It's perfectly legal for cars to harvest your texts, call logs (theregister.com)
I dug into the technical details here over the last few days and as usual it's not quite as sinister as the hand-wringing:
* Automotive head units are just embedded computers. Most run Linux, QNX, or Windows CE, with some proprietary UI system on top.
* These machines usually store data in an onboard database in flash (sometimes just SQLite).
* Sometimes, phone data is captured using standard Bluetooth mechanisms (Message Access Protocol MAP and Phone Book Access Protocol PBAP) which require authorization on the phone side. Some vendors implement an additional "are you sure you want to share your information" check on the head unit side, and others don't.
* This data is cached on the head unit so that finding a contact to call or reading a text message doesn't require 10 minutes worth of Bluetooth nonsense.
* Some vendors inadequately purge this cached data when a Bluetooth pairing is removed from the head unit.
* Berla sell data extraction exploits to law enforcement, just like other forensics vendors do for mobile phones. Sometimes this can extract latent data and sometimes active data.
My advice:
* Never authorize a head unit to download your contacts or SMS.
* If you use a rental car, Factory Reset the head unit when you leave.
That's decent protection for most people. I didn't find any evidence pointing to a central server upload, a conspiracy to build an LE database, etc. It's just typical crappy hardware manufacturer-made software leaving data around that shouldn't be left around, creating an opening for forensic vendor exploits to slurp the data.
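An added example, not part of the comment above or any vendor's code: it shows the difference the comment draws between active and latent data when a pairing is removed from an SQLite-backed cache. The schema, table names, `MODES` labels and sample rows are all constructed for illustration.

```python
import os
import sqlite3
import tempfile

# Hypothetical cache schema (not any vendor's): phonebook and message rows
# keyed to the Bluetooth pairing they were downloaded from.
SCHEMA = """
CREATE TABLE pairings (id INTEGER PRIMARY KEY, bd_addr TEXT NOT NULL);
CREATE TABLE contacts (
    id INTEGER PRIMARY KEY,
    pairing_id INTEGER NOT NULL REFERENCES pairings(id) ON DELETE CASCADE,
    name TEXT, number TEXT);
CREATE TABLE messages (
    id INTEGER PRIMARY KEY,
    pairing_id INTEGER NOT NULL REFERENCES pairings(id) ON DELETE CASCADE,
    sender TEXT, body TEXT);
"""
# Constructed message body, used as a byte marker when scanning the raw file.
MARKER = b"CONSTRUCTED-SMS-BODY-7f3a"

# mode -> (PRAGMA foreign_keys, PRAGMA secure_delete)
MODES = {
    "pairing_only": ("OFF", "OFF"),    # only the pairing row is deleted
    "cascade": ("ON", "OFF"),          # child rows deleted, bytes left in place
    "cascade_secure": ("ON", "ON"),    # child rows deleted and zeroed on disk
}


def build_cache(path):
    """Create a cache holding one paired phone's contact and one message."""
    con = sqlite3.connect(path)
    con.executescript(SCHEMA)
    con.execute("INSERT INTO pairings VALUES (1, '00:11:22:33:44:55')")
    con.execute("INSERT INTO contacts VALUES (1, 1, 'Alice Example', '+15550100')")
    con.execute("INSERT INTO messages VALUES (1, 1, '+15550100', ?)",
                (MARKER.decode(),))
    con.commit()
    con.close()


def remove_pairing(path, pairing_id, mode):
    """Delete a pairing the way three differently careful head units might."""
    foreign_keys, secure_delete = MODES[mode]
    con = sqlite3.connect(path)
    # Both pragmas are per-connection and must be set before the DELETE.
    con.execute(f"PRAGMA foreign_keys = {foreign_keys}")
    con.execute(f"PRAGMA secure_delete = {secure_delete}")
    con.execute("DELETE FROM pairings WHERE id = ?", (pairing_id,))
    con.commit()
    con.close()


def audit(path, pairing_id):
    """Report rows still queryable (active) and bytes still in the file (latent)."""
    con = sqlite3.connect(path)
    live = 0
    for table in ("contacts", "messages"):
        live += con.execute(
            f"SELECT COUNT(*) FROM {table} WHERE pairing_id = ?", (pairing_id,)
        ).fetchone()[0]
    con.close()
    with open(path, "rb") as fh:
        raw = fh.read()
    return {"live_rows": live, "marker_in_file": MARKER in raw}


def run_case(mode):
    """Build a fresh cache, remove the pairing in the given mode, audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "headunit_cache.db")
        build_cache(path)
        remove_pairing(path, 1, mode)
        return audit(path, 1)


if __name__ == "__main__":
    for mode in MODES:
        print(mode, run_case(mode))
```

This covers only the SQLite file itself; old copies held by the flash translation layer are outside what a pragma can reach.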
> This data is cached on the head unit so that finding a contact to call or reading a text message doesn't require 10 minutes worth of Bluetooth nonsense.
This is such an early 2000s idea. I'd much rather my car act as a dumb display that shows a copy of my phone screen than an intelligent agent that tries to replicate functionality already extant in my phone.
I spent some time around 2012 working on in car "infotainment" units at a large tech company for a large car company.
I was told that the infotainment systems were where a large chunk of their profit came from and differentiating their experience was important to the car company.
Of course, they wanted to use decade old CPUs and touchscreens to save money, so the experience was horrible. I left shortly after CarPlay was announced and our response was "That will never catch on."
>I was told that the infotainment systems were where a large chunk of their profit came from and differentiating their experience was important to the car company.
I wonder how that could be true. Most car companies have pretty terrible infotainment systems, and I've never met anyone who genuinely loved the infotainment system in their car. (Most people I know tend to feel that it ranges from "somewhat annoying" to "good enough".)
I think the important point is that the comment you are responding to was talking about 2012. CarPlay didn't come out until 2014, Android Auto in 2015. So before that, the only option for infotainment systems was various levels of suckage, and I think it was a differentiator among people wanting the "least sucky" system.
These days, even when I see the rare infotainment system that is pretty good, people still want CarPlay/Android Auto because that's what they're used to, and it already integrates with settings and data that have already been configured on the user's phone.
It used to be a standard $1k - $2k upgrade to get the navigation system which I imagine was highly profitable. It certainly didn't seem like any car manufacturer put much effort into it. Sometimes they could even get you to buy $300 map updates! With Car Play and Android Auto I don't know who's paying for that any more.
Once you bought the car they now have a monopoly on the software that is available. There should be laws against this type of monopoly.
Many cars can be modified even now with increasingly integrated entertainment systems. Beatsonic or its various Chinese copies are an example of this, it’s a box that hijacks the video stream and lets you add CarPlay functionality and stuff.
Car manufacturers have money. They can and will lobby the monopoly status quo.
Money talks. I know it's hard when you want that nice car, but considering the above, the only way is just not buying the car with software lock-in. Only this stimulus can have some effect.
There is. You can swap out the head unit with an aftermarket one.
Most modern cars I've seen don't seem to have old DIN sized head units these days.
You used to be able to. It’s becoming increasingly difficult.
Yes, Carplay is the correct way to implement this.
EXACTLY. This "infotainment" BS harks back to vastly overpriced stock car radios of years gone by.
All we need is a place in the dashboard to mount our phones. Phones already have big-ass touchscreens and anything else we want... except of course now the audio outputs have been removed.
We should simply have a well in the dashboard with replaceable inserts that snap in to accommodate different-sized phone models, which would connect to the audio system and power. But no... we still have phones bouncing around in the cabin or attached to hokey third-party claws, and janky-ass Bluetooth which (how many years in now?) can't handle simple music playback reliably.
Every car in my household has an auxiliary input for audio and no support for audio over Bluetooth. One is a 2013 Mini, so it's not as if they're ancient.
And that's just fine. And if it MUST be overcomplicated, then yes... AirPlay seems to be the way.
> All we need is a place in the dashboard to mount our phones. Phones already have big-ass touchscreens and anything else we want...
That might be your personal preference, I particularly abhor the phone-centric world not to mention that a 5 inch “big-ass” touch screen becomes tiny when driving and that its UI is meant to be operated sitting down paying 100% attention to it not while operating a machine at 60mph down in the road surrounded by hundreds of people in the same situation.
I can respect that. To some extent, though, that's down to the phone UI. iOS, ummm, 6 if I remember correctly was supposed to be more "car-friendly." Of course, that was another Jony Ive failure... it actually changed the system font to a spindly outline that was hard enough to see in normal conditions, let alone in a car. There was absolutely nothing in that OS that offered a "car-friendlier" experience. I was so glad to see that pompous hack leave Apple.
If you look at CarPlay, it chunks the functionality down to a few big icons on the screen at a time. No reason that can't be done on the phone itself in a "car mode."
Anyway, this is what I ended up doing: https://imgur.com/gallery/krRXQwP
That was 7, 6 was the last 'good' one.
Ah, thanks.
Too many regressive releases to keep track of...
>We should simply have a well in the dashboard with replaceable inserts that snap in to accommodate different-sized phone models, which would connect to the audio system and power. But no... we still have phones bouncing around in the cabin or attached to hokey third-party claws, and janky-ass Bluetooth which (how many years in now?) can't handle simple music playback reliably.
I've been using Brodit/ProClip USA mounts to solve this. They sell holders designed specifically for your model of phone which attaches to a custom-fit mount for your car's make and model. It's pricy, at about $75 for a holder-mount combo, when cheap Amazon alternatives are closer to $10, but it overcomes a lot of the problems you list. I use it regularly for navigation, since my car doesn't support CarPlay or Android Auto.
Thanks! I can't settle for that, though. This is what I ended up doing in one car. I still haven't tackled my truck, though: https://imgur.com/gallery/krRXQwP
> no support for audio over Bluetooth
So you rant about Bluetooth in cars ... without owning a car that has Bluetooth?
Just checking, because we put after market radios (with BT) in our last two cars and, while not a miracle experience, music playback and handsfree telephony worked without problems.
I guess you don't think people rent cars, or drive family members' cars, or go on road trips with friends.
Bluetooth implementations are trash. Rented a brand-new Toyota over the summer and its radio suffered from all the same playback defects that Bluetooth has been offering for a decade or more. Playback randomly starting when not told to... showing the wrong info on the display... showing that no songs were available but playing songs anyway (four out of five times; once it did decide to show a song list).
> Bluetooth implementations are trash.
They really are.
> Playback randomly starting when not told to...
Yup. Toyota and Subaru are particularly egregious about this. Something about using old cable/ipod implementations which would immediately reach for the default media player and telling it to start playing (and download a list of songs or some other BS).
> showing the wrong info on the display...
Yup. Especially if you have the audacity to use Spotify or something else.
There's some really shitty bluetooth audio interfaces out there. REALLY shitty.
Oh noes, I've been-modded by some members of the BT consortium, apparently.
Keep up the "good" work, guys! Don't spend all your licensing fees at the pub... unless you're buying a round for the house!
You could have that if manufacturers hadn't abandoned the double-DIN radio bay.
No doubt! I did this though: https://imgur.com/gallery/krRXQwP
And I even installed extra inputs for a guest to plug into on road trips, and the original CD player.
Do you not find it overheats in sunny weather, though?
I have an old car without any sort of fancy infotainment system, and I always end up with my phone overheating during long drives into the sun.
It was a concern but didn't happen often. I did consider making some kind of reflective roof for it.
The phones are too tall to fit there now (even the original SE), so there's going to have to be some rework anyway!
Don't make it reflective. The light would reflect again in the windshield.
It might indeed.
> All we need is a place in the dashboard to mount our phones.
Where I live, even touching your phone while driving is illegal. Doesn't stop most people, but I'd still not mess about.
I do remember reading news of someone getting cited in California when the Model 3 was new, for "mounting a screen visible to the driver" which was the stock touchscreen.
> * If you use a rental car, Factory Reset the head unit when you leave.
If I rent a car, I won't pair my phone at all, even going so far as to use a car charger instead of the provided USB ports.
most car USB ports are slow charging. my little power port convert provides fast charging. so not only do i get the extra speed, but the assurance that the USB isn't nefarious. which admittedly is probably a bit paranoid, but what if i'm not?!
i didn't even like having my phone data sunk to my own personal car. it just made no logical sense on why that would be useful, so being me, i just assumed it was for nefarious purposes. people no longer get the benefit of the doubt of being lazy/incompetent. i immediately jump to the situation essentially being an attack vector.
> most car USB ports are slow charging
TBH, in this day and age where it's difficult to replace batteries when they wear out, I strongly prefer slow-charging over fast-charging. Fast-charging wears out the batteries more quickly.
Same. I imagine the risk of malicious USB ports is higher around military and aerospace rental hubs, like Colorado Springs and Huntsville, Alabama.
It is exactly because people like younger me exist in this world, that I operate under the assumption that all hardware that I have not personally maintained custody of is tampered with regardless of location.
I recently rented a car, and the built-in navigation wasn't enabled. The assumption seemed to be that you'd connect your phone.
Driving in the country was fine with just audio navigation, but I had to connect my phone to get the display once I was driving in a big city. "Take the freeway exit" "Use the right lane" "Use the left lane" was coming too quick if I relied only on the audio.
Agreed, although I use a “usb condom” for convenience…
What's the technical term for those? (I'm afraid to search for that at work haha)
Usb power-only or charge only cable.
You can create one by severing the data lines in a normal usb cable
You can find them with the term "USB data blocker". You might have to add "dongle" onto that.
I think an argument should be made against normalizing this, which could then lead to OEMs building in internet assisted data export functionality in new cars and people won't know until a lawsuit (likely) starts years after the fact and the harm is done.
This is why I've taken a more and more grim look at technology and software, in particular.
Stallman was right, about nearly everything concerning power, companies and governments using it, and the role the citizen is viewed to have in such a limited capitalist view.
Without government mandates to open the source of every chip and firmware, none of the modern hardware we use is trustable.
I don't understand how you think this isn't nefarious based on your own post. I didn't ask my car to basically give a backdoor to all my texts and contacts to law enforcement. If that exists, it is certainly being used. I find it very sad that you have to prove injury despite the fact that it is clearly not in a user's benefit. Laws are always playing catchup to tech and we shouldn't have to play whack-a-mole for every new absurd way our privacy is being abused just because we can't prove that police aren't doing parallel construction to avoid the direct "injury" to us.
Why do I think these features are not nefarious?
* There's an obvious, legitimate want for the vehicle's head unit to ingest this data, in order to display a UI (or provide a voice UI) which allows the user to call a contact by name or read a recently received text message. Is this a poor implementation concept which has mostly been supplanted by better implementations (Android Auto / CarPlay), sure, absolutely but it's not something that was added for the express purpose of "stealing" information. It's a long-standing set of features which use obvious, standardized Bluetooth technologies to fill an obvious, straightforward user need. Nothing weird there.
* There's no sign whatsoever that there was any collusion with law enforcement in the construction of these systems. They're just badly implemented, vulnerable software which is exploited by a forensics vendor (just like literally every other piece of hardware and software under the sun).
I have worked for enough IoT and whitelabeled tech companies to know spying is normally never a plan from the start.
It is the lack of planning to prevent it that is years later branded as a feature to sell when company leadership looking to boost numbers or build political capital start talking to law enforcement. Often after an acquisition or two.
I personally know a release engineer that was required to quietly send all new code changes to an NSA ftp server, presumably to make sure none of the bugs they rely on were fixed.
If something is in popular use and -can- collect data covertly, it will be co-opted to do so by someone for power or money without fail.
I want to include with your great post that civil action will not stop a government hellbent on gathering data.
Destroying the means of surveillance, capturing targets, and reverse blackhatting is what will work.
> I personally know a release engineer that was required to quietly send all new code changes to an NSA ftp server, presumably to make sure none of the bugs they rely on were fixed.
... what would they have your acquaintance do if a bug they relied on were fixed? Push back on the change?
That was implied, but never happened that they know of.
Could be they just decide to go take maximum risky advantage of the flaw before it is patched.
You're totally falling for the plausible deniability governments engage in when conducting surveillance and espionage on their own citizens.
"Oh it wasn't our fault the software was wrote poorly. Not like we wrote laws around it or paid companies to share data with us."
What else do you believe that comes from the govt's mouth? Would you simply never believe they'd take advantage of us unless caught in some precise way, in some precise situation?
Government can start showing us it's loyal to us, or face attack of its own networks.
Big opportunity for one of the big car rental agencies to come out looking great by advertising their "privacy focus". They could advertise to customers that they promise/certify that any personal data is wiped between rentals. Sort of like all the cleanliness guarantees that came about right after Covid hit.
They'll just monetize it behind a $19.99 fee. And then they still won't do it, leading to some data leak, for which they'll be fined $2,000,000 despite having profited about $30,000,000 from it.
...and then lock the admin UI behind a password so you can't do it yourself :)
> They could advertise to customers that they promise/certify that any personal data is wiped between rentals.
I, for one, simply wouldn't believe any such claim. Too much deception has already happened for there to be any trust left.
Apple Car will be marketed out of both sides of their mouth, just like oh-so-private iOS devices are marketed today.
Why is everyone so sure Apple Car will be a thing?
Because Apple likes money, and cars have high profit margins.
Cars have very low profit margins. Last time I checked a few years ago, the gross margin on an average American car was 10-15%. This doesn't count financing.
If that is true, an Apple car is very unlikely.
That is a good reason, but in and of itself, not a sufficient reason.
Chocolate has fantastic profit margins. No Apple chocolate. ... mhhhmm, apple chocolate, that sounds yummy.
A bit closer to home, fabbing microchips has great profit margins. Apple pays good money to TSMC.
Just because it's good money isn't enough reason, I am sorry.
My personal solution: I won't own a car that has this sort of capability in the first place, and when I rent a car, I will never allow it and my phone to talk to each other for any reason.
Is that possible anymore? I think all new cars are always online and always collecting data now, and you void your warranty (very different cost/benefit calculus than voiding a phone warranty) if you tamper with the antennas to keep it offline. Very sad state of affairs.
Exactly why I only buy used cars that predate all this insanity.
If we can keep cars from the 40s running, keeping cars from the early 00s running is no big deal. Honestly older fully mechanical/analog cars with manual transmissions are often cheaper and easier to maintain than modern ones with high complexity and DRM on every part.
Sadly my desire for privacy will likely prevent me from ever buying electric unless I build my own car, which I might.
> Sadly my desire for privacy will likely prevent me from ever buying electric
Me too. I'm not that sad about it, though. Saving an older car from being scrapped also brings environmental benefits.
Some modern cars do not have telematics systems. As far as I know, base model Nissans often don't. In other cases, some telematics systems can be easily disabled. (In the Ford Maverick, it's got a single dedicated fuse, and doesn't complain when you pull the fuse.)
We were considering a Hyundai Kona after seeing someone online just yank the modem without an issue. The first dealer I worked with said he could have their service department do it, but then couldn't get the model I wanted. The second had the model, but then said even disconnecting the cell modem would void my warranty, so they wouldn't do it without a letter from Hyundai corporate allowing it.
So now I own a brand-new Chevy Bolt. You just yank a single fuse and that takes out OnStar and nothing else.
> Is that possible anymore?
Absolutely. I don't buy cars that were made relatively recently.
Uh dude any car made in the last 15 years has this capability.
This is far from true. Many cars made within the last 15 years don't have any sort of telematics system.
Correct, which is why I don't buy them.
Translation: It is 100% legal for car companies (and by extension just about any company), when you connect your phone to them, to download your call and text history and then sell it.
By extension, that means it is 100% legal for anyone, including any branch of any government to get a copy of your call and text history.
>By extension, that means it is 100% legal for anyone, including any branch of any government
Always has been
The "always" in your comment is only a few decades old. This scale of data collection simply hasn't been possible before.
> It's not quite as sinister
> Here's the fix that 95%+ of the users impacted will never use
Hopefully you only had HN users in mind while writing your comment, otherwise you've intentionally downplayed one of dozens of security & privacy risks "our moms" are dealing with daily.
> * If you use a rental car, Factory Reset the head unit when you leave.
That is ridiculously onerous! Just because geeks can share arcane knowledge about how to be safe does not mean that this isn't horribly anti-consumer.
It should be policy for the rental company to do this. On more than one occasion, I have received a car with a previous renter's personal data still in the system.
When I am out of town, I sometimes print at copy shops.
You'd be amazed what kind of PDFs are left open in Acrobat, just because people are too lazy to close the application. I have seen contracts, bank account statements, residency permits, letters of incorporation, private messages logs, ....
All without doing any digging, I just get assigned a computer for printing, turn on the screen, and it's there.
"You'd be amazed what kind of PDFs are left open in Acrobat,"
Observation tells us it's a lost cause to teach people about privacy/security of this type and have the large majority of people observe prudent ways of preventing their data from leaking. We've known about this since before the internet when people would chuck old documents in the garbage under the assumption no one would ever bother to go through their trash digging for information. But, we've learned from police, private investigators and espionage accounts that huge amounts of data can be extracted from trash simply because people aren't careful.
We also know there's always been a small percentage of people who have been careful, they're the ones who never throw out old accounts, letters, envelopes or even notes with phone numbers on them into the trash but they're so small in numbers that those who are scrounging for information know that the majority of their pickings will be successful.
The only effective way around this is to build systems that automatically obfuscate data from anyone but their owner. As we know, this is easier said than done.
> they're so small in numbers ... will be successful
worse, because it's so few people, this is suspicious behavior (in the eye of LEO)
I wholly agree with your sentiment, but as someone who cares to actually take action for my privacy this kind of onerousness is par for the course, unfortunately.
You're right, but it's the world we live in, and we need to exist within the system. This is the best way to do it - and spread the knowledge among your social circles.
I factory reset the entertainment system in all car rentals at pick up, never share contacts or give access to media folders of my phone and finally reset again when returning the car. It’s a pain to know who is calling you but you get used to it.
> In other words, it's A-OK for your car to "automatically and without authorization, instantaneously intercept, record, download, store, and [be] capable of transmitting" text messages and call logs since the privacy violation is potential, but the injury not necessarily actual.
So it's effectively legal to sell backdoored hardware and software to spy on people. I wonder what would happen if I sold backdoored phones to Volkswagen employees, execs, and their children. To judges and politicians and lawyers. A-OK until there was "actual injury", and even then, it is only the injury that would be wrong?
This is a decision made regarding Washington state law’s “statutory injury requirement” [1].
It says “a plaintiff must allege an injury to ‘his or her business, his or her person, or his or her reputation,’” with “a bare violation” of the privacy law being “insufficient to satisfy the statutory injury requirement.”
It is particular to Washington state, not all Americans. And it may not apply to a prosecutor versus private plaintiff.
[1] https://www.documentcloud.org/documents/24133084-22-35448
That sounds remarkably like saying "it's ok to drive drunk, as long as you don't hurt anyone"; which, clearly, is ridiculous. If you're breaking the law, there should be consequences even if you didn't _happen_ to hurt someone this time.
Most civil law requires actual damages. It’s the same situation.
If you haven’t actually been hurt yet, suing doesn’t result in anything.
To underline why, consider the consequences of letting anyone sue anyone for potential violations. Every minor perceived violation would result in a cascade of lawsuits. You could bankrupt a competitor by baselessly speculating on their wrongdoing.
Generalised lawbreaking is a public concern. It’s prosecutors’ and regulators’ jobs to protect consumers ex ante.
Yup, though for some things that there is a strong public policy reason to discourage, statutory damages can make a good disincentive.
Easy to argue the good/bad of it, but the California statutory damages lawsuit wave related to ADA accommodations definitely got a lot of business owners to pay attention. [https://www.thakurlawfirm.com/single-post/2020/06/15/ada-law...]
Which creates an incentive, if you see a shiny bit of sidewalk that might be ice, to step on it rather than stepping around it.
It's perverse and bizarre. If you avoid harm, you deprive yourself of the tools that you might've used to save others from the same harm.
But also don’t actually suffer that harm. Which is good?
The tricky part here is when someone is steadily stockpiling things which seem likely to cause truly irreparable harm in the future. But that act is not itself causing harm yet. For example, stockpiling tons of sensitive data.
Another example, a mine with a nearly overtopping tailings dam full of toxic chemicals is a disaster that is almost inevitably guaranteed to happen.
But civil law gives little to no method of stopping that disaster until it has already killed countless people, since - as noted - it hasn’t actually happened yet. And there is no actual guarantee that it will! Potential options do exist, but are so time consuming and high risk, good luck.
But it does give methods for those people’s relatives to get compensation after the fact at least. Which is better than some alternatives.
Which is why other types of regulatory frameworks exist, at least in some cases.
Unfortunately, as in the tailings dam case, and the icy sidewalk case, the actual smartest move is to just avoid them altogether - somehow. Move? Take a different route?
Not always possible though, and being constantly on the lookout for these things is exhausting and infeasible for most.
Not sure how that is possible privacy law wise though, even for the most alert? Never engage with anyone or give anyone anything true?
Worse, you've got a Hobson's choice when it comes to using many of these systems. If you decline to get your data hoovered up, you simply can't participate at all. In this way, the car's contact-download is pretty benign, you can still make phone calls even if you decline the contacts.
But it's worse pretty much everywhere else. A few years ago, my data was in a breach of a health-care company I'd never heard of and never dealt directly with, they were some sort of back-end broker several layers away from us patients. Recently I went to sign up for new insurance, and I asked for a list of all companies that might handle my data, and copies of their most recent cybersecurity audit. Of course I didn't get a useful reply, and as a 'customer', I have no useful levers to pull. I have no useful information to use when selecting an insurer. And I have no recourse unless someone starts siphoning money out of my account AND I notice and can prove that it happened because of a breach.
"Never engage with anyone" equates directly to "Go be a hermit in the mountains". If that's where our privacy laws have gotten us, I think we're doing something wrong.
Therein lies the issue. This type of thing shouldn't be civil in nature. Things that are dangerous to others and have a likelihood of causing significant damage... should be criminal in nature. Someone driving drunk is putting others at risk, but the injury isn't actualized until it is. A company forcing its drivers to work too many hours, driving while unable to get enough sleep, is putting others at risk; but the injury isn't actualized until it is.
Along the same lines, a company gathering extensive details on the communications of and connections of others (especially without their permission) is putting others at risk. And, much like the previous example, the damage isn't actualized until it is. But it needs to be stopped _before_ the damage happens. Which means it needs to be criminal.
This is why such things should be criminal offenses!
Yup! Or provide statutory damages instead of vague or no statutory penalties.
As a Washingtonian I am embarrassed that my state loves to pretend it's progressive but then I see shit like this, and two party consent laws that businesses can still treat like one-party.
Had the whole state pay for a stadium and a tunnel, in Seattle. So, pointless use of taxes and other wastes of my contributions.
Sadly, not an actually progressive place aside from Mutual Combat laws.
So post facto punishment and not consumer protection.
WA has a referendum system, though, so if people in WA care about this, you can get something on a ballot and vote it into law.
> A-OK until there was "actual injury", and even then, it is only the injury that would be wrong?
Hah! No, they argue that the injury is right.
For example: https://www.cbc.ca/news/politics/sikh-nijjar-india-canada-tr...
After the diplomat assassination kerfuffle, it appears that Canada invoked a communications backdoor for national security purposes. It's hard to feel bad for the dimwitted killers who plotted the entire thing on a smartphone, but it's also a statement about how widespread and de-facto surveillance is today. Even when backdoors surface, we shrug them off.
So... yeah. Until there is actual injury, and the injury isn't someone who people don't like and also don't care about. Then it will be a problem, and God help us all then.
Let's keep our older cars on the road as long as possible.
Let’s face it, in an energy starved world the car of the future is an e-bike. Side effect it’s free of connected BS. So far…
> Side effect it’s free of connected BS. So far…
"So far" is the right qualifier. As electric scooter rentals have clearly shown, it's trivial to add in the connected BS.
We will not be "energy starved" anytime soon, short of an actual apocalypse happening. What we use for energy may change, but energy won't.
We live on free energy, free as in "dig a hole and voilà": energy. No nuclear, no solar, no wind can replace the sheer amount of energy we extract out of oil and coal. I’m afraid privacy in cars is going to be the least of humanity’s problems unless we make fusion work.
As fossil fuels get more expensive to acquire and renewables get cheaper and cheaper, it's really a self-solving problem.
Energy is necessary for modern society to function. It's not going anywhere nor will it decrease just because one source of it is inconvenient.
> No nuclear, no solar, no wind can replace the sheer amount of energy we extract out of oil and coal
What are you basing this on? You realise we have localised grids that go 100% renewable regularly, and could easily keep doing that with electrified transport?
Well, global surveys show how oil, gas and coal are going.
Well sure, we’re consuming more fossil fuels because they’re cheaper. Nothing I’ve seen suggests we can switch primary production to clean sources. It would be more expensive. But that’s far from a hard limit.
I’m genuinely curious if someone is credibly speculating we are unable, versus economically unwilling, to replace fossil fuels with clean options.
My understanding is that there are no clean sources able to replace fossil fuels. Or we would need to cover useful land with solar panels (largely produced in China with coal electricity btw).
Anyway, we should transition to EV and these car manufacturers' bad practices are just keeping old inefficient cars on the streets.
> we would need to cover useful land with solar panels
About the land area of New Mexico, if we went 100% solar [1]. Remove current hydroelectric, potential geothermal and then mix in wind and nuclear, and you have a realistic mix that could replace fossil fuels.
[1] https://www.axionpower.com/knowledge/power-world-with-solar/
If only there was some giant naturally occurring fusion reactor that we could siphon a bit of power from to power our things.
Exactly! But if its energy density hasn’t increased since the Middle Ages it’s probably only good enough to support a Middle Ages lifestyle.
No, it's saying that because none of the information is transmitted there isn't a privacy violation - the law requires that a privacy violation actually occur, not that it "could".
e.g. the fact that there's a local call/message log on the car, and the car also has a mechanism for transmitting some data, does not mean that there's a privacy violation given that the car does not transmit the call/message log. That's the only reason this lawsuit got thrown out. It would be like saying "my phone receives messages, and stores those, and could transmit them to apple/google, therefore I should be able to sue them for the privacy violation they could do".
> the car also has a mechanism for transmitting some data
As far as I can tell, the car itself doesn't have a mechanism for transmitting data. It just stores the data.
Transmitting only happens if/when someone gets some Berla "vehicle forensics" hardware and physically connects it to the car. The Berla equipment would do the transmitting.
From the complaint linked to by The Register[1]:
> 26. Third party Berla Corporation (“Berla”), based in Annapolis, Maryland, manufactures equipment (hardware and software) capable of extracting stored text messages from infotainment systems in Honda vehicles.
> 27. Berla also manufactures equipment capable of extracting stored call logs from infotainment systems in Honda vehicles.
> 28. Honda infotainment systems thereby transmit stored text messages and call logs to Berla.
And from Berla's web site[2]:
> An acquisition may require systems to be removed from a vehicle and disassembled or be performed in place in a vehicle. In either case, acquisition hardware must be attached to the vehicle or system to acquire data.
---
[1] https://regmedia.co.uk/2023/11/09/honda-infotainment-class-a...
I thought the original lawsuit (in addition to the Berla/diagnostics tools extraction method) was also trying to claim that the system supported transmission of data (which seems a thing in many new cars? crashes and what not?) even though it was in no way transmitting any of this information.
Thank you for the correction. This makes the judgement much more reasonable.
I'm not an attorney, but I think a lot of the Internet misunderstands the law. It is legal to do this, apparently, but that doesn't mean the court is saying it's okay or they should do this, and it certainly doesn't mean anyone would be okay with you doing it. But if you managed to, then yes, it would apparently be legal. The court can only rule on what the law actually says and it says you only have grounds to sue once you've suffered an actual injury, not because the party you're trying to sue has done something that might harm you in the future.
This is frankly a shortcoming of trying to use civil law for something like this. As far as I'm aware, this is nearly always the case that you have no grounds to sue unless you've suffered quantifiable monetary damage from someone's actions. If we just want this kind of thing to be generally illegal, then it needs to be made illegal according to criminal law or it needs to violate some law overseen by a government regulatory body with the power to levy its own fines.
Yes, civil law is not about deciding legality. It's about deciding liability. And to do that, there has to be a harm demonstrated. The plaintiff could not do this, so the case was thrown out.
> It is legal to do this, apparently
I am extremely skeptical of this, no matter what this judge says. This seems to be a clear case of illegal wiretapping [1]. Having an illegal act perpetrated upon one, whether it is wiretapping or assault, seems a very clear "injury". It is baffling that there would have to be some kind of financial price attached to be recognized as harm by a court. A disgusting reduction of justice to mere finance, something I would expect from the cartoonishly greedy Ferengi of Star Trek rather than a real court.
agree and - the crux here appears to be .. when you are in a moving vehicle on public roads then you have no expectation of privacy -> slippery slope -> license plate readers run by govt 24x7; license plate readers run by parking lots or retail shopping malls; interception of cell traffic via stinger units in strategic locations; interception of the driver's cell phone communications.. etc.
Gov Gavin Newsom preparing to run for President, is OK'ing these uses quickly and without public discussion
I have never seen a car do this without asking you if you want to sync contacts, calendar, and messages upon connecting to Bluetooth. iPhones also let you control this per Bluetooth connection.
Where is this being done without authorization?
Jeep owners will be upset if they can't take the backdoors off.
> "To succeed at the pleading stage of a WPA claim, a plaintiff must allege an injury to 'his or her business, his or her person, or his or her reputation,'" the judges ruled. "Contrary to Plaintiffs' argument, a bare violation of the WPA is insufficient to satisfy the statutory injury requirement."
I think the title is misleading. Unless I'm missing something, it sounds like the decision wasn't that it's legal to harvest text and call logs, it was that these cases did not demonstrate an injury was caused as a result of doing so. Presumably if the plaintiffs proved some injury other than not wanting it to happen, things could have been different.
Reading these stories makes me love my shitty old 16 year old Civic. It's modern enough to have cruise control, AC and a fairly decent engine. But not so modern that reliability is compromised in the name of fuel economy and it's also not a "rude-ass car" with dumb features nobody asked for. I could afford a better car of course but I don't drive much and I'm not inspired by these rude-ass features.
What is shitty about it?
It's not very fashionable and it's kind of a poor person's car.
I've been trying to figure out how to disable my truck's cellular antenna without disabling any other systems. It's proven more difficult than I thought.
The easiest way to do this is usually to unplug the antenna and replace it with an RF terminator. The vehicle will simply think it is always out of range of cellular service. Unfortunately most modern vehicles require a lot of finagling to disable the telematics control module itself without causing error messages.
It would be nice if some regulator would mandate an "easy-off" function for vehicle telematics - some kind of simple procedure which would remove a telematics module from the installation list and allow the module to be unplugged without triggering fault detection. This is possible on some cars using dealership tools to re-train (sometimes called "code") the configuration blobs in each control module to omit telematics, but it's not standardized and usually too difficult for a consumer to manage.
Unfortunately, the regulators (NHTSA) are inches away from mandating cellular be added to cars (if they haven't already pulled that lever).
they haven't yet, but the technology is there and is mandatory in large parts of the world
https://en.wikipedia.org/wiki/ECall
https://www.atic-ts.com/vehicle-accident-emergency-call-glob...
For most manufacturers, you can purchase access to the technical documentation for a short period. I paid Toyota $20 for 48 hours of access and got PDFs of the official instructions for how to remove the 4G module.
How do you find the contact for this?
Also, how hard was it to find the section for removing the module, and how hard was removing the module in your case?
I have a Subaru, but still curious about yours.
Could potentially Faraday cage it if you can find the exact spot it's at.
Careful with that or it might just eat up your battery trying to contact cellular towers at maximum power with a short retry interval.
The module should go to sleep, and the battery management should also load-shed it if it detects the battery draining. I suspect this is probably not implemented correctly on some cars (because what is), but it's definitely something that's tested for regularly (since cars can be expected to be taken camping, off the grid, or even just purchased by owners who live outside of cellular coverage).
> The module should go to sleep
lol tell Subaru owners about this. There are tons of them complaining of batteries going dead the last few years, just from sitting a few days in the driveway, while the always-on cellular is at edge of range, hunting. Subaru's solution to this has been to in some cases pay for a bigger battery for those customers.
Maybe an other way around solution? Is it possible to build some kind of dummy cell tower that supersedes real ones?
Good luck with that. This is illegal (in Europe).
What make and model?
Another reason to prefer Apple CarPlay and Android Auto.
using AA/CP won’t prevent your car from being exploited.
It means my infotainment system is a dumb screen, so no opportunity for irresponsible development practices to leave an unsecured text message database lying around.
I'm not going to go as far as to say it can't be exploited, but that is a significantly smaller risk surface.
Except that to run those in the first place you need to be running non-private spyware on your phone (iOS or vendor issued android ROM), so you give up all ability to maintain privacy in or out of the car.
No, it isn't all-or-nothing. iOS does not leak messages to cars. Just by using iOS doesn't mean Toyota, Subaru, Chrysler, etc suddenly have access to your messages. Using iOS with carplay only is strictly better than using iOS and sharing your messages with the car.
This is why I would not consider connecting my phone to anything other than CarPlay/Android Auto.
Both of which require Bluetooth pairing (or at least auto-pair without asking you if I recall correctly) which allows the head unit to siphon data!
You can disable Sync Contacts (PBAP) and Notify Messages (MAP), and then the Bluetooth head unit won't download your contacts or messages.
Unless the head unit refuses to operate unless you share those
Apple CarPlay works over my USB-C cable, at least in my 2018 Subaru Crosstrek on an iPhone 15. No Bluetooth required I am fairly certain. I also have to unlock the device every so often with my Face ID -- unsure what triggers this as it is not 100% of the time.
My car also uses wired Android Auto, but somehow after I set it up the day I drove it home, my phone automatically connected to it via Bluetooth. I recall something similar when a friend plugged in their iPhone but I’m not sure.
I always connect to CarPlay with a wire, and have never connected with Bluetooth. It has not auto paired Bluetooth either with iPhones.
I have not used Android Auto, but if it does auto pair Bluetooth, that would be a shame. I thought the whole point was that the car just provides a screen your phone can extend a display to, and no data ever leaves.
Android Auto can do both wired and wireless. Wired in fact is the only option on cars more than a few years old.
Yes, but the question is does it auto pair (without permission from the user).
I can believe iOS doesn’t offer protection against this garbage. There’s no way to connect a phone to something and on the device side say “this is an untrusted connection; don’t give it shit”.
It’s especially frustrating with rental cars. But I don’t even trust my own personal car!
For what it's worth, in the iOS Bluetooth settings, "Show Notifications" is code for Message Access Protocol and "Sync Contacts" is code for Phone Book Access Protocol. It would be nice if they'd add an extra "Pair but Don't Trust" button, though.
The feature you're looking for doesn't really sound like the nontechnical "it just works" experience they're advertising.
Check out GrapheneOS if you have yet to!
> "To succeed at the pleading stage of a WPA claim, a plaintiff must allege an injury to 'his or her business, his or her person, or his or her reputation,'" the judges ruled.
So.. It's okay if I record private conversations from high ranking state officials as long as I don't harm their reputation with it?
It's okay if I stole state intelligence as long as I don't harm my country with it?
No and no. Those cases would be brought by a prosecutor under criminal law where mere violation of the law counts as harm to the state.
This was a civil case. Civil cases tend to have more concrete harm requirements.
If you read the original lawsuit, the issue is that the car's infotainment system is set to forward/display messages and calls from your phone, and that that information is stored or logged persistently, and that can't be deleted/cleared by the user.
The claimed invasion of privacy is that a person with the diagnostic tools and physical access to your car can extract those logs.
Presenting this as "car manufacturers can steal your text and call logs" is disingenuous.
Don't get me wrong, it's clearly not a great thing for the car to be doing (especially in the context of rental cars for instance) but it isn't the catastrophe people are claiming.
My Toyota asks for permission and if I grant it then it'll "harvest" my texts and calls. How horrible and unexpected.
The title and the conclusion are biased and of poor quality. It should be "car manufacturers didn't get fined for the way their old head units worked".
I was in a rental car this week and purely accidentally (1 in 1000) hit “yes sync contacts.” Didn’t know how to reverse/revoke that decision. Wish I did/could
It probably helps that this isn't exploited often. You're fine. To attack someone requires so much effort the clickbait article didn't deserve the views.
How often isn't it exploited often?
Additionally: if you were a person travelling for an abortion, not in your car because your state is all fucked up(!), can the cops request copies of texts you've received/ sent?
Yes, if they have probable cause sufficient to attain a warrant.
Or they ask the rental company nice enough for a few minutes they may not even need that, as a prosecutor would argue that you waived 4th Amendment protections by not taking sufficient measures to "ensure your privacy". Third Party Doctrine.
One more reason to use the bicycle.
> store each intercepted, recorded, and downloaded copy of text messages in non-temporary computer memory in such a manner that the vehicle owner cannot access it or delete it,
You might think why care if it's your own car. But if you rent cars this can become an issue where if poorly implemented the next driver could access the information.
It is such an easy feature to implement and suppliers in Europe already do this due to GDPR. I remember working for an automotive supplier where we implemented this feature. The whole phonebook was actually downloaded onto the unit in an encrypted Database. The system would decrypt it on the fly as needed. When GDPR came around we had to implement a wipe feature that would allow the user to delete their profile which included that database.
I feel like GDPR for all its flaws had a positive impact in that it forced the supplier to actually care about this use case.
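Added example (not part of the comment above, and not any vendor's code): a Python/SQLite model of the "delete my profile" wipe that comment describes, showing two ways such a wipe can leave phone data behind. It assumes the head unit keeps its cache in an unencrypted SQLite file; the schema, file name and sample rows are constructed for illustration.

```python
import os
import sqlite3
import tempfile

SCHEMA = """
CREATE TABLE profile (id INTEGER PRIMARY KEY, phone_name TEXT NOT NULL);
CREATE TABLE contact (
    id INTEGER PRIMARY KEY,
    profile_id INTEGER NOT NULL REFERENCES profile(id) ON DELETE CASCADE,
    name TEXT NOT NULL, number TEXT NOT NULL);
CREATE TABLE message (
    id INTEGER PRIMARY KEY,
    profile_id INTEGER NOT NULL REFERENCES profile(id) ON DELETE CASCADE,
    body TEXT NOT NULL);
"""
# Constructed sample text; searched for in the raw database file after the wipe.
MARKER = "CONSTRUCTED-SMS-BODY-7f3a"


def wipe_profile(foreign_keys: bool, secure_delete: bool) -> dict:
    """Cache two paired phones, delete profile 1, report what is left behind."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "headunit_cache.db")  # hypothetical file name
        db = sqlite3.connect(path)
        # Without foreign_keys=ON (per connection) SQLite ignores ON DELETE CASCADE.
        db.execute(f"PRAGMA foreign_keys = {'ON' if foreign_keys else 'OFF'}")
        # secure_delete=ON zero-fills freed cells; OFF leaves the old bytes in place.
        db.execute(f"PRAGMA secure_delete = {'ON' if secure_delete else 'OFF'}")
        db.executescript(SCHEMA)
        for pid, phone, body in ((1, "renter-phone", MARKER),
                                 (2, "owner-phone", "owner message")):
            db.execute("INSERT INTO profile VALUES (?, ?)", (pid, phone))
            db.execute("INSERT INTO contact (profile_id, name, number) "
                       "VALUES (?, ?, '555-0100')", (pid, f"contact of {phone}"))
            db.execute("INSERT INTO message (profile_id, body) VALUES (?, ?)",
                       (pid, body))
        db.commit()

        # The user-facing "delete profile" action removes only the parent row.
        db.execute("DELETE FROM profile WHERE id = 1")
        db.commit()

        def count(table: str, pid: int) -> int:
            sql = f"SELECT COUNT(*) FROM {table} WHERE profile_id = ?"
            return db.execute(sql, (pid,)).fetchone()[0]

        result = {
            "live_rows_left": count("contact", 1) + count("message", 1),
            "other_profile_rows": count("contact", 2) + count("message", 2),
        }
        db.close()
        with open(path, "rb") as fh:
            result["marker_in_file"] = MARKER.encode() in fh.read()
        return result


if __name__ == "__main__":
    for fk, sd in ((False, False), (True, False), (True, True)):
        print(f"foreign_keys={fk} secure_delete={sd}:", wipe_profile(fk, sd))
```

The middle case is the latent-data one: every query reports the profile as gone, yet the message text is still present in the file's free space. Flash storage beneath the file system can also retain older copies of rewritten pages, so this check covers the database file only.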
What are the flaws in GDPR?
It’s perfectly legal for your car to taunt and harass you. What are you going to do ? sue your car!?
Not in EU
Probably not even if you voluntarily "agree" to it via some button and a very long incomprehensible legal text.
And especially not if you're forced to agree to use a specific feature.
But nobody really knows if car vendors really follow the laws. Facebook/Instagram seem to collect a lot of data anyways, and probably will just pay a huge fine in many years, when they get sentenced for it.
Would GDPR actually do anything in this situation?
From what I understand the data the car acquires is not being sent anywhere. It just gets uploaded to the car and is used to speed up operations that would be slow if the car had to talk to the phone over Bluetooth when it needed the data.
The car vendor is not processing your data. They are selling you a device that processes your data. I'd have guessed then that you are the controller for this data processing and so you are the one responsible for GDPR compliance.
In the case of a rental car, I'd have guessed that the rental company is the controller, and their GDPR obligation would be to tell you that the car caches data if you pair your phone with it and for them to erase that data when you return the car.
They do ask first as far as I know