New research reveals serious privacy flaws in the data practices of new internet connected cars in Australia. It’s yet another reason why we need urgent reform of privacy laws.

Modern cars are increasingly equipped with internet-enabled features. Your “connected car” might automatically detect an accident and call emergency services, or send a notification if a child is left in the back seat.

But connected cars are also sophisticated surveillance devices. The data they collect can create a highly revealing picture of each driver. If this data is misused, it can result in privacy and security threats.

A report published today analysed the privacy terms from 15 of the most popular new car brands that sell connected cars in Australia.

This analysis uncovered concerning practices. There are enormous obstacles for consumers who want to find and understand the privacy terms. Some brands also make inaccurate claims that certain information is not “personal information”, implying the Privacy Act doesn’t apply to that data.

Some companies are also repurposing personal information for “marketing” or “research”, and sharing data with third parties.

  • lunarul@lemmy.world
    link
    fedilink
    English
    arrow-up
    80
    arrow-down
    2
    ·
    29 days ago

    My cars are not modern enough for that, but I always carry a surveillance device in my pocket to make up for it.

        • potatopotato@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          1
          ·
          28 days ago

          Did you read the article? There were a couple cases were very early Android phones were modified to appear to be off but stayed on. This is fairly common knowledge, but it’s not particularly hard to defeat.

          Everything your phone does requires a deterministic amount of power. Spying on people in particular requires even more power than normal because you need to run the power hungry gps in addition to the modem and cpu.

          If you turn off the device it should be significantly cooler to the touch, not a degree above ambient. If it’s at 100% charge but a power bank with a read out is showing it still charging, that’s a problem. Is the bootloader image different? You can verify that to some extent. When you turn it back on has it been drawing down the battery anyway? Does it require an unlock password instead of biometrics as it normally would (assuming a particularly sloppy setup)?

          This isn’t rocket surgery, in reality nobody is modding everyone’s phone to stay on forever because unless you’re an absolute troglodyte (aka the fucking old school mafia bosses they did this to) it’s going to be painfully obvious your phone is acting weird.

          • SanctimoniousApe@lemmings.world
            link
            fedilink
            English
            arrow-up
            1
            ·
            28 days ago

            Nowhere near an expert in this, but I know I’ve seen in the past that you could set your phone to turn on at a specific time (which means the RTC at a minimum is still running) - could a determined adversary not find a way to take advantage of that?

            • potatopotato@sh.itjust.works
              link
              fedilink
              English
              arrow-up
              2
              ·
              28 days ago

              Depending on the chipset you can usually set rtc wakeup timers, though that typically implies sleep rather than power off so you’d still have some power draw when the device should be off. Similarly, if you’re trying to log GPS you’ll have to wake up for enough time to get a GPS lock so even at something like a 10 minute logging interval you’d get some noticable power consumption. Much much more if you’re trying to log voice or video.

    • sugar_in_your_tea@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      4
      ·
      28 days ago

      Eh, my phone is reasonably unlikely to spy on me. I use GrapheneOS with location off, no Google Play services most of the time (I have a separate profile for that BS), and the only app with location access is Organic Maps. My carrier could rat on me, but I don’t think Google could.

      But I have a smart watch (Pixel 2), but at least it’s WiFi only so it can only rat on me when I get home. So I guess there’s that.

        • sugar_in_your_tea@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          2
          ·
          28 days ago

          I wonder if this applies to MVNOs, or if their data is somehow aggregated. I haven’t used a major carrier for over a decade.

          That said, I can’t really do anything about the carrier because I’d like to continue receiving calls and getting mobile data. So I’ll cut down as much as I can, and to me that means cutting out Google.

          I’ve considered switching to a VOIP service and running everything over a VPN (doesn’t help with location, but cuts everything else out), but I haven’t found one that’s reliable. I need:

          • SMS/MMS
          • reliable wake when receiving calls/texts
          • reasonable voice quality

          Bonus points if I can receive calls on my computer (I’d also love to switch to a Linux phone). If I can find that, I’ll switch.

        • sugar_in_your_tea@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          2
          ·
          28 days ago

          Yup, but not by Google, at least not directly.

          The problem is I want to be able to receive calls and texts while out and about. My next step is to try switching to a VOIP service and only get 2FA codes on my carrier number. That doesn’t stop location tracking from cell towers, but it does reduce how much they know about me, and it makes it easier to switch later (i.e. if making and receiving calls on my computers are good enough).

          Privacy is a process, and it’s an unfortunately frustrating one as companies sell out their customers more and more.

        • sugar_in_your_tea@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          1
          ·
          28 days ago

          It’s not, but it’s a step in the right direction. Here are some additional steps I’m planning on:

          • switch to VOIP - nice extra feature is being able to call and text from my PC
          • VPN for all data - carrier can’t see DNS anymore
          • slowly move friends and family to alternatives to SMS and phone calls

          It’s a process and I’ll probably never be finished, but each step is satisfying.

          • Infomatics90@lemmy.ca
            link
            fedilink
            English
            arrow-up
            1
            ·
            28 days ago

            I was thinking about VOIP, VPN as well, and none of my friends or family would use Facebook or whatsapp

            • sugar_in_your_tea@sh.itjust.works
              link
              fedilink
              English
              arrow-up
              1
              ·
              28 days ago

              I don’t use Facebook or WhatsApp, so that’s not an issue, but we do use SMS quite a bit, so I need something that handles that. That’s an easier problem to solve than Facebook/WhatsApp, so I’m pretty happy about that.

    • sramder@lemmy.world
      link
      fedilink
      English
      arrow-up
      3
      arrow-down
      47
      ·
      29 days ago

      You gotta love that there are benchmark for that… The company that can’t even get free, right.

      I really like their Amazon reviews thing that they bought… I bet the shady dude that had all the fucking people finder sites was in charge of that cause it’s got the same kind of fucking cheesy-graphic-load-screen… basically, the only functional piece of software they had at that point cause they hadn’t touched it, and then they went an AIed it up…

      Here’s a new idea, why doesn’t everybody in the fediverse post their favorite privacy enhanced Firefox rebrand:

      • QuadratureSurfer@lemmy.world
        link
        fedilink
        English
        arrow-up
        31
        ·
        29 days ago

        I’m really confused by your comment and it seems like you’re assuming everyone knows what you’re talking about already. Could you provide some context?

        What about “Free” are they getting wrong? (I’m assuming you’re talking about Mozilla here?).

        What Amazon reviews thing? Who was this “shady dude”, what did he do that was so “shady”, and how does that relate to Some Amazon review thing if you’re not even sure that he was behind it to begin with?

        What does “Aled it up” mean?

        • sensiblepuffin@lemmy.world
          link
          fedilink
          English
          arrow-up
          15
          ·
          29 days ago

          The Amazon reviews thing I assume is referring to Fakespot, which Mozilla bought some time ago.

          But I’m confused about their “AI’ed it up” comment because from the very beginning Fakespot was using ML to determine the tone of reviews and whether or not they were lying about the product/paid reviews by the seller.

          • sramder@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            arrow-down
            1
            ·
            29 days ago

            Just griping a bit about what’s probably more of a design/branding change than anything.

            I think fakespot is promising tech that we desperately need more of.

            Can’t hurt to have it in their hands, hope to see more server resources ;-)

        • sramder@lemmy.world
          link
          fedilink
          English
          arrow-up
          3
          arrow-down
          6
          ·
          29 days ago

          Sorry… busy day and I’m going to need a real computer for this 😅

          RE Free… nothing really, just being bitter. I’m not a huge fan of a lot of the little tie-ins like Pocket, but I respect the hustle… if not the business plan.

          The Amazon review thing they bought is Fakespot™, check it out if you shop on Amazon. Here the Ai nonsense is just some summaries of the reviews it digested… not inherently bad, but the whole experience is painfully slow. Still. Well worth checking out if you haven’t.

          Shady dude gets a 📌 for now. Sorry. Time.

          If you check out Fakespot you can’t miss it. Have yet to try the browser integration, although I have enabled it for some reason…  

  • unexposedhazard@discuss.tchncs.de
    link
    fedilink
    English
    arrow-up
    38
    arrow-down
    2
    ·
    29 days ago

    It shouldnt just be called a privacy risk. Its a safety risk because it enables stalking with little to zero effort on the stalkers side.

        • sugar_in_your_tea@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          6
          ·
          28 days ago

          Yup. Police do that, and I’m guessing it wouldn’t be too hard if you’re persistent (claim to be a private investigator or something).

          • unexposedhazard@discuss.tchncs.de
            link
            fedilink
            English
            arrow-up
            5
            ·
            edit-2
            28 days ago

            Found it (In german but we have translators these days…) https://netzpolitik.org/2024/databroker-files-firma-verschleudert-36-milliarden-standorte-von-menschen-in-deutschland/

            This is about phone location data, but i dont see any reason why cars would be any different, they create less privacy sensitive data than phones in a way.

            The people that wrote this article actually got a huge amount of slightly older data for free just as a sample. But this is the scale these data brokers operate at:

            The data itself comes from the US company Datastream Group. It offers such location data on a monthly subscription basis. According to the offer, it comes from up to 163 countries and is updated hourly.

            You can buy huge amounts of location data for anyone anywhere that uses a standard google or apple phone. Im not sure if you even need to have some random app, like socials or anything with ads in it, installed that leaks this data or if its just google and apple themselves that sell it. All you need is a single identifying point of confirmed time+location for your target and then you can reconstruct their entire movement from that.

            This has very obvious and less obvious horrible implications. Things like tracking victims of abuse, finding out peoples home address after meeting them once, tracking military personnel movement, tracking people going to sex related locations, prisons, abortion clinics, endless potential for abuse.

            • sugar_in_your_tea@sh.itjust.works
              link
              fedilink
              English
              arrow-up
              5
              ·
              28 days ago

              Awesome!

              The difference, though, is I can turn off my phone if I want to, but I can’t really turn off the car tracking unless I tear apart the car to remove the antenna (or at least the power). Some cars make it easy in the fuse box, but others make it a PIA.

              I’m planning to switch to a VOIP number and only use my SIM for data and SMS 2FA. Then I can turn off/remove the SIM as needed. Once I don’t need SMS anymore, I can get a data only SIM and hopefully hide among the various iPads and smart watches.

              I wish I could trust my carrier, but articles like the one you mentioned remind me that I really can’t.

            • Infomatics90@lemmy.ca
              link
              fedilink
              English
              arrow-up
              1
              ·
              28 days ago

              I would mention de-googling your phone but it doesn’t stop HW backdoors. would flip phones be effected? what the hell do we do?

              • unexposedhazard@discuss.tchncs.de
                link
                fedilink
                English
                arrow-up
                1
                ·
                edit-2
                28 days ago

                HW backdoors are probably not something that brokers like these leverage so its a different topic. They just like making easy money from ad tracking systems, they dont wanna work hard and fuck around with zero days.

                If you have physical security worries (government trying to kill you) then you either need graphene on a pixel and hope there are no RCE HW backdoors or something else entirely or no phone.

                But the “tracking by default” in normal phones, with data being easily available is an issue that affects almost everyone not just high risk individuals.

          • unexposedhazard@discuss.tchncs.de
            link
            fedilink
            English
            arrow-up
            4
            ·
            28 days ago

            claim to be a private investigator or something

            Oh no absolutely not necessary, this is commercially for sale data that anyone can buy as long as you dont make it obvious that you are up to no good. I will see if i can find the last article i saw about someone testing this themselves.

  • yeehaw@lemmy.ca
    link
    fedilink
    English
    arrow-up
    32
    ·
    29 days ago

    Modern cars have been privacy invading for a while. Goes back to the ownership torch thing again. Tesla can disable your car if they want. Why pay so much up front if you’re not in control? Old vehicles are the way to go.

    How would you even know about any of this stuff? I am not fortunate enough to afford a new vehicle but I imagine when you’re at the dealer they’re not like “so these cameras will watch you all the time… For safety and security, of course…”

  • theneverfox@pawb.social
    link
    fedilink
    English
    arrow-up
    14
    ·
    28 days ago

    I like the time they implied it would somehow protect people from sexual assault, but just ended up just revealing how personal the data they have can be

  • spyd3r@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    12
    ·
    28 days ago

    My next vehicle is going to be fully mechanical with a carburetor and no computerized bullshit.

    • Zetta@mander.xyz
      link
      fedilink
      English
      arrow-up
      11
      ·
      28 days ago

      I’m really hoping Aptera is successful. Their main selling point is “solar mobility” basically, they designed a hyper-efficient car that looks sort of odd because efficiency is the main design factors. They hope to gain meaningful charge from solar panels on the vehicle because it’s so efficient. They’re thinking like 50 miles a day in someplace like California.

      But they’ve also committed to being open with their vehicle and architecture by providing first-party spare parts and supporting open source stuff like open pilot.

      If they keep on their consumer-friendly path, I’m hopeful for my data privacy if I get a future car from them

    • PalmTreeIsBestTree@lemmy.world
      link
      fedilink
      English
      arrow-up
      12
      arrow-down
      1
      ·
      edit-2
      28 days ago

      Just get an early OBD 2 car with no internet access and you are good or get an EFI kit for an old car as well. Carbs suck.

      • GreenKnight23@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        1
        ·
        28 days ago

        a well tuned carb will outperform an EFI system

        for about two hours. 🤣

        EFI is dynamic and adjusts the system as needed. However, a carb can be fixed with almost anything. I have a feeling that some of the older parts for EFI vehicles will be bought by major manufacturers and trashed/over priced to improve new vehicle sales and long term data collection goals. almost exactly how GM parts are today.

        • PalmTreeIsBestTree@lemmy.world
          link
          fedilink
          English
          arrow-up
          3
          ·
          edit-2
          28 days ago

          I mean if you are going to live off the grid, then I would just stock up on carb parts then haha. Otherwise, old school port injection EFI is extremely reliable. Just get a Toyota tundra or LandCruiser with the V8 without rust and you are good for 500,000 miles at least.

    • bach37strad @lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      25 days ago

      I did.

      I had a 2012 mazda 5, everything completely mechanically sound. Immobilizer failure killed the ECU and 3 different electronics specialist, and 2 dealers couldn’t get it working.

      I bought a 1963 Ranchero (170ci inline six). You’d be amazed how cheap and widely available pretty much ALL the parts for old Fords are too.

      It also cost me less than half of a new Corolla.

    • modus@lemmy.world
      link
      fedilink
      English
      arrow-up
      3
      ·
      28 days ago

      In general, don’t allow it to connect to wifi. As for specific makes/models that might have their own uplink, look into disconnecting antennas.

      • sugar_in_your_tea@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        2
        ·
        27 days ago

        And frustratingly, it’s different in each car. Sometimes it’s in the center console, sometimes it’s behind the infotainment system, and sometimes it’s buried under the dash somewhere. Sometimes you’ll get lucky and it’ll have its own fuse, and other times it’ll cause issues depending on which part you disconnect (SIM vs antenna).

        It really sucks.

    • latenightnoir@lemmy.world
      link
      fedilink
      English
      arrow-up
      4
      arrow-down
      1
      ·
      29 days ago

      Or maybe this is the perfect opportunity to stick it to The Man and jack off even more, exclusively in your car! Maybe get into some really freaky stuff, give’em a proper show!