> Plaintiff did not want OnStar services and so he did not push the blue button "to get started." The email provides no mention of OnStar's Smart Driver Program.
…
> In or around January 2024, Plaintiff received his requested LexisNexis consumer disclosure. The report, as of December 18, 2023, had 258 recorded driving events under the "Telematics" subsection. Each driving event included trip details that show the start date, end date, start time, end time, acceleration events, hard brake events, high speed events, distance, and VIN.
…
> Plaintiff had never opted into any insurance program that would have allowed his information to be shared.
And if you own a car made in the last ~5 years, here's how to request your "Consumer Disclosure Report" from LexisNexis: https://consumer.risk.lexisnexis.com/ . According to NYT, LexisNexis receives at least some data from GM, Ford, Kia, Subaru, and Mitsubishi.
I wrote about this after my gag order expired. GM was shipping all telematics data to a big data cluster processing 100gbps of data (with double the data once Cisco released 400gbps support). Originally it was to help price their used cars. A noble effort I supported. I didn’t know about the sales to insurance brokers, but should have assumed that was coming.
Anyway cat is out of the bag, they won’t undo this feature they will pay a fine, offer an opt-out to 5% of users who take up the offer and in 10 years time everyone will assume their driving habits are being monitored by their insurance company.
How do I know this? It’s been 10 years since the hoopla about realtime location data being sold. Last night I saw my home IP address reports my location with .25 mile accuracy. Guess that $5 check from Verizon was the fine they had to pay!
Some time last year I wrote a comment here on HN about my Bolt EUV and OnStar. I can’t remember exactly what I wrote and don’t want to dig for it, but I said something like being happy with the vehicle and had disabled all of the OnStar features/tracking soon after I purchased it. Somebody replied that they were intimately familiar with the OnStar/GM project, having worked on it, and that it was still tracking me despite not being subscribed to any of their services and having turned off all the features in the car that I could. They couldn’t elaborate further, I assume because of an NDA or something. I bet dollars to donuts that this is what they were talking about now.
Edit: thanks to Stavros for finding the comment below. It looks like you were in fact the person I was talking to 11 months ago. Small world!
This is sorta unrelated, but in your previous comment you mentioned:
> least right now using CarPlay they aren’t getting all the data about which books or music I’m listening to.
CarPlay absolutely reports currently playing audio metadata back to the car. I've driven multiple cars that display the currently playing song, etc. in the driving instruments cluster.
Plain old Bluetooth has supported track/caller data for many years now (ex: AVRCP 1.3) so it should be no surprise that cars were made that read and display that information.
That said, if my car persisted that information I'd be rather suspicious.
P.S.: It's also not unknown to have a certain level of address-book contact sharing over BT, since people were making hands-free calls in their car long before CarPlay/Android-Auto came around.
Yeah, I noticed that at some point last year. This is my first vehicle with CarPlay, so I’m not sure how it works in other vehicles, but with mine the CarPlay interface completely replaces the infotainment display. The car will also show the current media in the cluster, but it’s a few clicks away and not what I had configured. I finally realized that the car was still able to see what I was listening to with CarPlay when I navigated back to the car’s default Home Screen while idling one day and saw the name of my book playing in the car’s native media app.
There it is, thank you! That’s exactly the conversation I was thinking of. And I see now that the person I was talking to was in fact the very person I replied to here in this thread.
I purchased a Bolt as well. Literally the day after I drove it off the lot, I found and modified the electrical connections to the OnStar antenna system, as I'm fairly handy with electronics and work on all my own cars. If you yank the fuse you'll also lose hands-free Bluetooth calling and some other features, so you have to use it.
Anyway, told this story to many people, and they looked at me like I'm a conspiracy nut. Well this will be the 1000th conspiracy I worried about that turned out to be completely true, imagine that.
I own a Bolt (bought used) and have never activated OnStar, and I'm extremely unhappy to learn that it might be spying on me.
I did some reading when the NYT article came out, and found this, which explains how to install a terminator on the antenna to disable the cell connection:
https://imgur.com/gallery/n00QKnH. If you go that route, it's probably prudent to make sure your car isn't connected to wifi, either. (Edit: looks like that guide came from here: https://www.reddit.com/r/BoltEV/comments/16h91a6/i_made_a_st...)
^ that Bolt forum thread also talks about some of the downsides of disabling the antenna (e.g. GPS won't work so your home/away charging settings don't work anymore).
Phone meta data is tracked. Car meta data is tracked. Supplement with credit card data, browsing history, the Rings in your neighborhood, etc., etc., etc.
Per, "Stand Out of Our Light", we don't stand a chance.
Remember that 10 or 20 years ago, BEFORE phone, car and doorbell camera data was tracked, people were already saying "everything is tracked, we don't stand a chance", and this defeatist attitude has since contributed to allowing phone, car and doorbell camera data to be tracked as well.
You'd have to read the book. He uses "you don't stand a chance" in the context of will power.
That is, in short, (and I'm paraphrasing): ...Some of the brightest human behavior experts in the world are being financed by some of the deepest pockets in the history of the world to influence your (read: our) behavior... Just use will power? You don't stand a chance.
The "defeatist" to me is, "I don't have anything to hide." That might be true, but those influence super powers are going to use that "nothing to hide" against you.
Read the book. It's just over 100 pages. It's on the order of "The Age of Surveillance Capitalism" but that book is 500+ pages. THoSC is great but it's a serious commitment.
> He uses "you don't stand a chance" in the context of will power.
Having taken every reasonable measure I can to stop being spied on, I can concur that it does take a lot of willpower. As in, being willing to come across as a total ass to those trying to spy on you on behalf of their employers and also willing to literally walk away from the register leaving the stuff you've collected in the hopes of buying. ("But we require your name and phone number or we won't honor any of the warranties for what you're buying.") Paying cash for everything. Avoiding specific restaurants and shops that don't accept cash. Foregoing "members discounts" at the grocery market. Buying a specific phone just to install a third-party privacy-centric ROM. Buying a specific car just to be able to pull the fuse that powers the transmitter.
You can drastically reduce the amount of information that the data brokers collect on you, but I've found it's almost as if you need to adopt a new lifestyle in a lot of ways.
Guess we live in different worlds. Pretty much everyone around me, friend, family, coworker, or neighbor is fully aware and expecting any and all devices around them to be spying. Not all care or think it's nefarious though.
Welcome to customized pricing for everything, based on how much they think you value inconvenience vs spending money.
Dark patterns are the new frontier of corporate greed. Every business model now needs a “moat” (monopoly) to be considered fundable. The antitrust skirtings are built into the whitepaper these days, and having competition in your space is a bad smell. The invisible hand of the market and all that lol.
Most cars have an integrated SIM. You can either pull the fuse, and lose a bunch of functionality, or if you're clever, throw an attenuator on the antenna rendering it useless but preserving the functionality of the rest of your car.
Do they not store it and just upload it once the car goes in for service? I have a 32 Gb mini SD card the size of a fingernail that was like $10, something like that would store a fuckload of hard braking events.
Amazon Basics SD micros are $20 for 2x 64 GB at retail. For $10 I'm sure that's a chance they're willing to take. They'll just raise the MSRP by $100 to compensate.
You are not thinking outside the box enough. The manufacturer has a specific system requirement for certain tasks such as ECU reprogramming and key replacement. You must use the manufacturer-furnished tool to do such an operation. This tool will pull all data, including GPS, entertainment, etc., which includes your driving style, locations, etc.
Time to pop it in a data usage heavy device for free data.
The BBC or someone has had at least one article about a bird tracking device that operated via cellular and a SIM that expected 5k or less data a month suddenly started charging gigs a month in their home continent just after the last natural-looking flight of the bird ended; the ornithological society involved had a few shock bills.
From what I know, this wouldn't work. I worked for a telco and the way they explained it to me is that SIMs for these purposes are not the same as consumer SIMs. They end up on a different network using a different APN and they typically go straight to a VPN or other private network for their owner. And no, you can't reconfigure them to the consumer APN (I asked). (This was not in the US btw.)
Most SIMs for such purposes are sat directly on an L2TP connection or similar. They’re often not public internet.
As a consumer you can buy similar - I know my ISP (A&A) will sell you (quite reasonably) a SIM that will drop straight onto an L2TP connection of your choosing.
> Anyway cat is out of the bag, they won’t undo this feature they will pay a fine, offer an opt-out to 5% of users who take up the offer and in 10 years time everyone will assume their driving habits are being monitored by their insurance company.
So can't the plaintiffs just request an order compelling GM and others to remove the feature forever as part of the remedies?
Specific Performance. A court can order as the equitable remedy that one of the parties does a specific thing. Yes, in principle. But no in practice.
The real world use of Specific Performance is mostly in Real Property ie the ownership of land and this is because land is very obviously not fungible. The square meter of land I need to get my cows from the grazing field to the nearby milking shed is not in any way equivalent to an otherwise similar square meter of land on the far side of the field leading nowhere, and having the wrong one can't meaningfully be compensated with money whereas the court can just order Specific Performance (ie the wrongful owner hands over the land) to fix the problem.
But even beyond that in practice class actions are primarily about the lawyers getting a healthy pay day. $1M each for us as lawyers and each individual "participant" in the class action gets $1 and a 5% discount coupon that expires in six weeks? Sounds good. For the lawyers the incentive is that pay day and the only reason to care about their participants is that if they're treated too poorly a judge may not sign off on the deal.
The visceral desire for retribution is half of the problem here. Companies respond to incentives. The problem isn't generally the price. When they get caught the cost is generally more than the benefit they received.
The problem is that they often don't get caught, or find a way to weasel out of it. As a result the managers who do it will be rewarded most of the time, and even when they're on the wrong side of the gamble, half the time they'll already have left for another company. Raising the penalty wouldn't deter that.
What you need is a remedy that can address the offense. Order them to publish the source code to the system for 10 years, so that anyone can audit or modify it in case they try something similar again. Not only does it make it harder for them to reoffend, it's the kind of penalty that corporate lawyers hate, and then they'll be more likely to insist on policies to prevent that from happening to begin with, which puts pressure on preventing the problem from a different angle.
Specific performance is a contractual remedy. It is rarely granted because contracts are usually about business arrangements, and you can solve most of those problems with money. So for contracts the usual remedy is monetary damages.
Courts are more than able to order parties to do things without invoking specific performance via injunctive relief, which you’ll see from the complaint is what is being sought by the plaintiffs.
This is true of almost all equitable remedies - you have to show that money won’t make you whole. Luckily the bar for that is much lower than for contractual disputes, especially disputes like this where an ongoing violation of someone’s statutory rights is allegedly happening.
> in 10 years time everyone will assume their driving habits are being monitored by their insurance company.
And even if there continues to be an opt-out, those plans will become so prohibitively expensive that you're essentially forced to allow your insurer to spy on you. Privacy is always priced out in the free market. Regulation is the only way. It's not a net benefit to society, just outlaw egregious data collection.
How does the data leave the device? I tried to route traffic from the infotainment system into a WiFi network I was wiresharking, and I saw a lot of GM traffic but I couldn’t install a cert to MitM because I couldn’t figure out how to access the Android settings for the dash OS.
Is the traffic through there or is it totally within the CANBUS and never hits the WiFi outbound? In that case do you need to hijack the 4G?
Not that I support any of this, but why would networking speed be the bottleneck in that system? Telematics seems very much like an OLAP situation where data ingest and querying can be asynchronous.
> And if you own a car made in the last ~5 years, here's how to request your "Consumer Disclosure Report" from LexisNexis: https://consumer.risk.lexisnexis.com/ . According to NYT, LexisNexis receives at least some data from GM, Ford, Kia, Subaru, and Mitsubishi.
Appreciate this link! I don't have one of the listed brands (own a Mazda) but I am curious to see what info data brokers like this have on me in general.
Also, maybe this is a naive thought but I think data brokers like this are so used to operating in the shadows / being forgotten about so I think the more folks who request is at least a small signal to them that folks are paying attention.
Wow, I just submitted the consumer disclosure report this morning after finding out about it from somewhere else. I am VERY interested to see if anything is reported from my car since I don't have any of the addons/monthly fees.
I assume LexisNexis does not provide this report out of the goodness of their heart, it must be required by FCRA?
If I really don't like LexisNexis collecting this data, or if I really just want to stay on top of my credit status, is there any reason not to script something to request a physically mailed report every day? Not sure how much they pay per mailing, but 365 of them can't be cheap.
You can't take this as authoritative but my business has a data relationship with Toyota and they have a ton of juicy telemetry data.
Their attorneys are mad protective of the PII they have. Our relationship serves the public interest. We use the data to find people with open recalls where Toyota doesn't know who the current owner is.
I say this to say that we have other OEM relationships that are far more liberal with their encumbered data. Thus far Toyota seems to be playing it very straight.
You seem to be suggesting that Toyota are the good guys because they collect data but don't share it.
That's not what I want! I want them not to collect it. Then I don't have to worry about what they use it for, whether they share it, or whether it will get leaked.
Related: "Automakers are sharing consumers' driving behavior with insurance companies" - https://news.ycombinator.com/item?id=39666976
And if you own a car made in the last ~5 years, here's how to request your "Consumer Disclosure Report" from LexisNexis: https://consumer.risk.lexisnexis.com/ . According to NYT, LexisNexis receives at least some data from GM, Ford, Kia, Subaru, and Mitsubishi.
Or from Verisk, which receives data from at least GM, Hyundai, and Honda: https://fcra.verisk.com/#/