Interesting? that your car has Full Ram, and starts running like CRAP, so you goto a Local dealer to have service..And CHARGED to have it read..
3. UPDATE my cars computer? CHANGE how it runs?? Without My knowledge??
4. wireless UPDATES??? NO NO NO NO NO...
5. wireless Bypass into my OWN net?? Cellphone service?? WHo is paying for this?
Odds are that it collects data, and then causes the care to hiccup, so you have to take it into the shop, then be charged $50+ to read the data to be sent...from That point, they can do alot of things to you.. Ever wonder WHy the service light goes on, every 5000 miles?
[ link to this | view in chronology ]
Re: Questions Questions
There is absolutely no reason to think that they intentionally cause and error so that they can steal data at the service station. First, reliability is important to drivers. Second, that kind of infrastructure is not at all trivial to install and manage.
The data is collected through OnStar or Sync, apparently. These services come with cellular connections.
[ link to this | view in chronology ]
Re: Questions Questions
2. They don't need to
3. Yup
4. Yup.
5. The car companies do. The expense to them is very minimal.
[ link to this | view in chronology ]
Hmmm
reliability?? not in this generation..After 5 years 1/2 the plastic in the engine are starting to fail.. Many cars you see it in the mileage changes..
And you dont pay for onstar? Sync?
You really think they only do the higher end, more expensive cars??
Im sorry, I HATE electronics in my car. And I believe the engine computer could do better, IF they didnt add restrictions to it..(yes they place restrictions in the programming)
[ link to this | view in chronology ]
CAN BUS - safety
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Assume they have it
It is almost certain that the government has already compromised the minimal security, and they already have all that data. That is much too deep a treasure trove for them to have ignored.
[ link to this | view in chronology ]
I have a Nissan Leaf (UK). The always on connectivity is merely 2G. I doubt detailed travel records are kept, only the maps I`ve sent to car. Most of these functions are two way, I can remotely put the heating on or tell it to charge. In response it lets me know what its up to.
However, setting the car to read out RSS used to return speed and location back to that server, it was highlighted almost immediately so they took it off.
Can see the eco/distances/number of trips used on the car but sadly not routes.
I have a third party apps that grabs the CANBUS data. Its better than the cars instrumentation.
There is a lot of interest in hacking cars and I`m not surprised after new German made cars have raced off and sent some politically unwanted people to their sudden and early deaths.
[ link to this | view in chronology ]
I've already witnessed first hand E911 GPS pings being sent to my cellphone and my GPS icon flashing. Despite the fact I had GPS option disabled in the phone's settings. I'm certain similar backdoor over-ride commands will be built into cars too.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Car Donation
Many people donating a car to get tax benefit so, many charity organizations offering a <A href="https://freecarshelp.com/government-car-assistance/">free car</a>
[ link to this | view in chronology ]